Windows Analysis Report fillProxy_for_terminal_20210702_v1.0.0.exe

Overview

General Information

Sample Name: fillProxy_for_terminal_20210702_v1.0.0.exe
Analysis ID: 540108
MD5: e744a9216199c95f313b5a9caff52306
SHA1: e6895f247ec71e97db4eb75070408f171203919e
SHA256: 13d345e09772591b82023fb12d68e41158c865bfec60c017d50aff16486e07e1

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Infects executable files (exe, dll, sys, html)
Uses regedit.exe to modify the Windows registry
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Uses the system / local time for branch decision (may execute only at specific dates)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Sigma detected: Imports Registry Key From a File
PE file contains more sections than normal
Checks for available system drives (often done to infect USB drives)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
PE file contains sections with non-standard names
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
PE file does not import any functions
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Uses cacls to modify the permissions of files
Installs a global mouse hook
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider

Process Tree

  • System is w10x64
  • fillProxy_for_terminal_20210702_v1.0.0.exe (PID: 6940 cmdline: "C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe" MD5: E744A9216199C95F313B5A9CAFF52306)
    • cmd.exe (PID: 4588 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ztg\fillProxy\bin\run_startfill.bat"" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • regedit.exe (PID: 4536 cmdline: regedit /s "C:\ztg\fillProxy\bin\startFill.reg" MD5: 617538C965AC4DDC72F9CF647C4343D5)
    • cmd.exe (PID: 6340 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ztg\fillProxy\bin\changePv.bat"" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cacls.exe (PID: 6388 cmdline: Cacls C:\ztg /t /e /c /g users:f MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
      • cacls.exe (PID: 6360 cmdline: Cacls C:\ztg /t /e /c /g "Domain users":f MD5: 4CBB1C027DF71C53A8EE4C855FD35B25)
    • cmd.exe (PID: 6448 cmdline: C:\Windows\system32\cmd.exe /c ""C:\ztg\fillProxy\bin\install_vc.bat"" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • vcredist_x86.exe (PID: 528 cmdline: C:\ztg\fillProxy\bin\vcredist_x86.exe /q MD5: DE34B1C517E0463602624BBC8294C08D)
        • vcredist_x86.exe (PID: 5620 cmdline: "C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe" -burn.clean.room="C:\ztg\fillProxy\bin\vcredist_x86.exe" -burn.filehandle.attached=564 -burn.filehandle.self=648 /q MD5: 2F9D2B6CE54F9095695B53D1AA217C7B)
          • VC_redist.x86.exe (PID: 6792 cmdline: "C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{54123DCB-56EF-4DED-BE9C-51E415E752C4} {1225F69D-7066-4C39-BA2A-7AD819A06F23} 5620 MD5: 2F9D2B6CE54F9095695B53D1AA217C7B)
            • VC_redist.x86.exe (PID: 6208 cmdline: "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=992 -burn.embedded BurnPipe.{194902FD-C586-4C01-993D-93F130A238F3} {9A8E0363-256F-4B62-B2C0-A739805587AC} 6792 MD5: 77F9143FEEBC7782FE91336F104EC997)
              • VC_redist.x86.exe (PID: 2264 cmdline: "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.filehandle.attached=564 -burn.filehandle.self=584 -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=992 -burn.embedded BurnPipe.{194902FD-C586-4C01-993D-93F130A238F3} {9A8E0363-256F-4B62-B2C0-A739805587AC} 6792 MD5: 77F9143FEEBC7782FE91336F104EC997)
                • VC_redist.x86.exe (PID: 5480 cmdline: "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{93FF69D1-692B-4423-A937-AE18A3777091} {A80FDF07-0A55-46E1-B710-ADC6A0BE059A} 2264 MD5: 77F9143FEEBC7782FE91336F104EC997)
  • svchost.exe (PID: 5572 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5516 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • msiexec.exe (PID: 7144 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
  • svchost.exe (PID: 7020 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • VC_redist.x86.exe (PID: 1992 cmdline: "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" /burn.runonce MD5: 2F9D2B6CE54F9095695B53D1AA217C7B)
    • VC_redist.x86.exe (PID: 6176 cmdline: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211215075009.log MD5: 2F9D2B6CE54F9095695B53D1AA217C7B)
      • VC_redist.x86.exe (PID: 4828 cmdline: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.filehandle.attached=604 -burn.filehandle.self=600 /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211215075009.log MD5: 2F9D2B6CE54F9095695B53D1AA217C7B)
        • VC_redist.x86.exe (PID: 5848 cmdline: "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{6A2D7F35-8C3D-49AA-BBC4-AEE1AF86D622} {DC087992-A519-4F88-83FE-6F746248D57E} 4828 MD5: 2F9D2B6CE54F9095695B53D1AA217C7B)
          • VC_redist.x86.exe (PID: 2796 cmdline: "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1000 -burn.embedded BurnPipe.{05D5D051-E4A9-4B0C-BB87-73D4F857D334} {577B37C1-2FF3-4169-BEB1-E0F81A86B2E3} 5848 MD5: 77F9143FEEBC7782FE91336F104EC997)
            • VC_redist.x86.exe (PID: 5124 cmdline: "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.filehandle.attached=572 -burn.filehandle.self=584 -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1000 -burn.embedded BurnPipe.{05D5D051-E4A9-4B0C-BB87-73D4F857D334} {577B37C1-2FF3-4169-BEB1-E0F81A86B2E3} 5848 MD5: 77F9143FEEBC7782FE91336F104EC997)
  • svchost.exe (PID: 6748 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7152 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Imports Registry Key From a File
Source: Process started; Author: Oddvar Moe, Sander Wiebing, oscd.community; Data: Command: regedit /s "C:\ztg\fillProxy\bin\startFill.reg", CommandLine: regedit /s "C:\ztg\fillProxy\bin\startFill.reg", CommandLine|base64offset|contains: v+, Image: C:\Windows\SysWOW64\regedit.exe, NewProcessName: C:\Windows\SysWOW64\regedit.exe, OriginalFileName: C:\Windows\SysWOW64\regedit.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\ztg\fillProxy\bin\run_startfill.bat"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4588, ProcessCommandLine: regedit /s "C:\ztg\fillProxy\bin\startFill.reg", ProcessId: 4536

Jbx Signature Overview

Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 24_2_003DF961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,24_2_003DF961
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 24_2_003B9C99 DecryptFileW,DecryptFileW,24_2_003B9C99
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 24_2_003B9EB7 DecryptFileW,24_2_003B9EB7
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Code function: 41_2_003FF961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,41_2_003FF961
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Code function: 41_2_003D9C99 DecryptFileW,DecryptFileW,41_2_003D9C99
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Code function: 41_2_003D9EB7 DecryptFileW,41_2_003D9EB7
Source: fillClient.exe.0.dr Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: fillProxy_for_terminal_20210702_v1.0.0.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore SRInitDone
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore SRInitDone
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe File created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\license.rtf
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe File created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1028\license.rtf
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe File created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1029\license.rtf
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe File created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1031\license.rtf
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe File created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1036\license.rtf
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe File created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1040\license.rtf
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe File created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1041\license.rtf
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe File created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1042\license.rtf
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe File created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1045\license.rtf
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe File created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1046\license.rtf
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe File created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1049\license.rtf
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe File created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1055\license.rtf
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe File created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\2052\license.rtf
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe File created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\3082\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1049\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\3082\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe File created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe File created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe File created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe File created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe File created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe File created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe File created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe File created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe File created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe File created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe File created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1049\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe File created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe File created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe File created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\3082\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe File created: C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe File created: C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe File created: C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe File created: C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe File created: C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe File created: C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1040\license.rtf
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: vcredist_x86.exe, 0000000E.00000000.400107640.0000000000D1B000.00000002.00020000.sdmp, vcredist_x86.exe, 0000000F.00000000.401995823.000000000119B000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000014.00000000.434148264.00000000001AB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000018.00000000.460212560.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000019.00000002.625429162.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000019.00000000.462035907.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001B.00000000.464533095.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001B.00000002.625480614.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000022.00000000.545771296.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000022.00000002.625519241.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000029.00000002.625435082.000000000040B000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000002A.00000002.625517527.000000000040B000.00000002.00020000.sdmp, vcredist_x86.exe.14.dr, vcredist_x86.exe.0.dr
Source: Binary string: D:\work\windows\wauditer1.0\fillProxy\Release\fixBoostIpcSharedMem6005issue.pdb source: fixBoostIpcSharedMem6005issue.exe.0.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcamp140.i386.pdb source: vcamp140.dll.22.dr
Source: Binary string: D:\study\windows\libsigcplusplus-3.0.3\MSVC_NMake\vs16\release\Win32\sigc-vc142-3_0.pdb source: sigc-vc142-3_0.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcamp140.i386.pdbGCTL source: vcamp140.dll.22.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\concrt140.i386.pdb source: concrt140.dll.22.dr
Source: Binary string: D:\work\windows\wauditer1.0\fillProxy\Release\fillClient.pdb source: fillClient.exe.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\mfc140u.i386.pdb source: mfc140u.dll.22.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\concrt140.i386.pdbGCTL source: concrt140.dll.22.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: msvcp140.dll.22.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\mfc140.i386.pdb source: mfc140.dll.22.dr
Source: Binary string: D:\study\windows\libsigcplusplus-3.0.3\MSVC_NMake\vs16\release\Win32\sigc-vc142-3_0.pdb!! source: sigc-vc142-3_0.dll.0.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: VC_redist.x86.exe, 0000001B.00000002.629465222.000000006E7EF000.00000002.00020000.sdmp
Source: Binary string: spyxx.pdb source: spyxx.exe.0.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\mfc140.i386.pdbGCTL source: mfc140.dll.22.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.22.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140CHT.i386.pdb source: mfc140cht.dll.22.dr

Spreading:

Infects executable files (exe, dll, sys, html)
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\mfc140esn.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\mfc140ita.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\mfc140deu.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\vcamp140.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\mfc140jpn.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\mfc140chs.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\mfcm140u.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\mfc140.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\concrt140.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\msvcp140_1.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\mfc140fra.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\vcomp140.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\mfc140rus.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\mfc140cht.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\mfcm140.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\vccorlib140.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\msvcp140.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\mfc140u.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\mfc140kor.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\msvcp140_2.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\SysWOW64\mfc140enu.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: z:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: x:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: v:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: t:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: r:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: p:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: n:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: l:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: j:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: h:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: f:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: b:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: y:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: w:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: u:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: s:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: q:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: o:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: m:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: k:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: i:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: g:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: e:
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe File opened: c:
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File opened: a:
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_0040E4C1 GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,lstrlenA,0_2_0040E4C1
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_0040E2EE lstrlenA,lstrlenA,lstrcpyA,lstrcatA,FindFirstFileA,FindClose,lstrlenA,FindClose,lstrcpyA,lstrcatA,lstrlenA,lstrcmpiA,FindNextFileA,FindClose,FindClose,lstrlenA,lstrcpyA,FindClose,0_2_0040E2EE
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_0040B6B3 FindFirstFileA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,lstrcmpiA,SendDlgItemMessageA,FindNextFileA,FindClose,0_2_0040B6B3
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_0041FB81 FindFirstFileA,GetFileAttributesA,lstrlenA,FindNextFileA,FindClose,0_2_0041FB81
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 24_2_003E4315 FindFirstFileW,FindClose,24_2_003E4315
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 24_2_003B993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,24_2_003B993E
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 24_2_003D7A87 FindFirstFileExW,24_2_003D7A87
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 24_2_003A3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,24_2_003A3BC3
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 27_2_6E7D65CB FindFirstFileW,FindClose,27_2_6E7D65CB
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 27_2_6E7E6C8C FindFirstFileExA,27_2_6E7E6C8C
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Code function: 41_2_00404315 FindFirstFileW,FindClose,41_2_00404315
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Code function: 41_2_003D993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,41_2_003D993E
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Code function: 41_2_003F7A87 FindFirstFileExW,41_2_003F7A87
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Code function: 41_2_003C3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,41_2_003C3BC3
Source: libcurl.dll.0.drString found in binary or memory: http://.css
Source: libcurl.dll.0.drString found in binary or memory: http://.jpg
Source: VC_redist.x86.exeString found in binary or memory: http://appsyndication.org/2006/appsyn
Source: vcredist_x86.exe, 0000000E.00000000.400107640.0000000000D1B000.00000002.00020000.sdmp, vcredist_x86.exe, 0000000F.00000000.401995823.000000000119B000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000014.00000000.434148264.00000000001AB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000018.00000000.460212560.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000019.00000002.625429162.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000019.00000000.462035907.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001B.00000000.464533095.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001B.00000002.625480614.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000022.00000000.545771296.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000022.00000002.625519241.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000029.00000002.625435082.000000000040B000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000002A.00000002.625517527.000000000040B000.00000002.00020000.sdmp, vcredist_x86.exe.14.dr, vcredist_x86.exe.0.drString found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: svchost.exe, 0000001E.00000002.517753811.000001A20B4E0000.00000004.00000001.sdmp, svchost.exe, 00000020.00000002.628242281.000002A2C388A000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000020.00000002.628242281.000002A2C388A000.00000004.00000001.sdmpString found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000001E.00000003.496830287.000001A20BD7D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496896489.000001A20BDBE000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496769282.000001A20BD5B000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496990928.000001A20BD9E000.00000004.00000001.sdmpString found in binary or memory: http://help.disneyplus.com.
Source: libcurl.dll.0.drString found in binary or memory: http://html4/loose.dtd
Source: svchost.exe, 00000020.00000002.626777775.000002A2BE0B3000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/0
Source: VC_redist.x86.exe, 0000001B.00000002.628557889.0000000003720000.00000004.00000001.sdmp, thm.xml.27.drString found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: fillProxy_for_terminal_20210702_v1.0.0.exeString found in binary or memory: http://www.thraexsoftware.com
Source: fillClient.exe.0.drString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: libcurl.dll.0.drString found in binary or memory: https://curl.se/V
Source: libcurl.dll.0.drString found in binary or memory: https://curl.se/docs/alt-svc.html
Source: libcurl.dll.0.drString found in binary or memory: https://curl.se/docs/copyright.htmlD
Source: libcurl.dll.0.drString found in binary or memory: https://curl.se/docs/hsts.html
Source: libcurl.dll.0.drString found in binary or memory: https://curl.se/docs/http-cookies.html
Source: svchost.exe, 0000001E.00000003.496830287.000001A20BD7D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496896489.000001A20BDBE000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496769282.000001A20BD5B000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496990928.000001A20BD9E000.00000004.00000001.sdmpString found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000001E.00000003.496830287.000001A20BD7D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496896489.000001A20BDBE000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496769282.000001A20BD5B000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496990928.000001A20BD9E000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000001E.00000003.496830287.000001A20BD7D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496896489.000001A20BDBE000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496769282.000001A20BD5B000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496990928.000001A20BD9E000.00000004.00000001.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000001E.00000003.498136935.000001A20BDAE000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.498128474.000001A20BD8D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.498112260.000001A20BDC5000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.498188923.000001A20C202000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.499344878.000001A20BD6D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.498097662.000001A20BDC5000.00000004.00000001.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: 0_2_0040EE9C GetDC,AppendMenuA,GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,ReleaseDC,DeleteDC,SelectObject,DeleteDC,GetDC,BitBlt,ReleaseDC,DeleteObject,0_2_0040EE9C
Source: fillProxy_for_terminal_20210702_v1.0.0.exeBinary or memory string: DirectInput8Create
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeWindows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT.DLL

System Summary:

Uses regedit.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\regedit.exe regedit /s "C:\ztg\fillProxy\bin\startFill.reg"
Source: spyxx.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.22.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.22.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exeSection loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dll
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeSection loaded: tsappcmp.dll
Source: libcurl.dll.0.drStatic PE information: Number of sections : 11 > 10
Source: libcurl-x64.dll.0.drStatic PE information: Number of sections : 12 > 10
Source: curl.exe.0.drStatic PE information: Number of sections : 11 > 10
Source: fillProxy_for_terminal_20210702_v1.0.0.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI374C.tmp
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: 0_2_00411D82 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00411D82
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeFile created: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: 0_2_0041FEF9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,NtProtectVirtualMemory,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,FreeLibrary,LoadLibraryA,FreeLibrary,CoInitialize,CoCreateInstance,CoUninitialize,FreeLibrary,FreeLibrary,FreeLibrary,0_2_0041FEF9
Source: mfc140ita.dll.22.drStatic PE information: No import functions for PE file found
Source: mfc140jpn.dll.22.drStatic PE information: No import functions for PE file found
Source: mfc140rus.dll.22.drStatic PE information: No import functions for PE file found
Source: mfc140deu.dll.22.drStatic PE information: No import functions for PE file found
Source: mfc140esn.dll.22.drStatic PE information: No import functions for PE file found
Source: mfc140fra.dll.22.drStatic PE information: No import functions for PE file found
Source: mfc140kor.dll.22.drStatic PE information: No import functions for PE file found
Source: mfc140cht.dll.22.drStatic PE information: No import functions for PE file found
Source: mfc140enu.dll.22.drStatic PE information: No import functions for PE file found
Source: fillProxy_for_terminal_20210702_v1.0.0.exe, 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameSPYXXHK.DLL^ vs fillProxy_for_terminal_20210702_v1.0.0.exe
Source: fillProxy_for_terminal_20210702_v1.0.0.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\fillProxy
Source: classification engineClassification label: mal48.spre.evad.winEXE@48/309@0/2
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: 0_2_00405408 GetLastError,FormatMessageA,GetActiveWindow,0_2_00405408
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCode function: 24_2_003C6945 ChangeServiceConfigW,GetLastError,24_2_003C6945
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCode function: 27_2_6E7DCEBD FindResourceExA,GetLastError,LoadResource,GetLastError,SizeofResource,GetLastError,LockResource,GetLastError,27_2_6E7DCEBD
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ztg\fillProxy\bin\run_startfill.bat""
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile read: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe "C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe"
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ztg\fillProxy\bin\run_startfill.bat""
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\regedit.exe regedit /s "C:\ztg\fillProxy\bin\startFill.reg"
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ztg\fillProxy\bin\changePv.bat""
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cacls.exe Cacls C:\ztg /t /e /c /g users:f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cacls.exe Cacls C:\ztg /t /e /c /g "Domain users":f
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\ztg\fillProxy\bin\install_vc.bat""
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\ztg\fillProxy\bin\vcredist_x86.exe C:\ztg\fillProxy\bin\vcredist_x86.exe /q
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeProcess created: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe "C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe" -burn.clean.room="C:\ztg\fillProxy\bin\vcredist_x86.exe" -burn.filehandle.attached=564 -burn.filehandle.self=648 /q
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exeProcess created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exe "C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{54123DCB-56EF-4DED-BE9C-51E415E752C4} {1225F69D-7066-4C39-BA2A-7AD819A06F23} 5620
Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknownProcess created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" /burn.runonce
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeProcess created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211215075009.log
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeProcess created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.filehandle.attached=604 -burn.filehandle.self=600 /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211215075009.log
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeProcess created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{6A2D7F35-8C3D-49AA-BBC4-AEE1AF86D622} {DC087992-A519-4F88-83FE-6F746248D57E} 4828
Source: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exeProcess created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=992 -burn.embedded BurnPipe.{194902FD-C586-4C01-993D-93F130A238F3} {9A8E0363-256F-4B62-B2C0-A739805587AC} 6792
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeProcess created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.filehandle.attached=564 -burn.filehandle.self=584 -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=992 -burn.embedded BurnPipe.{194902FD-C586-4C01-993D-93F130A238F3} {9A8E0363-256F-4B62-B2C0-A739805587AC} 6792
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeProcess created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1000 -burn.embedded BurnPipe.{05D5D051-E4A9-4B0C-BB87-73D4F857D334} {577B37C1-2FF3-4169-BEB1-E0F81A86B2E3} 5848
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeProcess created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.filehandle.attached=572 -burn.filehandle.self=584 -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1000 -burn.embedded BurnPipe.{05D5D051-E4A9-4B0C-BB87-73D4F857D334} {577B37C1-2FF3-4169-BEB1-E0F81A86B2E3} 5848
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeProcess created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{93FF69D1-692B-4423-A937-AE18A3777091} {A80FDF07-0A55-46E1-B710-ADC6A0BE059A} 2264
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25E609E4-B259-11CF-BFC7-444553540000}\InProcServer32
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: 0_2_00411D82 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00411D82
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCode function: 24_2_003A44E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,24_2_003A44E9
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeCode function: 41_2_003C44E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,41_2_003C44E9
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\Users\user\AppData\Local\Temp\aiw6653171.EXE
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: 0_2_0041FEF9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,NtProtectVirtualMemory,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,FreeLibrary,LoadLibraryA,FreeLibrary,CoInitialize,CoCreateInstance,CoUninitialize,FreeLibrary,FreeLibrary,FreeLibrary,0_2_0041FEF9
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: 0_2_0040DE4D LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetDiskFreeSpaceExA,FreeLibrary,FreeLibrary,FreeLibrary,0_2_0040DE4D
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeMutant created: \Sessions\1\BaseNamedObjects\fillProxymutex
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6364:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4692:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5312:120:WilError_01
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCommand line argument: cabinet.dll24_2_003A1070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCommand line argument: msi.dll24_2_003A1070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCommand line argument: version.dll24_2_003A1070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCommand line argument: wininet.dll24_2_003A1070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCommand line argument: comres.dll24_2_003A1070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCommand line argument: clbcatq.dll24_2_003A1070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCommand line argument: msasn1.dll24_2_003A1070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCommand line argument: crypt32.dll24_2_003A1070
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCommand line argument: feclient.dll24_2_003A1070
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeCommand line argument: cabinet.dll41_2_003C1070
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeCommand line argument: msi.dll41_2_003C1070
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeCommand line argument: version.dll41_2_003C1070
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeCommand line argument: wininet.dll41_2_003C1070
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeCommand line argument: comres.dll41_2_003C1070
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeCommand line argument: clbcatq.dll41_2_003C1070
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeCommand line argument: msasn1.dll41_2_003C1070
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeCommand line argument: crypt32.dll41_2_003C1070
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeCommand line argument: feclient.dll41_2_003C1070
Source: fillProxy_for_terminal_20210702_v1.0.0.exeString found in binary or memory: %s installation couldn't be found. Try re-installing the application before running update.
Source: fillProxy_for_terminal_20210702_v1.0.0.exeString found in binary or memory: The installation was not removed. Do you still want to re-install?
Source: fillProxy_for_terminal_20210702_v1.0.0.exeString found in binary or memory: %s is already installed on your system. It is highly recommended to uninstall the application before re-installing. Do you want to uninstall %s before re-installing?
Source: VC_redist.x86.exeString found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: fillProxy_for_terminal_20210702_v1.0.0.exeString found in binary or memory: BFile size mismatch: This file is corrupted; If you downloaded this file from the internet, try downloading it againChecksum mismatch. The installation is corrupt or has been tampered with. If you downloaded this file from the internet, try downloading it again.Initialization failed. Aborting. Error code: %dCouldn't read TOC. Aborting.The installation was not removed. Do you still want to re-install?<__Internal_InstallationNotRemoved__>Couldn't launch uninstaller. Previous installation was not removed!/SILENT /NOREMOVE"%s" Couldn't find uninstaller. Previous installation was not removed!<__Internal_AlreadyInstalled__>%s is already installed on your system. It is highly recommended to uninstall the application before re-installing. Do you want to uninstall %s before re-installing?.bakGraphics initialization failedAstrumInstaller\3rd-party\slideshow\installerFailed to launch installer. (CreateProcess failed) /revert /silent<IsAdmin><DS2000>C:\Progra~1\Common~1C:\Program Files\Common FilesCommonFilesDirC:\Progra~1C:\Program FilesSoftware\Microsoft\Windows\CurrentVersionProgramFilesDir<MyDocuments><DesktopNt><ProgramsDirNt><StartMenuNt><StartUpNt><Date><SystemDrive><SetupDir><ShortTempDir><TempDir><ShortSystemDir><SystemDir><ShortWindowsDir><WindowsDir><ShortCommonFiles><CommonFiles><ShortProgramFiles><ProgramFiles><ShortStartMenu><StartMenu><FontDir><ShortDesktop><Desktop><ShortStartUp><StartUp><ShortProgramsDir><ProgramsDir><IsUpdate>This setup program was created using unregistered shareware version of Astrum InstallWizard and distribution of this program is strictly forbidden.
Source: fillProxy_for_terminal_20210702_v1.0.0.exeString found in binary or memory: (This message will not be shown in the registered version of Astrum InstallWizard.)Astrum InstallerGraphics initialization failed. Dialog image will not be shown<__Internal_InitializingTitle__><__Internal_Initializing__>RegisteredOrganizationSoftware\Microsoft\Windows NT\CurrentVersionGetUserNameExASecur32.dllOnMessageSystemInformationEntryPointCustomEntryPoint13EntryPoint12EntryPoint11EntryPoint10EntryPoint9EntryPoint8EntryPoint7EntryPoint6EntryPoint5EntryPoint4EntryPoint3EntryPoint2EntryPoint1_5EntryPoint1EntryPoint0AdvancedEntry.jpg/REVERT/SILENT"<ResourceDir>\3rd-party\Downloader.exe" /download /local "%s" /url "%s" /program "%s"<ResourceDir>\3rd-party\%s.exe"%s"%s /q:a /c:"dasetup.exe /q /n" /r:n /q:aDirectX9.08.18.07.0Microsoft Data Access ComponentsFullInstallVerSoftware\Microsoft\DataAccess2.80.1022.32.82.70.9001.02.72.60.6526.32.62.50.4403.122.5HTML Help Viewer 1.331.321.311.31.221.21a1.211.21.1b1.1a1.0\hhctrl.ocxJava .NET Framework 1.1.FOTmutexAutorunCommandCouldn't read destination directory from registry. Aborting<__Internal_DirNotFound__><ResourceDir><UninstallerName><ShortcutDir><InstallDir><ShortShortcutDir><ShortInstallDir><UserSerial><UserCompany><UserName><__Internal_FindingFile__>%sinst%dOut of memory%s installation couldn't be found. Try re-installing the application before running update.This update supports updates from version %s up to version %s. You have version %s and it cannot be updated by this program.<__Internal_UpdateCannotUpdate1__>This update updates to version %s which is already installed on your system.<__Internal_UpdateAlreadyInstalled__>This update supports updates from version(s) %s. 
You have currently version %s and it cannot be updated by this program.<__Internal_UpdateCannotUpdate2__>This update updates to version %s which is already installed on your system and , HKEY_USERSHKEY_LOCAL_MACHINEHKEY_CURRENT_USERHKEY_CLASSES_ROOTThis will install %s to your computer. Do you want to continue?<__Internal_InstallVerification__>This will update %s to version %s. Do you want to continue?<__Internal_UpdateVerification__>Do your really want to exit setup?JPGToBMPExJPGToBMPGetDllVersionBlit%b%sOut of boundsInvalid param
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile written: C:\ztg\fillProxy\data\FlashFXP.ini
Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exeWindow detected: Number of UI elements: 23
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeWindow detected: Number of UI elements: 23
Source: fillProxy_for_terminal_20210702_v1.0.0.exeStatic file information: File size 23653052 > 1048576
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: vcredist_x86.exe, 0000000E.00000000.400107640.0000000000D1B000.00000002.00020000.sdmp, vcredist_x86.exe, 0000000F.00000000.401995823.000000000119B000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000014.00000000.434148264.00000000001AB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000018.00000000.460212560.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000019.00000002.625429162.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000019.00000000.462035907.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001B.00000000.464533095.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001B.00000002.625480614.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000022.00000000.545771296.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000022.00000002.625519241.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000029.00000002.625435082.000000000040B000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000002A.00000002.625517527.000000000040B000.00000002.00020000.sdmp, vcredist_x86.exe.14.dr, vcredist_x86.exe.0.dr
Source: Binary string: D:\work\windows\wauditer1.0\fillProxy\Release\fixBoostIpcSharedMem6005issue.pdb source: fixBoostIpcSharedMem6005issue.exe.0.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcamp140.i386.pdb source: vcamp140.dll.22.dr
Source: Binary string: D:\study\windows\libsigcplusplus-3.0.3\MSVC_NMake\vs16\release\Win32\sigc-vc142-3_0.pdb source: sigc-vc142-3_0.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcamp140.i386.pdbGCTL source: vcamp140.dll.22.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\concrt140.i386.pdb source: concrt140.dll.22.dr
Source: Binary string: D:\work\windows\wauditer1.0\fillProxy\Release\fillClient.pdb source: fillClient.exe.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\mfc140u.i386.pdb source: mfc140u.dll.22.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\concrt140.i386.pdbGCTL source: concrt140.dll.22.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: msvcp140.dll.22.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\mfc140.i386.pdb source: mfc140.dll.22.dr
Source: Binary string: D:\study\windows\libsigcplusplus-3.0.3\MSVC_NMake\vs16\release\Win32\sigc-vc142-3_0.pdb!! source: sigc-vc142-3_0.dll.0.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\WixStdBA.pdb source: VC_redist.x86.exe, 0000001B.00000002.629465222.000000006E7EF000.00000002.00020000.sdmp
Source: Binary string: spyxx.pdb source: spyxx.exe.0.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\mfc140.i386.pdbGCTL source: mfc140.dll.22.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.22.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140CHT.i386.pdb source: mfc140cht.dll.22.dr
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: 0_2_00425220 push eax; ret 0_2_0042524E
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCode function: 24_2_003CE876 push ecx; ret 24_2_003CE889
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeCode function: 27_2_6E7DEE46 push ecx; ret 27_2_6E7DEE59
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeCode function: 41_2_003EE876 push ecx; ret 41_2_003EE889
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: 0_2_00411811 lstrcpyA,LoadLibraryA,GetProcAddress,GetShortPathNameW,WideCharToMultiByte,lstrlenA,lstrlenA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrcatA,0_2_00411811
Source: curl.exe.0.drStatic PE information: section name: .eh_fram
Source: vcredist_x86.exe.0.drStatic PE information: section name: .wixburn
Source: libcurl-x64.dll.0.drStatic PE information: section name: .xdata
Source: libcurl.dll.0.drStatic PE information: section name: .eh_fram
Source: sigc-vc142-d-3_0.dll.0.drStatic PE information: section name: .00cfg
Source: spyxxhk.dll.0.drStatic PE information: section name: .shdata
Source: vcredist_x86.exe.14.drStatic PE information: section name: .wixburn
Source: VC_redist.x86.exe.15.drStatic PE information: section name: .wixburn
Source: VC_redist.x86.exe.20.drStatic PE information: section name: .wixburn
Source: mfc140u.dll.22.drStatic PE information: section name: .didat
Source: msvcp140.dll.22.drStatic PE information: section name: .didat

Persistence and Installation Behavior:

Infects executable files (exe, dll, sys, html)
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140esn.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140ita.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140deu.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\vcamp140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140jpn.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140chs.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfcm140u.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\concrt140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\msvcp140_1.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140fra.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\vcomp140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140rus.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140cht.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfcm140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\vccorlib140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\msvcp140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140u.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140kor.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\msvcp140_2.dll
Source: C:\Windows\System32\msiexec.exeSystem file written: C:\Windows\SysWOW64\mfc140enu.dll
Source: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exeFile created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\sigc-vc142-d-3_0.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140esn.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140ita.dll
Source: C:\Windows\System32\msiexec.exeFile created: 662c59.rbf (copy)
Source: C:\Windows\System32\msiexec.exeFile created: 662c69.rbf (copy)
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140deu.dll
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\vcamp140.dll
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\curl.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 662c6f.rbf (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140jpn.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140chs.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 662c56.rbf (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfcm140u.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 662c66.rbf (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140.dllJump to dropped file
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\SPYaaa.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 662c6c.rbf (copy)Jump to dropped file
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\registerNavicat.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\concrt140.dllJump to dropped file
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\hb_terminal_code.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\msvcp140_1.dllJump to dropped file
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\Uninstall.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 662c54.rbf (copy)Jump to dropped file
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\spy++\spyxxhk.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140fra.dllJump to dropped file
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\wixstdba.dllJump to dropped file
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\vcredist_x86.exeJump to dropped file
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\sigc-vc142-3_0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 662c64.rbf (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\vcomp140.dllJump to dropped file
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\SPY.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140rus.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 662c53.rbf (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140cht.dllJump to dropped file
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\fillServer.exeJump to dropped file
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\fixBoostIpcSharedMem6005issue.exeJump to dropped file
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\fillClient.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 662c5a.rbf (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfcm140.dllJump to dropped file
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 662c6a.rbf (copy)Jump to dropped file
Source: C:\ztg\fillProxy\bin\vcredist_x86.exeFile created: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 662c63.rbf (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 662c62.rbf (copy)Jump to dropped file
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\cleanNavicatHistory.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 662c6b.rbf (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 662c5b.rbf (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\vccorlib140.dllJump to dropped file
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\boost_date_time-vc142-mt-gd-x32-1_72.dllJump to dropped file
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\crt6.6.1_tmp.exeJump to dropped file
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\spy++\spyxx.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 662c68.rbf (copy)Jump to dropped file
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\fillProxy.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140u.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\msvcp140.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\vcruntime140.dllJump to dropped file
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\Users\user\AppData\Local\Temp\aiw6653171.EXEJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140kor.dllJump to dropped file
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\loadyyChannelCrt.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\msvcp140_codecvt_ids.dllJump to dropped file
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\instsrv.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 662c65.rbf (copy)Jump to dropped file
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\wixstdba.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\msvcp140_2.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 662c58.rbf (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 662c6d.rbf (copy)Jump to dropped file
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\libcurl.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\mfc140enu.dllJump to dropped file
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\libcurl-x64.dllJump to dropped file
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\wixstdba.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 662c57.rbf (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 662c67.rbf (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 662c6e.rbf (copy)Jump to dropped file
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\ztg\fillProxy\bin\srvany.exeJump to dropped file
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\wixstdba.dllJump to dropped file
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\license.rtfJump to behavior
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1028\license.rtfJump to behavior
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1029\license.rtfJump to behavior
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1031\license.rtfJump to behavior
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1036\license.rtfJump to behavior
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1040\license.rtfJump to behavior
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1041\license.rtfJump to behavior
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1042\license.rtfJump to behavior
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1045\license.rtfJump to behavior
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1046\license.rtfJump to behavior
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1049\license.rtfJump to behavior
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1055\license.rtfJump to behavior
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\2052\license.rtfJump to behavior
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exeFile created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\3082\license.rtfJump to behavior
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1049\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exeFile created: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\3082\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1049\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\3082\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exeFile created: C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1040\license.rtf
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\fillProxyJump to behavior
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: 0_2_00419D70 CreateMutexA,GetLastError,FindWindowA,IsIconic,ShowWindow,SetForegroundWindow,0_2_00419D70
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeCode function: 0_2_004184A4 DeleteFileA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,DeleteFileA,0_2_004184A4
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cacls.exe Cacls C:\ztg /t /e /c /g users:f
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regedit.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exe; TID: 6768; Thread sleep count: 133 > 30
Source: C:\Windows\System32\svchost.exe; TID: 2728; Thread sleep time: -210000s >= -30000s
Source: C:\Windows\System32\svchost.exe; TID: 7092; Thread sleep time: -30000s >= -30000s
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe; TID: 5612; Thread sleep count: 48 > 30
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe; Code function: 0_2_0041DF41 GetSystemTime followed by cmp: cmp word ptr [ebp-0eh], 0002h and CTI: jbe 0041DFF9h
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe; Code function: 24_2_003DFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 003DFE5Dh
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe; Code function: 24_2_003DFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 003DFE56h
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe; Code function: 41_2_003FFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 003FFE5Dh
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe; Code function: 41_2_003FFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 003FFE56h
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe; Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe; Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe; API coverage: 9.5 %
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 662c59.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 662c69.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\sigc-vc142-d-3_0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 662c62.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\cleanNavicatHistory.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 662c6b.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 662c5b.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\curl.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 662c6f.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\boost_date_time-vc142-mt-gd-x32-1_72.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 662c56.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\crt6.6.1_tmp.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 662c66.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\spy++\spyxx.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 662c6c.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\SPYaaa.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 662c68.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\registerNavicat.exe
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\fillProxy.exe
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\hb_terminal_code.exe
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\aiw6653171.EXE
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\loadyyChannelCrt.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 662c65.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\instsrv.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 662c54.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\spy++\spyxxhk.dll
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\sigc-vc142-3_0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 662c64.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 662c58.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 662c6d.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\libcurl.dll
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\SPY.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 662c53.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\libcurl-x64.dll
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\fillServer.exe
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\fixBoostIpcSharedMem6005issue.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 662c5a.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\fillClient.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 662c57.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 662c6a.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 662c67.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 662c63.rbf (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 662c6e.rbf (copy)
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Dropped PE file which has not been started: C:\ztg\fillProxy\bin\srvany.exe
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_004068F2 rdtsc 0_2_004068F2
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Registry key enumerated: More than 302 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Registry key enumerated: More than 153 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exe Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe Registry key enumerated: More than 152 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_0040E4C1 GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,lstrlenA,0_2_0040E4C1
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: svchost.exe, 00000020.00000002.628146915.000002A2C385F000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 0000001E.00000002.517731612.000001A20B4DC000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000002.517556137.000001A20B471000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000002.517753811.000001A20B4E0000.00000004.00000001.sdmp, svchost.exe, 00000020.00000002.626183485.000002A2BE02A000.00000004.00000001.sdmp, svchost.exe, 00000020.00000002.628022748.000002A2C3849000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: VC_redist.x86.exe, 0000001B.00000002.626831325.000000000135F000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_0042037B GetSystemInfo,0_2_0042037B
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_0040E2EE lstrlenA,lstrlenA,lstrcpyA,lstrcatA,FindFirstFileA,FindClose,lstrlenA,FindClose,lstrcpyA,lstrcatA,lstrlenA,lstrcmpiA,FindNextFileA,FindClose,FindClose,lstrlenA,lstrcpyA,FindClose,0_2_0040E2EE
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_0040B6B3 FindFirstFileA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,lstrcmpiA,SendDlgItemMessageA,FindNextFileA,FindClose,0_2_0040B6B3
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_0041FB81 FindFirstFileA,GetFileAttributesA,lstrlenA,FindNextFileA,FindClose,0_2_0041FB81
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 24_2_003E4315 FindFirstFileW,FindClose,24_2_003E4315
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 24_2_003B993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,24_2_003B993E
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 24_2_003D7A87 FindFirstFileExW,24_2_003D7A87
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 24_2_003A3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,24_2_003A3BC3
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 27_2_6E7D65CB FindFirstFileW,FindClose,27_2_6E7D65CB
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 27_2_6E7E6C8C FindFirstFileExA,27_2_6E7E6C8C
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Code function: 41_2_00404315 FindFirstFileW,FindClose,41_2_00404315
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Code function: 41_2_003D993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,41_2_003D993E
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Code function: 41_2_003F7A87 FindFirstFileExW,41_2_003F7A87
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Code function: 41_2_003C3BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,41_2_003C3BC3
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_00411811 lstrcpyA,LoadLibraryA,GetProcAddress,GetShortPathNameW,WideCharToMultiByte,lstrlenA,lstrlenA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrcatA,0_2_00411811
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 24_2_003D4812 mov eax, dword ptr fs:[00000030h] 24_2_003D4812
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 27_2_6E7E3C07 mov eax, dword ptr fs:[00000030h] 27_2_6E7E3C07
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Code function: 41_2_003F4812 mov eax, dword ptr fs:[00000030h] 41_2_003F4812
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 24_2_003CE625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_003CE625
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 24_2_003A38D4 GetProcessHeap,RtlAllocateHeap,24_2_003A38D4
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 24_2_003CE773 SetUnhandledExceptionFilter,24_2_003CE773
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 24_2_003CE188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,24_2_003CE188
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 24_2_003D3BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_003D3BB0
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 27_2_6E7DE730 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,27_2_6E7DE730
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 27_2_6E7DEC77 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_2_6E7DEC77
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Code function: 27_2_6E7E09E7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_2_6E7E09E7
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Code function: 41_2_003EE773 SetUnhandledExceptionFilter,41_2_003EE773
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Code function: 41_2_003EE188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,41_2_003EE188
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Code function: 41_2_003EE625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,41_2_003EE625
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Code function: 41_2_003F3BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,41_2_003F3BB0
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Process created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.filehandle.attached=604 -burn.filehandle.self=600 /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211215075009.log
Source: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exe Process created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=992 -burn.embedded BurnPipe.{194902FD-C586-4C01-993D-93F130A238F3} {9A8E0363-256F-4B62-B2C0-A739805587AC} 6792
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Process created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.filehandle.attached=564 -burn.filehandle.self=584 -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=992 -burn.embedded BurnPipe.{194902FD-C586-4C01-993D-93F130A238F3} {9A8E0363-256F-4B62-B2C0-A739805587AC} 6792
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Process created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1000 -burn.embedded BurnPipe.{05D5D051-E4A9-4B0C-BB87-73D4F857D334} {577B37C1-2FF3-4169-BEB1-E0F81A86B2E3} 5848
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Process created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.filehandle.attached=572 -burn.filehandle.self=584 -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1000 -burn.embedded BurnPipe.{05D5D051-E4A9-4B0C-BB87-73D4F857D334} {577B37C1-2FF3-4169-BEB1-E0F81A86B2E3} 5848
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regedit.exe regedit /s "C:\ztg\fillProxy\bin\startFill.reg"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe Cacls C:\ztg /t /e /c /g users:f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe Cacls C:\ztg /t /e /c /g "Domain users":f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\ztg\fillProxy\bin\vcredist_x86.exe C:\ztg\fillProxy\bin\vcredist_x86.exe /q
Source: C:\ztg\fillProxy\bin\vcredist_x86.exe Process created: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe "C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe" -burn.clean.room="C:\ztg\fillProxy\bin\vcredist_x86.exe" -burn.filehandle.attached=564 -burn.filehandle.self=648 /q
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe Process created: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exe "C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{54123DCB-56EF-4DED-BE9C-51E415E752C4} {1225F69D-7066-4C39-BA2A-7AD819A06F23} 5620
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe Process created: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{6A2D7F35-8C3D-49AA-BBC4-AEE1AF86D622} {DC087992-A519-4F88-83FE-6F746248D57E} 4828
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe Process created: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe "C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{93FF69D1-692B-4423-A937-AE18A3777091} {A80FDF07-0A55-46E1-B710-ADC6A0BE059A} 2264
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe Code function: 0_2_0041E3EF GetVersion,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,DuplicateToken,AllocateAndInitializeSid,LocalAlloc,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,0_2_0041E3EF
Source: fillProxy_for_terminal_20210702_v1.0.0.exe, 00000000.00000002.625711563.0000000000DE0000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000019.00000002.626793602.0000000001030000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001B.00000002.627189856.00000000018D0000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000022.00000002.627731470.0000000001D00000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000029.00000002.627197621.00000000013E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: fillProxy_for_terminal_20210702_v1.0.0.exe, 00000000.00000002.625711563.0000000000DE0000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000019.00000002.626793602.0000000001030000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001B.00000002.627189856.00000000018D0000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000022.00000002.627731470.0000000001D00000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000029.00000002.627197621.00000000013E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: fillProxy_for_terminal_20210702_v1.0.0.exe, 00000000.00000002.625711563.0000000000DE0000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000019.00000002.626793602.0000000001030000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001B.00000002.627189856.00000000018D0000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000022.00000002.627731470.0000000001D00000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000029.00000002.627197621.00000000013E0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: fillProxy_for_terminal_20210702_v1.0.0.exe, 00000000.00000002.625711563.0000000000DE0000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000019.00000002.626793602.0000000001030000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001B.00000002.627189856.00000000018D0000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000022.00000002.627731470.0000000001D00000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000029.00000002.627197621.00000000013E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe | Code function: GetLocaleInfoA,lstrcpyA,__aulldiv,__aulldiv,__aulldiv,0_2_0041D95E
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe | Code function: SetDlgItemTextA,GetLocaleInfoA,lstrcpyA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatA,SetDlgItemTextA,lstrlenA,lstrlenA,lstrlenA,lstrcatA,SetDlgItemTextA,GetDlgItem,EnableWindow,0_2_0040C96B
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe | Code function: LoadLibraryA,GetProcAddress,FreeLibrary,GetLocaleInfoA,lstrcpyA,FreeLibrary,0_2_0041EEE8
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe | Queries volume information: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\logo.png VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe | Queries volume information: C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\logo.png VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe | Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe | Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe | Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe | Queries volume information: C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\logo.png VolumeInformation
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe | Code function: 0_2_00406575 cpuid 0_2_00406575
Source: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe | Code function: 0_2_0041DF41 GetDateFormatA,GetSystemTime,0_2_0041DF41
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe | Code function: 24_2_003E8733 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,24_2_003E8733
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe | Code function: 0_2_00418092 GetUserNameA,LoadLibraryA,GetProcAddress,FreeLibrary,CreateDialogParamA,SetWindowTextA,GetDlgItem,SetWindowTextA,SetWindowTextA,ShowWindow,DestroyWindow,0_2_00418092
Source: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe | Code function: 24_2_003B4CE8 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,24_2_003B4CE8
Source: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe | Code function: 0_2_004253CA EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,0_2_004253CA

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Replication Through Removable Media1 | Scripting1 | DLL Side-Loading1 | DLL Side-Loading1 | Deobfuscate/Decode Files or Information1 | Input Capture2 | System Time Discovery12 | Taint Shared Content1 | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
Default Accounts | Native API2 | Application Shimming1 | Application Shimming1 | Scripting1 | LSASS Memory | Peripheral Device Discovery11 | Replication Through Removable Media1 | Screen Capture1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter13 | Windows Service1 | Access Token Manipulation1 | Obfuscated Files or Information2 | Security Account Manager | Account Discovery1 | SMB/Windows Admin Shares | Input Capture2 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Service Execution1 | Registry Run Keys / Startup Folder1 | Windows Service1 | DLL Side-Loading1 | NTDS | File and Directory Discovery5 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Services File Permissions Weakness1 | Process Injection13 | File Deletion1 | LSA Secrets | System Information Discovery57 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Registry Run Keys / Startup Folder1 | Masquerading21 | Cached Domain Credentials | Query Registry1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Services File Permissions Weakness1 | Modify Registry1 | DCSync | Security Software Discovery41 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion2 | Proc Filesystem | Virtualization/Sandbox Evasion2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Access Token Manipulation1 | /etc/passwd and /etc/shadow | Process Discovery12 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection13 | Network Sniffing | Application Window Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Services File Permissions Weakness1 | Input Capture | System Owner/User Discovery1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols |  |  | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Rename System Utilities | Keylogging | Remote System Discovery1 | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS |  |  | Inhibit System Recovery

Behavior Graph

[Behavior graph image. Behavior Graph ID: 540108; Sample: fillProxy_for_terminal_2021...; Startdate: 15/12/2021; Architecture: WINDOWS; Score: 48]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
fillProxy_for_terminal_20210702_v1.0.0.exe | 3% | Virustotal |  | Browse

Dropped Files

Source | Detection | Scanner | Label | Link
662c53.rbf (copy) | 3% | Metadefender |  | Browse
662c53.rbf (copy) | 0% | ReversingLabs |  |
662c54.rbf (copy) | 0% | Metadefender |  | Browse
662c54.rbf (copy) | 0% | ReversingLabs |  |
662c56.rbf (copy) | 0% | Metadefender |  | Browse
662c56.rbf (copy) | 0% | ReversingLabs |  |
662c57.rbf (copy) | 0% | Metadefender |  | Browse
662c57.rbf (copy) | 0% | ReversingLabs |  |
662c58.rbf (copy) | 0% | Metadefender |  | Browse
662c58.rbf (copy) | 0% | ReversingLabs |  |
662c59.rbf (copy) | 0% | Metadefender |  | Browse
662c59.rbf (copy) | 0% | ReversingLabs |  |
662c5a.rbf (copy) | 0% | Metadefender |  | Browse
662c5a.rbf (copy) | 0% | ReversingLabs |  |
662c5b.rbf (copy) | 0% | Metadefender |  | Browse
662c5b.rbf (copy) | 0% | ReversingLabs |  |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
https://curl.se/docs/hsts.html | 0% | Virustotal |  | Browse
https://curl.se/docs/hsts.html | 0% | Avira URL Cloud | safe |
http://html4/loose.dtd | 0% | Avira URL Cloud | safe |
https://curl.se/docs/copyright.htmlD | 0% | URL Reputation | safe |
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe |
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe |
https://curl.se/docs/http-cookies.html | 0% | URL Reputation | safe |
https://disneyplus.com/legal. | 0% | URL Reputation | safe |
http://crl.ver) | 0% | Avira URL Cloud | safe |
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe |
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor | 0% | URL Reputation | safe |
https://curl.se/docs/alt-svc.html | 0% | URL Reputation | safe |
http://.css | 0% | Avira URL Cloud | safe |
http://www.thraexsoftware.com | 0% | Avira URL Cloud | safe |
http://.jpg | 0% | Avira URL Cloud | safe |
http://help.disneyplus.com. | 0% | URL Reputation | safe |
http://appsyndication.org/2006/appsyn | 0% | URL Reputation | safe |
https://curl.se/V | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | libcurl.dll.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://html4/loose.dtd | libcurl.dll.0.dr | false | Avira URL Cloud: safe | low
https://curl.se/docs/copyright.htmlD | libcurl.dll.0.dr | false | URL Reputation: safe | unknown
https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 0000001E.00000003.496830287.000001A20BD7D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496896489.000001A20BDBE000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496769282.000001A20BD5B000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496990928.000001A20BD9E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 0000001E.00000003.496830287.000001A20BD7D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496896489.000001A20BDBE000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496769282.000001A20BD5B000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496990928.000001A20BD9E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://curl.se/docs/http-cookies.html | libcurl.dll.0.dr | false | URL Reputation: safe | unknown
http://wixtoolset.org/schemas/thmutil/2010 | VC_redist.x86.exe, 0000001B.00000002.628557889.0000000003720000.00000004.00000001.sdmp, thm.xml.27.dr | false |  | high
https://disneyplus.com/legal. | svchost.exe, 0000001E.00000003.496830287.000001A20BD7D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496896489.000001A20BDBE000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496769282.000001A20BD5B000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496990928.000001A20BD9E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.ver) | svchost.exe, 00000020.00000002.628242281.000002A2C388A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://www.tiktok.com/legal/report/feedback | svchost.exe, 0000001E.00000003.498136935.000001A20BDAE000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.498128474.000001A20BD8D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.498112260.000001A20BDC5000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.498188923.000001A20C202000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.499344878.000001A20BD6D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.498097662.000001A20BDC5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor | vcredist_x86.exe, 0000000E.00000000.400107640.0000000000D1B000.00000002.00020000.sdmp, vcredist_x86.exe, 0000000F.00000000.401995823.000000000119B000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000014.00000000.434148264.00000000001AB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000018.00000000.460212560.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000019.00000002.625429162.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000019.00000000.462035907.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001B.00000000.464533095.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000001B.00000002.625480614.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000022.00000000.545771296.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000022.00000002.625519241.00000000003EB000.00000002.00020000.sdmp, VC_redist.x86.exe, 00000029.00000002.625435082.000000000040B000.00000002.00020000.sdmp, VC_redist.x86.exe, 0000002A.00000002.625517527.000000000040B000.00000002.00020000.sdmp, vcredist_x86.exe.14.dr, vcredist_x86.exe.0.dr | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/0 | svchost.exe, 00000020.00000002.626777775.000002A2BE0B3000.00000004.00000001.sdmp | false |  | high
https://curl.se/docs/alt-svc.html | libcurl.dll.0.dr | false | URL Reputation: safe | unknown
http://.css | libcurl.dll.0.dr | false | Avira URL Cloud: safe | low
http://www.thraexsoftware.com | fillProxy_for_terminal_20210702_v1.0.0.exe | false | Avira URL Cloud: safe | unknown
http://.jpg | libcurl.dll.0.dr | false | Avira URL Cloud: safe | low
http://help.disneyplus.com. | svchost.exe, 0000001E.00000003.496830287.000001A20BD7D000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496896489.000001A20BDBE000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496769282.000001A20BD5B000.00000004.00000001.sdmp, svchost.exe, 0000001E.00000003.496990928.000001A20BD9E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://curl.haxx.se/docs/http-cookies.html | fillClient.exe.0.dr | false |  | high
http://appsyndication.org/2006/appsyn | VC_redist.x86.exe | false | URL Reputation: safe | unknown
https://curl.se/V | libcurl.dll.0.dr | false | URL Reputation: safe | unknown

        Contacted IPs

        Public

        IP | Domain | Country | Flag | ASN | ASN Name | Malicious

        Private

        IP
        192.168.2.1
        127.0.0.1

        General Information

        Joe Sandbox Version:34.0.0 Boulder Opal
        Analysis ID:540108
        Start date:15.12.2021
        Start time:07:48:15
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 13m 12s
        Hypervisor based Inspection enabled:false
        Report type:full
        Sample file name:fillProxy_for_terminal_20210702_v1.0.0.exe
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of analysed new started processes analysed:44
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal48.spre.evad.winEXE@48/309@0/2
        EGA Information:
        • Successful, ratio: 44.4%
        HDC Information:
        • Successful, ratio: 100% (good quality ratio 93.1%)
        • Quality average: 75.4%
        • Quality standard deviation: 30.3%
        HCA Information:Failed
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Found application associated with file extension: .exe
        Warnings:
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe
        • Excluded IPs from analysis (whitelisted): 2.20.205.141, 20.54.110.249, 23.54.113.104
        • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
        • Execution Graph export aborted for target VC_redist.x86.exe, PID 5848 because there are no executed function
        • Not all processes where analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtCreateFile calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryAttributesFile calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Report size getting too big, too many NtSetInformationFile calls found.
        • Report size getting too big, too many NtWriteFile calls found.

        Simulations

        Behavior and APIs

        Time | Type | Description
        07:50:14 | Autostart | Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce {65e650ff-30be-469d-b63a-418d71ea1765} "C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" /burn.runonce
        07:50:39 | API Interceptor | 9x Sleep call for process: svchost.exe modified

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

        ASN

        No context

        JA3 Fingerprints

        No context

        Dropped Files

        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
        662c5b.rbf (copy) | Trustwallet.exe | Get hash | malicious | Browse |
         | dqVPlpmWYt.exe | Get hash | malicious | Browse |
         | w2IPZXaPkO.exe | Get hash | malicious | Browse |
         | Scanner.exe | Get hash | malicious | Browse |

                Created / dropped Files

                662c53.rbf (copy)
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):362272
                Entropy (8bit):6.480079655173682
                Encrypted:false
                SSDEEP:6144:TNdn9nbqWFEijveDAHlreqc7Bd0o+Sb9mut1EFnceq0CR0y5M+:j9uAeMBMBio+Sb9mut1EF1qi+
                MD5:766A806CF675EBFC1BCD8766D446692A
                SHA1:71A60564596341323B8544C46A63164974570216
                SHA-256:F59EEFB0DAF0CDD646C5B522BC14B13BCEA57A1ECD567E7A0B930AA5EAA2EC2F
                SHA-512:86B06DED1DBF3399ABEAB86C36268AD061CC19AFEF4F694EFE7F5584959F7551E803361A456EEDC2596440617EF28A7BAA6E34CFA6ABB3EC94D8E54D59FD9F01
                Malicious:false
                Antivirus:
                • Antivirus: Metadefender, Detection: 3%, Browse
                • Antivirus: ReversingLabs, Detection: 0%
                662c54.rbf (copy)
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):141600
                Entropy (8bit):6.730918695182974
                Encrypted:false
                SSDEEP:3072:Dx2TmVYqVACERsarapgaqKSVoSkOuRoJm4t4/lAcXNt:FdbPFqjoPOuRou/lA2f
                MD5:072DA195F3C547B1584813E02E245CD8
                SHA1:EDA3A7CD19D4BB362BE37EC06290C1309962D4D4
                SHA-256:DBCB040304AC8A81E149840DEB816E1C4E5BC20487766541AA8C7C5C0629C804
                SHA-512:37BF63D59DF173D5152253CE2A4F5A2BB7DC2BF9F63BF7C379ED5BB3C9989BB782E6A836E8C6D7EBF2F927092E098FAA747F31AC4D6296194AEBCCC4EA8F68CE
                Malicious:false
                Antivirus:
                • Antivirus: Metadefender, Detection: 0%, Browse
                • Antivirus: ReversingLabs, Detection: 0%
                662c56.rbf (copy)
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):250144
                Entropy (8bit):6.698404457805156
                Encrypted:false
                SSDEEP:6144:emyq0GgZNA2UwM1vfEcgVAtP+9vIaIgVb5C/U0ZXQVSSIuVxND5S912z/VsDBZAu:eAIMogaIgyRZFuVxNkeztu
                MD5:92F00AD0D5283A6A763073E2F1E4EB58
                SHA1:70BCB3C04DDF9A07F4FA65E94FC6997E58606699
                SHA-256:17079A00DA2F4653B85C9B659088DD485BF84C0B3E5E7E80C7612CAF1EF2BEFC
                SHA-512:2A7BA56FF5B8BC7B8E7C2729C9E59E806F91188A594F306D8524B01C3752066709030F206AA1556507A90944A58D53E497F8774F90D8E8B5FBD31EEC6430FFB0
                Malicious:false
                Antivirus:
                • Antivirus: Metadefender, Detection: 0%, Browse
                • Antivirus: ReversingLabs, Detection: 0%
                662c57.rbf (copy)
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):453920
                Entropy (8bit):6.66950080753057
                Encrypted:false
                SSDEEP:12288:tjBcSw+X+OLM+PBrWHPd9pGDXywWz08oumlBVhUgiW6QR7t5s03Ooc8dHkC2esrG:tjBcSw+1M+PBrWF9IWwWz08ay03Ooc87
                MD5:697220335E5C4B4126AF45F6F8207896
                SHA1:8106F2DD4665AEC0D1C652E29378EF46EA4E5801
                SHA-256:D7446822C53CF6B9E31D5610D838EBF26ED08BF7497A3E022C47FF193CCDE0BE
                SHA-512:B820735E96600A1382D4097A7638F3286335D93032152B8C85E4EA8196439DFE687E1F8309A81F13A43705A323EDA12BD69EFAC50A09048E57498CEDE4924CF0
                Malicious:false
                Antivirus:
                • Antivirus: Metadefender, Detection: 0%, Browse
                • Antivirus: ReversingLabs, Detection: 0%
                662c58.rbf (copy)
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):29472
                Entropy (8bit):6.817865566900363
                Encrypted:false
                SSDEEP:384:YXi/n/o+H/UgljjdJu+9WcU5gWE5d6c+pBj0HRN7ToucyHRN7rP1x4l78Ka:YknwQJVdJu1qqWNL3nKa
                MD5:511F8CF3E1C960B5AA76FDA0B845D246
                SHA1:6BA029A7C545D64C044AAAD93A3DD00702BDF44E
                SHA-256:4874449EE85BCA44BE95DEA5FAD6AC4F0F5456788C928844702CC5ED4935DD83
                SHA-512:5D0F04AD49AC91202254981CB69EE6EEAEF2C89535B5F396D03EB8BC42B786AF6DB1C3763807597DBDD3E13736B70BFBDEF9149EC45190E7DB1E03E62F939EE4
                Malicious:false
                Antivirus:
                • Antivirus: Metadefender, Detection: 0%, Browse
                • Antivirus: ReversingLabs, Detection: 0%
                662c59.rbf (copy)
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):174064
                Entropy (8bit):6.871923327983383
                Encrypted:false
                SSDEEP:3072:l3ZqbqsS20jBQh6fLPbU7DuJMCIuW4vdzAY9Sx5+9:l3Zq2bQh6fL+CJMpuW4vdEY489
                MD5:57ED07CB2B239D7CF58EF98040A9B4BD
                SHA1:40BE57A54102EA5AF3D3173C8815BDF35761E5F5
                SHA-256:940FF0F7EA7149084533CF81156CAA42A05BB44656164D769DCB299ECF7A350C
                SHA-512:5459FB26218C13BFC8284E446403964D77CF27ABA51A5149FA7CD916C405811F80A93C93B1310044D586CB7C00489E3AFDDC97343CB40D945BAAEB4B80E971F3
                Malicious:false
                Antivirus:
                • Antivirus: Metadefender, Detection: 0%, Browse
                • Antivirus: ReversingLabs, Detection: 0%
                662c5a.rbf (copy)
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):274208
                Entropy (8bit):6.608613260235627
                Encrypted:false
                SSDEEP:3072:JLZNCBQSuHX5pXCcDWUE1GM6FXNQBkNo9uYKTsWycLfaMHjb3yiH:WuTDJZXiBEkuYKTVfa6
                MD5:74E8CB0C4E08C63E386F373D1D2C394D
                SHA1:4134B4A2E5BA4C72A0F8D1472D90E94D7EACBD0F
                SHA-256:75E6504A83B23A9B3D58885BFB3ED8A5C06FAB4C25139AAB83C2EC0522D2C095
                SHA-512:84BAB1D2977089AB3BAC41710FAB40AC39D2FE3B0F9FD7AA6D1E2CEDFDE004595F74A8320E21A4D313EECB407B99BAD39429C8AFA65F16698FE485C4C474CBD1
                Malicious:false
                Antivirus:
                • Antivirus: Metadefender, Detection: 0%, Browse
                • Antivirus: ReversingLabs, Detection: 0%
                662c5b.rbf (copy)
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):83232
                Entropy (8bit):6.884071103046351
                Encrypted:false
                SSDEEP:1536:DbLqOxUSsdRwFUzVCNkU1jXCizVaYecbv4MUqQmFk:DaOxfsd6FUp3uhecbv4MU
                MD5:4C360F78DE1F5BAAA5F110E65FAC94B4
                SHA1:20A2E66FD577293B33BA1C9D01EF04582DEAF3A5
                SHA-256:AD1B0992B890BFE88EF52D0A830873ACC0AECC9BD6E4FC22397DBCCF4D2B4E37
                SHA-512:C6BBA093D2E83B178A783D1DDFD1530C3ADCB623D299D56DB1B94ED34C0447E88930200BF45E5FB961F8FD7AD691310B586A7D754D7A6D7D27D58B74986A4DB8
                Malicious:false
                Antivirus:
                • Antivirus: Metadefender, Detection: 0%, Browse
                • Antivirus: ReversingLabs, Detection: 0%
                Joe Sandbox View:
                • Filename: Trustwallet.exe, Detection: malicious, Browse
                • Filename: dqVPlpmWYt.exe, Detection: malicious, Browse
                • Filename: w2IPZXaPkO.exe, Detection: malicious, Browse
                • Filename: Scanner.exe, Detection: malicious, Browse
                662c62.rbf (copy)
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):4782880
                Entropy (8bit):7.048362842065633
                Encrypted:false
                SSDEEP:98304:rcQO/zACc35FeIj0v8Tu8expRWrBu2gubZkFLOAkGkzdnEVomFHKnP7z:jqie9v8CVp4Bu2gubZkFLOyomFHKnP
                MD5:4B9941864214A7BB96D3704420C2D28C
                SHA1:05ACF3D57A349DCF29BC68A7A6F0DEC6D971B940
                SHA-256:1F9CCCA43EEF25CA44C69648124265944493FC220BCDECDB79AA28C33468B59B
                SHA-512:5CB4FFE656AB0C9973A02A7055689F8B945BCFB312B6B324432A717B2C95FF89B35BF70AE553F5176921A7DFF0E8F8F357288496EDC149CB377675130C7AD38B
                Malicious:false
                662c63.rbf (copy)
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):47592
                Entropy (8bit):6.147771533863041
                Encrypted:false
                SSDEEP:384:DA5dBlsNKvsXZWxdWvYbMktLiBr8uuPgldyevyBb7DVLN1Xzc+pBj0HRN7TPocyF:GdzvsXcb9tLkr8yTby97DVLBWUHui
                MD5:5EB37CFB087F972E0E9BF8CD9F216D0A
                SHA1:3FD426C91E122990E7746C415AEB3C9E6A459073
                SHA-256:9DBE835C0812D759A4461429D4FDE097BB9EC67A97F347F70C9796800DE92BA6
                SHA-512:865670D5EECF2EAB3BD17348FDCD31EC785F55F345E6048F83B346C16594535F59D68E6EE8F11453C2BD65D89440B50A54903D55E21F6DCB6C7DE79CDC2C06C2
                Malicious:false
                662c64.rbf (copy)
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):47392
                Entropy (8bit):6.180362861252495
                Encrypted:false
                SSDEEP:768:uDhffucVI4Sd7kYw4JUM3i/EhWrKpWin2vSd:YucVI4Sd4YJUM3XhWuoNKd
                MD5:40F626F56782D1C6AE773B202082CB92
                SHA1:65388EDEF5C7DC53A0040AD73D144D52FD02B7F8
                SHA-256:8056DF5651B576CFFAD288A322939049CF62C8A564CB53EEE187E2DCBDBD9BEF
                SHA-512:7F99BFB9C11E377BF5B1F526FA6015BF99E28683EEC5C52FB453F60F4C49561FE81B21A61A4783673C46A8F6D62E048609720674746057291A9F025F565822CD
                Malicious:false
                662c65.rbf (copy)
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):76272
                Entropy (8bit):4.788610818407564
                Encrypted:false
                SSDEEP:1536:SVPidQr0UZqnn0BDvmPS6VFaGCWKZ+e0petNSaBhp0vcsjsr8gWb8C1dCuf9xtP9:SVidQr0UZqnnSvmPS6VFaGCWKZX0Whpq
                MD5:20A38BD043C56FE2882F88944A3E6E6C
                SHA1:5E154DFD410A7F8F99D11C999DD68CD0C76842F9
                SHA-256:CD305576B63458ADF41BDB70FB6EBAED8A032294851336786A5A7169F4F57B05
                SHA-512:8C706656BA722EA7A9F313F5C1DEF41FA70D7E13D59BC5A3D8F85FE5CEDC2F014DDB76E16D15C231DD08FA6D639C8C457841FF0CCECC6B0FBAC379A460EC5C66
                Malicious:false
                662c66.rbf (copy)
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):66336
                Entropy (8bit):4.921664492323363
                Encrypted:false
                SSDEEP:768:9VmijcBEhCgy6cAu1HLPLNqyf/nWHBNhdBU2fd5GWPoRh:9Vdzfy6cAuhPLNXf/nWHNfd/PoRh
                MD5:183B42F7ECEDB4AE4BE8E06C2981EDEF
                SHA1:906365FECC6B420C63BDB05574C79571ED4C6654
                SHA-256:5C4B666503DCABF9763610EC5AB3B19D4555A5F349DE7067D6D0F7A3E8146126
                SHA-512:B4C57C1270D2E219210AEA3145148D8DC68A95ED31A0CC026413179A73961E7215DDE9F355B20859BD19B3BDDA943B48F79F94B6F7CC7BB8F4B087CD6E7F73E4
                Malicious:false
                662c67.rbf (copy)
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):75040
                Entropy (8bit):4.751545699698718
                Encrypted:false
                SSDEEP:768:5K0KnBU6gW6qg/iKuCOCF3OKWRElMRZ/IvpIfWUz1v3nl:Vwq6gW6B/iKuFm3OKWxRZ/InW1f
                MD5:D50AB1B9666BD7C9E7C134ADE3C42D1C
                SHA1:CDC5C1987689F1A0E34075CD18C692EA88C17E3A
                SHA-256:8AD53B060AA193BE6517C8C63D1855B39B6523696C617C0764822DB131E78F22
                SHA-512:489D6E0346168381066F0D372E1AD3CBC66FFD3B1F07DC80B76441DCD231563803EF940A96F93270F2BCC82A35F4793EE4B6AD6F4A15A4DAB25ACA343CB693BE
                Malicious:false
                662c68.rbf (copy)
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):76272
                Entropy (8bit):4.7728351522639585
                Encrypted:false
                SSDEEP:768:W26iNYajZELOtYFmNRYxAaTafCp5eQYZmZUjyyyyyyyyyyyyyyyUGQFUbWTVNerP:WNuqLOt6A2SCHu0joPwsM
                MD5:D58A56D308276A6323EDF45A704C443B
                SHA1:445244F7D875A04B8612E04CA1CACDC7D5275B0F
                SHA-256:22FB670A0C08110F12D9268BBC5F015E5344CD0EA61CF414F2BE4A05B3396478
                SHA-512:AB26805F0FF25ABB934B12F668E0FB5B462D27450673653251BB2B55656DDC4BCBBFA4C12445FAB46AB110E4C28B5F0A156A27D9DAB6CCC1F67748237FDFF8C0
                Malicious:false
                662c69.rbf (copy)
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):74224
                Entropy (8bit):4.770796960519436
                Encrypted:false
                SSDEEP:768:3QE6XaCyqbK15MsOwgDGxNIlW3jSCQQQjeqS1hDDg1UWTVfW5f+rWGg:3Qass5MsOwgSxNIlW3GoiTIF+yn
                MD5:B9C956ED374FFCDBA4C08C3720D1DB53
                SHA1:380CB5C40863E19D690177278C442EF2D10EFA01
                SHA-256:3C9809576B7811C9F2167AE45722C54C73926E133C5BC6B688A6C1846E9EB295
                SHA-512:4BF3FF88AC69131F6C6C23D2B492D7EEB5315259B9465F0316910B7E48FA94D16BC81D1395FE63E01C1B2E527EA8AB1B09561866FCF9EA40BE96E646F3E083A6
                Malicious:false
                662c6a.rbf (copy)
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):55792
                Entropy (8bit):5.94964592117223
                Encrypted:false
                SSDEEP:768:VpxanVn/TsfJxsr10/eu9RHreFKpWzziDpI2:Vpcnp/TsguntoXyS2
                MD5:8CDEEEB4F6DC317140C9725D26EA4894
                SHA1:154C83C29AE78C37D24F181D30F0B677E5FA8CA4
                SHA-256:C85FAD3BE1ADB9007045FFB7226F340AA5E14FB35D44DD0177641BD410C9FEA8
                SHA-512:8B3F9CC4CF2C7118276CD8BF8605F6FA2F83A8D479873BABF98DF6C46E27C86A144B289D97D3026C1B2B2384C5938B6C05E78B33AFA1A485D5866AEA083ECB21
                Malicious:false
                662c6b.rbf (copy)
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):54768
                Entropy (8bit):6.1159324346768695
                Encrypted:false
                SSDEEP:768:fjVQO54LQTNdtUaHqNA3B2I7CvqXWfQNOWho:fjZ51TNdXqNAx2I7CvqmKOWho
                MD5:628CE133C7CDE15B08CC4C07646E7E2E
                SHA1:C6623E5E01DD83C89F96D540BD3D696C324533D2
                SHA-256:854EFA87200BDD5F2FB3B6E65CC43DFC8109A84887201093BAE5EA848271F639
                SHA-512:D79CFAA24A9556702794053CBBDD2B3E9468CB98D2991999ACB344E1ADAF19D7D1DCC204C83DC255E84B362DDCC31CE0B1617374BAC1C3CFB2911169DE802014
                Malicious:false
                662c6c.rbf (copy)
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):72176
                Entropy (8bit):5.322279857085589
                Encrypted:false
                SSDEEP:768:rAv/gFXOv00iqNWTMHVhtZgFckD9uAWqMB:K6XOv0EhTW+q+
                MD5:76A39F21CC452E2A7040A78792318982
                SHA1:4EB98EAD87D9DAEB3E2D96127FFBE3727C3E2264
                SHA-256:696DDA39E8DF5BE1006E937BECE2DA07441E8C2BD79760C739922B557A7B9385
                SHA-512:9FA307E5B3FD510619298577E7FD3E036D632B11861A04FB739E4D1443F1EC530EE1E9C9018900A164162074873C50C676EB1477EFB31F3E215C779F48096B00
                Malicious:false
                662c6d.rbf (copy)
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):5082912
                Entropy (8bit):6.8680590475042465
                Encrypted:false
                SSDEEP:98304:pwTgRb/8LXPwCVSf9qGeFgHt23653x0qfSbNa/S306FLOAkGkzdnEVomFHKnPZC:6cR87wFFqG236L0XNa/S306FLOyomFHT
                MD5:109E1488C848F17E370F3973EFDE2C38
                SHA1:7F2FEB94CF7FD1378DF4963316C7941067E7EDC0
                SHA-256:0CE7B07B16BA59AAE714495043D1CC8385691125F977B34227DBE826DA6D1EEF
                SHA-512:6C66CA88306106E07432D05AE60A0278D6619E57B1B1EAC5C1AD4B02F3DD13EA8F68FE986322877FA975077C879629E0248239C00654420353772E8287583E23
                Malicious:false
                662c6e.rbf (copy)
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):82720
                Entropy (8bit):6.481840055375367
                Encrypted:false
                SSDEEP:768:7xg82UCqlWXqCVz79dzv3sG2wlv13BVO5ncylfhcsZGolyQw3n/20c6dhVbuwSy1:J2Slq7vzvvTyphcsZGBpcGhQwSwUJ0
                MD5:F46353456429BF7768968B6285D7C2FB
                SHA1:5A6A6D4DB4BBD32CD141C3CD3D4F1996F1D27084
                SHA-256:D7FA4DFD8681B10EBF04CB5C72D0F3A20EAF9C4D287CC05C973561EC8DC6A019
                SHA-512:92C1F4C4AE572DBA8409FBC51F1ACC7FE5C347AFBD0A8B4EABDD339C4F4EF91698B7487E0F4708B89FAE8D2D436644026B89EC53F16F128DA9D773BB5AFE23C2
                Malicious:false
                662c6f.rbf (copy)
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):82720
                Entropy (8bit):6.4817802924170635
                Encrypted:false
                SSDEEP:1536:V8alW6KV4ueuAUnPcsZGVxIb+OvE1R4Wod:K6KpQUnPcsKIbHv+i
                MD5:A67DD2E47CAC448F5E0995FD8634FD4B
                SHA1:879F96580C33618EB4D4349DE3215A87BA132A56
                SHA-256:F371D0868A9BAD5B012AC25BDC55FBF41D7F9535ECDE1A37CB23F2732F5ED303
                SHA-512:912238A4299D50481EF3C48A0E7DBD799B29880131A9667AACD252E3BACE8CDD38F0EAA2EB2C6EE7380B8146B105F94E54F43134AFA841F70176C5F4F318D909
                Malicious:false
                C:\Config.Msi\662c52.rbs
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):14740
                Entropy (8bit):5.541534973052868
                Encrypted:false
                SSDEEP:192:PURxKoRxKfRZvQCf8AFSZShhhhhhhLqRxYyzF2:PURxVRxWRZVLFSt2
                MD5:9CF98D3112F045D8079B0F5B2AEED1A1
                SHA1:EACB1FEEE756C75C05CE8A9821D2EC4088F3D7E4
                SHA-256:0205C14AD91FDB805595E724F9F73616524EE1DDD7BA754C1ECCEA2445627E62
                SHA-512:CE7CC303968CCDCBE8D61C383C7E15B35E925DE0B083E5C3BF0CCB96C007472072B7ED9508135CFFDFEAE790F804057F1ADBBB4141C03CC8FD16A4A1EB708A37
                Malicious:false
                Preview: ...@IXOS.@.....@K>.S.@.....@.....@.....@.....@.....@......&.{19F7E289-17B8-44EC-A099-927507B6F739};.Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702..vc_runtimeMinimum_x86.msi.@.....@6l...@.....@........&.{4EC06479-0528-4ADB-820D-6027E57F3B81}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....InstallInitialize$..@....z.Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\982E7F918B71CE440A992957706B7F93\Transforms...@....(.$..@....@.Software\Microsoft\Windows\CurrentVersion\Installer\TempPackages...@....(.&...C:\Windows\Installer\be1e5.msi..#0$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\982E7F918B71CE440A992957706B7F93\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... ... ......
                C:\Config.Msi\662c55.rbs
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):16051
                Entropy (8bit):5.547722555157062
                Encrypted:false
                SSDEEP:192:mQXZhhhhhhhhUXQMe6MH8DXMH8DvJnQEs4qMfpE:ms2X5MH8jMH890t
                MD5:122F8539DB3E482EAE997BFA548CA3D0
                SHA1:29A3E7BA3018C1F796898DB4EEC84896A126EADA
                SHA-256:AE0519B6350347A6D365B4A2BA4683A5657773CBAE6AC6E8A6E44D60A0813ED8
                SHA-512:03548344ADD0E1B528F582622B9741D2FA5395A9FE9B3C77C2055B88AA5C18A3501CCF869FA21A1DDBA3380EEC9C716F0238E311FF90E34F37AFFFBFD199F2FE
                Malicious:false
                Preview: ...@IXOS.@.....@L>.S.@.....@.....@.....@.....@.....@......&.{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2};.Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508..vc_runtimeMinimum_x86.msi.@.....@\o...@.....@........&.{DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{E3819B64-3C56-3DD7-921D-00B011AD31DE}&.{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}.@......&.{42F41217-AF8B-33D4-9CB3-FF5F696BECBB}&.{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}.@......&.{E8E39D3B-4F35-36D8-B892-4B28336FE041}&.{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}.@......&.{A2AA960C-FD3C-3A6D-BD6F-14933011AFB3}&.{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}.@......&.{A2E7203F-60C2-3D7E-8A46-DB3D381A2CE6}&.{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}.@......&.{BC0399EF-5E9D-3C7C-BFF5-5E9A95C96DAF}&
                C:\Config.Msi\662c60.rbs
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):16367
                Entropy (8bit):5.48231876941138
                Encrypted:false
                SSDEEP:384:ts8ERHXeGRjXeAR1v0GBT9Kaqw4qBheUM+raEgxStXv55FzyVGQPViV6ShKWH:ts84n1R1v0GBT9Kaqw4qBheUM+raEgkN
                MD5:2C834EBEA1F96F9115B09568F3B591BC
                SHA1:406B2F47A399801E18B988AFC02555F52B2DA3AA
                SHA-256:FB7BEA10109BF8839D9B6E38D30AEF23AAFAA2A50E655E1F57DED3FB7DE8C695
                SHA-512:37F69D72F9578A519F099000F0FEBFF0018A1169B66440F12B1D0E618C56CA22261E142BC87616594D56E3DFF0EE364937A1ECB82482C6F593FE28B52C1B99DF
                Malicious:false
                Preview: ...@IXOS.@.....@]>.S.@.....@.....@.....@.....@.....@......&.{213668DB-2263-4E2D-ABB8-487FD539130E}>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702..vc_runtimeAdditional_x86.msi.@.....@6l...@.....@........&.{26AB52D0-6847-46B4-81E4-7CED60CF25DC}.....@.....@.....@.....@.......@.....@.....@.......@....>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....InstallInitialize$..@....z.Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\BD8663123622D2E4BA8B84F75D9331E0\Transforms...@....(.$..@....@.Software\Microsoft\Windows\CurrentVersion\Installer\TempPackages...@....(.&...C:\Windows\Installer\be1e9.msi..#0$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\BD8663123622D2E4BA8B84F75D9331E0\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... .
                C:\Config.Msi\662c61.rbs
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):19646
                Entropy (8bit):5.520690921123956
                Encrypted:false
                SSDEEP:384:QAKnYqm11+GMGOHv5/i8GKCwBNEwBiFSiqQDSR2IB:QZnYqm/+GMGOHv5/i8GKCwHEwUFSi5Dw
                MD5:1F02344B45BDA6D3F2EA8763AE88995F
                SHA1:D65056E361C4B0467354336D9AE77CA1F59AF8FA
                SHA-256:B9E14B41D33E45E4996D41EF0714B984FCFA2C3B7632D5DD10D52E59E4A1AE56
                SHA-512:9AB23B9EE805DB40A3F4F4905EE0B6110499FB3D43F69204CCAFCD46CFB95AB08F2B76BE8B4B8E98D59C6D6B51DFEDC5B84FABA72D9F9FF77237681314DB608A
                Malicious:false
                Preview: ...@IXOS.@.....@b>.S.@.....@.....@.....@.....@.....@......&.{0FA68574-690B-4B00-89AA-B28946231449}>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508..vc_runtimeAdditional_x86.msi.@.....@\o...@.....@........&.{AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}.....@.....@.....@.....@.......@.....@.....@.......@....>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{E3819B64-3C56-3DD7-921D-00B011AD31DE}&.{0FA68574-690B-4B00-89AA-B28946231449}.@......&.{4FD4AB8C-C57F-3782-9230-9CCA22153AD3}&.{0FA68574-690B-4B00-89AA-B28946231449}.@......&.{46A1EA6B-3D81-3399-8991-127F7F7AE76A}&.{0FA68574-690B-4B00-89AA-B28946231449}.@......&.{C94DDE19-CC70-3B9A-A6AF-5CA7340B9B9A}&.{0FA68574-690B-4B00-89AA-B28946231449}.@......&.{946D6FA6-49BB-3415-AD2D-4D634C432CF0}&.{0FA68574-690B-4B00-89AA-B28946231449}.@......&.{E533B148-A83A-3788-A763-0C6C4
                C:\Config.Msi\662c72.rbs
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:modified
                Size (bytes):3609
                Entropy (8bit):5.20242245903419
                Encrypted:false
                SSDEEP:96:G1dCmt5dfe4mNtvRqTY2mNSZd7ZdnvRqTYfZd7ZdSWm9imxc+iS0Xy:GHeHq+srSWrCV/eVS0i
                MD5:80D90ABF9651718C43157A654D8B4B31
                SHA1:3695B0BA5311D880640ECC94B498C709BBDA4055
                SHA-256:E490CF2121D063EED9925CFD62BE7037C01F8C6399AD08FFD719729FB937CECE
                SHA-512:FD21CC06A2EDCE716ED4760FA10D1D4A005371952974EB842C563DF8AA46009C64CF6C7133065BBB957526C3FAC4D9724561D5D5E013F08261600A58FEB098A5
                Malicious:false
                Preview: ...@IXOS.@.....@l>.S.@.....@.....@.....@.....@.....@......&.{0FA68574-690B-4B00-89AA-B28946231449}>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508..vc_runtimeAdditional_x86.msi.@.....@\o...@.....@........&.{AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}.....@.....@.....@.....@.......@.....@.....@.......@....>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....RegisterProduct..Registering product..[1]$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\47586AF0B09600B498AA2B9864324194\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... ... ................@....$..@....3.Software\Microsoft\Windows\CurrentVersion\Uninstall............................................. ...!.......?........... ... .......?...................?.........................................8..........
                C:\ProgramData\Microsoft\Network\Downloader\edb.log
                Process:C:\Windows\System32\svchost.exe
                File Type:MPEG-4 LOAS
                Category:dropped
                Size (bytes):1310720
                Entropy (8bit):0.2485865078881609
                Encrypted:false
                SSDEEP:1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4N:BJiRdwfu2SRU4N
                MD5:0312B0A3E6A05F630069BE556AD4AF9C
                SHA1:25CCD57D48899774C82AEE1647C010420566E0C8
                SHA-256:64E68B74099270F5E5276DEF6B17C122DE2209443BC449886459F71BD1952B05
                SHA-512:78AF4020D77650918C6B33AD32341B47242F31BEF76C58715999C31DFFEF935A046A296CCE95B72A4C0DF11999B755C56C255D43B0898F46D3BFA51630F53202
                Malicious:false
                C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                Process:C:\Windows\System32\svchost.exe
                File Type:Extensible storage user DataBase, version 0x620, checksum 0x280d9fa2, page size 16384, DirtyShutdown, Windows version 10.0
                Category:dropped
                Size (bytes):786432
                Entropy (8bit):0.2506659623988218
                Encrypted:false
                SSDEEP:384:c+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:DSB2nSB2RSjlK/+mLesOj1J2
                MD5:F1E0666711D5D357E66F5B9064FFDF96
                SHA1:5EC80158AAA47DB63359E1FAF4DB6278B56B90B2
                SHA-256:63537DAEC568B769F97D10D35F838E4239889800FBE2FD2288A6360C9B63B0BF
                SHA-512:7DE7D8F8B2E8A8BD5B3429E1540A619C67679DF35DB1E4C836C946EE46D7C71DA3EE988DE24D2D8DEF5A594D6384B8DF1816A57CA9B7B834B2D042CEDAEF7180
                Malicious:false
                C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                Process:C:\Windows\System32\svchost.exe
                File Type:data
                Category:dropped
                Size (bytes):16384
                Entropy (8bit):0.07576643195493825
                Encrypted:false
                SSDEEP:3:mkGl7EvUXqqlkhl/bJdAtiVk/Xall3Vkttlmlnl:mfliUPkht4x23
                MD5:984F8F6F68B1F841F6E6EEA96991D711
                SHA1:DDB1568E0ED63235BD0ABBDDB9EA7F854EAB82D5
                SHA-256:3E00CF08911197C02F402B611BF27D55EF09A60EB87563C03E8559F02662B04E
                SHA-512:51ECB4CE3D1640B98F39EC4D4A7B840690206C85D3153C78F6AF0E995C4F9C33E810CC640E8AD22E00D4DD38F9019B1DFAEBABB33091A4455E6149A5761423B7
                Malicious:false
                C:\ProgramData\Package Cache\.unverified\cab54A5CABBE7274D8A22EB58060AAB7623 (copy)
                Process:C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exe
                File Type:Microsoft Cabinet archive data, 1350653 bytes, 50 files
                Category:dropped
                Size (bytes):1367669
                Entropy (8bit):7.997832401624505
                Encrypted:true
                SSDEEP:24576:OawWVgz9615LBBl9NWA5852M/fzoapq0m9Oz03FOae6p4Cjd81kD0+0CCxco2iJs:OawWV+96vVBNWOMU0qhOz035e6ppNCst
                MD5:29C34C40D349C145E297B6977908E687
                SHA1:025B5CF7D6515CC6151628063752C159F41D99C7
                SHA-256:61AACFF6365DA15F2C9D0FF1C8FB2EC207D145CD9104AFA0CE663BF1542DB245
                SHA-512:BBD9F65C2619DE25F99A8BA21346D7EA46DB9EBA79FEB6039E0E86999D1EA2C9A4564FA727DDA442A69C169DBDC8A4913DF925C42B3AD7F4030A655AC01C0691
                Malicious:false
                Preview: MSCF............D...........2...................xB..........~...o....O........(P.. .api_ms_win_core_console_l1_1_0.dll..M...O....(P.. .api_ms_win_core_datetime_l1_1_0.dll..N........(P.. .api_ms_win_core_debug_l1_1_0.dll. M........(P.. .api_ms_win_core_errorhandling_l1_1_0.dll. [...9....(P.. .api_ms_win_core_file_l1_1_0.dll. M..0.....(P.. .api_ms_win_core_file_l1_2_0.dll. M..P.....(P.. .api_ms_win_core_file_l2_1_0.dll. M..p.....(P.. .api_ms_win_core_handle_l1_1_0.dll..O...{....(P.. .api_ms_win_core_heap_l1_1_0.dll..O........(P.. .api_ms_win_core_interlocked_l1_1_0.dll..O..p.....(P.. .api_ms_win_core_libraryloader_l1_1_0.dll..W..`k....(P.. .api_ms_win_core_localization_l1_2_0.dll..O..P.....(P.. .api_ms_win_core_memory_l1_1_0.dll. M..@.....(P.. .api_ms_win_core_namedpipe_l1_1_0.dll..Q..``....(P.. .api_ms_win_core_processenvironment_l1_1_0.dll..U..P.....(P.. .api_ms_win_core_processthreads_l1_1_0.dll..O..@.....(P.. .api_ms_win_core_processthreads_l1_1_1.dll..K..0X....(P.. .api_ms_win_core_
                C:\ProgramData\Package Cache\.unverified\cabB3E1576D1FEFBB979E13B1A5379E0B16 (copy)
                Process:C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exe
                File Type:Microsoft Cabinet archive data, 5194062 bytes, 14 files
                Category:dropped
                Size (bytes):5211054
                Entropy (8bit):7.998080908238165
                Encrypted:true
                SSDEEP:98304:dEpMtGvCYmfjBvRxMh7vhetajX6x0XSvrTBEbwwF0XVsvufq:dElCPLBvE8xuEebw6vuy
                MD5:4FEADE30692872EAB413C1123A5F3DE4
                SHA1:B08C319BD7E01176F02D0DC3B4AA8B7C5B9A82C6
                SHA-256:2805E5CC8E477AC1D6847B3CF083A85EC463F646037B59C93CB9E3096A78B81A
                SHA-512:145956C65E193AD5309CA3C0F0BC94DFB20C6BCF73494BDE2ABC48F6495061EE727C9FAA1B97739FE3028873A540A5F17FDFFEB08D8C3A35C2CD7B3DDB088E54
                Malicious:false
                Preview: MSCF....NAO.....D...........................NAO.`B..............F... .H.......(P.. .mfc140.dll.... .H...(P.. .mfc140chs.dll. .....I...(P.. .mfc140cht.dll..)..(nJ...(P.. .mfc140deu.dll. .....K...(P.. .mfc140enu.dll. %..8.L...(P.. .mfc140esn.dll..)..X.M...(P.. .mfc140fra.dll..!..H.N...(P.. .mfc140ita.dll.....8.P...(P.. .mfc140jpn.dll.....(.P...(P.. .mfc140kor.dll.......Q...(P.. .mfc140rus.dll. .M...R...(P.. .mfc140u.dll. C..(e....(P.. .mfcm140.dll. C..H.....(P.. .mfcm140u.dll..J.%.4..CK..w....0...Q6Q..}.......[.nl....;. ...L.....H%.K.w}.<.u..y.y.....g........M6....E..}.m.=...?....?.$Q4...O..;..<8....^{........].Ov....<$.u.d..${...........i..z......s,p.....?...8..F......].~=c.{.].~=m.C.?~..A..6....O....~.h...\..v...s.l..z..'..q..=|..l...........h.I&...j.N..Y..;.I..-*'D.....;/.Eq.....(...../SG..u..t..eO|o.p..F.../......{t....E..g/..$.s./..v.........l.Vt.y...L....xW.e&._.i.d..Q4.c......?.=.8$...9..]..N....X>a.]..%...._g.Ng...w.5..........V........v71.~2.
                C:\ProgramData\Package Cache\.unverified\vcRuntimeAdditional_x86 (copy)
                Process:C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exe
                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}, Create Time/Date: Wed Jan 8 09:31:14 2020, Last Saved Time/Date: Wed Jan 8 09:31:14 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
                Category:dropped
                Size (bytes):184320
                Entropy (8bit):6.3376915344280516
                Encrypted:false
                SSDEEP:3072:JviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdN:JvipBaTDo1j//SZhN
                MD5:4B97853A7D10743D67665CCDD67E8566
                SHA1:AF5F7059C9A05A388B4773917E17A078FA58F5E9
                SHA-256:63802C8D96CF21A8EADB1EC5B0B52A9A040581AB2797FE5132E1B3A469108713
                SHA-512:ED88564A372FBA36FB7F2D98476C82D1D66B17B25AB9B6C34489D33BB7F1D64ABBD2E746E75470E05DECA09252D9B855AB0F37F6F82210AF3F006C9A683C7370
                Malicious:false
                C:\ProgramData\Package Cache\.unverified\vcRuntimeMinimum_x86 (copy)
                Process:C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exe
                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}, Create Time/Date: Wed Jan 8 09:28:18 2020, Last Saved Time/Date: Wed Jan 8 09:28:18 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
                Category:dropped
                Size (bytes):192512
                Entropy (8bit):6.237627585353464
                Encrypted:false
                SSDEEP:3072:VGviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdNt:8vipBaTDo1j//SZhN
                MD5:6AA3A12A374E36C6A7BD75B7627A5A7C
                SHA1:56DD5F67FE9FB9C9B70470F535FC2DD6C2DECF38
                SHA-256:AA5B428789D83FBCD60442EE253B364C5FC833C698C1DC1EB73F5559A63FB976
                SHA-512:B3A4497E3629A4ED8DB8C7D83C5D8CF2270D7DCE320CA4D5009EDB0F6CBC3F3759A2F753ED0C673EFAF521AA175E2E6D53FC609F351B8A0AA00D74BC4F179720
                Malicious:false
                C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\state.rsm
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:data
                Category:dropped
                Size (bytes):1156
                Entropy (8bit):2.8954647734219785
                Encrypted:false
                SSDEEP:12:/ZK34pgMClGttD6+xU9m4RCMzttun2QBa1Q1UMClB609TO3Xun2Q/1Q1UMClB60R:xKUgMClccDRNqSMClBjC3IqSMClB
                MD5:BF9FEB12F877E15CBCEE6319DF272F29
                SHA1:339163485F0B3B7B4DF4E6775EE014B2A8AB89D5
                SHA-256:209DC0F262AA37BA20006EBB140EC566B20DAA053807EBB20A0109B83BA146AC
                SHA-512:EA3E9F1A34B28954E147AF37DBEE2E0F4054B8C771D5B32EB083F92B7897E0149BC8ACB0A82B7FF3AA91D5E97AFD237DF35756223E2C8F0BB7B90DDA38218D07
                Malicious:false
                Preview: F...............................................................................................................................................................................................................................................W.i.x.B.u.n.d.l.e.F.o.r.c.e.d.R.e.s.t.a.r.t.P.a.c.k.a.g.e.....................W.i.x.B.u.n.d.l.e.L.a.s.t.U.s.e.d.S.o.u.r.c.e.........................W.i.x.B.u.n.d.l.e.N.a.m.e.....B...M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.5.-.2.0.1.9. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .(.x.8.6.). .-. .1.4...2.1...2.7.7.0.2.............W.i.x.B.u.n.d.l.e.O.r.i.g.i.n.a.l.S.o.u.r.c.e.....w...C.:.\.U.s.e.r.s.\.p.r.a.t.e.s.h.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.P.a.c.k.a.g.e.s.\.M.i.c.r.o.s.o.f.t...M.i.c.r.o.s.o.f.t.E.d.g.e._.8.w.e.k.y.b.3.d.8.b.b.w.e.\.T.e.m.p.S.t.a.t.e.\.D.o.w.n.l.o.a.d.s.\.v.c._.r.e.d.i.s.t...x.8.6. .(.1.)...e.x.e.............W.i.x.B.u.n.d.l.e.O.r.i.g.i.n.a.l.S.o.u.r.c.e.F.o.l.d.e.r.....b...C.:.\.U.s.e.r.s.\.p.r.a.t.e.s.h.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.P.
                C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                Process:C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):647912
                Entropy (8bit):7.215948724836638
                Encrypted:false
                SSDEEP:12288:snMwHskY7gjcjhVIEhqgM7bWvcsi6aVhPIyP3WRCzJ9ztLz5/YTDd:6MysZgjS1hqgSC/izxf+czJZhz5Qnd
                MD5:2F9D2B6CE54F9095695B53D1AA217C7B
                SHA1:3F54934C240F1955301811D2C399728A3E6D1272
                SHA-256:0009D3F27837C3AF3F6FFF7973FAF07AFAA4B53119846F55B6F2A79F1759C757
                SHA-512:692857F960F26039C7B0AF6329E65A71E8588FF71EAAC6B956BD6E437994A8D5A470C7E75DD776E0772E473967B64D5EA0E1D8396546691316DAF4D6B8CCC237
                Malicious:false
                C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\state.rsm
                Process:C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exe
                File Type:data
                Category:dropped
                Size (bytes):854
                Entropy (8bit):2.5155157298473805
                Encrypted:false
                SSDEEP:12:7ZK34pgMClGttDa+xU9m4RIb7ttun2QCUel1s5un2QFG:lKUgMClccDR8ht1
                MD5:3AD27D3DC00B51235A5C9E9E0D698A2B
                SHA1:5611616F8694678DCD10EF5DAC5AD5A5ED2081BD
                SHA-256:B40DA618F2C4D1EECB2A4DE0D0BBA23DB7C4EFBEEF0C1FADC3BF0E9DEC78A19C
                SHA-512:0EA7EEA498243CCF899F65548F1C0D60D6A678DF9B401F45DAD3D1707828EA963446BC1351726777CB2C370775427A32C4726F8B432363562F3A7A27EA4325EA
                Malicious:false
                Preview: J...............................................................................................................................................................................................................................................W.i.x.B.u.n.d.l.e.F.o.r.c.e.d.R.e.s.t.a.r.t.P.a.c.k.a.g.e.....................W.i.x.B.u.n.d.l.e.L.a.s.t.U.s.e.d.S.o.u.r.c.e.................................W.i.x.B.u.n.d.l.e.N.a.m.e.....B...M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.5.-.2.0.1.9. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .(.x.8.6.). .-. .1.4...2.5...2.8.5.0.8.............W.i.x.B.u.n.d.l.e.O.r.i.g.i.n.a.l.S.o.u.r.c.e.....%...C.:.\.z.t.g.\.f.i.l.l.P.r.o.x.y.\.b.i.n.\.v.c.r.e.d.i.s.t._.x.8.6...e.x.e.............W.i.x.B.u.n.d.l.e.O.r.i.g.i.n.a.l.S.o.u.r.c.e.F.o.l.d.e.r.........C.:.\.z.t.g.\.f.i.l.l.P.r.o.x.y.\.b.i.n.\.................................
                C:\Users\user\AppData\Local\Temp\MSI6f6a4.LOG
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                Category:dropped
                Size (bytes):2702
                Entropy (8bit):3.6791240131874527
                Encrypted:false
                SSDEEP:48:YcBUU5dZFIh9JahD1JKhSdj6RLBLXVhpFORLpOQmj/AcWcaqcE+otocwmgN5B:YwnDZFIhbahHKhOjaLBLFhbOTOQmMdfH
                MD5:C5C7098A3D8380C1E4DC505554F8DDE0
                SHA1:882EBA38F25B1DBB20D56EA5B5B2A35A82880044
                SHA-256:8A19FCBCD58AC20B434CF0F647396169782C9AD6A42E1F04B47B31438E1A5D14
                SHA-512:449A55D5F91B3DFC18CB73D3C53BF4CC92ACEF576CAF7250B758D02C41B2EEAD3AAB8E985CC77AD93BC9AD929351B66BF2D2B06DFD5104154EBEA290950DB3E7
                Malicious:false
                Preview: ..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .1.2./.1.5./.2.0.2.1. . .7.:.5.1.:.0.7. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.a.c.k.a.g.e. .C.a.c.h.e.\.{.6.5.e.6.5.0.f.f.-.3.0.b.e.-.4.6.9.d.-.b.6.3.a.-.4.1.8.d.7.1.e.a.1.7.6.5.}.\.V.C._.r.e.d.i.s.t...x.8.6...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.D.8.:.0.4.). .[.0.7.:.5.1.:.0.7.:.1.4.8.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.D.8.:.0.4.). .[.0.7.:.5.1.:.0.7.:.1.4.8.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.D.8.:.0.4.). .[.0.7.:.5.1.:.0.7.:.1.4.8.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.a.c.k.a.g.e. .C.a.c.h.e.\.{.0.F.A.6.8.5.7.4.-.6.9.0.B.-.4.B.0.0.-.8.9.A.A.-.B.2.8.9.4.6.2.3.1.4.4.9.}.v.1.4...2.5...2.8.5.0.8.\.p.a.c.k.a.g.e.s.\.v.
                C:\Users\user\AppData\Local\Temp\MSI6f6a5.LOG
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                Category:dropped
                Size (bytes):4434
                Entropy (8bit):3.70546095955533
                Encrypted:false
                SSDEEP:96:Y4DZFgmRjaLBLlOFNfWtJ4g81cyH1cy7foZeDy4eDMtJm35:lVsLBLlOFzBVVVcgDy7D1p
                MD5:965E004172582636B86447F338F10266
                SHA1:9A157A18584CD76E1A22E8EE95FAD4A36BA50110
                SHA-256:FD4FD3962793958F10B8724355D2B2B7111F7817FD0C0FD2E45A8B4CD3C0A794
                SHA-512:99EAE3276FD8F37B259C5B1CCCFAC14F010D427C3E28AEC5FEB51C7E9F401102550F33CDE8B7FA5D79D02E869543555378488B52B56F08F30F6912C942B8F690
                Malicious:false
                Preview: === Verbose logging started: 12/15/2021  7:51:14  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe ===..MSI (c) (D8:28) [07:51:14:290]: Resetting cached policy values..MSI (c) (D8:28) [07:51:14:290]: Machine policy value 'Debug' is 0..MSI (c) (D8:28) [07:51:14:290]: ******* RunEngine:..           ******* Product: C:\ProgramData\Package Cache\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\packages\v
                C:\Users\user\AppData\Local\Temp\MSI6f6a6.LOG
                Process:C:\Windows\System32\msiexec.exe
                File Type:Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
                Category:dropped
                Size (bytes):81122
                Entropy (8bit):3.7796658981885676
                Encrypted:false
                SSDEEP:1536:mLV+EZUMqOnJyZ3K5j80GvkyGzZgYbF9A1L/do0wKql6jCIQ:m89jCP
                MD5:03CDB75CA07065C32138A312AC4591F9
                SHA1:7DD988A03843818FEDB63EE9EA13EE11B9682B3D
                SHA-256:BF94291C5379569B7A6AF8526A597E592548FFF01ABBE692D912C8E38097A136
                SHA-512:1E529B22D3CAA1976A9291C365B48F87ABD40BAD22746DA950F752306307999E299EA0E9B955285C8CCEE2A5D121CEF5B7910E3ADDA22C7B9054FFF6CF49D265
                Malicious:false
                Preview: === Verbose logging started: 12/15/2021  7:51:21  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe ===..MSI (c) (D8:28) [07:51:21:040]: Resetting cached policy values..MSI (c) (D8:28) [07:51:21:040]: Machine policy value 'Debug' is 0..MSI (c) (D8:28) [07:51:21:040]: ******* RunEngine:..           ******* Product: C:\ProgramData\Package Cache\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\packages\v
                C:\Users\user\AppData\Local\Temp\aiw6653171.EXE
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):48128
                Entropy (8bit):6.3377933069406085
                Encrypted:false
                SSDEEP:768:5AOeS5yLM+ZCTrAthB5XWenVL0/fWHrHWicASQqvBMxJmgo71yncc:59qZdHWep0GH7WiLcMxJPo7s
                MD5:5BE82656185B51148A4F0B3ECF16788C
                SHA1:825DE97A1C861D07B9859E67FA3C1908378AF53A
                SHA-256:6B4A95A4468D79C1D09A0A4ECA5A504D406C4BBE532D8475F68AA6DDCF91572B
                SHA-512:387FC089CB295B867B113523BEE5F321BC480A96D2176815EC39DC87E26C16BB9BF1AB93419E122DD3A1FCB33AD5B001960DF6323D74809DC22DBCD793879FB2
                Malicious:false
                C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211215075009.log
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:ASCII text, with very long lines, with CRLF line terminators
                Category:modified
                Size (bytes):17670
                Entropy (8bit):5.508724858507934
                Encrypted:false
                SSDEEP:192:DAlqnL10161h1V1y1I1X1wjft4wTEBq52nX3XBWm4l4Ani8NLGjE1:DAMojft48QX3xL8NLME1
                MD5:3ADC7CC8A91EB7DEE6C1E4E6C4D419B7
                SHA1:757196A5EC47BA061CB9CBB83BF7BE69641DE2FA
                SHA-256:6B609EEBC894FAE27F29EA52A55F4CCFF6D07FF8F52B6A080E4E057B67908818
                SHA-512:3551B896866C19B17E3D7363F723FC4A20EF782BBFADCDB0A32912F2A57499860956326443CFF72A29496FBE19D344CAD2A588A6677C75D28D8D50E471CD42F7
                Malicious:false
                Preview: [15F4:15B0][2021-12-15T07:49:55]i001: Burn v3.10.4.4718, Windows v10.0 (Build 17134: Service Pack 0), path: C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe..[15F4:15B0][2021-12-15T07:49:55]i009: Command Line: '-burn.clean.room=C:\ztg\fillProxy\bin\vcredist_x86.exe -burn.filehandle.attached=564 -burn.filehandle.self=648 /q'..[15F4:15B0][2021-12-15T07:49:55]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\ztg\fillProxy\bin\vcredist_x86.exe'..[15F4:15B0][2021-12-15T07:49:55]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\ztg\fillProxy\bin\'..[15F4:15B0][2021-12-15T07:50:09]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211215075009.log'..[15F4:15B0][2021-12-15T07:50:09]i000: Setting string variable 'WixBundleName' to value 'Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.25.28508'..[15F4:15B0][2021-12-15T07:50:09]i000: Setting string variable
                C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211215075009_000_vcRuntimeMinimum_x86.log
                Process:C:\Windows\System32\msiexec.exe
                File Type:Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
                Category:dropped
                Size (bytes):232368
                Entropy (8bit):3.8268493427369528
                Encrypted:false
                SSDEEP:3072:irVB/KP1jC9rrrrrryLfgSjrx88888888w1JLAtgyiQ/kyII0akv9drJo:Fj7jp
                MD5:AAEA036B76E5079316B9A3652B0D48DC
                SHA1:FE42EC3D5D87800B77BD6410E04E6E4A8BE1AEC5
                SHA-256:97BA9AEF3470A78FAF20D42EC95A52CDBAB740EDE2D01921537F5CF8D996D9CF
                SHA-512:8CC189506EB08EC216498447B0253A27B42D39434885161589A6A8EC14928544AFA241286B83F3EA9F1C232652DA230AE56AAD3B18F58BDD332D5CFF7399E45D
                Malicious:false
                Preview: === Verbose logging started: 12/15/2021  7:50:14  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exe ===..MSI (c) (88:EC) [07:50:14:696]: Resetting cached policy values..MSI (c) (88:EC) [07:50:14:696]: Machine policy value 'Debug' is 0..MSI (c) (88:EC) [07:50:14:696]: ******* RunEngine:..           ******* Product: C:\ProgramData\Package Cache\{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}v14.25.28508\packages\vcRuntimeM
                C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211215075009_001_vcRuntimeAdditional_x86.log
                Process:C:\Windows\System32\msiexec.exe
                File Type:Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
                Category:dropped
                Size (bytes):269102
                Entropy (8bit):3.8331587178340505
                Encrypted:false
                SSDEEP:3072:0s65tNJcjIoVVVVVVVVVVVVVsg6PjYybbbbbbbiiiiiiuHXwRkUDy3m3NI0I98kA:djMjd
                MD5:E7B6E784B6098CF476D7C1DE330FD29C
                SHA1:03DF81151EF7766FAC58017C8E40A77A125D1844
                SHA-256:E19DECFA9F7123A6A2ABDF8D48B1C0079441145326F8627FDF5106EBBFC0E384
                SHA-512:0600E7330F1E39FA336535345DF0EC6728A925D566CA7B002B70A6417A1E6513DF0C31EC7F9DE07AA41329CA8D095497038721176F06C63CF08AC569A791876F
                Malicious:false
                Preview: === Verbose logging started: 12/15/2021  7:50:46  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exe ===..MSI (c) (88:74) [07:50:46:243]: Resetting cached policy values..MSI (c) (88:74) [07:50:46:243]: Machine policy value 'Debug' is 0..MSI (c) (88:74) [07:50:46:243]: ******* RunEngine:..           ******* Product: C:\ProgramData\Package Cache\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\packages\vcRuntimeA
                C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211215075134.log
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:ASCII text, with very long lines, with CRLF line terminators
                Category:dropped
                Size (bytes):9014
                Entropy (8bit):5.39325798272163
                Encrypted:false
                SSDEEP:96:BgdOZW7LD2i6nHRt41o121l1h1G1U1b1F7bVqEyZE/0EzYdRnRB4bYev0e7Zeoqo:YvD6nw1o121l1h1G1U1b144L
                MD5:2DAD473F61045FB06BD46C3C88C51DA7
                SHA1:960F07349046DEB23B4F447A8F4E14BB1F5F0D23
                SHA-256:73E7C13A1A268A3039E6F6DA7F3BDD64737FAD07C34E2D561FABD338AEF497EB
                SHA-512:0A38DEE699B273F322FC7B2D3FFCBF52D99C1748DAE0951E8FE2CF944327E81597CEE495AEC15C9A3BC8498EF7FCC2DE71300BDDAF52420A56442987D6480189
                Malicious:false
                Preview: [08D8:0198][2021-12-15T07:51:20]i001: Burn v3.10.4.4718, Windows v10.0 (Build 17134: Service Pack 0), path: C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe..[08D8:0198][2021-12-15T07:51:20]i003: This bundle is being run by a related bundle as type 'Upgrade'...[08D8:0198][2021-12-15T07:51:20]i009: Command Line: '"-burn.clean.room=C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.filehandle.attached=564 -burn.filehandle.self=584 -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=992 -burn.embedded BurnPipe.{194902FD-C586-4C01-993D-93F130A238F3} {9A8E0363-256F-4B62-B2C0-A739805587AC} 6792'..[08D8:0198][2021-12-15T07:51:34]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211215075134.log'..[08D8:0198][2021-12-15T07:51:34]i000: Setting string variable 'WixBundleManufacturer' to value 'M
                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\fillProxy\ fillProxy.lnk
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Dec 15 14:49:46 2021, mtime=Wed Dec 15 14:49:46 2021, atime=Wed Dec 15 14:49:46 2021, length=0, window=hide
                Category:dropped
                Size (bytes):785
                Entropy (8bit):4.498673550772882
                Encrypted:false
                SSDEEP:12:8mM3c1RK/eoZGpZVw3cYdZiKwGlT6qCGeAjAwfzhGYU6wUNlLhmJ7hmJHm:8mMhGjPYv4GlAPUAyhXFlVm/m1m
                MD5:C9EB022BCB452D0EBE5CD1FD201627DD
                SHA1:C2C63CD7CFAB818C3B8A90E5229F1925E7B711D1
                SHA-256:4CB5E82E8594B026A722AF1C62413B5E4173732DCAE4FDB0818A0A79FBC65618
                SHA-512:56F4A9FADFC6407FBD09E5E86038A842AB30CA66A247039B09CDEA70CAFEED48FB4F6565F766FE167953BFFD20A0533875433C43142C73D84BB7BAE288540432
                Malicious:false
                Preview: L..................F.... ...R8.b....R8.b....R8.b............................=....P.O. .:i.....+00.../C:\...................J.1......S1~..ztg.8......S1~.S1~....(.....................t...z.t.g.....\.1......S8~..FILLPR~1..D......S1~.S8~....).........................f.i.l.l.P.r.o.x.y.....h.2......S8~ .UNINST~1.EXE..L......S8~.S8~..............................U.n.i.n.s.t.a.l.l...e.x.e.......M...............-.......L...........0..h.....C:\ztg\fillProxy\Uninstall.exe..6.....\.....\.....\.....\.....\.....\.....\.....\.....\.z.t.g.\.f.i.l.l.P.r.o.x.y.\.U.n.i.n.s.t.a.l.l...e.x.e...C.:.\.z.t.g.\.f.i.l.l.P.r.o.x.y.`.......X.......701188...........!a..%.H.VZAj......1........-$..!a..%.H.VZAj......1........-$.E.......9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............
                C:\Windows\Installer\662c4f.msi
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}, Create Time/Date: Wed Jan 8 09:28:18 2020, Last Saved Time/Date: Wed Jan 8 09:28:18 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
                Category:dropped
                Size (bytes):192512
                Entropy (8bit):6.237627585353464
                Encrypted:false
                SSDEEP:3072:VGviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdNt:8vipBaTDo1j//SZhN
                MD5:6AA3A12A374E36C6A7BD75B7627A5A7C
                SHA1:56DD5F67FE9FB9C9B70470F535FC2DD6C2DECF38
                SHA-256:AA5B428789D83FBCD60442EE253B364C5FC833C698C1DC1EB73F5559A63FB976
                SHA-512:B3A4497E3629A4ED8DB8C7D83C5D8CF2270D7DCE320CA4D5009EDB0F6CBC3F3759A2F753ED0C673EFAF521AA175E2E6D53FC609F351B8A0AA00D74BC4F179720
                Malicious:false
                C:\Windows\Installer\662c5c.msi
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}, Create Time/Date: Wed Jan 8 09:28:18 2020, Last Saved Time/Date: Wed Jan 8 09:28:18 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
                Category:dropped
                Size (bytes):192512
                Entropy (8bit):6.237627585353464
                Encrypted:false
                SSDEEP:3072:VGviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdNt:8vipBaTDo1j//SZhN
                MD5:6AA3A12A374E36C6A7BD75B7627A5A7C
                SHA1:56DD5F67FE9FB9C9B70470F535FC2DD6C2DECF38
                SHA-256:AA5B428789D83FBCD60442EE253B364C5FC833C698C1DC1EB73F5559A63FB976
                SHA-512:B3A4497E3629A4ED8DB8C7D83C5D8CF2270D7DCE320CA4D5009EDB0F6CBC3F3759A2F753ED0C673EFAF521AA175E2E6D53FC609F351B8A0AA00D74BC4F179720
                Malicious:false
                C:\Windows\Installer\662c5d.msi
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}, Create Time/Date: Wed Jan 8 09:31:14 2020, Last Saved Time/Date: Wed Jan 8 09:31:14 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
                Category:dropped
                Size (bytes):184320
                Entropy (8bit):6.3376915344280516
                Encrypted:false
                SSDEEP:3072:JviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdN:JvipBaTDo1j//SZhN
                MD5:4B97853A7D10743D67665CCDD67E8566
                SHA1:AF5F7059C9A05A388B4773917E17A078FA58F5E9
                SHA-256:63802C8D96CF21A8EADB1EC5B0B52A9A040581AB2797FE5132E1B3A469108713
                SHA-512:ED88564A372FBA36FB7F2D98476C82D1D66B17B25AB9B6C34489D33BB7F1D64ABBD2E746E75470E05DECA09252D9B855AB0F37F6F82210AF3F006C9A683C7370
                Malicious:false
                C:\Windows\Installer\662c70.msi
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}, Create Time/Date: Wed Jan 8 09:31:14 2020, Last Saved Time/Date: Wed Jan 8 09:31:14 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
                Category:dropped
                Size (bytes):184320
                Entropy (8bit):6.3376915344280516
                Encrypted:false
                SSDEEP:3072:JviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdN:JvipBaTDo1j//SZhN
                MD5:4B97853A7D10743D67665CCDD67E8566
                SHA1:AF5F7059C9A05A388B4773917E17A078FA58F5E9
                SHA-256:63802C8D96CF21A8EADB1EC5B0B52A9A040581AB2797FE5132E1B3A469108713
                SHA-512:ED88564A372FBA36FB7F2D98476C82D1D66B17B25AB9B6C34489D33BB7F1D64ABBD2E746E75470E05DECA09252D9B855AB0F37F6F82210AF3F006C9A683C7370
                Malicious:false
                C:\Windows\Installer\MSI2F42.tmp
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):791
                Entropy (8bit):5.467578216582388
                Encrypted:false
                SSDEEP:24:qBVhPUoCpsVraj4PUotQXkXZIMEVlt1hlSpF:q1PVCmtaMPVAe3EVlt1ez
                MD5:0758A3CDC5298D2A1EE9FE9708D24E96
                SHA1:B3180BB921A906FBFDF4F4633F9122C19EEDB63A
                SHA-256:18C1035CEDD7518A372ABA2C0EE039627E4AE855E48EE891287F96EB813112A1
                SHA-512:64324F876767FB633BEEB571A4145179969BA7427439183D8A27547B3C783C1544285380EF1E9059EF340C2D2731FCC0B6896ADF1364D608ACC8D87B2592159D
                Malicious:false
                Preview: ...@IXOS.@.....@k>.S.@.....@.....@.....@.....@.....@......&.{0FA68574-690B-4B00-89AA-B28946231449}>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508..vc_runtimeAdditional_x86.msi.@.....@\o...@.....@........&.{AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}.....@.....@.....@.....@.......@.....@.....@.......@....>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........RegisterProduct..Registering product..[1]i...0......PublishProduct..Publishing product information.......@.....@.....@......&.{0FA68574-690B-4B00-89AA-B28946231449}q.C:\ProgramData\Package Cache\{0FA68574-690B-4B00-89AA-B28946231449}v14.25.28508\packages\vcRuntimeAdditional_x86\...@.....@.....@....
                C:\Windows\Installer\MSI374C.tmp
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):5108
                Entropy (8bit):5.76370893450946
                Encrypted:false
                SSDEEP:96:ZkDpJ8DphgiHMBN6KX+PDdTdr5J5J5J5J5J5J5J59pqLSQFnfSeeDpFaDlEPW:ZLHIX3NN3pWW
                MD5:22EE5A30208EC6F8C6A62D4DCAF4D820
                SHA1:F94AC10ED112AD7F04F219683E53EEC018CD22DD
                SHA-256:435C374E533F466CA2A20EC00176238200446496D98E75424918DC16D969D7F3
                SHA-512:F917BE7212A5283C520BD164C9514FDC61AEE082555EA104B2E0C5136117740B04BCCE03E2B530AECACDF324EB4033D9CD530A087297ABCF788162D1C2C5DD7C
                Malicious:false
                Preview: ...@IXOS.@.....@J>.S.@.....@.....@.....@.....@.....@......&.{19F7E289-17B8-44EC-A099-927507B6F739};.Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702..vc_runtimeMinimum_x86.msi.@.....@6l...@.....@........&.{4EC06479-0528-4ADB-820D-6027E57F3B81}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........InstallInitialize......&.{65E5BD06-6392-3027-8C26-853107D3CF1A}....&.{4EC06479-0528-4ADB-820D-6027E57F3B81}c.&.{65E5BD06-6392-3027-8C26-853107D3CF1A}............ProcessComponents..Updating component registration.....@.....@.....@.]....&.{E3819B64-3C56-3DD7-921D-00B011AD31DE}&.{19F7E289-17B8-44EC-A099-927507B6F739}..&.{E3819B64-3C56-3DD7-921D-00B011AD31DE}...@.....@......&.{42F41217-AF8B-33D4-9CB3-FF5F696BECBB}&.{19F7E289-17B8-44EC-A099-927507B6F739}..&.{42F41217-AF8B-33D4-9CB3-FF5F696BECBB}...@.....@......&.{E8E
                C:\Windows\Installer\MSI442F.tmp
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):8105
                Entropy (8bit):5.684469978488724
                Encrypted:false
                SSDEEP:96:NsDDpeDVDpE8rorjkFEdogLNy5J5J5J5J5J5J5J5J5A25WIh7PYP5k7DR/i8tlDL:KsWzLzIVPk5k3hl0eMnGYWOK
                MD5:63B4860E6920E678142F8E8FF1C7C067
                SHA1:B07A92E08CFD7F7CD5140BF5621AA9DCE9F59139
                SHA-256:4DB7290A9B68E600F236E68DDDB0F1049967E79C4D11C25E5CC0EF4067C0812F
                SHA-512:5D4893E0B41BC30E260480DEB666BDF8FCABC890BE2972759CAE1B9B3BE892037B5FEDB47CA393788D58BB6A97C00D93466FB54C1300F204C7B650F939E276CF
                Malicious:false
                Preview: ...@IXOS.@.....@K>.S.@.....@.....@.....@.....@.....@......&.{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2};.Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508..vc_runtimeMinimum_x86.msi.@.....@\o...@.....@........&.{DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{E3819B64-3C56-3DD7-921D-00B011AD31DE}@.02:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\X86\Version.@.......@.....@.....@......&.{42F41217-AF8B-33D4-9CB3-FF5F696BECBB}...@.......@.....@.....@......&.{E8E39D3B-4F35-36D8-B892-4B28336FE041}$.C:\Windows\SysWOW64\vcruntime140.dll.@.......@.....@.....@......&.{A2AA960C-FD3C-3A6D-BD6F-14933011AFB3} .C:\Windows\SysWOW64\msvcp140.dll.@.......@.....@.....@......&.{A2E7203F-60C2-3D7E-8A46-DB3D
                C:\Windows\Installer\MSIC076.tmp
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):6669
                Entropy (8bit):5.683943867424807
                Encrypted:false
                SSDEEP:96:aZQdlpdwCu5XTQoQMK1UahtL4yrxV7y0oegyBu75J5J5J5J5J5J5J5J5J5J5J5JU:anCuE1/hhVjxjk3Lso+bAWZ
                MD5:4BEE7BFE7FBE77BBFAB1378F8C5BBE5E
                SHA1:EC7A5C101E4B3468D6735E3214ADAC221DFE94A2
                SHA-256:33EDE61EE51AE30837AD9ACEA44BDEFF96D64C42C5920E645F94DFB2FABC6822
                SHA-512:1A8CEBADE2FDF97A64085B61051359EF6DD74F8EC2A9CA2002BB4F0F728F2926772727FA94430EDADEE1D55BB0C63963B898FEE3D4399D36337CEBE4B6379033
                Malicious:false
                Preview: ...@IXOS.@.....@[>.S.@.....@.....@.....@.....@.....@......&.{213668DB-2263-4E2D-ABB8-487FD539130E}>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702..vc_runtimeAdditional_x86.msi.@.....@6l...@.....@........&.{26AB52D0-6847-46B4-81E4-7CED60CF25DC}.....@.....@.....@.....@.......@.....@.....@.......@....>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........InstallInitialize......&.{C78B8E51-0C65-377E-85D1-282F689FE505}....&.{26AB52D0-6847-46B4-81E4-7CED60CF25DC}c.&.{C78B8E51-0C65-377E-85D1-282F689FE505}............ProcessComponents..Updating component registration.....@.....@.....@.]....&.{E3819B64-3C56-3DD7-921D-00B011AD31DE}&.{213668DB-2263-4E2D-ABB8-487FD539130E}..&.{E3819B64-3C56-3DD7-921D-00B011AD31DE}...@.....@......&.{4FD4AB8C-C57F-3782-9230-9CCA22153AD3}&.{213668DB-2263-4E2D-ABB8-487FD539130E}..&.{4FD4AB8C-C57F-3782-9230-9CCA22153AD3}...@.....@...
                C:\Windows\Installer\MSID7E8.tmp
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):11258
                Entropy (8bit):5.590467992369232
                Encrypted:false
                SSDEEP:192:HivmH5xSSSLuyAV2YO8tgxgcgSxg76gIdg/g6gmgBgwCUoBaOe/p33LsLNWsrJ5:HivmH5xSSguyA0YOBXSOpnQZWsrJ5
                MD5:30760AF1C28864119BB1BDE0CF1EA689
                SHA1:4D56949AEBD16C873B4A63D6AF1A08A48466B478
                SHA-256:C6327C3C67418CB8FEA950007A73C75706A36DC6CEE010EF6822FE7773F0E6D5
                SHA-512:3FECCFE4353B4A80B97BBFCB696105FD89912946467830B9AD279ACEA8D6CCE42257A8E2756C0501BD00E336E128711EE9CAA2293F37BEC07A40404BE1EDDD61
                Malicious:false
                Preview: ...@IXOS.@.....@`>.S.@.....@.....@.....@.....@.....@......&.{0FA68574-690B-4B00-89AA-B28946231449}>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508..vc_runtimeAdditional_x86.msi.@.....@\o...@.....@........&.{AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}.....@.....@.....@.....@.......@.....@.....@.......@....>.Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{E3819B64-3C56-3DD7-921D-00B011AD31DE}@.02:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\X86\Version.@.......@.....@.....@......&.{4FD4AB8C-C57F-3782-9230-9CCA22153AD3}..C:\Windows\SysWOW64\mfc140.dll.@.......@.....@.....@......&.{46A1EA6B-3D81-3399-8991-127F7F7AE76A}..C:\Windows\SysWOW64\mfc140u.dll.@.......@.....@.....@......&.{C94DDE19-CC70-3B9A-A6AF-5CA7340B9B9A}..C:\Windows\SysWOW64\mfcm140.dll.@.......@.....@.....@....
                C:\Windows\Installer\SourceHash{0FA68574-690B-4B00-89AA-B28946231449}
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):20480
                Entropy (8bit):1.2084708381651903
                Encrypted:false
                SSDEEP:12:JSbX72FjnXAlfLIlHuRpWBhG7777777777777777777777777ZDHFw7zpHQEQBpe:JFUIwUieFHQjcF
                MD5:DB1BA9A21FCF4091203EBEB6DB84DEDE
                SHA1:5CCF4020AB75DBC69B26D32A1923104F08261ECA
                SHA-256:8B66433BE339575B13B33FC41DD7D36B5D9FAC4495DADD1A793FD28107E36E80
                SHA-512:20551588A69245D556A90FB964029BCB520547A0704132776A03741A0719C1DEE965D01F2A941CB152D5A524EED972D790CF449675CBB595AC27182BC475AFCC
                Malicious:false
                C:\Windows\Installer\SourceHash{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):20480
                Entropy (8bit):1.2064111782326248
                Encrypted:false
                SSDEEP:12:JSbX72FjVXAlfLIlHuRpZhG7777777777777777777777777ZDHFPZx2hs9X4KQr:J/UIwExP2hs9fcF
                MD5:CE78995192A718E90DDD7411D49929B5
                SHA1:14DD811881650F9EFEA7819C341621866AF15955
                SHA-256:9786BC038F33C02C7974AC8B0DAA04FF20ED15BC135A52B29CBDE51D78D5C75F
                SHA-512:10CFD83CDF3A1CD377B8A0FD05D8E04775CA27EE562D0E938487D8EB8B0420EDC4E9901462CA34D8868AF4D09A7FE14FBBADE1D970D7A68B874890419C22847C
                Malicious:false
                C:\Windows\Installer\inprogressinstallinfo.ipi
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):20480
                Entropy (8bit):1.546026671740729
                Encrypted:false
                SSDEEP:48:h8PhiuRc06WXi/nT5RWpdj6RLBL71WSmRSqdZFt1S6WeUJSZQc:8hi1RnT3ajaLBL74VRrZFf8eNZQc
                MD5:A08D50FD22C98F2BBD45C8A8F7A29C8E
                SHA1:8828FA54F915338755889CFC25EFF8A088AC9A6D
                SHA-256:51915B86C7B8AB1C5D936B6EF8E98A4919F4D67D4C141D190811FEF970EFE183
                SHA-512:1B0DA9C13EBD0B663ACEA4D65C64E8BB7B5A382322376CA52D93D72054A6366D98618391A4F39663568B0B69FCC3584412F7F4DDBD3B85BD121B1F3DEDFD6F4D
                Malicious:false
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
                Process:C:\Windows\System32\msiexec.exe
                File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                Category:dropped
                Size (bytes):120125
                Entropy (8bit):5.369134042567348
                Encrypted:false
                SSDEEP:768:NSXZf5Y2mhq+Lswt33IyCr7el3OEmSoay55QIxVV9lQ2es9YU/tYcxywq9D+crLz:NSc2mhbT1pAcuYb
                MD5:89FF91723EDD4D45A7B015045A4862C7
                SHA1:22C993E3BCA828EBD7C25EF021552B1562B16CF9
                SHA-256:D19761CB6F34CCCC9679F224CA4C076C56DBCE461A9143475ACDA402ECFD936E
                SHA-512:FA4CD3B5D682443A7D7B71FF3877F68AE7B4AC7777711AB8FE409AD2E5E16FC97B8B22735D82EA75D110FBFC0AD23FA78128BC5D9AB9EC573CEE615BF37367FB
                Malicious:false
                Preview: .To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 11:01:16.006 [3252]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Word, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 11:01:16.021 [3252]: ngen returning 0x00000000..07/23/2020 11:01:16.068 [1236]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 11:01:16.084 [1236]: ngen returning 0x00000000..07/23/2020 11:01:16.131 [4512]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Excel.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 1
                C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                Process:C:\Windows\System32\svchost.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):55
                Entropy (8bit):4.306461250274409
                Encrypted:false
                SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                MD5:DCA83F08D448911A14C22EBCACC5AD57
                SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                Malicious:false
                Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                C:\Windows\SysWOW64\concrt140.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):250144
                Entropy (8bit):6.698404457805156
                Encrypted:false
                SSDEEP:6144:emyq0GgZNA2UwM1vfEcgVAtP+9vIaIgVb5C/U0ZXQVSSIuVxND5S912z/VsDBZAu:eAIMogaIgyRZFuVxNkeztu
                MD5:92F00AD0D5283A6A763073E2F1E4EB58
                SHA1:70BCB3C04DDF9A07F4FA65E94FC6997E58606699
                SHA-256:17079A00DA2F4653B85C9B659088DD485BF84C0B3E5E7E80C7612CAF1EF2BEFC
                SHA-512:2A7BA56FF5B8BC7B8E7C2729C9E59E806F91188A594F306D8524B01C3752066709030F206AA1556507A90944A58D53E497F8774F90D8E8B5FBD31EEC6430FFB0
                Malicious:true
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........M.vH,.%H,.%H,.%..G%J,.%AT;%B,.%CC.$M,.%H,.%.,.%CC.$C,.%CC.$O,.%CC.$.,.%CC.$I,.%CCW%I,.%CC.$I,.%RichH,.%........................PE..L...<W.^.........."!.........x......0........0...........................................@A........................0....K..<r.......................... A.......+...;..8............................<..@............p..8............................text............................... ..`.data....4...0...2..................@....idata.......p.......N..............@..@.rsrc................`..............@..@.reloc...+.......,...d..............@..B........................................................................................................................................................................................................................................................................................................
                C:\Windows\SysWOW64\mfc140.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):4782880
                Entropy (8bit):7.048362842065633
                Encrypted:false
                SSDEEP:98304:rcQO/zACc35FeIj0v8Tu8expRWrBu2gubZkFLOAkGkzdnEVomFHKnP7z:jqie9v8CVp4Bu2gubZkFLOyomFHKnP
                MD5:4B9941864214A7BB96D3704420C2D28C
                SHA1:05ACF3D57A349DCF29BC68A7A6F0DEC6D971B940
                SHA-256:1F9CCCA43EEF25CA44C69648124265944493FC220BCDECDB79AA28C33468B59B
                SHA-512:5CB4FFE656AB0C9973A02A7055689F8B945BCFB312B6B324432A717B2C95FF89B35BF70AE553F5176921A7DFF0E8F8F357288496EDC149CB377675130C7AD38B
                Malicious:true
                Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........%.suv.suv.suv7.v.suv7.v.suv7.v.suv...v.suv..tw.suv..qw.suv..vw.suv..pw.suv7.v.suv.stv.wuv..|w.ruv..uw.suv...v.suv..ww.suvRich.suv........................PE..L....V.^.........."!.........b......._*......................................0I.....r.I...@A.........................-....../......./...............H. A....E.x...l@..8...........................@4..@............./.....`.-......................text.............................. ..`.data...............................@....idata...T..../..V...6/.............@..@.didat......../......./.............@....rsrc........./......./.............@..@.reloc..x.....E......(E.............@..B................................................................................................................................................................................................................................
                C:\Windows\SysWOW64\mfc140chs.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):47592
                Entropy (8bit):6.147771533863041
                Encrypted:false
                SSDEEP:384:DA5dBlsNKvsXZWxdWvYbMktLiBr8uuPgldyevyBb7DVLN1Xzc+pBj0HRN7TPocyF:GdzvsXcb9tLkr8yTby97DVLBWUHui
                MD5:5EB37CFB087F972E0E9BF8CD9F216D0A
                SHA1:3FD426C91E122990E7746C415AEB3C9E6A459073
                SHA-256:9DBE835C0812D759A4461429D4FDE097BB9EC67A97F347F70C9796800DE92BA6
                SHA-512:865670D5EECF2EAB3BD17348FDCD31EC785F55F345E6048F83B346C16594535F59D68E6EE8F11453C2BD65D89440B50A54903D55E21F6DCB6C7DE79CDC2C06C2
                Malicious:true
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L...|V.^.........."!.........v............................................................@.......................................... ..8s...........x...A..............8............................................................................text...............................@..@.rsrc...8s... ...t..................@..@....|V.^........Y...8...8.......|V.^........T...........RSDS..M.X=NK.....dH.....d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140CHS.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1...a...rsrc$02....................................................................................................................................................................................................................................................................
                C:\Windows\SysWOW64\mfc140cht.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):47392
                Entropy (8bit):6.180362861252495
                Encrypted:false
                SSDEEP:768:uDhffucVI4Sd7kYw4JUM3i/EhWrKpWin2vSd:YucVI4Sd4YJUM3XhWuoNKd
                MD5:40F626F56782D1C6AE773B202082CB92
                SHA1:65388EDEF5C7DC53A0040AD73D144D52FD02B7F8
                SHA-256:8056DF5651B576CFFAD288A322939049CF62C8A564CB53EEE187E2DCBDBD9BEF
                SHA-512:7F99BFB9C11E377BF5B1F526FA6015BF99E28683EEC5C52FB453F60F4C49561FE81B21A61A4783673C46A8F6D62E048609720674746057291A9F025F565822CD
                Malicious:true
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!.........v......................................................R.....@.......................................... ..`s...........x.. A..............8............................................................................text...............................@..@.rsrc...`s... ...t..................@..@.....V.^........Y...8...8........V.^........T...........RSDS..9....N..'q........d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140CHT.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1...a...rsrc$02....................................................................................................................................................................................................................................................................
                C:\Windows\SysWOW64\mfc140deu.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):76272
                Entropy (8bit):4.788610818407564
                Encrypted:false
                SSDEEP:1536:SVPidQr0UZqnn0BDvmPS6VFaGCWKZ+e0petNSaBhp0vcsjsr8gWb8C1dCuf9xtP9:SVidQr0UZqnnSvmPS6VFaGCWKZX0Whpq
                MD5:20A38BD043C56FE2882F88944A3E6E6C
                SHA1:5E154DFD410A7F8F99D11C999DD68CD0C76842F9
                SHA-256:CD305576B63458ADF41BDB70FB6EBAED8A032294851336786A5A7169F4F57B05
                SHA-512:8C706656BA722EA7A9F313F5C1DEF41FA70D7E13D59BC5A3D8F85FE5CEDC2F014DDB76E16D15C231DD08FA6D639C8C457841FF0CCECC6B0FBAC379A460EC5C66
                Malicious:true
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!................................................................0[....@.......................................... ..X................A..............8............................................................................text...............................@..@.rsrc...X.... ......................@..@.....V.^........Y...8...8........V.^........T...........RSDS2j.5,..J.#..#......d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140DEU.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1.......rsrc$02....................................................................................................................................................................................................................................................................
                C:\Windows\SysWOW64\mfc140enu.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):66336
                Entropy (8bit):4.921664492323363
                Encrypted:false
                SSDEEP:768:9VmijcBEhCgy6cAu1HLPLNqyf/nWHBNhdBU2fd5GWPoRh:9Vdzfy6cAuhPLNXf/nWHNfd/PoRh
                MD5:183B42F7ECEDB4AE4BE8E06C2981EDEF
                SHA1:906365FECC6B420C63BDB05574C79571ED4C6654
                SHA-256:5C4B666503DCABF9763610EC5AB3B19D4555A5F349DE7067D6D0F7A3E8146126
                SHA-512:B4C57C1270D2E219210AEA3145148D8DC68A95ED31A0CC026413179A73961E7215DDE9F355B20859BD19B3BDDA943B48F79F94B6F7CC7BB8F4B087CD6E7F73E4
                Malicious:true
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!......................................................................@.......................................... ................. A..............8............................................................................text...............................@..@.rsrc....... ......................@..@.....V.^........Y...8...8........V.^........T...........RSDS.W-.R.8@..(=.hYo....d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140ENU.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1..X....rsrc$02....................................................................................................................................................................................................................................................................
                C:\Windows\SysWOW64\mfc140esn.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):75040
                Entropy (8bit):4.751545699698718
                Encrypted:false
                SSDEEP:768:5K0KnBU6gW6qg/iKuCOCF3OKWRElMRZ/IvpIfWUz1v3nl:Vwq6gW6B/iKuFm3OKWxRZ/InW1f
                MD5:D50AB1B9666BD7C9E7C134ADE3C42D1C
                SHA1:CDC5C1987689F1A0E34075CD18C692EA88C17E3A
                SHA-256:8AD53B060AA193BE6517C8C63D1855B39B6523696C617C0764822DB131E78F22
                SHA-512:489D6E0346168381066F0D372E1AD3CBC66FFD3B1F07DC80B76441DCD231563803EF940A96F93270F2BCC82A35F4793EE4B6AD6F4A15A4DAB25ACA343CB693BE
                Malicious:true
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!......................................................................@.......................................... .................. A..............8............................................................................text...............................@..@.rsrc........ ......................@..@.....V.^........Y...8...8........V.^........T...........RSDS+..Ti.F.........d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140ESN.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1.......rsrc$02....................................................................................................................................................................................................................................................................
                C:\Windows\SysWOW64\mfc140fra.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):76272
                Entropy (8bit):4.7728351522639585
                Encrypted:false
                SSDEEP:768:W26iNYajZELOtYFmNRYxAaTafCp5eQYZmZUjyyyyyyyyyyyyyyyUGQFUbWTVNerP:WNuqLOt6A2SCHu0joPwsM
                MD5:D58A56D308276A6323EDF45A704C443B
                SHA1:445244F7D875A04B8612E04CA1CACDC7D5275B0F
                SHA-256:22FB670A0C08110F12D9268BBC5F015E5344CD0EA61CF414F2BE4A05B3396478
                SHA-512:AB26805F0FF25ABB934B12F668E0FB5B462D27450673653251BB2B55656DDC4BCBBFA4C12445FAB46AB110E4C28B5F0A156A27D9DAB6CCC1F67748237FDFF8C0
                Malicious:true
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!.................................................................s....@.......................................... ...................A..............8............................................................................text...............................@..@.rsrc........ ......................@..@.....V.^........Y...8...8........V.^........T...........RSDS.....}.L...0...f....d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140FRA.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1..0....rsrc$02....................................................................................................................................................................................................................................................................
                C:\Windows\SysWOW64\mfc140ita.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):74224
                Entropy (8bit):4.770796960519436
                Encrypted:false
                SSDEEP:768:3QE6XaCyqbK15MsOwgDGxNIlW3jSCQQQjeqS1hDDg1UWTVfW5f+rWGg:3Qass5MsOwgSxNIlW3GoiTIF+yn
                MD5:B9C956ED374FFCDBA4C08C3720D1DB53
                SHA1:380CB5C40863E19D690177278C442EF2D10EFA01
                SHA-256:3C9809576B7811C9F2167AE45722C54C73926E133C5BC6B688A6C1846E9EB295
                SHA-512:4BF3FF88AC69131F6C6C23D2B492D7EEB5315259B9465F0316910B7E48FA94D16BC81D1395FE63E01C1B2E527EA8AB1B09561866FCF9EA40BE96E646F3E083A6
                Malicious:true
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!......................................................................@.......................................... ...................A..............8............................................................................text...............................@..@.rsrc........ ......................@..@.....V.^........Y...8...8........V.^........T...........RSDSk.8.#pJ..`|........d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140ITA.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1.......rsrc$02....................................................................................................................................................................................................................................................................
                C:\Windows\SysWOW64\mfc140jpn.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):55792
                Entropy (8bit):5.94964592117223
                Encrypted:false
                SSDEEP:768:VpxanVn/TsfJxsr10/eu9RHreFKpWzziDpI2:Vpcnp/TsguntoXyS2
                MD5:8CDEEEB4F6DC317140C9725D26EA4894
                SHA1:154C83C29AE78C37D24F181D30F0B677E5FA8CA4
                SHA-256:C85FAD3BE1ADB9007045FFB7226F340AA5E14FB35D44DD0177641BD410C9FEA8
                SHA-512:8B3F9CC4CF2C7118276CD8BF8605F6FA2F83A8D479873BABF98DF6C46E27C86A144B289D97D3026C1B2B2384C5938B6C05E78B33AFA1A485D5866AEA083ECB21
                Malicious:true
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!................................................................9+....@.......................................... ...................A..............8............................................................................text...............................@..@.rsrc........ ......................@..@.....V.^........Y...8...8........V.^........T...........RSDS.y@b$..@.>.8Z.......d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140JPN.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1.......rsrc$02....................................................................................................................................................................................................................................................................
                C:\Windows\SysWOW64\mfc140kor.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):54768
                Entropy (8bit):6.1159324346768695
                Encrypted:false
                SSDEEP:768:fjVQO54LQTNdtUaHqNA3B2I7CvqXWfQNOWho:fjZ51TNdXqNAx2I7CvqmKOWho
                MD5:628CE133C7CDE15B08CC4C07646E7E2E
                SHA1:C6623E5E01DD83C89F96D540BD3D696C324533D2
                SHA-256:854EFA87200BDD5F2FB3B6E65CC43DFC8109A84887201093BAE5EA848271F639
                SHA-512:D79CFAA24A9556702794053CBBDD2B3E9468CB98D2991999ACB344E1ADAF19D7D1DCC204C83DC255E84B362DDCC31CE0B1617374BAC1C3CFB2911169DE802014
                Malicious:true
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!.................................................................~....@.......................................... ...................A..............8............................................................................text...............................@..@.rsrc........ ......................@..@.....V.^........Y...8...8........V.^........T...........RSDS.x).6JwK.>H..$.o....d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140KOR.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1..@~...rsrc$02....................................................................................................................................................................................................................................................................
                C:\Windows\SysWOW64\mfc140rus.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):72176
                Entropy (8bit):5.322279857085589
                Encrypted:false
                SSDEEP:768:rAv/gFXOv00iqNWTMHVhtZgFckD9uAWqMB:K6XOv0EhTW+q+
                MD5:76A39F21CC452E2A7040A78792318982
                SHA1:4EB98EAD87D9DAEB3E2D96127FFBE3727C3E2264
                SHA-256:696DDA39E8DF5BE1006E937BECE2DA07441E8C2BD79760C739922B557A7B9385
                SHA-512:9FA307E5B3FD510619298577E7FD3E036D632B11861A04FB739E4D1443F1EC530EE1E9C9018900A164162074873C50C676EB1477EFB31F3E215C779F48096B00
                Malicious:true
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<.M.R.M.R.M.R.F...L.R.F.P.L.R.RichM.R.................PE..L....V.^.........."!......................................................................@.......................................... ...................A..............8............................................................................text...............................@..@.rsrc........ ......................@..@.....V.^........Y...8...8........V.^........T...........RSDSnS...^9@.4.TQ..X....d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\MFC140RUS.i386.pdb............8....rdata..8........rdata$zzzdbg.... ..p....rsrc$01....p1..H....rsrc$02....................................................................................................................................................................................................................................................................
                C:\Windows\SysWOW64\mfc140u.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):5082912
                Entropy (8bit):6.8680590475042465
                Encrypted:false
                SSDEEP:98304:pwTgRb/8LXPwCVSf9qGeFgHt23653x0qfSbNa/S306FLOAkGkzdnEVomFHKnPZC:6cR87wFFqG236L0XNa/S306FLOyomFHT
                MD5:109E1488C848F17E370F3973EFDE2C38
                SHA1:7F2FEB94CF7FD1378DF4963316C7941067E7EDC0
                SHA-256:0CE7B07B16BA59AAE714495043D1CC8385691125F977B34227DBE826DA6D1EEF
                SHA-512:6C66CA88306106E07432D05AE60A0278D6619E57B1B1EAC5C1AD4B02F3DD13EA8F68FE986322877FA975077C879629E0248239C00654420353772E8287583E23
                Malicious:true
                C:\Windows\SysWOW64\mfcm140.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):82720
                Entropy (8bit):6.481840055375367
                Encrypted:false
                SSDEEP:768:7xg82UCqlWXqCVz79dzv3sG2wlv13BVO5ncylfhcsZGolyQw3n/20c6dhVbuwSy1:J2Slq7vzvvTyphcsZGBpcGhQwSwUJ0
                MD5:F46353456429BF7768968B6285D7C2FB
                SHA1:5A6A6D4DB4BBD32CD141C3CD3D4F1996F1D27084
                SHA-256:D7FA4DFD8681B10EBF04CB5C72D0F3A20EAF9C4D287CC05C973561EC8DC6A019
                SHA-512:92C1F4C4AE572DBA8409FBC51F1ACC7FE5C347AFBD0A8B4EABDD339C4F4EF91698B7487E0F4708B89FAE8D2D436644026B89EC53F16F128DA9D773BB5AFE23C2
                Malicious:true
                C:\Windows\SysWOW64\mfcm140u.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):82720
                Entropy (8bit):6.4817802924170635
                Encrypted:false
                SSDEEP:1536:V8alW6KV4ueuAUnPcsZGVxIb+OvE1R4Wod:K6KpQUnPcsKIbHv+i
                MD5:A67DD2E47CAC448F5E0995FD8634FD4B
                SHA1:879F96580C33618EB4D4349DE3215A87BA132A56
                SHA-256:F371D0868A9BAD5B012AC25BDC55FBF41D7F9535ECDE1A37CB23F2732F5ED303
                SHA-512:912238A4299D50481EF3C48A0E7DBD799B29880131A9667AACD252E3BACE8CDD38F0EAA2EB2C6EE7380B8146B105F94E54F43134AFA841F70176C5F4F318D909
                Malicious:true
                C:\Windows\SysWOW64\msvcp140.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):453920
                Entropy (8bit):6.66950080753057
                Encrypted:false
                SSDEEP:12288:tjBcSw+X+OLM+PBrWHPd9pGDXywWz08oumlBVhUgiW6QR7t5s03Ooc8dHkC2esrG:tjBcSw+1M+PBrWF9IWwWz08ay03Ooc87
                MD5:697220335E5C4B4126AF45F6F8207896
                SHA1:8106F2DD4665AEC0D1C652E29378EF46EA4E5801
                SHA-256:D7446822C53CF6B9E31D5610D838EBF26ED08BF7497A3E022C47FF193CCDE0BE
                SHA-512:B820735E96600A1382D4097A7638F3286335D93032152B8C85E4EA8196439DFE687E1F8309A81F13A43705A323EDA12BD69EFAC50A09048E57498CEDE4924CF0
                Malicious:true
                C:\Windows\SysWOW64\msvcp140_1.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):29472
                Entropy (8bit):6.817865566900363
                Encrypted:false
                SSDEEP:384:YXi/n/o+H/UgljjdJu+9WcU5gWE5d6c+pBj0HRN7ToucyHRN7rP1x4l78Ka:YknwQJVdJu1qqWNL3nKa
                MD5:511F8CF3E1C960B5AA76FDA0B845D246
                SHA1:6BA029A7C545D64C044AAAD93A3DD00702BDF44E
                SHA-256:4874449EE85BCA44BE95DEA5FAD6AC4F0F5456788C928844702CC5ED4935DD83
                SHA-512:5D0F04AD49AC91202254981CB69EE6EEAEF2C89535B5F396D03EB8BC42B786AF6DB1C3763807597DBDD3E13736B70BFBDEF9149EC45190E7DB1E03E62F939EE4
                Malicious:true
                C:\Windows\SysWOW64\msvcp140_2.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):174064
                Entropy (8bit):6.871923327983383
                Encrypted:false
                SSDEEP:3072:l3ZqbqsS20jBQh6fLPbU7DuJMCIuW4vdzAY9Sx5+9:l3Zq2bQh6fL+CJMpuW4vdEY489
                MD5:57ED07CB2B239D7CF58EF98040A9B4BD
                SHA1:40BE57A54102EA5AF3D3173C8815BDF35761E5F5
                SHA-256:940FF0F7EA7149084533CF81156CAA42A05BB44656164D769DCB299ECF7A350C
                SHA-512:5459FB26218C13BFC8284E446403964D77CF27ABA51A5149FA7CD916C405811F80A93C93B1310044D586CB7C00489E3AFDDC97343CB40D945BAAEB4B80E971F3
                Malicious:true
                C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):26400
                Entropy (8bit):6.826117601279947
                Encrypted:false
                SSDEEP:384:hlFGXZfbOwqjmeIFWiWEWu9Pc+pBj0HRN7TsHEcyHRN7rwr2l4UP:UD/OtuWLUG
                MD5:4905D449E1C36735AF33A8CF4F08895D
                SHA1:D34E3F579507F23C6B3378DA44E666B85FFF6E3B
                SHA-256:54CF497485E1247F04EF705157CAD26F2FE9D0C353D5970A6FF8E5848504C4DE
                SHA-512:6FF95EB8B191D970E145C6A6DE98370A0B464BE215A5A2DC14E98BEF03DBB886444CEEA0906DFFEFE07960CC870AF377D64AC4EAF6D9FE7E7F5E0D4A92080559
                Malicious:false
                C:\Windows\SysWOW64\vcamp140.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):362272
                Entropy (8bit):6.480079655173682
                Encrypted:false
                SSDEEP:6144:TNdn9nbqWFEijveDAHlreqc7Bd0o+Sb9mut1EFnceq0CR0y5M+:j9uAeMBMBio+Sb9mut1EF1qi+
                MD5:766A806CF675EBFC1BCD8766D446692A
                SHA1:71A60564596341323B8544C46A63164974570216
                SHA-256:F59EEFB0DAF0CDD646C5B522BC14B13BCEA57A1ECD567E7A0B930AA5EAA2EC2F
                SHA-512:86B06DED1DBF3399ABEAB86C36268AD061CC19AFEF4F694EFE7F5584959F7551E803361A456EEDC2596440617EF28A7BAA6E34CFA6ABB3EC94D8E54D59FD9F01
                Malicious:true
                C:\Windows\SysWOW64\vccorlib140.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):274208
                Entropy (8bit):6.608613260235627
                Encrypted:false
                SSDEEP:3072:JLZNCBQSuHX5pXCcDWUE1GM6FXNQBkNo9uYKTsWycLfaMHjb3yiH:WuTDJZXiBEkuYKTVfa6
                MD5:74E8CB0C4E08C63E386F373D1D2C394D
                SHA1:4134B4A2E5BA4C72A0F8D1472D90E94D7EACBD0F
                SHA-256:75E6504A83B23A9B3D58885BFB3ED8A5C06FAB4C25139AAB83C2EC0522D2C095
                SHA-512:84BAB1D2977089AB3BAC41710FAB40AC39D2FE3B0F9FD7AA6D1E2CEDFDE004595F74A8320E21A4D313EECB407B99BAD39429C8AFA65F16698FE485C4C474CBD1
                Malicious:true
                C:\Windows\SysWOW64\vcomp140.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):141600
                Entropy (8bit):6.730918695182974
                Encrypted:false
                SSDEEP:3072:Dx2TmVYqVACERsarapgaqKSVoSkOuRoJm4t4/lAcXNt:FdbPFqjoPOuRou/lA2f
                MD5:072DA195F3C547B1584813E02E245CD8
                SHA1:EDA3A7CD19D4BB362BE37EC06290C1309962D4D4
                SHA-256:DBCB040304AC8A81E149840DEB816E1C4E5BC20487766541AA8C7C5C0629C804
                SHA-512:37BF63D59DF173D5152253CE2A4F5A2BB7DC2BF9F63BF7C379ED5BB3C9989BB782E6A836E8C6D7EBF2F927092E098FAA747F31AC4D6296194AEBCCC4EA8F68CE
                Malicious:true
                C:\Windows\SysWOW64\vcruntime140.dll
                Process:C:\Windows\System32\msiexec.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):83232
                Entropy (8bit):6.884071103046351
                Encrypted:false
                SSDEEP:1536:DbLqOxUSsdRwFUzVCNkU1jXCizVaYecbv4MUqQmFk:DaOxfsd6FUp3uhecbv4MU
                MD5:4C360F78DE1F5BAAA5F110E65FAC94B4
                SHA1:20A2E66FD577293B33BA1C9D01EF04582DEAF3A5
                SHA-256:AD1B0992B890BFE88EF52D0A830873ACC0AECC9BD6E4FC22397DBCCF4D2B4E37
                SHA-512:C6BBA093D2E83B178A783D1DDFD1530C3ADCB623D299D56DB1B94ED34C0447E88930200BF45E5FB961F8FD7AD691310B586A7D754D7A6D7D27D58B74986A4DB8
                Malicious:false
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1028\license.rtf
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):18127
                Entropy (8bit):4.036737741619669
                Encrypted:false
                SSDEEP:192:xaz+aCQbjdBCLCgfvtfLEmmVxJzLKLIW7cBFCoSM0fvJ93eyryH1MqG1xcRY/c5f:seh/IMHexG4q2
                MD5:B7F65A3A169484D21FA075CCA79083ED
                SHA1:5DBFA18928529A798FF84C14FD333CB08B3377C0
                SHA-256:32585B93E69272B6D42DAC718E04D954769FE31AC9217C6431510E9EEAD78C49
                SHA-512:EDA2F946C2E35464E4272B1C3E4A8DC5F17093C05DAB9A685DBEFD5A870B9D872D8A1645ED6F5B9A72BBB2A59D22DFA58FBF420F6440278CCBE07B6D0555C283
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset134 SimSun;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT \f1\'dc\'9b\'f3\'77\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\f0\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f1\'b1\'be\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\'ca\'c7\'d9\'46\'d3\'c3\'91\'f4\'c5\'63\f0 Microsoft Corporation (\f1\'bb\'f2\'c6\'e4\'ea\'50\'82\'53\'c6\'f3\'98\'49\'a3\'ac\'d2\'95\'d9\'46\'d3\'c3\'91\'f4\'cb\'f9\'be\'d3\'d7\'a1\'b5\'c4\'b5\'d8\'fc\'63\'b6\'f8\'b6\'a8\f0 ) \f1\'d6\'ae\'e9\'67\'b3\'c9\'c1\'a2\'b5\'c4\'ba\'cf\'bc\'73\'a1\'a3\'cb\'fb\'82\'83\'df\'6d\'d3\'c3\'ec\'b6\'c9\'cf\'ca\'f6\'dc\'9b\'f3\'77\'a3\'ac\'b1\'be\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\'d2\'e0\'df\'6d\'d3\'c3\'ec\'b6\'c8\'ce\'ba\'ce\f0 Microsoft \f1\'b7\'fe\'84\'d5\'bb\'f2\'b1\'be\'dc\'9b\'f3\'77\'d6\'ae\'b8\'fc\'d0\'c2\'a3
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1028\thm.wxl
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):2980
                Entropy (8bit):6.163758160900388
                Encrypted:false
                SSDEEP:48:c5DiTlOtMes9T/JhDXsA9EHSniarRFeOrw8N3mZNNTN2N08CEjMUWFPmDlTKJKy2:uDiTlFrDDsA9tfHP8+8nhM0WamzqDFqD
                MD5:472ABBEDCBAD24DBA5B5F5E8D02C340F
                SHA1:974F62B5C2E149C3879DD16E5A9DBB9406C3DB85
                SHA-256:8E2E660DFB66CB453E17F1B6991799678B1C8B350A55F9EBE2BA0028018A15AD
                SHA-512:676E29378AAED25DE6008D213EFA10D1F5AAD107833E218D71F697E728B7B5B57DE42E7A910F121948D7B1B47AB4F7AE63F71196C747E8AE2B4827F754FC2699
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ................. ......................../passive | /quiet - .... UI ........... UI.... ........... UI ........../norestart - ................UI ............./log log.txt - .........
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1029\license.rtf
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):13053
                Entropy (8bit):5.125552901367032
                Encrypted:false
                SSDEEP:192:TKwfs7OUpXLa5HEXQwNCNvZSjotXxiwH++3kamdEj6ZDbugDHgbGNlv6NbrYGY9x:Lfs7c5DRH0aHmJGpafU0AliwGra2
                MD5:B408556A89FCE3B47CD61302ECA64AC9
                SHA1:AAC1CDAF085162EFF5EAABF562452C93B73370CB
                SHA-256:21DDCBB0B0860E15FF9294CBB3C4E25B1FE48619210B8A1FDEC90BDCDC8C04BC
                SHA-512:BDE33918E68388C60750C964CDC213EC069CE1F6430C2AA7CF1626E6785C7C865094E59420D00026918E04B9B8D19FA22AC440F851ADC360759977676F8891E7
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 LICEN\f1\'c8N\f0\'cd PODM\'cdNKY PRO SOFTWARE SPOLE\f1\'c8NOSTI MICROSOFT\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Tyto licen\f1\'e8n\f0\'ed podm\'ednky p\f1\'f8edstavuj\f0\'ed smlouvu mezi spole\f1\'e8nost\f0\'ed Microsoft Corporation (nebo n\f1\'eckterou z\~jej\f0\'edch afilac\'ed v\~z\'e1vislosti na tom, kde bydl\'edte) a\~v\'e1mi. Vztahuj\'ed se na v\'fd\f1\'9ae uveden\f0\'fd software. Podm\'ednky se rovn\f1\'ec\'9e vztahuj\f0\'ed na jak\'e9koli slu\f1\'9eby Microsoft nebo aktualizace pro software, pokud se na slu\'9eby nebo aktualizace nevztahuj\f0\'ed odli\f1\'9an\f0\'e9 podm\'ednky.\par..\b DODR\f1\'8e\f0\'cdTE-LI TYTO
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1029\thm.wxl
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3333
                Entropy (8bit):5.370651462060085
                Encrypted:false
                SSDEEP:48:c5DiTlOtesM6H2hDdxHOjZxsaIIy3Iy5sDMN3mkNFN7NwcfiPc3hKPnWZLF0hKqZ:uDiTlVxxHOy/9xXfpZJYnL8xK2S
                MD5:16343005D29EC431891B02F048C7F581
                SHA1:85A14C40C482D9351271F6119D272D19407C3CE9
                SHA-256:07FB3EC174F25DFBE532D9D739234D9DFDA8E9D34F01FE660C5B4D56989FA779
                SHA-512:FF1AE9C21DCFB018DD4EC82A6D43362CB8C591E21F45DD1C25955D83D328B57C8D454BBE33FBC73A70DADF1DFB3AE27502C9B3A8A3FF2DA97085CA0D9A68AB03
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instala.n. program [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Opravdu chcete akci zru.it?</String>.. <String Id="HelpHeader">N.pov.da nastaven.</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [adres..] . Nainstaluje, oprav., odinstaluje nebo.. vytvo.. .plnou m.stn. kopii svazku v adres..i. V.choz. mo.nost. je instalace...../passive | /quiet . Zobraz. minim.ln. u.ivatelsk. rozhran. bez v.zev nebo nezobraz. ..dn. u.ivatelsk. rozhran. a.. ..dn. v.zvy. V.choz. mo.nost. je zobrazen. u.ivatelsk.ho rozhran. a v.ech v.zev...../noresta
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1031\license.rtf
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):11936
                Entropy (8bit):5.194264396634094
                Encrypted:false
                SSDEEP:192:+XkOmRUOl6WBsl4kA+sn+mvtI0qHl4qj+iPqk6kVV9iX9GzYNvQ8yOejIpRMrhC2:DDHMFPCeV3i4zOHyOejIpkC2
                MD5:C2CFA4CE43DFF1FCD200EDD2B1212F0A
                SHA1:E8286E843192802E5EBF1BE67AE30BCAD75AC4BB
                SHA-256:F861DB23B972FAAA54520558810387D742878947057CF853DC74E5F6432E6A1B
                SHA-512:6FDF02A2DC9EF10DD52404F19C300429E7EA40469F00A43CA627F3B7F3868D1724450F99C65B70B9B7B1F2E1FA9D62B8BE1833A8C5AA3CD31C940459F359F30B
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT-SOFTWARE-LIZENZBESTIMMUNGEN\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Diese Lizenzbestimmungen sind ein Vertrag zwischen Ihnen und der Microsoft Corporation (bzw. abh\'e4ngig von Ihrem Wohnsitz einem mit Microsoft verbundenen Unternehmen). Sie gelten f\'fcr die oben angef\'fchrte Software. Die Bestimmungen gelten ebenso f\'fcr jegliche von Microsoft angebotenen Dienste oder Updates f\'fcr die Software, sofern diesen keine anderen Bestimmungen beiliegen.\par..\b SOFERN SIE DIESE LIZENZBESTIMMUNGEN EINHALTEN, SIND SIE ZU FOLGENDEM BERECHTIGT:\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 RECHTE ZUR INSTALLATION UND NUTZUNG. \
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1031\thm.wxl
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3379
                Entropy (8bit):5.094097800535488
                Encrypted:false
                SSDEEP:48:c5DiTlOZuesXJhDEVTORNxSMoZN3mteNSiNGNsZuiAXEqicMwhPXbhu9KwKlK8Kq:uDiTl3N7xSbu0N8+AhSNnm
                MD5:561F3F32DB2453647D1992D4D932E872
                SHA1:109548642FB7C5CC0159BEDDBCF7752B12B264C0
                SHA-256:8E0DCA6E085744BFCBFF46F7DCBCFA6FBD722DFA52013EE8CEEAF682D7509581
                SHA-512:CEF8C80BEF8F88208E0751305DF519C3D2F1C84351A71098DC73392EC06CB61A4ACA35182A0822CF6934E8EE42196E2BCFE810CC859965A9F6F393858A1242DF
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] - Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">M.chten Sie den Vorgang wirklich abbrechen?</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [Verzeichnis] - installiert, repariert, deinstalliert oder.. erstellt eine vollst.ndige lokale Kopie des Bundles im Verzeichnis. Installieren ist die Standardeinstellung...../passive | /quiet - zeigt eine minimale Benutzeroberfl.che ohne Eingabeaufforderungen oder keine.. Benutzeroberfl.che und keine Eingabeaufforderungen an. Standardm..ig werden die Benutzeroberfl.che und alle Eingab
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1036\license.rtf
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):11593
                Entropy (8bit):5.106817099949188
                Encrypted:false
                SSDEEP:192:aRAbNYjVk+z5GUSLse5GgALEXmAWL+/3FEShP9sJgi8+Ra8woh+89EQdhwQPely6:K4yrPqm9LcVEg9sVp2ohHVdKoXJXci9a
                MD5:F0FF747B85B1088A317399B0E11D2101
                SHA1:F13902A39CEAE703A4713AC883D55CFEE5F1876C
                SHA-256:4D9B7F06BE847E9E135AB3373F381ED7A841E51631E3C2D16E5C40B535DA3BCF
                SHA-512:AA850F05571FFC361A764A14CA9C1A465E2646A8307DEEE0589852E6ACC61AF145AEF26B502835724D7245900F9F0D441451DD8C055404788CE64415F5B79506
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMES DU CONTRAT DE LICENCE LOGICIEL MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Les pr\'e9sents termes du contrat de licence constituent un contrat entre Microsoft Corporation (ou, en fonction de votre lieu de r\'e9sidence, l\rquote un de ses affili\'e9s) et vous. Ils s\rquote appliquent au logiciel vis\'e9 ci-dessus. Les termes s\rquote appliquent \'e9galement \'e0 tout service et \'e0 toute mise \'e0 jour Microsoft pour ce logiciel, \'e0 moins que d\rquote autres termes n\rquote accompagnent ces \'e9l\'e9ments.\par..\b SI VOUS VOUS CONFORMEZ AUX PR\'c9SENTS TERMES DU CONTRAT DE LICENCE, VOUS AVEZ LES DROITS CI-DESSOUS.\par....\pard{\pntext\f1\'B7\tab}{\*\pn\pnlvlblt\pnf1\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\s
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1036\thm.wxl
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3366
                Entropy (8bit):5.0912204406356905
                Encrypted:false
                SSDEEP:48:c5DiTlO1BesgKLhD1K8cocDSN3m4NlN2ZfNmXL8ePZFcZkLPqUf9fQKRLKeKqZfj:uDiTlABzH1/qt4qgcXY
                MD5:7B46AE8698459830A0F9116BC27DE7DF
                SHA1:D9BB14D483B88996A591392AE03E245CAE19C6C3
                SHA-256:704DDF2E60C1F292BE95C7C79EE48FE8BA8534CEB7CCF9A9EA68B1AD788AE9D4
                SHA-512:FC536DFADBCD81B42F611AC996059A6264E36ECF72A4AEE7D1E37B87AEFED290CC5251C09B68ED0C8719F655B163AD0782ACD8CE6332ED4AB4046C12D8E6DBF6
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installation de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Voulez-vous vraiment annuler.?</String>.. <String Id="HelpHeader">Aide du programme d'installation</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installe, r.pare, d.sinstalle ou.. cr.e une copie locale compl.te du groupe dans le r.pertoire. Install est l'option par d.faut...../passive | /quiet - affiche une interface minimale, sans invite, ou n'affiche ni interface.. ni invite. Par d.faut, l'interface et toutes les invites sont affich.es...../norestart - supprime toutes les tentatives de red.
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1040\license.rtf
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):11281
                Entropy (8bit):5.046489958240229
                Encrypted:false
                SSDEEP:192:WBGNX6UXR2+5SmgS/ChMErYkQvowHVw6zdgkycEGCDLQ+n3YJ2d8XSiej+T4Ma8f:gAzSVARBR5jEPLQY3YJpSjTP2
                MD5:9D98044BAC59684489C4CF66C3B34C85
                SHA1:36AAE7F10A19D336C725CAFC8583B26D1F5E2325
                SHA-256:A3F745C01DEA84CE746BA630814E68C7C592B965B048DDC4B1BBE1D6E533BE22
                SHA-512:D849BBB6C87C182CC98C4E2314C0829BB48BAD483D0CD97BF409E75457C3695049C3A8ADFE865E1ECBC989A910096D2C1CDF333705AAC4D22025DF91B355278E
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 CONTRATTO DI LICENZA PER IL SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Le presenti condizioni di licenza costituiscono il contratto tra Microsoft Corporation (o, in base al luogo di residenza del licenziatario, una delle sue consociate) e il licenziatario, Tali condizioni si applicano al software Microsoft di cui sopra. Le condizioni si applicano inoltre a qualsiasi servizio o aggiornamento di Microsoft relativo al software, a meno che questo non sia accompagnato da condizioni differenti.\par..\b QUALORA IL LICENZIATARIO SI ATTENGA ALLE PRESENTI CONDIZIONI DI LICENZA, DISPORR\'c0 DEI DIRITTI INDICATI DI SEGUITO.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\p
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1040\thm.wxl
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3319
                Entropy (8bit):5.019774955491369
                Encrypted:false
                SSDEEP:48:c5DiTlO1eesy+hD9BOtBFv5Vo8BbQhMNDJN3msNlNohNNz+wcPclM+PAoYKp+K/u:uDiTlfQvo8WutJ/s9FHNOJp
                MD5:D90BC60FA15299925986A52861B8E5D5
                SHA1:FADFCA9AB91B1AB4BD7F76132F712357BD6DB760
                SHA-256:0C57F40CC2091554307AA8A7C35DD38E4596E9513E9EFAE00AC30498EF4E9BC2
                SHA-512:11764D0E9F286B5AA7B1A9601170833E462A93A1E569A032FCBA9879174305582BD42794D4131B83FBCFBF1CF868A8D5382B11A4BD21F0F7D9B2E87E3C708C3F
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installazione di [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Annullare?</String>.. <String Id="HelpHeader">Guida alla configurazione</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installa, ripara, disinstalla o.. crea una copia locale completa del bundle nella directory. L'opzione predefinita . Install...../passive | /quiet - visualizza un'interfaccia utente minima senza prompt oppure non visualizza alcuna interfaccia utente.. n. prompt. Per impostazione predefinita viene visualizzata l'intera interfaccia utente e tutti i prompt...../norestart - annulla quals
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1041\license.rtf
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):28232
                Entropy (8bit):3.7669201853275722
                Encrypted:false
                SSDEEP:192:Qkb65jNkzrUJVbpEiTskXHH1AZWoJxfnVnkDYUqfQFXBue6hX2JSfR7q05kWZxhY:epCD3y/ybox2yrk2
                MD5:8C49936EC4CF0F64CA2398191C462698
                SHA1:CC069FE8F8BC3B6EE2085A4EACF40DB26C842BAC
                SHA-256:7355367B7C48F1BBACC66DFFE1D4BF016C16156D020D4156F288C2B2207ED1C2
                SHA-512:4381147FF6707C3D31C5AE591F68BC61897811112CB507831EFF5E71DD281009400EDA3300E7D3EFDE3545B89BCB71F2036F776C6FDFC73B6B2B2B8FBC084499
                Malicious:false
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1041\thm.wxl
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3959
                Entropy (8bit):5.955167044943003
                Encrypted:false
                SSDEEP:96:uDiTlDuB1n+RNmvFo6bnpojeTPk0R/vueX5OA17IHdGWz:5uB1+gD1DU4EdGE
                MD5:DC81ED54FD28FC6DB6F139C8DA1BDED6
                SHA1:9C719C32844F78AAE523ADB8EE42A54D019C2B05
                SHA-256:6B9BBF90D75CFA7D943F036C01602945FE2FA786C6173E22ACB7AFE18375C7EA
                SHA-512:FD759C42C7740EE9B42EA910D66B0FA3F813600FD29D074BB592E5E12F5EC09DB6B529680E54F7943821CEFE84CE155A151B89A355D99C25A920BF8F254AA008
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.. <Control Control="UninstallButton" X="270" Y="237" Width="120" Height="23"/>.. <Control Control="RepairButton" X="187" Y="237" Width="80" Height="23"/>.. .. <String Id="Caption">[WixBundleName] .......</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ............ ......... .........................
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1042\license.rtf
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):27936
                Entropy (8bit):3.871317037004171
                Encrypted:false
                SSDEEP:384:kKIgbA2uBsarNG/HxPvCL1ewjxsXmEw4C7C7R4jAeqCBO968y7yNRylBSFfQv9yH:d3ar8Xa/XAeqoc0wfBB4qN
                MD5:184D94082717E684EAF081CEC3CBA4B1
                SHA1:960B9DA48F4CDDF29E78BBAE995B52204B26D51B
                SHA-256:A4C25DA9E3FBCED47464152C10538F16EE06D8E06BC62E1CF4808D293AA1AFA2
                SHA-512:E4016C0CA348299B5EF761F456E3B5AD9B99E5E100C07ACAB1369DFEC214E75AA88E9AD2A0952C0CC1B707E2732779E6E3810B3DA6C839F0181DC81E3560CBDA
                Malicious:false
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1042\thm.wxl
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3249
                Entropy (8bit):5.985100495461761
                Encrypted:false
                SSDEEP:48:c5DiTlO4TesKOwhDNJCkt1NhEN3m/NFNkbKNdExpVgUnqx6IPaRc0KoUK9TKz0KR:uDiTlUJJCsgqf6YVoz4uU5vI54U5TY
                MD5:B3399648C2F30930487F20B50378CEC1
                SHA1:CA7BDAB3BFEF89F6FA3C4AAF39A165D14069FC3D
                SHA-256:AD7608B87A7135F408ABF54A897A0F0920080F76013314B00D301D6264AE90B2
                SHA-512:C5B0ECF11F6DADF2E68BC3AA29CC8B24C0158DAE61FE488042D1105341773166C9EBABE43B2AF691AD4D4B458BF4A4BF9689C5722C536439CA3CDC84C0825965
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] .. ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">.. ...</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ..... ... .. .. .... .., .., .. .... ...... ... .........../passive | /quiet - .... .. .. UI. ..... UI ... ..... .... ..... ..... UI. .. ..... ........../norestart - .. .... .. .... ...
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1045\license.rtf
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):13265
                Entropy (8bit):5.358483628484379
                Encrypted:false
                SSDEEP:192:TKpWRd0NE41Y/od7V/sHFos7YLQY9DbLM5D+Vw1VAOb0P4/sHLS7VHwHMPw95a+Q:uy0CG9KZ7qQCw1VAOZ/sHOJfcY2wf6p2
                MD5:5B9DF97FC98938BF2936437430E31ECA
                SHA1:AB1DA8FECDF85CF487709774033F5B4B79DFF8DE
                SHA-256:8CB5EB330AA07ACCD6D1C8961F715F66A4F3D69FB291765F8D9F1850105AF617
                SHA-512:4EF61A484DF85C487BE326AB4F95870813B9D0644DF788CE22D3BEB6E062CDF80732CB0B77FCDA5D4C951A0D67AECF8F5DCD94EA6FA028CFCA11D85AA97714E3
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 POSTANOWIENIA LICENCYJNE DOTYCZ\f1\'a5CE OPROGRAMOWANIA\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Niniejsze postanowienia licencyjne stanowi\f1\'b9 umow\'ea mi\'eadzy Microsoft Corporation (lub, w\~zale\'bfno\'9cci od miejsca zamieszkania Licencjobiorcy, jednym z\~podmiot\f0\'f3w stowarzyszonych Microsoft Corporation) a\~Licencjobiorc\f1\'b9. Maj\'b9 one zastosowanie do wskazanego powy\'bfej oprogramowania. Niniejsze postanowienia maj\'b9 r\f0\'f3wnie\f1\'bf zastosowanie do wszelkich us\'b3ug i aktualizacji Microsoft dla niniejszego oprogramowania, z wyj\'b9tkiem tych, kt\f0\'f3rym towarzysz\f1\'b9 inne postanowienia.\par..\b\
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1045\thm.wxl
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3212
                Entropy (8bit):5.268378763359481
                Encrypted:false
                SSDEEP:48:c5DiTlOPesar4hDo7zGriQjDCN3mDNN0NrsNGl3vxkIP2hUdKLK0KbK4n6W0sfNM:uDiTlusPGriQw8n2rOij4JsU
                MD5:15172EAF5C2C2E2B008DE04A250A62A1
                SHA1:ED60F870C473EE87DF39D1584880D964796E6888
                SHA-256:440B309FCDF61FFC03B269FE3815C60CB52C6AE3FC6ACAD14EAC04D057B6D6EA
                SHA-512:48AA89CF4A0B64FF4DCB82E372A01DFF423C12111D35A4D27B6D8DD793FFDE130E0037AB5E4477818A0939F61F7DB25295E4271B8B03F209D8F498169B1F9BAE
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalator [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Czy na pewno chcesz anulowa.?</String>.. <String Id="HelpHeader">Instalator . Pomoc</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [katalog] - Instaluje, naprawia, odinstalowuje.. lub tworzy pe.n. lokaln. kopi. pakietu w katalogu. Domy.lnie jest u.ywany prze..cznik install...../passive | /quiet - Wy.wietla ograniczony interfejs u.ytkownika bez monit.w albo nie wy.wietla ani interfejsu u.ytkownika,.. ani monit.w. Domy.lnie jest wy.wietlany interfejs u.ytkownika oraz wszystkie monity...../norestart - Pom
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1046\license.rtf
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):10656
                Entropy (8bit):5.092962528947159
                Encrypted:false
                SSDEEP:192:WIPAufWXXF0+YkR6E0/CiTS0CsGlHIMqf29H7KxLY/aYzApT3anawLXCBX2:VPAufb+YSSCYrCb5BmW4UDaTqzLwX2
                MD5:360FC4A7FFCDB915A7CF440221AFAD36
                SHA1:009F36BBDAD5B9972E8069E53855FC656EA05800
                SHA-256:9BF79B54F4D62BE501FF53EEDEB18683052A4AE38FF411750A764B3A59077F52
                SHA-512:9550A99641F194BB504A76DE011D07C1183EE1D83371EE49782FC3D05BF779415630450174DD0C03CB182A5575F6515012337B899E2D084203717D9F110A6FFE
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMOS DE LICEN\'c7A PARA SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Estes termos de licen\'e7a formam um contrato firmado entre a Microsoft Corporation (ou com base no seu pa\'eds de resid\'eancia, uma de suas afiliadas) e voc\'ea. Eles se aplicam ao software indicado acima. Os termos tamb\'e9m se aplicam a quaisquer servi\'e7os ou atualiza\'e7\'f5es da Microsoft para o software, exceto at\'e9 a extens\'e3o de que eles tenham termos diferentes.\par..\b SE VOC\'ca CONCORDAR COM ESTES TERMOS DE LICEN\'c7A, TER\'c1 OS DIREITOS INDICADOS ABAIXO.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\t
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1046\thm.wxl
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3095
                Entropy (8bit):5.150868216959352
                Encrypted:false
                SSDEEP:48:c5DiTlO5es/4ThDzmU6lDj4N3mBl0N+NWNP4hHCc9skPDXeKKeK9KfKt4eJ2RQdg:uDiTlJhJGl2UsZMLe6
                MD5:BE27B98E086D2B8068B16DBF43E18D50
                SHA1:6FAF34A36C8D9DE55650D0466563852552927603
                SHA-256:F52B54A0E0D0E8F12CBA9823D88E9FD6822B669074DD1DC69DAD6553F7CB8913
                SHA-512:3B7C773EF72D40A8B123FDB8FC11C4F354A3B152CF6D247F02E494B0770C28483392C76F3C222E3719CF500FE98F535014192ACDDD2ED9EF971718EA3EC0A73E
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Instala..o</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="HelpHeader">Ajuda da Instala..o</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [diret.rio - instala, repara, desinstala ou.. cria uma c.pia local completa do pacote no diret.rio. Install . o padr.o..../passive | /quiet - exibe a IU m.nima sem nenhum prompt ou n.o exibe nenhuma IU e.. nenhum prompt. Por padr.o, a IU e todos os prompts s.o exibidos...../norestart - suprime qualquer tentativa de reiniciar. Por padr.o, a IU perguntar. antes de reiniciar
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1049\license.rtf
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):31915
                Entropy (8bit):3.6440775919653996
                Encrypted:false
                SSDEEP:384:ntaMxngQEqQUaAEJxkSjjujcme51oVwuZOFsrnkGxunWxGc9wtvVYgCzkSxN1S2:npgnmWWNEvVYgCzxD
                MD5:A59C893E2C2B4063AE821E42519F9812
                SHA1:C00D0B11F6B25246357053F6620E57D990EFC698
                SHA-256:0EC8368E87B3DFC92141885A2930BDD99371526E09FC52B84B764C91C5FC47B8
                SHA-512:B9AD8223DDA2208EC2068DBB85742A03BE0291942E60D4498E3DAB4DDF559AA6DCF9879952F5819223CFC5F4CB71D4E06E4103E129727AACFB8EFE48403A04FA
                Malicious:false
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1049\thm.wxl
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):4150
                Entropy (8bit):5.444436038992627
                Encrypted:false
                SSDEEP:48:c5DiTlDhQt9esbrohDTWJt49kAr7DHN3m5GNDCNvNLIkflhrWncPingGdZwK1Kqp:uDiTlDYVgmt4xJ88k193ipzjvL
                MD5:17C652452E5EE930A7F1E5E312C17324
                SHA1:59F3308B87143D8EA0EA319A1F1A1F5DA5759DD3
                SHA-256:7333BC8E52548821D82B53DBD7D7C4AA1703C85155480CB83CEFD78380C95661
                SHA-512:53FD207B96D6BCF0A442E2D90B92E26CBB3ECC6ED71B753A416730E8067E831E9EB32981A9E9368C4CCA16AFBCB2051483FDCFC474EA8F0D652FCA934634FBE8
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.... <String Id="Caption">......... ......... [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">....... .. .........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [.......] - ........., .............., ........ ..... ........ ...... ......... ..... ...... . ......... .. ......... - ............../passive | /quiet - ........... ....
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1055\license.rtf
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):13379
                Entropy (8bit):5.214715951393874
                Encrypted:false
                SSDEEP:192:1fGkc01jIjZTUDUTvXt2QpfC5VAlCPpDwuOfH7df3YwnnbZIWG2XjQeoO9uBO8CA:Iiqx4Uh2QpMVA8haDdv9nbZzG6oQR2
                MD5:BD2DC15DFEE66076BBA6D15A527089E7
                SHA1:8768518F2318F1B8A3F8908A056213042A377CC4
                SHA-256:62A07232017702A32F4B6E43E9C6F063B67098A1483EEDDB31D7C73EAF80A6AF
                SHA-512:9C9467A2F2D0886FF4302A44AEA89734FCEFBD3CBE04D895BCEACBA1586AB746E62391800E07B6228E054014BE51F14FF63BA71237268F94019063C8C8B7EF74
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT YAZILIMI L\f1\u304?SANS KO\'aaULLARI\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Bu lisans ko\f1\'baullar\u305?, Microsoft Corporation (veya ya\'baad\u305?\u287?\u305?n\u305?z yere g\f0\'f6re bir ba\f1\u287?l\u305? \'bairketi) ile sizin aran\u305?zda yap\u305?lan anla\'bamay\u305? olu\'baturur. Bu ko\'baullar, yukar\u305?da ad\u305? ge\f0\'e7en yaz\f1\u305?l\u305?m i\f0\'e7in ge\'e7erlidir. \f1\'aaartlar, yaz\u305?l\u305?m i\f0\'e7in t\'fcm Microsoft hizmetleri veya g\'fcncelle\f1\'batirmeleri i\f0\'e7in, beraberlerinde farkl\f1\u305? \'baartlar bulunmad\u305?\u287?\u305? s\f0\'fcrece ge\'e7erlidir.\par..\b BU L\f1\u304?SANS \'aaARTLARINA UYDU\u286?UNUZ TAKD\u304?RDE A\'aaA\u286?IDAK\u3
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\1055\thm.wxl
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3221
                Entropy (8bit):5.280530692056262
                Encrypted:false
                SSDEEP:48:c5DiTlOaesHEqhDTHV4zVy6oBzdp0DYK2GP2ZmN3majyNXNoNKQXVvChcPc+WKb0:uDiTl3PHcIflKNTPgdi12xgg
                MD5:DEFBEA001DC4EB66553630AC7CE47CCA
                SHA1:90CED64EC7C861F03484B5D5616FDBCDA8F64788
                SHA-256:E5ABE3CB3BF84207DAC4E6F5BBA1E693341D01AEA076DD2D91EAA21C6A6CB925
                SHA-512:B3B7A22D0CDADA21A977F1DCEAF2D73212A4CDDBD298532B1AC97575F36113D45E8D71C60A6D8F8CC2E9DBF18EE1000167CFBF0B2E7ED6F05462D77E0BCA0E90
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Kurulumu</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.ptal etmek istedi.inizden emin misiniz?</String>.. <String Id="HelpHeader">Kurulum Yard.m.</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [dizin] - y.kler, onar.r, kald.r.r ya da.. dizindeki paketin tam bir yerel kopyas.n. olu.turur. Varsay.lan install de.eridir...../passive | /quiet - en az d.zeyde istemsiz UI g.sterir ya da hi. UI g.stermez ve.. istem yoktur. Varsay.lan olarak UI ve t.m istemler g.r.nt.lenir...../norestart - yeniden ba.lama denemelerini engeller. Varsay.lan olarak UI yeniden ba.l
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\2052\license.rtf
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):17863
                Entropy (8bit):3.9617786349452775
                Encrypted:false
                SSDEEP:192:BxoqPyOj+/8Tk5VigWgijAlk5xWvSCI5lgios0EhGXxGMLVGW+uUoqyLZDvAJxMx:vbIeaE7q3KGgzD2
                MD5:3CF16377C0D1B2E16FFD6E32BF139AC5
                SHA1:D1A8C3730231D51C7BB85A7A15B948794E99BDCE
                SHA-256:E95CA64C326A0EF7EF3CED6CDAB072509096356C15D1761646E3C7FDA744D0E0
                SHA-512:E9862FD0E8EC2B2C2180183D06535A16A527756F6907E6A1D2DB85092636F72C497508E793EE8F2CC8E0D1A5E090C6CCF465F78BC1FA8E68DAF7C68815A0EE16
                Malicious:false
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\2052\thm.wxl
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):2978
                Entropy (8bit):6.135205733555905
                Encrypted:false
                SSDEEP:48:c5DiTlOtKesi+hDtkQf7lz+W0gopN3m5+3cNONeN1ra8vWqPtlTKxKUTKlKXRoR+:uDiTlV5kQR9GLeE0ZxV6gIV
                MD5:3D1E15DEEACE801322E222969A574F17
                SHA1:58074C83775E1A884FED6679ACF9AC78ABB8A169
                SHA-256:2AC8B7C19A5189662DE36A0581C90DBAD96DF259EC00A28F609B644C3F39F9CA
                SHA-512:10797919845C57C5831234E866D730EBD13255E5BF8BA8087D53F1D0FC5D72DC6D5F6945DBEBEE69ACC6A2E20378750C4B78083AE0390632743C184532358E10
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">......</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [..] - .......... ..................Install ........../passive | /quiet - ..... UI ......... UI ... ........ UI ........../norestart - ..................... UI.../log log.txt - ............. %TEMP% ...
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\3082\license.rtf
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):10714
                Entropy (8bit):5.122578090102117
                Encrypted:false
                SSDEEP:192:WthGE/9wd8eQF/hJOmQeNrXT77uOlQ+v3AqHqc3wpXGYdjvsk2cwBb2:mhGuhj+ed388Bb2
                MD5:FBF293EE95AFEF818EAF07BB088A1596
                SHA1:BBA1991BA6459C9F19B235C43A9B781A24324606
                SHA-256:1FEC058E374C20CB213F53EB3C44392DDFB2CAA1E04B7120FFD3FA7A296C83E2
                SHA-512:6971F20964EF74B19077EE81F953342DC6D2895A8640EC84855CECCEA5AEB581E6A628BCD3BA97A5D3ACB6CBE7971FDF84EF670BDDF901857C3CD28855212019
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 T\'c9RMINOS DE LA LICENCIA DE SOFTWARE DE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME\par..\b0 Estos t\'e9rminos de licencia constituyen un contrato entre Microsoft Corporation (o, en funci\'f3n de donde resida, una de sus filiales) y usted. Se aplican al software antes mencionado. Los t\'e9rminos tambi\'e9n se aplican a cualquier servicio o actualizaci\'f3n de Microsoft para el software, excepto en la medida que tengan t\'e9rminos diferentes.\par..\b SI USTED CUMPLE CON LOS PRESENTES T\'c9RMINOS DE ESTA LICENCIA, DISPONDR\'c1 DE LOS DERECHOS QUE SE DESCRIBEN A CONTINUACI\'d3N.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\3082\thm.wxl
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3265
                Entropy (8bit):5.0491645049584655
                Encrypted:false
                SSDEEP:48:c5DiTlO/esS6VGhDv4tiUiyRUqzC4U+aD6N3m7xNh1NWNGbPz+9o3PWeKK9K9KfT:uDiTlxouUTiySqyIwz9sgxqvjIk8
                MD5:47F9F8D342C9C22D0C9636BC7362FA8F
                SHA1:3922D1589E284CE76AB39800E2B064F71123C1C5
                SHA-256:9CBB2B312C100B309A1B1495E84E2228B937612885F7A642FBBD67969B632C3A
                SHA-512:E458DF875E9B0622AEBE3C1449868AA6A2826A1F851DB71165A872B2897CF870CCF85046944FF51FFC13BB15E54E9D9424EC36CAF5A2F38CE8B7D6DC0E9B2363
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar la operaci.n?</String>.. <String Id="HelpHeader">Ayuda de configuraci.n</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - instala, repara, desinstala o.. crea una copia local completa del paquete en el directorio. La opci.n predeterminada es la instalaci.n...../passive | /quiet - muestra una IU m.nima sin solicitudes o no muestra ninguna IU ni.. solicitud. De forma predeterminada, se muestran la IU y todas las solicitudes...../norestart - elimina cualquier intento
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\BootstrapperApplicationData.xml
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
                Category:dropped
                Size (bytes):13122
                Entropy (8bit):3.729412080010859
                Encrypted:false
                SSDEEP:192:X0sg+QnH5zHqQHG0Hd8Hz7HE06HA0rH3FxF6OxLo3MzLa0LTnDBx7z8NkzzkvQwj:X0sBydLbmnoN10A1TpotVos
                MD5:B51EF22109AEEA9AE5190E9EF67D9476
                SHA1:FDF939DA26A1268CDF0510AA40FBCA614947C9FD
                SHA-256:1031C44505A4D8322C3BFF5BA92AE5E2C84D7041A01537D187726C9D4E862E5F
                SHA-512:27AA0612337B7473C75BA73EFAF606EE1DB13F7F633151ED5BFF7A9BB5A5AF5502EF3597AE0E95F714F5F0D19A2452413BD18E91516E696DED76C277D0BCA238
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-16"?>..<BootstrapperApplicationData xmlns="http://schemas.microsoft.com/wix/2010/BootstrapperApplicationData">..  <WixBalCondition Condition="VersionNT &gt;= v6.0 OR (VersionNT = v5.1 AND ServicePackLevel &gt;= 2) OR (VersionNT = v5.2 AND ServicePackLevel &gt;= 1)" Message="[WixBundleName] can only be installed on Windows XP SP2 and newer platforms." />..  <WixBundleProperties DisplayName="Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.25.28508" LogP
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\license.rtf
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):9046
                Entropy (8bit):5.157073875669985
                Encrypted:false
                SSDEEP:192:W8lZ1UVDWkgWZTIsvPhghtQ1Qf4lCfnEtHixEGx736wHqItfSpOy2:9T15WZMgAYlOnjt5HLoL2
                MD5:2EABBB391ACB89942396DF5C1CA2BAD8
                SHA1:182A6F93703549290BCDE92920D37BC1DEC712BB
                SHA-256:E3156D170014CED8D17A02B3C4FF63237615E5C2A8983B100A78CB1F881D6F38
                SHA-512:20D656A123A220CD3CA3CCBF61CC58E924B44F1F0A74E70D6850F39CECD101A69BCE73C5ED14018456E022E85B62958F046AA4BD1398AA27303C2E86407C3899
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT SOFTWARE LICENSE TERMS\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. They apply to the software named above. The terms also apply to any Microsoft services or updates for the software, except to the extent those have different terms.\par..\b IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 INSTALLATION AND USE RIGHTS. \b0\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-363\
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\logo.png
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:PNG image data, 64 x 64, 8-bit colormap, non-interlaced
                Category:dropped
                Size (bytes):1861
                Entropy (8bit):6.868587546770907
                Encrypted:false
                SSDEEP:24:q36cnTKM/3kTIQiBmYKHeQWalGt1Sj9kYIt1uZ+bYOQe0IChR95aW:qqiTKMPuUBm7eQJGtYJM1uZCVszaW
                MD5:D6BD210F227442B3362493D046CEA233
                SHA1:FF286AC8370FC655AEA0EF35E9CF0BFCB6D698DE
                SHA-256:335A256D4779EC5DCF283D007FB56FD8211BBCAF47DCD70FE60DED6A112744EF
                SHA-512:464AAAB9E08DE610AD34B97D4076E92DC04C2CDC6669F60BFC50F0F9CE5D71C31B8943BD84CEE1A04FB9AB5BBED3442BD41D9CB21A0DD170EA97C463E1CE2B5B
                Malicious:false
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\thm.wxl
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):2952
                Entropy (8bit):5.052095286906672
                Encrypted:false
                SSDEEP:48:c5DiTl/+desK19hDUNKwsqq8+JIDxN3mt7NlN1NVvAdMcgLPDHVXK8KTKjKnSnYF:uDiTl/BbTxmup/vrxATd
                MD5:FBFCBC4DACC566A3C426F43CE10907B6
                SHA1:63C45F9A771161740E100FAF710F30EED017D723
                SHA-256:70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
                SHA-512:063FB6685EE8D2FA57863A74D66A83C819FE848BA3072B6E7D1B4FE397A9B24A1037183BB2FDA776033C0936BE83888A6456AAE947E240521E2AB75D984EE35E
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29" />.... <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive | /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. B
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\thm.xml
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):8332
                Entropy (8bit):5.184632608060528
                Encrypted:false
                SSDEEP:96:8L2HdQG+3VzHfz96zYFGaPSWXdhRAmImlqFQKFBiUxn7Ke5A82rkO/pWk3nswP:ZHAzZ/3
                MD5:F62729C6D2540015E072514226C121C7
                SHA1:C1E189D693F41AC2EAFCC363F7890FC0FEA6979C
                SHA-256:F13BAE0EC08C91B4A315BB2D86EE48FADE597E7A5440DCE6F751F98A3A4D6916
                SHA-512:CBBFBFA7E013A2B85B78D71D32FDF65323534816978E7544CA6CEA5286A0F6E8E7E5FFC4C538200211F11B94373D5658732D5D8AA1D01F9CCFDBF20F154F1471
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="64" Height="64" ImageFile="logo.png" Visible="yes"/>.. <Text X="80" Y="11" Width="-11" Heig
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.ba\wixstdba.dll
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):195600
                Entropy (8bit):6.682530937585544
                Encrypted:false
                SSDEEP:3072:OXoiFK6b0k77I+QfaIl191rSJHvlalB+8BHkY6v53EfcUzN0m6I+WxBlnKzeZuqt:OXoQNb++gDrSJdr8BHkPh3wIgnK/IU1a
                MD5:EAB9CAF4277829ABDF6223EC1EFA0EDD
                SHA1:74862ECF349A9BEDD32699F2A7A4E00B4727543D
                SHA-256:A4EFBDB2CE55788FFE92A244CB775EFD475526EF5B61AD78DE2BCDFADDAC7041
                SHA-512:45B15ADE68E0A90EA7300AEB6DCA9BC9E347A63DBA5CE72A635957564D1BDF0B1584A5E34191916498850FC7B3B7ECFBCBFCB246B39DBF59D47F66BC825C6FD2
                Malicious:false
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exe
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):647912
                Entropy (8bit):7.215948724836638
                Encrypted:false
                SSDEEP:12288:snMwHskY7gjcjhVIEhqgM7bWvcsi6aVhPIyP3WRCzJ9ztLz5/YTDd:6MysZgjS1hqgSC/izxf+czJZhz5Qnd
                MD5:2F9D2B6CE54F9095695B53D1AA217C7B
                SHA1:3F54934C240F1955301811D2C399728A3E6D1272
                SHA-256:0009D3F27837C3AF3F6FFF7973FAF07AFAA4B53119846F55B6F2A79F1759C757
                SHA-512:692857F960F26039C7B0AF6329E65A71E8588FF71EAAC6B956BD6E437994A8D5A470C7E75DD776E0772E473967B64D5EA0E1D8396546691316DAF4D6B8CCC237
                Malicious:false
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\cab54A5CABBE7274D8A22EB58060AAB7623
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:Microsoft Cabinet archive data, 1350653 bytes, 50 files
                Category:dropped
                Size (bytes):1367669
                Entropy (8bit):7.997832401624505
                Encrypted:true
                SSDEEP:24576:OawWVgz9615LBBl9NWA5852M/fzoapq0m9Oz03FOae6p4Cjd81kD0+0CCxco2iJs:OawWV+96vVBNWOMU0qhOz035e6ppNCst
                MD5:29C34C40D349C145E297B6977908E687
                SHA1:025B5CF7D6515CC6151628063752C159F41D99C7
                SHA-256:61AACFF6365DA15F2C9D0FF1C8FB2EC207D145CD9104AFA0CE663BF1542DB245
                SHA-512:BBD9F65C2619DE25F99A8BA21346D7EA46DB9EBA79FEB6039E0E86999D1EA2C9A4564FA727DDA442A69C169DBDC8A4913DF925C42B3AD7F4030A655AC01C0691
                Malicious:false
                Preview: MSCF............D...........2...................xB..........~...o....O........(P.. .api_ms_win_core_console_l1_1_0.dll..M...O....(P.. .api_ms_win_core_datetime_l1_1_0.dll..N........(P.. .api_ms_win_core_debug_l1_1_0.dll. M........(P.. .api_ms_win_core_errorhandling_l1_1_0.dll. [...9....(P.. .api_ms_win_core_file_l1_1_0.dll. M..0.....(P.. .api_ms_win_core_file_l1_2_0.dll. M..P.....(P.. .api_ms_win_core_file_l2_1_0.dll. M..p.....(P.. .api_ms_win_core_handle_l1_1_0.dll..O...{....(P.. .api_ms_win_core_heap_l1_1_0.dll..O........(P.. .api_ms_win_core_interlocked_l1_1_0.dll..O..p.....(P.. .api_ms_win_core_libraryloader_l1_1_0.dll..W..`k....(P.. .api_ms_win_core_localization_l1_2_0.dll..O..P.....(P.. .api_ms_win_core_memory_l1_1_0.dll. M..@.....(P.. .api_ms_win_core_namedpipe_l1_1_0.dll..Q..``....(P.. .api_ms_win_core_processenvironment_l1_1_0.dll..U..P.....(P.. .api_ms_win_core_processthreads_l1_1_0.dll..O..@.....(P.. .api_ms_win_core_processthreads_l1_1_1.dll..K..0X....(P.. .api_ms_win_core_
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\cabB3E1576D1FEFBB979E13B1A5379E0B16
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:Microsoft Cabinet archive data, 5194062 bytes, 14 files
                Category:dropped
                Size (bytes):5211054
                Entropy (8bit):7.998080908238165
                Encrypted:true
                SSDEEP:98304:dEpMtGvCYmfjBvRxMh7vhetajX6x0XSvrTBEbwwF0XVsvufq:dElCPLBvE8xuEebw6vuy
                MD5:4FEADE30692872EAB413C1123A5F3DE4
                SHA1:B08C319BD7E01176F02D0DC3B4AA8B7C5B9A82C6
                SHA-256:2805E5CC8E477AC1D6847B3CF083A85EC463F646037B59C93CB9E3096A78B81A
                SHA-512:145956C65E193AD5309CA3C0F0BC94DFB20C6BCF73494BDE2ABC48F6495061EE727C9FAA1B97739FE3028873A540A5F17FDFFEB08D8C3A35C2CD7B3DDB088E54
                Malicious:false
                Preview: MSCF....NAO.....D...........................NAO.`B..............F... .H.......(P.. .mfc140.dll.... .H...(P.. .mfc140chs.dll. .....I...(P.. .mfc140cht.dll..)..(nJ...(P.. .mfc140deu.dll. .....K...(P.. .mfc140enu.dll. %..8.L...(P.. .mfc140esn.dll..)..X.M...(P.. .mfc140fra.dll..!..H.N...(P.. .mfc140ita.dll.....8.P...(P.. .mfc140jpn.dll.....(.P...(P.. .mfc140kor.dll.......Q...(P.. .mfc140rus.dll. .M...R...(P.. .mfc140u.dll. C..(e....(P.. .mfcm140.dll. C..H.....(P.. .mfcm140u.dll..J.%.4..CK..w....0...Q6Q..}.......[.nl....;. ...L.....H%.K.w}.<.u..y.y.....g........M6....E..}.m.=...?....?.$Q4...O..;..<8....^{........].Ov....<$.u.d..${...........i..z......s,p.....?...8..F......].~=c.{.].~=m.C.?~..A..6....O....~.h...\..v...s.l..z..'..q..=|..l...........h.I&...j.N..Y..;.I..-*'D.....;/.Eq.....(...../SG..u..t..eO|o.p..F.../......{t....E..g/..$.s./..v.........l.Vt.y...L....xW.e&._.i.d..Q4.c......?.=.8$...9..]..N....X>a.]..%...._g.Ng...w.5..........V........v71.~2.
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\vcRuntimeAdditional_x86
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {AD7DFCA8-EC53-476F-8C40-02D89ABDEA49}, Create Time/Date: Wed Jan 8 09:31:14 2020, Last Saved Time/Date: Wed Jan 8 09:31:14 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
                Category:dropped
                Size (bytes):184320
                Entropy (8bit):6.3376915344280516
                Encrypted:false
                SSDEEP:3072:JviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdN:JvipBaTDo1j//SZhN
                MD5:4B97853A7D10743D67665CCDD67E8566
                SHA1:AF5F7059C9A05A388B4773917E17A078FA58F5E9
                SHA-256:63802C8D96CF21A8EADB1EC5B0B52A9A040581AB2797FE5132E1B3A469108713
                SHA-512:ED88564A372FBA36FB7F2D98476C82D1D66B17B25AB9B6C34489D33BB7F1D64ABBD2E746E75470E05DECA09252D9B855AB0F37F6F82210AF3F006C9A683C7370
                Malicious:false
                C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\vcRuntimeMinimum_x86
                Process:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2019 X86 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508., Template: Intel;1033, Revision Number: {DC639984-8B88-4DB7-A65E-0E5CCB21EAB1}, Create Time/Date: Wed Jan 8 09:28:18 2020, Last Saved Time/Date: Wed Jan 8 09:28:18 2020, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.4.4718), Security: 2
                Category:dropped
                Size (bytes):192512
                Entropy (8bit):6.237627585353464
                Encrypted:false
                SSDEEP:3072:VGviOApBgbxkK3zoGCK4Kr1kNM+BxWy2bDZRJdNt:8vipBaTDo1j//SZhN
                MD5:6AA3A12A374E36C6A7BD75B7627A5A7C
                SHA1:56DD5F67FE9FB9C9B70470F535FC2DD6C2DECF38
                SHA-256:AA5B428789D83FBCD60442EE253B364C5FC833C698C1DC1EB73F5559A63FB976
                SHA-512:B3A4497E3629A4ED8DB8C7D83C5D8CF2270D7DCE320CA4D5009EDB0F6CBC3F3759A2F753ED0C673EFAF521AA175E2E6D53FC609F351B8A0AA00D74BC4F179720
                Malicious:false
                C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                Process:C:\ztg\fillProxy\bin\vcredist_x86.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):647912
                Entropy (8bit):7.215948724836638
                Encrypted:false
                SSDEEP:12288:snMwHskY7gjcjhVIEhqgM7bWvcsi6aVhPIyP3WRCzJ9ztLz5/YTDd:6MysZgjS1hqgSC/izxf+czJZhz5Qnd
                MD5:2F9D2B6CE54F9095695B53D1AA217C7B
                SHA1:3F54934C240F1955301811D2C399728A3E6D1272
                SHA-256:0009D3F27837C3AF3F6FFF7973FAF07AFAA4B53119846F55B6F2A79F1759C757
                SHA-512:692857F960F26039C7B0AF6329E65A71E8588FF71EAAC6B956BD6E437994A8D5A470C7E75DD776E0772E473967B64D5EA0E1D8396546691316DAF4D6B8CCC237
                Malicious:false
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1028\license.rtf
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):18127
                Entropy (8bit):4.036737741619669
                Encrypted:false
                SSDEEP:192:xaz+aCQbjdBCLCgfvtfLEmmVxJzLKLIW7cBFCoSM0fvJ93eyryH1MqG1xcRY/c5f:seh/IMHexG4q2
                MD5:B7F65A3A169484D21FA075CCA79083ED
                SHA1:5DBFA18928529A798FF84C14FD333CB08B3377C0
                SHA-256:32585B93E69272B6D42DAC718E04D954769FE31AC9217C6431510E9EEAD78C49
                SHA-512:EDA2F946C2E35464E4272B1C3E4A8DC5F17093C05DAB9A685DBEFD5A870B9D872D8A1645ED6F5B9A72BBB2A59D22DFA58FBF420F6440278CCBE07B6D0555C283
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset134 SimSun;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT \f1\'dc\'9b\'f3\'77\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\f0\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f1\'b1\'be\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\'ca\'c7\'d9\'46\'d3\'c3\'91\'f4\'c5\'63\f0 Microsoft Corporation (\f1\'bb\'f2\'c6\'e4\'ea\'50\'82\'53\'c6\'f3\'98\'49\'a3\'ac\'d2\'95\'d9\'46\'d3\'c3\'91\'f4\'cb\'f9\'be\'d3\'d7\'a1\'b5\'c4\'b5\'d8\'fc\'63\'b6\'f8\'b6\'a8\f0 ) \f1\'d6\'ae\'e9\'67\'b3\'c9\'c1\'a2\'b5\'c4\'ba\'cf\'bc\'73\'a1\'a3\'cb\'fb\'82\'83\'df\'6d\'d3\'c3\'ec\'b6\'c9\'cf\'ca\'f6\'dc\'9b\'f3\'77\'a3\'ac\'b1\'be\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\'d2\'e0\'df\'6d\'d3\'c3\'ec\'b6\'c8\'ce\'ba\'ce\f0 Microsoft \f1\'b7\'fe\'84\'d5\'bb\'f2\'b1\'be\'dc\'9b\'f3\'77\'d6\'ae\'b8\'fc\'d0\'c2\'a3
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1028\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):2980
                Entropy (8bit):6.163758160900388
                Encrypted:false
                SSDEEP:48:c5DiTlOtMes9T/JhDXsA9EHSniarRFeOrw8N3mZNNTN2N08CEjMUWFPmDlTKJKy2:uDiTlFrDDsA9tfHP8+8nhM0WamzqDFqD
                MD5:472ABBEDCBAD24DBA5B5F5E8D02C340F
                SHA1:974F62B5C2E149C3879DD16E5A9DBB9406C3DB85
                SHA-256:8E2E660DFB66CB453E17F1B6991799678B1C8B350A55F9EBE2BA0028018A15AD
                SHA-512:676E29378AAED25DE6008D213EFA10D1F5AAD107833E218D71F697E728B7B5B57DE42E7A910F121948D7B1B47AB4F7AE63F71196C747E8AE2B4827F754FC2699
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ................. ......................../passive | /quiet - .... UI ........... UI.... ........... UI ........../norestart - ................UI ............./log log.txt - .........
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1029\license.rtf
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):13053
                Entropy (8bit):5.125552901367032
                Encrypted:false
                SSDEEP:192:TKwfs7OUpXLa5HEXQwNCNvZSjotXxiwH++3kamdEj6ZDbugDHgbGNlv6NbrYGY9x:Lfs7c5DRH0aHmJGpafU0AliwGra2
                MD5:B408556A89FCE3B47CD61302ECA64AC9
                SHA1:AAC1CDAF085162EFF5EAABF562452C93B73370CB
                SHA-256:21DDCBB0B0860E15FF9294CBB3C4E25B1FE48619210B8A1FDEC90BDCDC8C04BC
                SHA-512:BDE33918E68388C60750C964CDC213EC069CE1F6430C2AA7CF1626E6785C7C865094E59420D00026918E04B9B8D19FA22AC440F851ADC360759977676F8891E7
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 LICEN\f1\'c8N\f0\'cd PODM\'cdNKY PRO SOFTWARE SPOLE\f1\'c8NOSTI MICROSOFT\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Tyto licen\f1\'e8n\f0\'ed podm\'ednky p\f1\'f8edstavuj\f0\'ed smlouvu mezi spole\f1\'e8nost\f0\'ed Microsoft Corporation (nebo n\f1\'eckterou z\~jej\f0\'edch afilac\'ed v\~z\'e1vislosti na tom, kde bydl\'edte) a\~v\'e1mi. Vztahuj\'ed se na v\'fd\f1\'9ae uveden\f0\'fd software. Podm\'ednky se rovn\f1\'ec\'9e vztahuj\f0\'ed na jak\'e9koli slu\f1\'9eby Microsoft nebo aktualizace pro software, pokud se na slu\'9eby nebo aktualizace nevztahuj\f0\'ed odli\f1\'9an\f0\'e9 podm\'ednky.\par..\b DODR\f1\'8e\f0\'cdTE-LI TYTO
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1029\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3333
                Entropy (8bit):5.370651462060085
                Encrypted:false
                SSDEEP:48:c5DiTlOtesM6H2hDdxHOjZxsaIIy3Iy5sDMN3mkNFN7NwcfiPc3hKPnWZLF0hKqZ:uDiTlVxxHOy/9xXfpZJYnL8xK2S
                MD5:16343005D29EC431891B02F048C7F581
                SHA1:85A14C40C482D9351271F6119D272D19407C3CE9
                SHA-256:07FB3EC174F25DFBE532D9D739234D9DFDA8E9D34F01FE660C5B4D56989FA779
                SHA-512:FF1AE9C21DCFB018DD4EC82A6D43362CB8C591E21F45DD1C25955D83D328B57C8D454BBE33FBC73A70DADF1DFB3AE27502C9B3A8A3FF2DA97085CA0D9A68AB03
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instala.n. program [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Opravdu chcete akci zru.it?</String>.. <String Id="HelpHeader">N.pov.da nastaven.</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [adres..] . Nainstaluje, oprav., odinstaluje nebo.. vytvo.. .plnou m.stn. kopii svazku v adres..i. V.choz. mo.nost. je instalace...../passive | /quiet . Zobraz. minim.ln. u.ivatelsk. rozhran. bez v.zev nebo nezobraz. ..dn. u.ivatelsk. rozhran. a.. ..dn. v.zvy. V.choz. mo.nost. je zobrazen. u.ivatelsk.ho rozhran. a v.ech v.zev...../noresta
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1031\license.rtf
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):11936
                Entropy (8bit):5.194264396634094
                Encrypted:false
                SSDEEP:192:+XkOmRUOl6WBsl4kA+sn+mvtI0qHl4qj+iPqk6kVV9iX9GzYNvQ8yOejIpRMrhC2:DDHMFPCeV3i4zOHyOejIpkC2
                MD5:C2CFA4CE43DFF1FCD200EDD2B1212F0A
                SHA1:E8286E843192802E5EBF1BE67AE30BCAD75AC4BB
                SHA-256:F861DB23B972FAAA54520558810387D742878947057CF853DC74E5F6432E6A1B
                SHA-512:6FDF02A2DC9EF10DD52404F19C300429E7EA40469F00A43CA627F3B7F3868D1724450F99C65B70B9B7B1F2E1FA9D62B8BE1833A8C5AA3CD31C940459F359F30B
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT-SOFTWARE-LIZENZBESTIMMUNGEN\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Diese Lizenzbestimmungen sind ein Vertrag zwischen Ihnen und der Microsoft Corporation (bzw. abh\'e4ngig von Ihrem Wohnsitz einem mit Microsoft verbundenen Unternehmen). Sie gelten f\'fcr die oben angef\'fchrte Software. Die Bestimmungen gelten ebenso f\'fcr jegliche von Microsoft angebotenen Dienste oder Updates f\'fcr die Software, sofern diesen keine anderen Bestimmungen beiliegen.\par..\b SOFERN SIE DIESE LIZENZBESTIMMUNGEN EINHALTEN, SIND SIE ZU FOLGENDEM BERECHTIGT:\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 RECHTE ZUR INSTALLATION UND NUTZUNG. \
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1031\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3379
                Entropy (8bit):5.094097800535488
                Encrypted:false
                SSDEEP:48:c5DiTlOZuesXJhDEVTORNxSMoZN3mteNSiNGNsZuiAXEqicMwhPXbhu9KwKlK8Kq:uDiTl3N7xSbu0N8+AhSNnm
                MD5:561F3F32DB2453647D1992D4D932E872
                SHA1:109548642FB7C5CC0159BEDDBCF7752B12B264C0
                SHA-256:8E0DCA6E085744BFCBFF46F7DCBCFA6FBD722DFA52013EE8CEEAF682D7509581
                SHA-512:CEF8C80BEF8F88208E0751305DF519C3D2F1C84351A71098DC73392EC06CB61A4ACA35182A0822CF6934E8EE42196E2BCFE810CC859965A9F6F393858A1242DF
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] - Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">M.chten Sie den Vorgang wirklich abbrechen?</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [Verzeichnis] - installiert, repariert, deinstalliert oder.. erstellt eine vollst.ndige lokale Kopie des Bundles im Verzeichnis. Installieren ist die Standardeinstellung...../passive | /quiet - zeigt eine minimale Benutzeroberfl.che ohne Eingabeaufforderungen oder keine.. Benutzeroberfl.che und keine Eingabeaufforderungen an. Standardm..ig werden die Benutzeroberfl.che und alle Eingab
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1036\license.rtf
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):11593
                Entropy (8bit):5.106817099949188
                Encrypted:false
                SSDEEP:192:aRAbNYjVk+z5GUSLse5GgALEXmAWL+/3FEShP9sJgi8+Ra8woh+89EQdhwQPely6:K4yrPqm9LcVEg9sVp2ohHVdKoXJXci9a
                MD5:F0FF747B85B1088A317399B0E11D2101
                SHA1:F13902A39CEAE703A4713AC883D55CFEE5F1876C
                SHA-256:4D9B7F06BE847E9E135AB3373F381ED7A841E51631E3C2D16E5C40B535DA3BCF
                SHA-512:AA850F05571FFC361A764A14CA9C1A465E2646A8307DEEE0589852E6ACC61AF145AEF26B502835724D7245900F9F0D441451DD8C055404788CE64415F5B79506
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMES DU CONTRAT DE LICENCE LOGICIEL MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Les pr\'e9sents termes du contrat de licence constituent un contrat entre Microsoft Corporation (ou, en fonction de votre lieu de r\'e9sidence, l\rquote un de ses affili\'e9s) et vous. Ils s\rquote appliquent au logiciel vis\'e9 ci-dessus. Les termes s\rquote appliquent \'e9galement \'e0 tout service et \'e0 toute mise \'e0 jour Microsoft pour ce logiciel, \'e0 moins que d\rquote autres termes n\rquote accompagnent ces \'e9l\'e9ments.\par..\b SI VOUS VOUS CONFORMEZ AUX PR\'c9SENTS TERMES DU CONTRAT DE LICENCE, VOUS AVEZ LES DROITS CI-DESSOUS.\par....\pard{\pntext\f1\'B7\tab}{\*\pn\pnlvlblt\pnf1\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\s
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1036\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3366
                Entropy (8bit):5.0912204406356905
                Encrypted:false
                SSDEEP:48:c5DiTlO1BesgKLhD1K8cocDSN3m4NlN2ZfNmXL8ePZFcZkLPqUf9fQKRLKeKqZfj:uDiTlABzH1/qt4qgcXY
                MD5:7B46AE8698459830A0F9116BC27DE7DF
                SHA1:D9BB14D483B88996A591392AE03E245CAE19C6C3
                SHA-256:704DDF2E60C1F292BE95C7C79EE48FE8BA8534CEB7CCF9A9EA68B1AD788AE9D4
                SHA-512:FC536DFADBCD81B42F611AC996059A6264E36ECF72A4AEE7D1E37B87AEFED290CC5251C09B68ED0C8719F655B163AD0782ACD8CE6332ED4AB4046C12D8E6DBF6
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installation de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Voulez-vous vraiment annuler.?</String>.. <String Id="HelpHeader">Aide du programme d'installation</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installe, r.pare, d.sinstalle ou.. cr.e une copie locale compl.te du groupe dans le r.pertoire. Install est l'option par d.faut...../passive | /quiet - affiche une interface minimale, sans invite, ou n'affiche ni interface.. ni invite. Par d.faut, l'interface et toutes les invites sont affich.es...../norestart - supprime toutes les tentatives de red.
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1040\license.rtf
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):11281
                Entropy (8bit):5.046489958240229
                Encrypted:false
                SSDEEP:192:WBGNX6UXR2+5SmgS/ChMErYkQvowHVw6zdgkycEGCDLQ+n3YJ2d8XSiej+T4Ma8f:gAzSVARBR5jEPLQY3YJpSjTP2
                MD5:9D98044BAC59684489C4CF66C3B34C85
                SHA1:36AAE7F10A19D336C725CAFC8583B26D1F5E2325
                SHA-256:A3F745C01DEA84CE746BA630814E68C7C592B965B048DDC4B1BBE1D6E533BE22
                SHA-512:D849BBB6C87C182CC98C4E2314C0829BB48BAD483D0CD97BF409E75457C3695049C3A8ADFE865E1ECBC989A910096D2C1CDF333705AAC4D22025DF91B355278E
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 CONTRATTO DI LICENZA PER IL SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Le presenti condizioni di licenza costituiscono il contratto tra Microsoft Corporation (o, in base al luogo di residenza del licenziatario, una delle sue consociate) e il licenziatario, Tali condizioni si applicano al software Microsoft di cui sopra. Le condizioni si applicano inoltre a qualsiasi servizio o aggiornamento di Microsoft relativo al software, a meno che questo non sia accompagnato da condizioni differenti.\par..\b QUALORA IL LICENZIATARIO SI ATTENGA ALLE PRESENTI CONDIZIONI DI LICENZA, DISPORR\'c0 DEI DIRITTI INDICATI DI SEGUITO.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\p
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1040\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3319
                Entropy (8bit):5.019774955491369
                Encrypted:false
                SSDEEP:48:c5DiTlO1eesy+hD9BOtBFv5Vo8BbQhMNDJN3msNlNohNNz+wcPclM+PAoYKp+K/u:uDiTlfQvo8WutJ/s9FHNOJp
                MD5:D90BC60FA15299925986A52861B8E5D5
                SHA1:FADFCA9AB91B1AB4BD7F76132F712357BD6DB760
                SHA-256:0C57F40CC2091554307AA8A7C35DD38E4596E9513E9EFAE00AC30498EF4E9BC2
                SHA-512:11764D0E9F286B5AA7B1A9601170833E462A93A1E569A032FCBA9879174305582BD42794D4131B83FBCFBF1CF868A8D5382B11A4BD21F0F7D9B2E87E3C708C3F
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installazione di [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Annullare?</String>.. <String Id="HelpHeader">Guida alla configurazione</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installa, ripara, disinstalla o.. crea una copia locale completa del bundle nella directory. L'opzione predefinita . Install...../passive | /quiet - visualizza un'interfaccia utente minima senza prompt oppure non visualizza alcuna interfaccia utente.. n. prompt. Per impostazione predefinita viene visualizzata l'intera interfaccia utente e tutti i prompt...../norestart - annulla quals
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1041\license.rtf
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):28232
                Entropy (8bit):3.7669201853275722
                Encrypted:false
                SSDEEP:192:Qkb65jNkzrUJVbpEiTskXHH1AZWoJxfnVnkDYUqfQFXBue6hX2JSfR7q05kWZxhY:epCD3y/ybox2yrk2
                MD5:8C49936EC4CF0F64CA2398191C462698
                SHA1:CC069FE8F8BC3B6EE2085A4EACF40DB26C842BAC
                SHA-256:7355367B7C48F1BBACC66DFFE1D4BF016C16156D020D4156F288C2B2207ED1C2
                SHA-512:4381147FF6707C3D31C5AE591F68BC61897811112CB507831EFF5E71DD281009400EDA3300E7D3EFDE3545B89BCB71F2036F776C6FDFC73B6B2B2B8FBC084499
                Malicious:false
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1041\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3959
                Entropy (8bit):5.955167044943003
                Encrypted:false
                SSDEEP:96:uDiTlDuB1n+RNmvFo6bnpojeTPk0R/vueX5OA17IHdGWz:5uB1+gD1DU4EdGE
                MD5:DC81ED54FD28FC6DB6F139C8DA1BDED6
                SHA1:9C719C32844F78AAE523ADB8EE42A54D019C2B05
                SHA-256:6B9BBF90D75CFA7D943F036C01602945FE2FA786C6173E22ACB7AFE18375C7EA
                SHA-512:FD759C42C7740EE9B42EA910D66B0FA3F813600FD29D074BB592E5E12F5EC09DB6B529680E54F7943821CEFE84CE155A151B89A355D99C25A920BF8F254AA008
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.. <Control Control="UninstallButton" X="270" Y="237" Width="120" Height="23"/>.. <Control Control="RepairButton" X="187" Y="237" Width="80" Height="23"/>.. .. <String Id="Caption">[WixBundleName] .......</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ............ ......... .........................
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1042\license.rtf
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):27936
                Entropy (8bit):3.871317037004171
                Encrypted:false
                SSDEEP:384:kKIgbA2uBsarNG/HxPvCL1ewjxsXmEw4C7C7R4jAeqCBO968y7yNRylBSFfQv9yH:d3ar8Xa/XAeqoc0wfBB4qN
                MD5:184D94082717E684EAF081CEC3CBA4B1
                SHA1:960B9DA48F4CDDF29E78BBAE995B52204B26D51B
                SHA-256:A4C25DA9E3FBCED47464152C10538F16EE06D8E06BC62E1CF4808D293AA1AFA2
                SHA-512:E4016C0CA348299B5EF761F456E3B5AD9B99E5E100C07ACAB1369DFEC214E75AA88E9AD2A0952C0CC1B707E2732779E6E3810B3DA6C839F0181DC81E3560CBDA
                Malicious:false
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1042\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3249
                Entropy (8bit):5.985100495461761
                Encrypted:false
                SSDEEP:48:c5DiTlO4TesKOwhDNJCkt1NhEN3m/NFNkbKNdExpVgUnqx6IPaRc0KoUK9TKz0KR:uDiTlUJJCsgqf6YVoz4uU5vI54U5TY
                MD5:B3399648C2F30930487F20B50378CEC1
                SHA1:CA7BDAB3BFEF89F6FA3C4AAF39A165D14069FC3D
                SHA-256:AD7608B87A7135F408ABF54A897A0F0920080F76013314B00D301D6264AE90B2
                SHA-512:C5B0ECF11F6DADF2E68BC3AA29CC8B24C0158DAE61FE488042D1105341773166C9EBABE43B2AF691AD4D4B458BF4A4BF9689C5722C536439CA3CDC84C0825965
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] .. ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">.. ...</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ..... ... .. .. .... .., .., .. .... ...... ... .........../passive | /quiet - .... .. .. UI. ..... UI ... ..... .... ..... ..... UI. .. ..... ........../norestart - .. .... .. .... ...
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1045\license.rtf
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):13265
                Entropy (8bit):5.358483628484379
                Encrypted:false
                SSDEEP:192:TKpWRd0NE41Y/od7V/sHFos7YLQY9DbLM5D+Vw1VAOb0P4/sHLS7VHwHMPw95a+Q:uy0CG9KZ7qQCw1VAOZ/sHOJfcY2wf6p2
                MD5:5B9DF97FC98938BF2936437430E31ECA
                SHA1:AB1DA8FECDF85CF487709774033F5B4B79DFF8DE
                SHA-256:8CB5EB330AA07ACCD6D1C8961F715F66A4F3D69FB291765F8D9F1850105AF617
                SHA-512:4EF61A484DF85C487BE326AB4F95870813B9D0644DF788CE22D3BEB6E062CDF80732CB0B77FCDA5D4C951A0D67AECF8F5DCD94EA6FA028CFCA11D85AA97714E3
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 POSTANOWIENIA LICENCYJNE DOTYCZ\f1\'a5CE OPROGRAMOWANIA\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Niniejsze postanowienia licencyjne stanowi\f1\'b9 umow\'ea mi\'eadzy Microsoft Corporation (lub, w\~zale\'bfno\'9cci od miejsca zamieszkania Licencjobiorcy, jednym z\~podmiot\f0\'f3w stowarzyszonych Microsoft Corporation) a\~Licencjobiorc\f1\'b9. Maj\'b9 one zastosowanie do wskazanego powy\'bfej oprogramowania. Niniejsze postanowienia maj\'b9 r\f0\'f3wnie\f1\'bf zastosowanie do wszelkich us\'b3ug i aktualizacji Microsoft dla niniejszego oprogramowania, z wyj\'b9tkiem tych, kt\f0\'f3rym towarzysz\f1\'b9 inne postanowienia.\par..\b\
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1045\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3212
                Entropy (8bit):5.268378763359481
                Encrypted:false
                SSDEEP:48:c5DiTlOPesar4hDo7zGriQjDCN3mDNN0NrsNGl3vxkIP2hUdKLK0KbK4n6W0sfNM:uDiTlusPGriQw8n2rOij4JsU
                MD5:15172EAF5C2C2E2B008DE04A250A62A1
                SHA1:ED60F870C473EE87DF39D1584880D964796E6888
                SHA-256:440B309FCDF61FFC03B269FE3815C60CB52C6AE3FC6ACAD14EAC04D057B6D6EA
                SHA-512:48AA89CF4A0B64FF4DCB82E372A01DFF423C12111D35A4D27B6D8DD793FFDE130E0037AB5E4477818A0939F61F7DB25295E4271B8B03F209D8F498169B1F9BAE
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalator [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Czy na pewno chcesz anulowa.?</String>.. <String Id="HelpHeader">Instalator . Pomoc</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [katalog] - Instaluje, naprawia, odinstalowuje.. lub tworzy pe.n. lokaln. kopi. pakietu w katalogu. Domy.lnie jest u.ywany prze..cznik install...../passive | /quiet - Wy.wietla ograniczony interfejs u.ytkownika bez monit.w albo nie wy.wietla ani interfejsu u.ytkownika,.. ani monit.w. Domy.lnie jest wy.wietlany interfejs u.ytkownika oraz wszystkie monity...../norestart - Pom
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1046\license.rtf
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):10656
                Entropy (8bit):5.092962528947159
                Encrypted:false
                SSDEEP:192:WIPAufWXXF0+YkR6E0/CiTS0CsGlHIMqf29H7KxLY/aYzApT3anawLXCBX2:VPAufb+YSSCYrCb5BmW4UDaTqzLwX2
                MD5:360FC4A7FFCDB915A7CF440221AFAD36
                SHA1:009F36BBDAD5B9972E8069E53855FC656EA05800
                SHA-256:9BF79B54F4D62BE501FF53EEDEB18683052A4AE38FF411750A764B3A59077F52
                SHA-512:9550A99641F194BB504A76DE011D07C1183EE1D83371EE49782FC3D05BF779415630450174DD0C03CB182A5575F6515012337B899E2D084203717D9F110A6FFE
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMOS DE LICEN\'c7A PARA SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Estes termos de licen\'e7a formam um contrato firmado entre a Microsoft Corporation (ou com base no seu pa\'eds de resid\'eancia, uma de suas afiliadas) e voc\'ea. Eles se aplicam ao software indicado acima. Os termos tamb\'e9m se aplicam a quaisquer servi\'e7os ou atualiza\'e7\'f5es da Microsoft para o software, exceto at\'e9 a extens\'e3o de que eles tenham termos diferentes.\par..\b SE VOC\'ca CONCORDAR COM ESTES TERMOS DE LICEN\'c7A, TER\'c1 OS DIREITOS INDICADOS ABAIXO.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\t
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1046\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3095
                Entropy (8bit):5.150868216959352
                Encrypted:false
                SSDEEP:48:c5DiTlO5es/4ThDzmU6lDj4N3mBl0N+NWNP4hHCc9skPDXeKKeK9KfKt4eJ2RQdg:uDiTlJhJGl2UsZMLe6
                MD5:BE27B98E086D2B8068B16DBF43E18D50
                SHA1:6FAF34A36C8D9DE55650D0466563852552927603
                SHA-256:F52B54A0E0D0E8F12CBA9823D88E9FD6822B669074DD1DC69DAD6553F7CB8913
                SHA-512:3B7C773EF72D40A8B123FDB8FC11C4F354A3B152CF6D247F02E494B0770C28483392C76F3C222E3719CF500FE98F535014192ACDDD2ED9EF971718EA3EC0A73E
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Instala..o</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="HelpHeader">Ajuda da Instala..o</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [diret.rio - instala, repara, desinstala ou.. cria uma c.pia local completa do pacote no diret.rio. Install . o padr.o..../passive | /quiet - exibe a IU m.nima sem nenhum prompt ou n.o exibe nenhuma IU e.. nenhum prompt. Por padr.o, a IU e todos os prompts s.o exibidos...../norestart - suprime qualquer tentativa de reiniciar. Por padr.o, a IU perguntar. antes de reiniciar
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1049\license.rtf
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):31915
                Entropy (8bit):3.6440775919653996
                Encrypted:false
                SSDEEP:384:ntaMxngQEqQUaAEJxkSjjujcme51oVwuZOFsrnkGxunWxGc9wtvVYgCzkSxN1S2:npgnmWWNEvVYgCzxD
                MD5:A59C893E2C2B4063AE821E42519F9812
                SHA1:C00D0B11F6B25246357053F6620E57D990EFC698
                SHA-256:0EC8368E87B3DFC92141885A2930BDD99371526E09FC52B84B764C91C5FC47B8
                SHA-512:B9AD8223DDA2208EC2068DBB85742A03BE0291942E60D4498E3DAB4DDF559AA6DCF9879952F5819223CFC5F4CB71D4E06E4103E129727AACFB8EFE48403A04FA
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset204 Tahoma;}{\f1\fnil\fcharset0 Tahoma;}{\f2\fnil\fcharset204 Garamond;}{\f3\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang1049\'d3\'d1\'cb\'ce\'c2\'c8\'df \'cb\'c8\'d6\'c5\'cd\'c7\'c8\'c8 \'cd\'c0 \'cf\'d0\'ce\'c3\'d0\'c0\'cc\'cc\'cd\'ce\'c5 \'ce\'c1\'c5\'d1\'cf\'c5\'d7\'c5\'cd\'c8\'c5 MICROSOFT\par..\f1\lang9 MICROSOFT VISUAL C++ 2019 RUNTIME\par..\b0\f0\lang1049\'cd\'e0\'f1\'f2\'ee\'ff\'f9\'e8\'e5 \'f3\'f1\'eb\'ee\'e2\'e8\'ff \'eb\'e8\'f6\'e5\'ed\'e7\'e8\'e8 \'ff\'e2\'eb\'ff\'fe\'f2\'f1\'ff \'f1\'ee\'e3\'eb\'e0\'f8\'e5\'ed\'e8\'e5\'ec \'ec\'e5\'e6\'e4\'f3 \'ea\'ee\'f0\'ef\'ee\'f0\'e0\'f6\'e8\'e5\'e9 Microsoft (\'e8\'eb\'e8, \'e2 \'e7\'e0\'e2\'e8\'f1\'e8\'ec\'ee\'f1\'f2\'e8 \'ee\'f2 \'ec\'e5\'f1\'f2\'e0 \'e2\'e0\'f8\'e5\'e3\'ee \'ef\'f0\'ee\'e6\'e8\'e2\'e0\'ed\'e8\'ff, \'ee\
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1049\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):4150
                Entropy (8bit):5.444436038992627
                Encrypted:false
                SSDEEP:48:c5DiTlDhQt9esbrohDTWJt49kAr7DHN3m5GNDCNvNLIkflhrWncPingGdZwK1Kqp:uDiTlDYVgmt4xJ88k193ipzjvL
                MD5:17C652452E5EE930A7F1E5E312C17324
                SHA1:59F3308B87143D8EA0EA319A1F1A1F5DA5759DD3
                SHA-256:7333BC8E52548821D82B53DBD7D7C4AA1703C85155480CB83CEFD78380C95661
                SHA-512:53FD207B96D6BCF0A442E2D90B92E26CBB3ECC6ED71B753A416730E8067E831E9EB32981A9E9368C4CCA16AFBCB2051483FDCFC474EA8F0D652FCA934634FBE8
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.... <String Id="Caption">......... ......... [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">....... .. .........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [.......] - ........., .............., ........ ..... ........ ...... ......... ..... ...... . ......... .. ......... - ............../passive | /quiet - ........... ....
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1055\license.rtf
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):13379
                Entropy (8bit):5.214715951393874
                Encrypted:false
                SSDEEP:192:1fGkc01jIjZTUDUTvXt2QpfC5VAlCPpDwuOfH7df3YwnnbZIWG2XjQeoO9uBO8CA:Iiqx4Uh2QpMVA8haDdv9nbZzG6oQR2
                MD5:BD2DC15DFEE66076BBA6D15A527089E7
                SHA1:8768518F2318F1B8A3F8908A056213042A377CC4
                SHA-256:62A07232017702A32F4B6E43E9C6F063B67098A1483EEDDB31D7C73EAF80A6AF
                SHA-512:9C9467A2F2D0886FF4302A44AEA89734FCEFBD3CBE04D895BCEACBA1586AB746E62391800E07B6228E054014BE51F14FF63BA71237268F94019063C8C8B7EF74
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT YAZILIMI L\f1\u304?SANS KO\'aaULLARI\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Bu lisans ko\f1\'baullar\u305?, Microsoft Corporation (veya ya\'baad\u305?\u287?\u305?n\u305?z yere g\f0\'f6re bir ba\f1\u287?l\u305? \'bairketi) ile sizin aran\u305?zda yap\u305?lan anla\'bamay\u305? olu\'baturur. Bu ko\'baullar, yukar\u305?da ad\u305? ge\f0\'e7en yaz\f1\u305?l\u305?m i\f0\'e7in ge\'e7erlidir. \f1\'aaartlar, yaz\u305?l\u305?m i\f0\'e7in t\'fcm Microsoft hizmetleri veya g\'fcncelle\f1\'batirmeleri i\f0\'e7in, beraberlerinde farkl\f1\u305? \'baartlar bulunmad\u305?\u287?\u305? s\f0\'fcrece ge\'e7erlidir.\par..\b BU L\f1\u304?SANS \'aaARTLARINA UYDU\u286?UNUZ TAKD\u304?RDE A\'aaA\u286?IDAK\u3
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\1055\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3221
                Entropy (8bit):5.280530692056262
                Encrypted:false
                SSDEEP:48:c5DiTlOaesHEqhDTHV4zVy6oBzdp0DYK2GP2ZmN3majyNXNoNKQXVvChcPc+WKb0:uDiTl3PHcIflKNTPgdi12xgg
                MD5:DEFBEA001DC4EB66553630AC7CE47CCA
                SHA1:90CED64EC7C861F03484B5D5616FDBCDA8F64788
                SHA-256:E5ABE3CB3BF84207DAC4E6F5BBA1E693341D01AEA076DD2D91EAA21C6A6CB925
                SHA-512:B3B7A22D0CDADA21A977F1DCEAF2D73212A4CDDBD298532B1AC97575F36113D45E8D71C60A6D8F8CC2E9DBF18EE1000167CFBF0B2E7ED6F05462D77E0BCA0E90
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Kurulumu</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.ptal etmek istedi.inizden emin misiniz?</String>.. <String Id="HelpHeader">Kurulum Yard.m.</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [dizin] - y.kler, onar.r, kald.r.r ya da.. dizindeki paketin tam bir yerel kopyas.n. olu.turur. Varsay.lan install de.eridir...../passive | /quiet - en az d.zeyde istemsiz UI g.sterir ya da hi. UI g.stermez ve.. istem yoktur. Varsay.lan olarak UI ve t.m istemler g.r.nt.lenir...../norestart - yeniden ba.lama denemelerini engeller. Varsay.lan olarak UI yeniden ba.l
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\2052\license.rtf
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):17863
                Entropy (8bit):3.9617786349452775
                Encrypted:false
                SSDEEP:192:BxoqPyOj+/8Tk5VigWgijAlk5xWvSCI5lgios0EhGXxGMLVGW+uUoqyLZDvAJxMx:vbIeaE7q3KGgzD2
                MD5:3CF16377C0D1B2E16FFD6E32BF139AC5
                SHA1:D1A8C3730231D51C7BB85A7A15B948794E99BDCE
                SHA-256:E95CA64C326A0EF7EF3CED6CDAB072509096356C15D1761646E3C7FDA744D0E0
                SHA-512:E9862FD0E8EC2B2C2180183D06535A16A527756F6907E6A1D2DB85092636F72C497508E793EE8F2CC8E0D1A5E090C6CCF465F78BC1FA8E68DAF7C68815A0EE16
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset134 SimSun;}{\f1\fnil\fcharset0 Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9\'ce\'a2\'c8\'ed\'c8\'ed\'bc\'fe\'d0\'ed\'bf\'c9\'cc\'f5\'bf\'ee\f1\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f0\'d5\'e2\'d0\'a9\'d0\'ed\'bf\'c9\'cc\'f5\'bf\'ee\'ca\'c7\f1 Microsoft Corporation\f0\'a3\'a8\'bb\'f2\'c4\'fa\'cb\'f9\'d4\'da\'b5\'d8\'b5\'c4\f1 Microsoft \f0\'b9\'d8\'c1\'aa\'b9\'ab\'cb\'be\'a3\'a9\'d3\'eb\'c4\'fa\'d6\'ae\'bc\'e4\'b4\'ef\'b3\'c9\'b5\'c4\'d0\'ad\'d2\'e9\'a1\'a3\'d5\'e2\'d0\'a9\'cc\'f5\'bf\'ee\'ca\'ca\'d3\'c3\'d3\'da\'c9\'cf\'ca\'f6\'c8\'ed\'bc\'fe\'a1\'a3\'d5\'e2\'d0\'a9\'cc\'f5\'bf\'ee\'d2\'b2\'ca\'ca\'d3\'c3\'d3\'da\'d5\'eb\'b6\'d4\'b8\'c3\'c8\'ed\'bc\'fe\'b5\'c4\'c8\'ce\'ba\'ce\'ce\'a2\'c8\'ed\'b7\'fe\'ce\'f1\'bb\'f2\'b8\'fc\'d0\'c2\'a3\'ac\'b5\'ab\'d3\'d0\'b2\'bb\'cd\
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\2052\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):2978
                Entropy (8bit):6.135205733555905
                Encrypted:false
                SSDEEP:48:c5DiTlOtKesi+hDtkQf7lz+W0gopN3m5+3cNONeN1ra8vWqPtlTKxKUTKlKXRoR+:uDiTlV5kQR9GLeE0ZxV6gIV
                MD5:3D1E15DEEACE801322E222969A574F17
                SHA1:58074C83775E1A884FED6679ACF9AC78ABB8A169
                SHA-256:2AC8B7C19A5189662DE36A0581C90DBAD96DF259EC00A28F609B644C3F39F9CA
                SHA-512:10797919845C57C5831234E866D730EBD13255E5BF8BA8087D53F1D0FC5D72DC6D5F6945DBEBEE69ACC6A2E20378750C4B78083AE0390632743C184532358E10
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">......</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [..] - .......... ..................Install ........../passive | /quiet - ..... UI ......... UI ... ........ UI ........../norestart - ..................... UI.../log log.txt - ............. %TEMP% ...
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\3082\license.rtf
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):10714
                Entropy (8bit):5.122578090102117
                Encrypted:false
                SSDEEP:192:WthGE/9wd8eQF/hJOmQeNrXT77uOlQ+v3AqHqc3wpXGYdjvsk2cwBb2:mhGuhj+ed388Bb2
                MD5:FBF293EE95AFEF818EAF07BB088A1596
                SHA1:BBA1991BA6459C9F19B235C43A9B781A24324606
                SHA-256:1FEC058E374C20CB213F53EB3C44392DDFB2CAA1E04B7120FFD3FA7A296C83E2
                SHA-512:6971F20964EF74B19077EE81F953342DC6D2895A8640EC84855CECCEA5AEB581E6A628BCD3BA97A5D3ACB6CBE7971FDF84EF670BDDF901857C3CD28855212019
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 T\'c9RMINOS DE LA LICENCIA DE SOFTWARE DE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME\par..\b0 Estos t\'e9rminos de licencia constituyen un contrato entre Microsoft Corporation (o, en funci\'f3n de donde resida, una de sus filiales) y usted. Se aplican al software antes mencionado. Los t\'e9rminos tambi\'e9n se aplican a cualquier servicio o actualizaci\'f3n de Microsoft para el software, excepto en la medida que tengan t\'e9rminos diferentes.\par..\b SI USTED CUMPLE CON LOS PRESENTES T\'c9RMINOS DE ESTA LICENCIA, DISPONDR\'c1 DE LOS DERECHOS QUE SE DESCRIBEN A CONTINUACI\'d3N.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\3082\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3265
                Entropy (8bit):5.0491645049584655
                Encrypted:false
                SSDEEP:48:c5DiTlO/esS6VGhDv4tiUiyRUqzC4U+aD6N3m7xNh1NWNGbPz+9o3PWeKK9K9KfT:uDiTlxouUTiySqyIwz9sgxqvjIk8
                MD5:47F9F8D342C9C22D0C9636BC7362FA8F
                SHA1:3922D1589E284CE76AB39800E2B064F71123C1C5
                SHA-256:9CBB2B312C100B309A1B1495E84E2228B937612885F7A642FBBD67969B632C3A
                SHA-512:E458DF875E9B0622AEBE3C1449868AA6A2826A1F851DB71165A872B2897CF870CCF85046944FF51FFC13BB15E54E9D9424EC36CAF5A2F38CE8B7D6DC0E9B2363
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar la operaci.n?</String>.. <String Id="HelpHeader">Ayuda de configuraci.n</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - instala, repara, desinstala o.. crea una copia local completa del paquete en el directorio. La opci.n predeterminada es la instalaci.n...../passive | /quiet - muestra una IU m.nima sin solicitudes o no muestra ninguna IU ni.. solicitud. De forma predeterminada, se muestran la IU y todas las solicitudes...../norestart - elimina cualquier intento
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\BootstrapperApplicationData.xml
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
                Category:dropped
                Size (bytes):13122
                Entropy (8bit):3.7302550311932055
                Encrypted:false
                SSDEEP:192:X0sgKnH5zHqQHG0Hd8Hz7HE06HA0rH3F5FhFxLo3SzLa0LgnOBx7z8NkzzkvQaiS:X0sLdLbmnoNfb0e1TpotVoi
                MD5:E45E751A540729570C17491DF5A6E5EF
                SHA1:7FFDE23B6813BF7326FDE6E0F4A01F9E6F735026
                SHA-256:4F6462CE939AC30F5CA0657DC8567071329551460898D470D6B7058A623DD73E
                SHA-512:E9CD4F9451D7C280AC5EBD4A7B638D7EA7D517EB1DDA5992F7578E7FBB552008BC9231B3DEC5851356EB26FE81AC5A1FCF17DEAE934F53B5DADDC077B9F71288
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-16"?>..<BootstrapperApplicationData xmlns="http://schemas.microsoft.com/wix/2010/BootstrapperApplicationData">..  <WixBalCondition Condition="VersionNT &gt;= v6.0 OR (VersionNT = v5.1 AND ServicePackLevel &gt;= 2) OR (VersionNT = v5.2 AND ServicePackLevel &gt;= 1)" Message="[WixBundleName] can only be installed on Windows XP SP2 and newer platforms." />..  <WixBundleProperties DisplayName="Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702" LogP
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\license.rtf
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):9046
                Entropy (8bit):5.157073875669985
                Encrypted:false
                SSDEEP:192:W8lZ1UVDWkgWZTIsvPhghtQ1Qf4lCfnEtHixEGx736wHqItfSpOy2:9T15WZMgAYlOnjt5HLoL2
                MD5:2EABBB391ACB89942396DF5C1CA2BAD8
                SHA1:182A6F93703549290BCDE92920D37BC1DEC712BB
                SHA-256:E3156D170014CED8D17A02B3C4FF63237615E5C2A8983B100A78CB1F881D6F38
                SHA-512:20D656A123A220CD3CA3CCBF61CC58E924B44F1F0A74E70D6850F39CECD101A69BCE73C5ED14018456E022E85B62958F046AA4BD1398AA27303C2E86407C3899
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT SOFTWARE LICENSE TERMS\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. They apply to the software named above. The terms also apply to any Microsoft services or updates for the software, except to the extent those have different terms.\par..\b IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 INSTALLATION AND USE RIGHTS. \b0\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-363\
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\logo.png
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:PNG image data, 64 x 64, 8-bit colormap, non-interlaced
                Category:dropped
                Size (bytes):1861
                Entropy (8bit):6.868587546770907
                Encrypted:false
                SSDEEP:24:q36cnTKM/3kTIQiBmYKHeQWalGt1Sj9kYIt1uZ+bYOQe0IChR95aW:qqiTKMPuUBm7eQJGtYJM1uZCVszaW
                MD5:D6BD210F227442B3362493D046CEA233
                SHA1:FF286AC8370FC655AEA0EF35E9CF0BFCB6D698DE
                SHA-256:335A256D4779EC5DCF283D007FB56FD8211BBCAF47DCD70FE60DED6A112744EF
                SHA-512:464AAAB9E08DE610AD34B97D4076E92DC04C2CDC6669F60BFC50F0F9CE5D71C31B8943BD84CEE1A04FB9AB5BBED3442BD41D9CB21A0DD170EA97C463E1CE2B5B
                Malicious:false
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):2952
                Entropy (8bit):5.052095286906672
                Encrypted:false
                SSDEEP:48:c5DiTl/+desK19hDUNKwsqq8+JIDxN3mt7NlN1NVvAdMcgLPDHVXK8KTKjKnSnYF:uDiTl/BbTxmup/vrxATd
                MD5:FBFCBC4DACC566A3C426F43CE10907B6
                SHA1:63C45F9A771161740E100FAF710F30EED017D723
                SHA-256:70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
                SHA-512:063FB6685EE8D2FA57863A74D66A83C819FE848BA3072B6E7D1B4FE397A9B24A1037183BB2FDA776033C0936BE83888A6456AAE947E240521E2AB75D984EE35E
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29" />.... <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive | /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. B
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\thm.xml
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):8332
                Entropy (8bit):5.184632608060528
                Encrypted:false
                SSDEEP:96:8L2HdQG+3VzHfz96zYFGaPSWXdhRAmImlqFQKFBiUxn7Ke5A82rkO/pWk3nswP:ZHAzZ/3
                MD5:F62729C6D2540015E072514226C121C7
                SHA1:C1E189D693F41AC2EAFCC363F7890FC0FEA6979C
                SHA-256:F13BAE0EC08C91B4A315BB2D86EE48FADE597E7A5440DCE6F751F98A3A4D6916
                SHA-512:CBBFBFA7E013A2B85B78D71D32FDF65323534816978E7544CA6CEA5286A0F6E8E7E5FFC4C538200211F11B94373D5658732D5D8AA1D01F9CCFDBF20F154F1471
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="64" Height="64" ImageFile="logo.png" Visible="yes"/>.. <Text X="80" Y="11" Width="-11" Heig
                C:\Windows\Temp\{8BC0F8D3-62B3-4401-AF05-907ACC026DAE}\.ba\wixstdba.dll
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):195600
                Entropy (8bit):6.682530937585544
                Encrypted:false
                SSDEEP:3072:OXoiFK6b0k77I+QfaIl191rSJHvlalB+8BHkY6v53EfcUzN0m6I+WxBlnKzeZuqt:OXoQNb++gDrSJdr8BHkPh3wIgnK/IU1a
                MD5:EAB9CAF4277829ABDF6223EC1EFA0EDD
                SHA1:74862ECF349A9BEDD32699F2A7A4E00B4727543D
                SHA-256:A4EFBDB2CE55788FFE92A244CB775EFD475526EF5B61AD78DE2BCDFADDAC7041
                SHA-512:45B15ADE68E0A90EA7300AEB6DCA9BC9E347A63DBA5CE72A635957564D1BDF0B1584A5E34191916498850FC7B3B7ECFBCBFCB246B39DBF59D47F66BC825C6FD2
                Malicious:false
                C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1028\license.rtf
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):18127
                Entropy (8bit):4.036737741619669
                Encrypted:false
                SSDEEP:192:xaz+aCQbjdBCLCgfvtfLEmmVxJzLKLIW7cBFCoSM0fvJ93eyryH1MqG1xcRY/c5f:seh/IMHexG4q2
                MD5:B7F65A3A169484D21FA075CCA79083ED
                SHA1:5DBFA18928529A798FF84C14FD333CB08B3377C0
                SHA-256:32585B93E69272B6D42DAC718E04D954769FE31AC9217C6431510E9EEAD78C49
                SHA-512:EDA2F946C2E35464E4272B1C3E4A8DC5F17093C05DAB9A685DBEFD5A870B9D872D8A1645ED6F5B9A72BBB2A59D22DFA58FBF420F6440278CCBE07B6D0555C283
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset134 SimSun;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT \f1\'dc\'9b\'f3\'77\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\f0\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0\f1\'b1\'be\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\'ca\'c7\'d9\'46\'d3\'c3\'91\'f4\'c5\'63\f0 Microsoft Corporation (\f1\'bb\'f2\'c6\'e4\'ea\'50\'82\'53\'c6\'f3\'98\'49\'a3\'ac\'d2\'95\'d9\'46\'d3\'c3\'91\'f4\'cb\'f9\'be\'d3\'d7\'a1\'b5\'c4\'b5\'d8\'fc\'63\'b6\'f8\'b6\'a8\f0 ) \f1\'d6\'ae\'e9\'67\'b3\'c9\'c1\'a2\'b5\'c4\'ba\'cf\'bc\'73\'a1\'a3\'cb\'fb\'82\'83\'df\'6d\'d3\'c3\'ec\'b6\'c9\'cf\'ca\'f6\'dc\'9b\'f3\'77\'a3\'ac\'b1\'be\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\'d2\'e0\'df\'6d\'d3\'c3\'ec\'b6\'c8\'ce\'ba\'ce\f0 Microsoft \f1\'b7\'fe\'84\'d5\'bb\'f2\'b1\'be\'dc\'9b\'f3\'77\'d6\'ae\'b8\'fc\'d0\'c2\'a3
                C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1028\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):2980
                Entropy (8bit):6.163758160900388
                Encrypted:false
                SSDEEP:48:c5DiTlOtMes9T/JhDXsA9EHSniarRFeOrw8N3mZNNTN2N08CEjMUWFPmDlTKJKy2:uDiTlFrDDsA9tfHP8+8nhM0WamzqDFqD
                MD5:472ABBEDCBAD24DBA5B5F5E8D02C340F
                SHA1:974F62B5C2E149C3879DD16E5A9DBB9406C3DB85
                SHA-256:8E2E660DFB66CB453E17F1B6991799678B1C8B350A55F9EBE2BA0028018A15AD
                SHA-512:676E29378AAED25DE6008D213EFA10D1F5AAD107833E218D71F697E728B7B5B57DE42E7A910F121948D7B1B47AB4F7AE63F71196C747E8AE2B4827F754FC2699
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ................. ......................../passive | /quiet - .... UI ........... UI.... ........... UI ........../norestart - ................UI ............./log log.txt - .........
                C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1029\license.rtf
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):13053
                Entropy (8bit):5.125552901367032
                Encrypted:false
                SSDEEP:192:TKwfs7OUpXLa5HEXQwNCNvZSjotXxiwH++3kamdEj6ZDbugDHgbGNlv6NbrYGY9x:Lfs7c5DRH0aHmJGpafU0AliwGra2
                MD5:B408556A89FCE3B47CD61302ECA64AC9
                SHA1:AAC1CDAF085162EFF5EAABF562452C93B73370CB
                SHA-256:21DDCBB0B0860E15FF9294CBB3C4E25B1FE48619210B8A1FDEC90BDCDC8C04BC
                SHA-512:BDE33918E68388C60750C964CDC213EC069CE1F6430C2AA7CF1626E6785C7C865094E59420D00026918E04B9B8D19FA22AC440F851ADC360759977676F8891E7
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 LICEN\f1\'c8N\f0\'cd PODM\'cdNKY PRO SOFTWARE SPOLE\f1\'c8NOSTI MICROSOFT\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Tyto licen\f1\'e8n\f0\'ed podm\'ednky p\f1\'f8edstavuj\f0\'ed smlouvu mezi spole\f1\'e8nost\f0\'ed Microsoft Corporation (nebo n\f1\'eckterou z\~jej\f0\'edch afilac\'ed v\~z\'e1vislosti na tom, kde bydl\'edte) a\~v\'e1mi. Vztahuj\'ed se na v\'fd\f1\'9ae uveden\f0\'fd software. Podm\'ednky se rovn\f1\'ec\'9e vztahuj\f0\'ed na jak\'e9koli slu\f1\'9eby Microsoft nebo aktualizace pro software, pokud se na slu\'9eby nebo aktualizace nevztahuj\f0\'ed odli\f1\'9an\f0\'e9 podm\'ednky.\par..\b DODR\f1\'8e\f0\'cdTE-LI TYTO
                C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1029\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3333
                Entropy (8bit):5.370651462060085
                Encrypted:false
                SSDEEP:48:c5DiTlOtesM6H2hDdxHOjZxsaIIy3Iy5sDMN3mkNFN7NwcfiPc3hKPnWZLF0hKqZ:uDiTlVxxHOy/9xXfpZJYnL8xK2S
                MD5:16343005D29EC431891B02F048C7F581
                SHA1:85A14C40C482D9351271F6119D272D19407C3CE9
                SHA-256:07FB3EC174F25DFBE532D9D739234D9DFDA8E9D34F01FE660C5B4D56989FA779
                SHA-512:FF1AE9C21DCFB018DD4EC82A6D43362CB8C591E21F45DD1C25955D83D328B57C8D454BBE33FBC73A70DADF1DFB3AE27502C9B3A8A3FF2DA97085CA0D9A68AB03
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instala.n. program [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Opravdu chcete akci zru.it?</String>.. <String Id="HelpHeader">N.pov.da nastaven.</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [adres..] . Nainstaluje, oprav., odinstaluje nebo.. vytvo.. .plnou m.stn. kopii svazku v adres..i. V.choz. mo.nost. je instalace...../passive | /quiet . Zobraz. minim.ln. u.ivatelsk. rozhran. bez v.zev nebo nezobraz. ..dn. u.ivatelsk. rozhran. a.. ..dn. v.zvy. V.choz. mo.nost. je zobrazen. u.ivatelsk.ho rozhran. a v.ech v.zev...../noresta
                C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1031\license.rtf
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):11936
                Entropy (8bit):5.194264396634094
                Encrypted:false
                SSDEEP:192:+XkOmRUOl6WBsl4kA+sn+mvtI0qHl4qj+iPqk6kVV9iX9GzYNvQ8yOejIpRMrhC2:DDHMFPCeV3i4zOHyOejIpkC2
                MD5:C2CFA4CE43DFF1FCD200EDD2B1212F0A
                SHA1:E8286E843192802E5EBF1BE67AE30BCAD75AC4BB
                SHA-256:F861DB23B972FAAA54520558810387D742878947057CF853DC74E5F6432E6A1B
                SHA-512:6FDF02A2DC9EF10DD52404F19C300429E7EA40469F00A43CA627F3B7F3868D1724450F99C65B70B9B7B1F2E1FA9D62B8BE1833A8C5AA3CD31C940459F359F30B
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT-SOFTWARE-LIZENZBESTIMMUNGEN\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Diese Lizenzbestimmungen sind ein Vertrag zwischen Ihnen und der Microsoft Corporation (bzw. abh\'e4ngig von Ihrem Wohnsitz einem mit Microsoft verbundenen Unternehmen). Sie gelten f\'fcr die oben angef\'fchrte Software. Die Bestimmungen gelten ebenso f\'fcr jegliche von Microsoft angebotenen Dienste oder Updates f\'fcr die Software, sofern diesen keine anderen Bestimmungen beiliegen.\par..\b SOFERN SIE DIESE LIZENZBESTIMMUNGEN EINHALTEN, SIND SIE ZU FOLGENDEM BERECHTIGT:\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 RECHTE ZUR INSTALLATION UND NUTZUNG. \
                C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1031\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3379
                Entropy (8bit):5.094097800535488
                Encrypted:false
                SSDEEP:48:c5DiTlOZuesXJhDEVTORNxSMoZN3mteNSiNGNsZuiAXEqicMwhPXbhu9KwKlK8Kq:uDiTl3N7xSbu0N8+AhSNnm
                MD5:561F3F32DB2453647D1992D4D932E872
                SHA1:109548642FB7C5CC0159BEDDBCF7752B12B264C0
                SHA-256:8E0DCA6E085744BFCBFF46F7DCBCFA6FBD722DFA52013EE8CEEAF682D7509581
                SHA-512:CEF8C80BEF8F88208E0751305DF519C3D2F1C84351A71098DC73392EC06CB61A4ACA35182A0822CF6934E8EE42196E2BCFE810CC859965A9F6F393858A1242DF
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] - Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">M.chten Sie den Vorgang wirklich abbrechen?</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [Verzeichnis] - installiert, repariert, deinstalliert oder.. erstellt eine vollst.ndige lokale Kopie des Bundles im Verzeichnis. Installieren ist die Standardeinstellung...../passive | /quiet - zeigt eine minimale Benutzeroberfl.che ohne Eingabeaufforderungen oder keine.. Benutzeroberfl.che und keine Eingabeaufforderungen an. Standardm..ig werden die Benutzeroberfl.che und alle Eingab
                C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1036\license.rtf
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):11593
                Entropy (8bit):5.106817099949188
                Encrypted:false
                SSDEEP:192:aRAbNYjVk+z5GUSLse5GgALEXmAWL+/3FEShP9sJgi8+Ra8woh+89EQdhwQPely6:K4yrPqm9LcVEg9sVp2ohHVdKoXJXci9a
                MD5:F0FF747B85B1088A317399B0E11D2101
                SHA1:F13902A39CEAE703A4713AC883D55CFEE5F1876C
                SHA-256:4D9B7F06BE847E9E135AB3373F381ED7A841E51631E3C2D16E5C40B535DA3BCF
                SHA-512:AA850F05571FFC361A764A14CA9C1A465E2646A8307DEEE0589852E6ACC61AF145AEF26B502835724D7245900F9F0D441451DD8C055404788CE64415F5B79506
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMES DU CONTRAT DE LICENCE LOGICIEL MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Les pr\'e9sents termes du contrat de licence constituent un contrat entre Microsoft Corporation (ou, en fonction de votre lieu de r\'e9sidence, l\rquote un de ses affili\'e9s) et vous. Ils s\rquote appliquent au logiciel vis\'e9 ci-dessus. Les termes s\rquote appliquent \'e9galement \'e0 tout service et \'e0 toute mise \'e0 jour Microsoft pour ce logiciel, \'e0 moins que d\rquote autres termes n\rquote accompagnent ces \'e9l\'e9ments.\par..\b SI VOUS VOUS CONFORMEZ AUX PR\'c9SENTS TERMES DU CONTRAT DE LICENCE, VOUS AVEZ LES DROITS CI-DESSOUS.\par....\pard{\pntext\f1\'B7\tab}{\*\pn\pnlvlblt\pnf1\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\s
                C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1036\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3366
                Entropy (8bit):5.0912204406356905
                Encrypted:false
                SSDEEP:48:c5DiTlO1BesgKLhD1K8cocDSN3m4NlN2ZfNmXL8ePZFcZkLPqUf9fQKRLKeKqZfj:uDiTlABzH1/qt4qgcXY
                MD5:7B46AE8698459830A0F9116BC27DE7DF
                SHA1:D9BB14D483B88996A591392AE03E245CAE19C6C3
                SHA-256:704DDF2E60C1F292BE95C7C79EE48FE8BA8534CEB7CCF9A9EA68B1AD788AE9D4
                SHA-512:FC536DFADBCD81B42F611AC996059A6264E36ECF72A4AEE7D1E37B87AEFED290CC5251C09B68ED0C8719F655B163AD0782ACD8CE6332ED4AB4046C12D8E6DBF6
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installation de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Voulez-vous vraiment annuler.?</String>.. <String Id="HelpHeader">Aide du programme d'installation</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installe, r.pare, d.sinstalle ou.. cr.e une copie locale compl.te du groupe dans le r.pertoire. Install est l'option par d.faut...../passive | /quiet - affiche une interface minimale, sans invite, ou n'affiche ni interface.. ni invite. Par d.faut, l'interface et toutes les invites sont affich.es...../norestart - supprime toutes les tentatives de red.
                C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1040\license.rtf
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):11281
                Entropy (8bit):5.046489958240229
                Encrypted:false
                SSDEEP:192:WBGNX6UXR2+5SmgS/ChMErYkQvowHVw6zdgkycEGCDLQ+n3YJ2d8XSiej+T4Ma8f:gAzSVARBR5jEPLQY3YJpSjTP2
                MD5:9D98044BAC59684489C4CF66C3B34C85
                SHA1:36AAE7F10A19D336C725CAFC8583B26D1F5E2325
                SHA-256:A3F745C01DEA84CE746BA630814E68C7C592B965B048DDC4B1BBE1D6E533BE22
                SHA-512:D849BBB6C87C182CC98C4E2314C0829BB48BAD483D0CD97BF409E75457C3695049C3A8ADFE865E1ECBC989A910096D2C1CDF333705AAC4D22025DF91B355278E
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 CONTRATTO DI LICENZA PER IL SOFTWARE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Le presenti condizioni di licenza costituiscono il contratto tra Microsoft Corporation (o, in base al luogo di residenza del licenziatario, una delle sue consociate) e il licenziatario, Tali condizioni si applicano al software Microsoft di cui sopra. Le condizioni si applicano inoltre a qualsiasi servizio o aggiornamento di Microsoft relativo al software, a meno che questo non sia accompagnato da condizioni differenti.\par..\b QUALORA IL LICENZIATARIO SI ATTENGA ALLE PRESENTI CONDIZIONI DI LICENZA, DISPORR\'c0 DEI DIRITTI INDICATI DI SEGUITO.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\p
                C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1040\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3319
                Entropy (8bit):5.019774955491369
                Encrypted:false
                SSDEEP:48:c5DiTlO1eesy+hD9BOtBFv5Vo8BbQhMNDJN3msNlNohNNz+wcPclM+PAoYKp+K/u:uDiTlfQvo8WutJ/s9FHNOJp
                MD5:D90BC60FA15299925986A52861B8E5D5
                SHA1:FADFCA9AB91B1AB4BD7F76132F712357BD6DB760
                SHA-256:0C57F40CC2091554307AA8A7C35DD38E4596E9513E9EFAE00AC30498EF4E9BC2
                SHA-512:11764D0E9F286B5AA7B1A9601170833E462A93A1E569A032FCBA9879174305582BD42794D4131B83FBCFBF1CF868A8D5382B11A4BD21F0F7D9B2E87E3C708C3F
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installazione di [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Annullare?</String>.. <String Id="HelpHeader">Guida alla configurazione</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installa, ripara, disinstalla o.. crea una copia locale completa del bundle nella directory. L'opzione predefinita . Install...../passive | /quiet - visualizza un'interfaccia utente minima senza prompt oppure non visualizza alcuna interfaccia utente.. n. prompt. Per impostazione predefinita viene visualizzata l'intera interfaccia utente e tutti i prompt...../norestart - annulla quals
                C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1041\license.rtf
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):28232
                Entropy (8bit):3.7669201853275722
                Encrypted:false
                SSDEEP:192:Qkb65jNkzrUJVbpEiTskXHH1AZWoJxfnVnkDYUqfQFXBue6hX2JSfR7q05kWZxhY:epCD3y/ybox2yrk2
                MD5:8C49936EC4CF0F64CA2398191C462698
                SHA1:CC069FE8F8BC3B6EE2085A4EACF40DB26C842BAC
                SHA-256:7355367B7C48F1BBACC66DFFE1D4BF016C16156D020D4156F288C2B2207ED1C2
                SHA-512:4381147FF6707C3D31C5AE591F68BC61897811112CB507831EFF5E71DD281009400EDA3300E7D3EFDE3545B89BCB71F2036F776C6FDFC73B6B2B2B8FBC084499
                Malicious:false
                C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1041\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3959
                Entropy (8bit):5.955167044943003
                Encrypted:false
                SSDEEP:96:uDiTlDuB1n+RNmvFo6bnpojeTPk0R/vueX5OA17IHdGWz:5uB1+gD1DU4EdGE
                MD5:DC81ED54FD28FC6DB6F139C8DA1BDED6
                SHA1:9C719C32844F78AAE523ADB8EE42A54D019C2B05
                SHA-256:6B9BBF90D75CFA7D943F036C01602945FE2FA786C6173E22ACB7AFE18375C7EA
                SHA-512:FD759C42C7740EE9B42EA910D66B0FA3F813600FD29D074BB592E5E12F5EC09DB6B529680E54F7943821CEFE84CE155A151B89A355D99C25A920BF8F254AA008
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.. <Control Control="UninstallButton" X="270" Y="237" Width="120" Height="23"/>.. <Control Control="RepairButton" X="187" Y="237" Width="80" Height="23"/>.. .. <String Id="Caption">[WixBundleName] .......</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ............ ......... .........................
                C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1042\license.rtf
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):27936
                Entropy (8bit):3.871317037004171
                Encrypted:false
                SSDEEP:384:kKIgbA2uBsarNG/HxPvCL1ewjxsXmEw4C7C7R4jAeqCBO968y7yNRylBSFfQv9yH:d3ar8Xa/XAeqoc0wfBB4qN
                MD5:184D94082717E684EAF081CEC3CBA4B1
                SHA1:960B9DA48F4CDDF29E78BBAE995B52204B26D51B
                SHA-256:A4C25DA9E3FBCED47464152C10538F16EE06D8E06BC62E1CF4808D293AA1AFA2
                SHA-512:E4016C0CA348299B5EF761F456E3B5AD9B99E5E100C07ACAB1369DFEC214E75AA88E9AD2A0952C0CC1B707E2732779E6E3810B3DA6C839F0181DC81E3560CBDA
                Malicious:false
                C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1042\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3249
                Entropy (8bit):5.985100495461761
                Encrypted:false
                SSDEEP:48:c5DiTlO4TesKOwhDNJCkt1NhEN3m/NFNkbKNdExpVgUnqx6IPaRc0KoUK9TKz0KR:uDiTlUJJCsgqf6YVoz4uU5vI54U5TY
                MD5:B3399648C2F30930487F20B50378CEC1
                SHA1:CA7BDAB3BFEF89F6FA3C4AAF39A165D14069FC3D
                SHA-256:AD7608B87A7135F408ABF54A897A0F0920080F76013314B00D301D6264AE90B2
                SHA-512:C5B0ECF11F6DADF2E68BC3AA29CC8B24C0158DAE61FE488042D1105341773166C9EBABE43B2AF691AD4D4B458BF4A4BF9689C5722C536439CA3CDC84C0825965
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] .. ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">.. ...</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ..... ... .. .. .... .., .., .. .... ...... ... .........../passive | /quiet - .... .. .. UI. ..... UI ... ..... .... ..... ..... UI. .. ..... ........../norestart - .. .... .. .... ...
                C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\1045\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3212
                Entropy (8bit):5.268378763359481
                Encrypted:false
                SSDEEP:48:c5DiTlOPesar4hDo7zGriQjDCN3mDNN0NrsNGl3vxkIP2hUdKLK0KbK4n6W0sfNM:uDiTlusPGriQw8n2rOij4JsU
                MD5:15172EAF5C2C2E2B008DE04A250A62A1
                SHA1:ED60F870C473EE87DF39D1584880D964796E6888
                SHA-256:440B309FCDF61FFC03B269FE3815C60CB52C6AE3FC6ACAD14EAC04D057B6D6EA
                SHA-512:48AA89CF4A0B64FF4DCB82E372A01DFF423C12111D35A4D27B6D8DD793FFDE130E0037AB5E4477818A0939F61F7DB25295E4271B8B03F209D8F498169B1F9BAE
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalator [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Czy na pewno chcesz anulowa.?</String>.. <String Id="HelpHeader">Instalator . Pomoc</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [katalog] - Instaluje, naprawia, odinstalowuje.. lub tworzy pe.n. lokaln. kopi. pakietu w katalogu. Domy.lnie jest u.ywany prze..cznik install...../passive | /quiet - Wy.wietla ograniczony interfejs u.ytkownika bez monit.w albo nie wy.wietla ani interfejsu u.ytkownika,.. ani monit.w. Domy.lnie jest wy.wietlany interfejs u.ytkownika oraz wszystkie monity...../norestart - Pom
                C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\license.rtf
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):9046
                Entropy (8bit):5.157073875669985
                Encrypted:false
                SSDEEP:192:W8lZ1UVDWkgWZTIsvPhghtQ1Qf4lCfnEtHixEGx736wHqItfSpOy2:9T15WZMgAYlOnjt5HLoL2
                MD5:2EABBB391ACB89942396DF5C1CA2BAD8
                SHA1:182A6F93703549290BCDE92920D37BC1DEC712BB
                SHA-256:E3156D170014CED8D17A02B3C4FF63237615E5C2A8983B100A78CB1F881D6F38
                SHA-512:20D656A123A220CD3CA3CCBF61CC58E924B44F1F0A74E70D6850F39CECD101A69BCE73C5ED14018456E022E85B62958F046AA4BD1398AA27303C2E86407C3899
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT SOFTWARE LICENSE TERMS\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. They apply to the software named above. The terms also apply to any Microsoft services or updates for the software, except to the extent those have different terms.\par..\b IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 INSTALLATION AND USE RIGHTS. \b0\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-363\
                C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\logo.png
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:PNG image data, 64 x 64, 8-bit colormap, non-interlaced
                Category:dropped
                Size (bytes):1861
                Entropy (8bit):6.868587546770907
                Encrypted:false
                SSDEEP:24:q36cnTKM/3kTIQiBmYKHeQWalGt1Sj9kYIt1uZ+bYOQe0IChR95aW:qqiTKMPuUBm7eQJGtYJM1uZCVszaW
                MD5:D6BD210F227442B3362493D046CEA233
                SHA1:FF286AC8370FC655AEA0EF35E9CF0BFCB6D698DE
                SHA-256:335A256D4779EC5DCF283D007FB56FD8211BBCAF47DCD70FE60DED6A112744EF
                SHA-512:464AAAB9E08DE610AD34B97D4076E92DC04C2CDC6669F60BFC50F0F9CE5D71C31B8943BD84CEE1A04FB9AB5BBED3442BD41D9CB21A0DD170EA97C463E1CE2B5B
                Malicious:false
                C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\thm.wxl
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):2952
                Entropy (8bit):5.052095286906672
                Encrypted:false
                SSDEEP:48:c5DiTl/+desK19hDUNKwsqq8+JIDxN3mt7NlN1NVvAdMcgLPDHVXK8KTKjKnSnYF:uDiTl/BbTxmup/vrxATd
                MD5:FBFCBC4DACC566A3C426F43CE10907B6
                SHA1:63C45F9A771161740E100FAF710F30EED017D723
                SHA-256:70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
                SHA-512:063FB6685EE8D2FA57863A74D66A83C819FE848BA3072B6E7D1B4FE397A9B24A1037183BB2FDA776033C0936BE83888A6456AAE947E240521E2AB75D984EE35E
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29" />.... <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive | /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. B
                C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\thm.xml
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):8332
                Entropy (8bit):5.184632608060528
                Encrypted:false
                SSDEEP:96:8L2HdQG+3VzHfz96zYFGaPSWXdhRAmImlqFQKFBiUxn7Ke5A82rkO/pWk3nswP:ZHAzZ/3
                MD5:F62729C6D2540015E072514226C121C7
                SHA1:C1E189D693F41AC2EAFCC363F7890FC0FEA6979C
                SHA-256:F13BAE0EC08C91B4A315BB2D86EE48FADE597E7A5440DCE6F751F98A3A4D6916
                SHA-512:CBBFBFA7E013A2B85B78D71D32FDF65323534816978E7544CA6CEA5286A0F6E8E7E5FFC4C538200211F11B94373D5658732D5D8AA1D01F9CCFDBF20F154F1471
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="64" Height="64" ImageFile="logo.png" Visible="yes"/>.. <Text X="80" Y="11" Width="-11" Heig
                C:\Windows\Temp\{AB75068D-C269-46B9-B621-37212D4F9BA8}\.ba\wixstdba.dll
                Process:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):195600
                Entropy (8bit):6.682530937585544
                Encrypted:false
                SSDEEP:3072:OXoiFK6b0k77I+QfaIl191rSJHvlalB+8BHkY6v53EfcUzN0m6I+WxBlnKzeZuqt:OXoQNb++gDrSJdr8BHkPh3wIgnK/IU1a
                MD5:EAB9CAF4277829ABDF6223EC1EFA0EDD
                SHA1:74862ECF349A9BEDD32699F2A7A4E00B4727543D
                SHA-256:A4EFBDB2CE55788FFE92A244CB775EFD475526EF5B61AD78DE2BCDFADDAC7041
                SHA-512:45B15ADE68E0A90EA7300AEB6DCA9BC9E347A63DBA5CE72A635957564D1BDF0B1584A5E34191916498850FC7B3B7ECFBCBFCB246B39DBF59D47F66BC825C6FD2
                Malicious:false
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1028\license.rtf
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):18127
                Entropy (8bit):4.036737741619669
                Encrypted:false
                SSDEEP:192:xaz+aCQbjdBCLCgfvtfLEmmVxJzLKLIW7cBFCoSM0fvJ93eyryH1MqG1xcRY/c5f:seh/IMHexG4q2
                MD5:B7F65A3A169484D21FA075CCA79083ED
                SHA1:5DBFA18928529A798FF84C14FD333CB08B3377C0
                SHA-256:32585B93E69272B6D42DAC718E04D954769FE31AC9217C6431510E9EEAD78C49
                SHA-512:EDA2F946C2E35464E4272B1C3E4A8DC5F17093C05DAB9A685DBEFD5A870B9D872D8A1645ED6F5B9A72BBB2A59D22DFA58FBF420F6440278CCBE07B6D0555C283
                Malicious:false
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1028\thm.wxl
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):2980
                Entropy (8bit):6.163758160900388
                Encrypted:false
                SSDEEP:48:c5DiTlOtMes9T/JhDXsA9EHSniarRFeOrw8N3mZNNTN2N08CEjMUWFPmDlTKJKy2:uDiTlFrDDsA9tfHP8+8nhM0WamzqDFqD
                MD5:472ABBEDCBAD24DBA5B5F5E8D02C340F
                SHA1:974F62B5C2E149C3879DD16E5A9DBB9406C3DB85
                SHA-256:8E2E660DFB66CB453E17F1B6991799678B1C8B350A55F9EBE2BA0028018A15AD
                SHA-512:676E29378AAED25DE6008D213EFA10D1F5AAD107833E218D71F697E728B7B5B57DE42E7A910F121948D7B1B47AB4F7AE63F71196C747E8AE2B4827F754FC2699
                Malicious:false
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1029\license.rtf
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):13053
                Entropy (8bit):5.125552901367032
                Encrypted:false
                SSDEEP:192:TKwfs7OUpXLa5HEXQwNCNvZSjotXxiwH++3kamdEj6ZDbugDHgbGNlv6NbrYGY9x:Lfs7c5DRH0aHmJGpafU0AliwGra2
                MD5:B408556A89FCE3B47CD61302ECA64AC9
                SHA1:AAC1CDAF085162EFF5EAABF562452C93B73370CB
                SHA-256:21DDCBB0B0860E15FF9294CBB3C4E25B1FE48619210B8A1FDEC90BDCDC8C04BC
                SHA-512:BDE33918E68388C60750C964CDC213EC069CE1F6430C2AA7CF1626E6785C7C865094E59420D00026918E04B9B8D19FA22AC440F851ADC360759977676F8891E7
                Malicious:false
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1029\thm.wxl
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3333
                Entropy (8bit):5.370651462060085
                Encrypted:false
                SSDEEP:48:c5DiTlOtesM6H2hDdxHOjZxsaIIy3Iy5sDMN3mkNFN7NwcfiPc3hKPnWZLF0hKqZ:uDiTlVxxHOy/9xXfpZJYnL8xK2S
                MD5:16343005D29EC431891B02F048C7F581
                SHA1:85A14C40C482D9351271F6119D272D19407C3CE9
                SHA-256:07FB3EC174F25DFBE532D9D739234D9DFDA8E9D34F01FE660C5B4D56989FA779
                SHA-512:FF1AE9C21DCFB018DD4EC82A6D43362CB8C591E21F45DD1C25955D83D328B57C8D454BBE33FBC73A70DADF1DFB3AE27502C9B3A8A3FF2DA97085CA0D9A68AB03
                Malicious:false
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1031\license.rtf
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):11936
                Entropy (8bit):5.194264396634094
                Encrypted:false
                SSDEEP:192:+XkOmRUOl6WBsl4kA+sn+mvtI0qHl4qj+iPqk6kVV9iX9GzYNvQ8yOejIpRMrhC2:DDHMFPCeV3i4zOHyOejIpkC2
                MD5:C2CFA4CE43DFF1FCD200EDD2B1212F0A
                SHA1:E8286E843192802E5EBF1BE67AE30BCAD75AC4BB
                SHA-256:F861DB23B972FAAA54520558810387D742878947057CF853DC74E5F6432E6A1B
                SHA-512:6FDF02A2DC9EF10DD52404F19C300429E7EA40469F00A43CA627F3B7F3868D1724450F99C65B70B9B7B1F2E1FA9D62B8BE1833A8C5AA3CD31C940459F359F30B
                Malicious:false
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1031\thm.wxl
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3379
                Entropy (8bit):5.094097800535488
                Encrypted:false
                SSDEEP:48:c5DiTlOZuesXJhDEVTORNxSMoZN3mteNSiNGNsZuiAXEqicMwhPXbhu9KwKlK8Kq:uDiTl3N7xSbu0N8+AhSNnm
                MD5:561F3F32DB2453647D1992D4D932E872
                SHA1:109548642FB7C5CC0159BEDDBCF7752B12B264C0
                SHA-256:8E0DCA6E085744BFCBFF46F7DCBCFA6FBD722DFA52013EE8CEEAF682D7509581
                SHA-512:CEF8C80BEF8F88208E0751305DF519C3D2F1C84351A71098DC73392EC06CB61A4ACA35182A0822CF6934E8EE42196E2BCFE810CC859965A9F6F393858A1242DF
                Malicious:false
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1036\license.rtf
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):11593
                Entropy (8bit):5.106817099949188
                Encrypted:false
                SSDEEP:192:aRAbNYjVk+z5GUSLse5GgALEXmAWL+/3FEShP9sJgi8+Ra8woh+89EQdhwQPely6:K4yrPqm9LcVEg9sVp2ohHVdKoXJXci9a
                MD5:F0FF747B85B1088A317399B0E11D2101
                SHA1:F13902A39CEAE703A4713AC883D55CFEE5F1876C
                SHA-256:4D9B7F06BE847E9E135AB3373F381ED7A841E51631E3C2D16E5C40B535DA3BCF
                SHA-512:AA850F05571FFC361A764A14CA9C1A465E2646A8307DEEE0589852E6ACC61AF145AEF26B502835724D7245900F9F0D441451DD8C055404788CE64415F5B79506
                Malicious:false
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1036\thm.wxl
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3366
                Entropy (8bit):5.0912204406356905
                Encrypted:false
                SSDEEP:48:c5DiTlO1BesgKLhD1K8cocDSN3m4NlN2ZfNmXL8ePZFcZkLPqUf9fQKRLKeKqZfj:uDiTlABzH1/qt4qgcXY
                MD5:7B46AE8698459830A0F9116BC27DE7DF
                SHA1:D9BB14D483B88996A591392AE03E245CAE19C6C3
                SHA-256:704DDF2E60C1F292BE95C7C79EE48FE8BA8534CEB7CCF9A9EA68B1AD788AE9D4
                SHA-512:FC536DFADBCD81B42F611AC996059A6264E36ECF72A4AEE7D1E37B87AEFED290CC5251C09B68ED0C8719F655B163AD0782ACD8CE6332ED4AB4046C12D8E6DBF6
                Malicious:false
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1040\license.rtf
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):11281
                Entropy (8bit):5.046489958240229
                Encrypted:false
                SSDEEP:192:WBGNX6UXR2+5SmgS/ChMErYkQvowHVw6zdgkycEGCDLQ+n3YJ2d8XSiej+T4Ma8f:gAzSVARBR5jEPLQY3YJpSjTP2
                MD5:9D98044BAC59684489C4CF66C3B34C85
                SHA1:36AAE7F10A19D336C725CAFC8583B26D1F5E2325
                SHA-256:A3F745C01DEA84CE746BA630814E68C7C592B965B048DDC4B1BBE1D6E533BE22
                SHA-512:D849BBB6C87C182CC98C4E2314C0829BB48BAD483D0CD97BF409E75457C3695049C3A8ADFE865E1ECBC989A910096D2C1CDF333705AAC4D22025DF91B355278E
                Malicious:false
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1040\thm.wxl
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3319
                Entropy (8bit):5.019774955491369
                Encrypted:false
                SSDEEP:48:c5DiTlO1eesy+hD9BOtBFv5Vo8BbQhMNDJN3msNlNohNNz+wcPclM+PAoYKp+K/u:uDiTlfQvo8WutJ/s9FHNOJp
                MD5:D90BC60FA15299925986A52861B8E5D5
                SHA1:FADFCA9AB91B1AB4BD7F76132F712357BD6DB760
                SHA-256:0C57F40CC2091554307AA8A7C35DD38E4596E9513E9EFAE00AC30498EF4E9BC2
                SHA-512:11764D0E9F286B5AA7B1A9601170833E462A93A1E569A032FCBA9879174305582BD42794D4131B83FBCFBF1CF868A8D5382B11A4BD21F0F7D9B2E87E3C708C3F
                Malicious:false
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1041\license.rtf
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):28232
                Entropy (8bit):3.7669201853275722
                Encrypted:false
                SSDEEP:192:Qkb65jNkzrUJVbpEiTskXHH1AZWoJxfnVnkDYUqfQFXBue6hX2JSfR7q05kWZxhY:epCD3y/ybox2yrk2
                MD5:8C49936EC4CF0F64CA2398191C462698
                SHA1:CC069FE8F8BC3B6EE2085A4EACF40DB26C842BAC
                SHA-256:7355367B7C48F1BBACC66DFFE1D4BF016C16156D020D4156F288C2B2207ED1C2
                SHA-512:4381147FF6707C3D31C5AE591F68BC61897811112CB507831EFF5E71DD281009400EDA3300E7D3EFDE3545B89BCB71F2036F776C6FDFC73B6B2B2B8FBC084499
                Malicious:false
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1041\thm.wxl
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3959
                Entropy (8bit):5.955167044943003
                Encrypted:false
                SSDEEP:96:uDiTlDuB1n+RNmvFo6bnpojeTPk0R/vueX5OA17IHdGWz:5uB1+gD1DU4EdGE
                MD5:DC81ED54FD28FC6DB6F139C8DA1BDED6
                SHA1:9C719C32844F78AAE523ADB8EE42A54D019C2B05
                SHA-256:6B9BBF90D75CFA7D943F036C01602945FE2FA786C6173E22ACB7AFE18375C7EA
                SHA-512:FD759C42C7740EE9B42EA910D66B0FA3F813600FD29D074BB592E5E12F5EC09DB6B529680E54F7943821CEFE84CE155A151B89A355D99C25A920BF8F254AA008
                Malicious:false
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1042\license.rtf
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):27936
                Entropy (8bit):3.871317037004171
                Encrypted:false
                SSDEEP:384:kKIgbA2uBsarNG/HxPvCL1ewjxsXmEw4C7C7R4jAeqCBO968y7yNRylBSFfQv9yH:d3ar8Xa/XAeqoc0wfBB4qN
                MD5:184D94082717E684EAF081CEC3CBA4B1
                SHA1:960B9DA48F4CDDF29E78BBAE995B52204B26D51B
                SHA-256:A4C25DA9E3FBCED47464152C10538F16EE06D8E06BC62E1CF4808D293AA1AFA2
                SHA-512:E4016C0CA348299B5EF761F456E3B5AD9B99E5E100C07ACAB1369DFEC214E75AA88E9AD2A0952C0CC1B707E2732779E6E3810B3DA6C839F0181DC81E3560CBDA
                Malicious:false
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1042\thm.wxl
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3249
                Entropy (8bit):5.985100495461761
                Encrypted:false
                SSDEEP:48:c5DiTlO4TesKOwhDNJCkt1NhEN3m/NFNkbKNdExpVgUnqx6IPaRc0KoUK9TKz0KR:uDiTlUJJCsgqf6YVoz4uU5vI54U5TY
                MD5:B3399648C2F30930487F20B50378CEC1
                SHA1:CA7BDAB3BFEF89F6FA3C4AAF39A165D14069FC3D
                SHA-256:AD7608B87A7135F408ABF54A897A0F0920080F76013314B00D301D6264AE90B2
                SHA-512:C5B0ECF11F6DADF2E68BC3AA29CC8B24C0158DAE61FE488042D1105341773166C9EBABE43B2AF691AD4D4B458BF4A4BF9689C5722C536439CA3CDC84C0825965
                Malicious:false
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1045\license.rtf
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):13265
                Entropy (8bit):5.358483628484379
                Encrypted:false
                SSDEEP:192:TKpWRd0NE41Y/od7V/sHFos7YLQY9DbLM5D+Vw1VAOb0P4/sHLS7VHwHMPw95a+Q:uy0CG9KZ7qQCw1VAOZ/sHOJfcY2wf6p2
                MD5:5B9DF97FC98938BF2936437430E31ECA
                SHA1:AB1DA8FECDF85CF487709774033F5B4B79DFF8DE
                SHA-256:8CB5EB330AA07ACCD6D1C8961F715F66A4F3D69FB291765F8D9F1850105AF617
                SHA-512:4EF61A484DF85C487BE326AB4F95870813B9D0644DF788CE22D3BEB6E062CDF80732CB0B77FCDA5D4C951A0D67AECF8F5DCD94EA6FA028CFCA11D85AA97714E3
                Malicious:false
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1045\thm.wxl
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3212
                Entropy (8bit):5.268378763359481
                Encrypted:false
                SSDEEP:48:c5DiTlOPesar4hDo7zGriQjDCN3mDNN0NrsNGl3vxkIP2hUdKLK0KbK4n6W0sfNM:uDiTlusPGriQw8n2rOij4JsU
                MD5:15172EAF5C2C2E2B008DE04A250A62A1
                SHA1:ED60F870C473EE87DF39D1584880D964796E6888
                SHA-256:440B309FCDF61FFC03B269FE3815C60CB52C6AE3FC6ACAD14EAC04D057B6D6EA
                SHA-512:48AA89CF4A0B64FF4DCB82E372A01DFF423C12111D35A4D27B6D8DD793FFDE130E0037AB5E4477818A0939F61F7DB25295E4271B8B03F209D8F498169B1F9BAE
                Malicious:false
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1046\license.rtf
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):10656
                Entropy (8bit):5.092962528947159
                Encrypted:false
                SSDEEP:192:WIPAufWXXF0+YkR6E0/CiTS0CsGlHIMqf29H7KxLY/aYzApT3anawLXCBX2:VPAufb+YSSCYrCb5BmW4UDaTqzLwX2
                MD5:360FC4A7FFCDB915A7CF440221AFAD36
                SHA1:009F36BBDAD5B9972E8069E53855FC656EA05800
                SHA-256:9BF79B54F4D62BE501FF53EEDEB18683052A4AE38FF411750A764B3A59077F52
                SHA-512:9550A99641F194BB504A76DE011D07C1183EE1D83371EE49782FC3D05BF779415630450174DD0C03CB182A5575F6515012337B899E2D084203717D9F110A6FFE
                Malicious:false
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1046\thm.wxl
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3095
                Entropy (8bit):5.150868216959352
                Encrypted:false
                SSDEEP:48:c5DiTlO5es/4ThDzmU6lDj4N3mBl0N+NWNP4hHCc9skPDXeKKeK9KfKt4eJ2RQdg:uDiTlJhJGl2UsZMLe6
                MD5:BE27B98E086D2B8068B16DBF43E18D50
                SHA1:6FAF34A36C8D9DE55650D0466563852552927603
                SHA-256:F52B54A0E0D0E8F12CBA9823D88E9FD6822B669074DD1DC69DAD6553F7CB8913
                SHA-512:3B7C773EF72D40A8B123FDB8FC11C4F354A3B152CF6D247F02E494B0770C28483392C76F3C222E3719CF500FE98F535014192ACDDD2ED9EF971718EA3EC0A73E
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Instala..o</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="HelpHeader">Ajuda da Instala..o</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [diret.rio - instala, repara, desinstala ou.. cria uma c.pia local completa do pacote no diret.rio. Install . o padr.o..../passive | /quiet - exibe a IU m.nima sem nenhum prompt ou n.o exibe nenhuma IU e.. nenhum prompt. Por padr.o, a IU e todos os prompts s.o exibidos...../norestart - suprime qualquer tentativa de reiniciar. Por padr.o, a IU perguntar. antes de reiniciar
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1049\license.rtf
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):31915
                Entropy (8bit):3.6440775919653996
                Encrypted:false
                SSDEEP:384:ntaMxngQEqQUaAEJxkSjjujcme51oVwuZOFsrnkGxunWxGc9wtvVYgCzkSxN1S2:npgnmWWNEvVYgCzxD
                MD5:A59C893E2C2B4063AE821E42519F9812
                SHA1:C00D0B11F6B25246357053F6620E57D990EFC698
                SHA-256:0EC8368E87B3DFC92141885A2930BDD99371526E09FC52B84B764C91C5FC47B8
                SHA-512:B9AD8223DDA2208EC2068DBB85742A03BE0291942E60D4498E3DAB4DDF559AA6DCF9879952F5819223CFC5F4CB71D4E06E4103E129727AACFB8EFE48403A04FA
                Malicious:false
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1049\thm.wxl
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):4150
                Entropy (8bit):5.444436038992627
                Encrypted:false
                SSDEEP:48:c5DiTlDhQt9esbrohDTWJt49kAr7DHN3m5GNDCNvNLIkflhrWncPingGdZwK1Kqp:uDiTlDYVgmt4xJ88k193ipzjvL
                MD5:17C652452E5EE930A7F1E5E312C17324
                SHA1:59F3308B87143D8EA0EA319A1F1A1F5DA5759DD3
                SHA-256:7333BC8E52548821D82B53DBD7D7C4AA1703C85155480CB83CEFD78380C95661
                SHA-512:53FD207B96D6BCF0A442E2D90B92E26CBB3ECC6ED71B753A416730E8067E831E9EB32981A9E9368C4CCA16AFBCB2051483FDCFC474EA8F0D652FCA934634FBE8
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.... <String Id="Caption">......... ......... [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">....... .. .........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [.......] - ........., .............., ........ ..... ........ ...... ......... ..... ...... . ......... .. ......... - ............../passive | /quiet - ........... ....
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1055\license.rtf
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):13379
                Entropy (8bit):5.214715951393874
                Encrypted:false
                SSDEEP:192:1fGkc01jIjZTUDUTvXt2QpfC5VAlCPpDwuOfH7df3YwnnbZIWG2XjQeoO9uBO8CA:Iiqx4Uh2QpMVA8haDdv9nbZzG6oQR2
                MD5:BD2DC15DFEE66076BBA6D15A527089E7
                SHA1:8768518F2318F1B8A3F8908A056213042A377CC4
                SHA-256:62A07232017702A32F4B6E43E9C6F063B67098A1483EEDDB31D7C73EAF80A6AF
                SHA-512:9C9467A2F2D0886FF4302A44AEA89734FCEFBD3CBE04D895BCEACBA1586AB746E62391800E07B6228E054014BE51F14FF63BA71237268F94019063C8C8B7EF74
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT YAZILIMI L\f1\u304?SANS KO\'aaULLARI\par..\f0 MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 Bu lisans ko\f1\'baullar\u305?, Microsoft Corporation (veya ya\'baad\u305?\u287?\u305?n\u305?z yere g\f0\'f6re bir ba\f1\u287?l\u305? \'bairketi) ile sizin aran\u305?zda yap\u305?lan anla\'bamay\u305? olu\'baturur. Bu ko\'baullar, yukar\u305?da ad\u305? ge\f0\'e7en yaz\f1\u305?l\u305?m i\f0\'e7in ge\'e7erlidir. \f1\'aaartlar, yaz\u305?l\u305?m i\f0\'e7in t\'fcm Microsoft hizmetleri veya g\'fcncelle\f1\'batirmeleri i\f0\'e7in, beraberlerinde farkl\f1\u305? \'baartlar bulunmad\u305?\u287?\u305? s\f0\'fcrece ge\'e7erlidir.\par..\b BU L\f1\u304?SANS \'aaARTLARINA UYDU\u286?UNUZ TAKD\u304?RDE A\'aaA\u286?IDAK\u3
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\1055\thm.wxl
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3221
                Entropy (8bit):5.280530692056262
                Encrypted:false
                SSDEEP:48:c5DiTlOaesHEqhDTHV4zVy6oBzdp0DYK2GP2ZmN3majyNXNoNKQXVvChcPc+WKb0:uDiTl3PHcIflKNTPgdi12xgg
                MD5:DEFBEA001DC4EB66553630AC7CE47CCA
                SHA1:90CED64EC7C861F03484B5D5616FDBCDA8F64788
                SHA-256:E5ABE3CB3BF84207DAC4E6F5BBA1E693341D01AEA076DD2D91EAA21C6A6CB925
                SHA-512:B3B7A22D0CDADA21A977F1DCEAF2D73212A4CDDBD298532B1AC97575F36113D45E8D71C60A6D8F8CC2E9DBF18EE1000167CFBF0B2E7ED6F05462D77E0BCA0E90
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Kurulumu</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.ptal etmek istedi.inizden emin misiniz?</String>.. <String Id="HelpHeader">Kurulum Yard.m.</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [dizin] - y.kler, onar.r, kald.r.r ya da.. dizindeki paketin tam bir yerel kopyas.n. olu.turur. Varsay.lan install de.eridir...../passive | /quiet - en az d.zeyde istemsiz UI g.sterir ya da hi. UI g.stermez ve.. istem yoktur. Varsay.lan olarak UI ve t.m istemler g.r.nt.lenir...../norestart - yeniden ba.lama denemelerini engeller. Varsay.lan olarak UI yeniden ba.l
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\2052\license.rtf
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):17863
                Entropy (8bit):3.9617786349452775
                Encrypted:false
                SSDEEP:192:BxoqPyOj+/8Tk5VigWgijAlk5xWvSCI5lgios0EhGXxGMLVGW+uUoqyLZDvAJxMx:vbIeaE7q3KGgzD2
                MD5:3CF16377C0D1B2E16FFD6E32BF139AC5
                SHA1:D1A8C3730231D51C7BB85A7A15B948794E99BDCE
                SHA-256:E95CA64C326A0EF7EF3CED6CDAB072509096356C15D1761646E3C7FDA744D0E0
                SHA-512:E9862FD0E8EC2B2C2180183D06535A16A527756F6907E6A1D2DB85092636F72C497508E793EE8F2CC8E0D1A5E090C6CCF465F78BC1FA8E68DAF7C68815A0EE16
                Malicious:false
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\2052\thm.wxl
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):2978
                Entropy (8bit):6.135205733555905
                Encrypted:false
                SSDEEP:48:c5DiTlOtKesi+hDtkQf7lz+W0gopN3m5+3cNONeN1ra8vWqPtlTKxKUTKlKXRoR+:uDiTlV5kQR9GLeE0ZxV6gIV
                MD5:3D1E15DEEACE801322E222969A574F17
                SHA1:58074C83775E1A884FED6679ACF9AC78ABB8A169
                SHA-256:2AC8B7C19A5189662DE36A0581C90DBAD96DF259EC00A28F609B644C3F39F9CA
                SHA-512:10797919845C57C5831234E866D730EBD13255E5BF8BA8087D53F1D0FC5D72DC6D5F6945DBEBEE69ACC6A2E20378750C4B78083AE0390632743C184532358E10
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">......</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [..] - .......... ..................Install ........../passive | /quiet - ..... UI ......... UI ... ........ UI ........../norestart - ..................... UI.../log log.txt - ............. %TEMP% ...
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\3082\license.rtf
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):10714
                Entropy (8bit):5.122578090102117
                Encrypted:false
                SSDEEP:192:WthGE/9wd8eQF/hJOmQeNrXT77uOlQ+v3AqHqc3wpXGYdjvsk2cwBb2:mhGuhj+ed388Bb2
                MD5:FBF293EE95AFEF818EAF07BB088A1596
                SHA1:BBA1991BA6459C9F19B235C43A9B781A24324606
                SHA-256:1FEC058E374C20CB213F53EB3C44392DDFB2CAA1E04B7120FFD3FA7A296C83E2
                SHA-512:6971F20964EF74B19077EE81F953342DC6D2895A8640EC84855CECCEA5AEB581E6A628BCD3BA97A5D3ACB6CBE7971FDF84EF670BDDF901857C3CD28855212019
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 T\'c9RMINOS DE LA LICENCIA DE SOFTWARE DE MICROSOFT\par..MICROSOFT VISUAL C++ 2019 RUNTIME\par..\b0 Estos t\'e9rminos de licencia constituyen un contrato entre Microsoft Corporation (o, en funci\'f3n de donde resida, una de sus filiales) y usted. Se aplican al software antes mencionado. Los t\'e9rminos tambi\'e9n se aplican a cualquier servicio o actualizaci\'f3n de Microsoft para el software, excepto en la medida que tengan t\'e9rminos diferentes.\par..\b SI USTED CUMPLE CON LOS PRESENTES T\'c9RMINOS DE ESTA LICENCIA, DISPONDR\'c1 DE LOS DERECHOS QUE SE DESCRIBEN A CONTINUACI\'d3N.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\3082\thm.wxl
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):3265
                Entropy (8bit):5.0491645049584655
                Encrypted:false
                SSDEEP:48:c5DiTlO/esS6VGhDv4tiUiyRUqzC4U+aD6N3m7xNh1NWNGbPz+9o3PWeKK9K9KfT:uDiTlxouUTiySqyIwz9sgxqvjIk8
                MD5:47F9F8D342C9C22D0C9636BC7362FA8F
                SHA1:3922D1589E284CE76AB39800E2B064F71123C1C5
                SHA-256:9CBB2B312C100B309A1B1495E84E2228B937612885F7A642FBBD67969B632C3A
                SHA-512:E458DF875E9B0622AEBE3C1449868AA6A2826A1F851DB71165A872B2897CF870CCF85046944FF51FFC13BB15E54E9D9424EC36CAF5A2F38CE8B7D6DC0E9B2363
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar la operaci.n?</String>.. <String Id="HelpHeader">Ayuda de configuraci.n</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - instala, repara, desinstala o.. crea una copia local completa del paquete en el directorio. La opci.n predeterminada es la instalaci.n...../passive | /quiet - muestra una IU m.nima sin solicitudes o no muestra ninguna IU ni.. solicitud. De forma predeterminada, se muestran la IU y todas las solicitudes...../norestart - elimina cualquier intento
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\BootstrapperApplicationData.xml
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
                Category:dropped
                Size (bytes):13122
                Entropy (8bit):3.729412080010859
                Encrypted:false
                SSDEEP:192:X0sg+QnH5zHqQHG0Hd8Hz7HE06HA0rH3FxF6OxLo3MzLa0LTnDBx7z8NkzzkvQwj:X0sBydLbmnoN10A1TpotVos
                MD5:B51EF22109AEEA9AE5190E9EF67D9476
                SHA1:FDF939DA26A1268CDF0510AA40FBCA614947C9FD
                SHA-256:1031C44505A4D8322C3BFF5BA92AE5E2C84D7041A01537D187726C9D4E862E5F
                SHA-512:27AA0612337B7473C75BA73EFAF606EE1DB13F7F633151ED5BFF7A9BB5A5AF5502EF3597AE0E95F714F5F0D19A2452413BD18E91516E696DED76C277D0BCA238
                Malicious:false
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\license.rtf
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:Rich Text Format data, version 1, ANSI
                Category:dropped
                Size (bytes):9046
                Entropy (8bit):5.157073875669985
                Encrypted:false
                SSDEEP:192:W8lZ1UVDWkgWZTIsvPhghtQ1Qf4lCfnEtHixEGx736wHqItfSpOy2:9T15WZMgAYlOnjt5HLoL2
                MD5:2EABBB391ACB89942396DF5C1CA2BAD8
                SHA1:182A6F93703549290BCDE92920D37BC1DEC712BB
                SHA-256:E3156D170014CED8D17A02B3C4FF63237615E5C2A8983B100A78CB1F881D6F38
                SHA-512:20D656A123A220CD3CA3CCBF61CC58E924B44F1F0A74E70D6850F39CECD101A69BCE73C5ED14018456E022E85B62958F046AA4BD1398AA27303C2E86407C3899
                Malicious:false
                Preview: {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.17763}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT SOFTWARE LICENSE TERMS\par..MICROSOFT VISUAL C++ 2019 RUNTIME \par..\b0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. They apply to the software named above. The terms also apply to any Microsoft services or updates for the software, except to the extent those have different terms.\par..\b IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 INSTALLATION AND USE RIGHTS. \b0\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-363\
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\logo.png
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:PNG image data, 64 x 64, 8-bit colormap, non-interlaced
                Category:dropped
                Size (bytes):1861
                Entropy (8bit):6.868587546770907
                Encrypted:false
                SSDEEP:24:q36cnTKM/3kTIQiBmYKHeQWalGt1Sj9kYIt1uZ+bYOQe0IChR95aW:qqiTKMPuUBm7eQJGtYJM1uZCVszaW
                MD5:D6BD210F227442B3362493D046CEA233
                SHA1:FF286AC8370FC655AEA0EF35E9CF0BFCB6D698DE
                SHA-256:335A256D4779EC5DCF283D007FB56FD8211BBCAF47DCD70FE60DED6A112744EF
                SHA-512:464AAAB9E08DE610AD34B97D4076E92DC04C2CDC6669F60BFC50F0F9CE5D71C31B8943BD84CEE1A04FB9AB5BBED3442BD41D9CB21A0DD170EA97C463E1CE2B5B
                Malicious:false
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\thm.wxl
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):2952
                Entropy (8bit):5.052095286906672
                Encrypted:false
                SSDEEP:48:c5DiTl/+desK19hDUNKwsqq8+JIDxN3mt7NlN1NVvAdMcgLPDHVXK8KTKjKnSnYF:uDiTl/BbTxmup/vrxATd
                MD5:FBFCBC4DACC566A3C426F43CE10907B6
                SHA1:63C45F9A771161740E100FAF710F30EED017D723
                SHA-256:70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
                SHA-512:063FB6685EE8D2FA57863A74D66A83C819FE848BA3072B6E7D1B4FE397A9B24A1037183BB2FDA776033C0936BE83888A6456AAE947E240521E2AB75D984EE35E
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29" />.... <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive | /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. B
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\thm.xml
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):8332
                Entropy (8bit):5.184632608060528
                Encrypted:false
                SSDEEP:96:8L2HdQG+3VzHfz96zYFGaPSWXdhRAmImlqFQKFBiUxn7Ke5A82rkO/pWk3nswP:ZHAzZ/3
                MD5:F62729C6D2540015E072514226C121C7
                SHA1:C1E189D693F41AC2EAFCC363F7890FC0FEA6979C
                SHA-256:F13BAE0EC08C91B4A315BB2D86EE48FADE597E7A5440DCE6F751F98A3A4D6916
                SHA-512:CBBFBFA7E013A2B85B78D71D32FDF65323534816978E7544CA6CEA5286A0F6E8E7E5FFC4C538200211F11B94373D5658732D5D8AA1D01F9CCFDBF20F154F1471
                Malicious:false
                Preview: <?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="64" Height="64" ImageFile="logo.png" Visible="yes"/>.. <Text X="80" Y="11" Width="-11" Heig
                C:\Windows\Temp\{E085B316-1885-4D6D-8AFA-013530797FCD}\.ba\wixstdba.dll
                Process:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):195600
                Entropy (8bit):6.682530937585544
                Encrypted:false
                SSDEEP:3072:OXoiFK6b0k77I+QfaIl191rSJHvlalB+8BHkY6v53EfcUzN0m6I+WxBlnKzeZuqt:OXoQNb++gDrSJdr8BHkPh3wIgnK/IU1a
                MD5:EAB9CAF4277829ABDF6223EC1EFA0EDD
                SHA1:74862ECF349A9BEDD32699F2A7A4E00B4727543D
                SHA-256:A4EFBDB2CE55788FFE92A244CB775EFD475526EF5B61AD78DE2BCDFADDAC7041
                SHA-512:45B15ADE68E0A90EA7300AEB6DCA9BC9E347A63DBA5CE72A635957564D1BDF0B1584A5E34191916498850FC7B3B7ECFBCBFCB246B39DBF59D47F66BC825C6FD2
                Malicious:false
                C:\Windows\Temp\~DF03D1023022D3A91E.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                C:\Windows\Temp\~DF03DAB1A89980E874.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                C:\Windows\Temp\~DF0B192711479E0864.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):20480
                Entropy (8bit):1.546026671740729
                Encrypted:false
                SSDEEP:48:h8PhiuRc06WXi/nT5RWpdj6RLBL71WSmRSqdZFt1S6WeUJSZQc:8hi1RnT3ajaLBL74VRrZFf8eNZQc
                MD5:A08D50FD22C98F2BBD45C8A8F7A29C8E
                SHA1:8828FA54F915338755889CFC25EFF8A088AC9A6D
                SHA-256:51915B86C7B8AB1C5D936B6EF8E98A4919F4D67D4C141D190811FEF970EFE183
                SHA-512:1B0DA9C13EBD0B663ACEA4D65C64E8BB7B5A382322376CA52D93D72054A6366D98618391A4F39663568B0B69FCC3584412F7F4DDBD3B85BD121B1F3DEDFD6F4D
                Malicious:false
                C:\Windows\Temp\~DF0D3CB2589B105547.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):32768
                Entropy (8bit):1.2412631553513016
                Encrypted:false
                SSDEEP:48:D8zuEs4vFXiiT5fBdj6RLBL7KS2fsl8RSqmjSIVoZQc:gzn3TFjaLBL7KIeRCJoZQc
                MD5:64DDEA5A119F0E09B6CD84E4A1B5169F
                SHA1:0878AEFF1A40206B22BB983D02C53E96210A6223
                SHA-256:EDB8FD32D6A1D8B173D5D6364051344251BCC7C40D0FC9498932A6E8592F30B9
                SHA-512:41C9704C6EB2E38CAE724239317AEDE6EBF0505C06465E3FF2A73B4BD91DE679B2F56BB53A6F246360E5E8723156E95637E652AC0C333C8635493BE89E3B1A99
                Malicious:false
                C:\Windows\Temp\~DF0E41D21F803AD375.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):32768
                Entropy (8bit):1.2412631553513016
                Encrypted:false
                SSDEEP:48:D8zuEs4vFXiiT5fBdj6RLBL7KS2fsl8RSqmjSIVoZQc:gzn3TFjaLBL7KIeRCJoZQc
                MD5:64DDEA5A119F0E09B6CD84E4A1B5169F
                SHA1:0878AEFF1A40206B22BB983D02C53E96210A6223
                SHA-256:EDB8FD32D6A1D8B173D5D6364051344251BCC7C40D0FC9498932A6E8592F30B9
                SHA-512:41C9704C6EB2E38CAE724239317AEDE6EBF0505C06465E3FF2A73B4BD91DE679B2F56BB53A6F246360E5E8723156E95637E652AC0C333C8635493BE89E3B1A99
                Malicious:false
                C:\Windows\Temp\~DF181E23D5E6D5A0A2.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):20480
                Entropy (8bit):1.5472913823039223
                Encrypted:false
                SSDEEP:48:W8PhruRc06WXikwFT52dmF6r3S2/mRSqmjSItZQ:phr1WwFT4mFQ3bmRChZQ
                MD5:087CF9DB434B5EDE6FCF1C9004F8D9EE
                SHA1:8FF25AC4ECDB3E6F6E79A823B808D370C1B6C2A3
                SHA-256:3621430A397C10F011301EC800E74F8AFFF4AB31C8BF50D797CC7A661B81F3F6
                SHA-512:E37497D15D900DA1146A0C7B5DA2D74F8F31826ECBD4FA3351275EA272E19E4944E47C041376DC4886B15815B41D81138AFAB0262BFD4CF616C79D43632E2FC0
                Malicious:false
                C:\Windows\Temp\~DF1ECF5059408BC5FF.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):20480
                Entropy (8bit):1.546026671740729
                Encrypted:false
                SSDEEP:48:h8PhiuRc06WXi/nT5RWpdj6RLBL71WSmRSqdZFt1S6WeUJSZQc:8hi1RnT3ajaLBL74VRrZFf8eNZQc
                MD5:A08D50FD22C98F2BBD45C8A8F7A29C8E
                SHA1:8828FA54F915338755889CFC25EFF8A088AC9A6D
                SHA-256:51915B86C7B8AB1C5D936B6EF8E98A4919F4D67D4C141D190811FEF970EFE183
                SHA-512:1B0DA9C13EBD0B663ACEA4D65C64E8BB7B5A382322376CA52D93D72054A6366D98618391A4F39663568B0B69FCC3584412F7F4DDBD3B85BD121B1F3DEDFD6F4D
                Malicious:false
                C:\Windows\Temp\~DF24460C64EADADF23.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                C:\Windows\Temp\~DF267443EC0486615B.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                C:\Windows\Temp\~DF268861D346F33CF5.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):32768
                Entropy (8bit):1.2371491291954149
                Encrypted:false
                SSDEEP:48:Jsmquau4vFXiAT50Wpdj6RLBL71WSmRSqdZFt1S6WeUJSZQc:NqzVTGajaLBL74VRrZFf8eNZQc
                MD5:5467C03514D7113FE7BCBA750A5DED15
                SHA1:78EECD59466201CE3069D0F95DD126490801621A
                SHA-256:6DBBF48159D846F242D2A37BCACA5E88F42ECC571B5D004BEE24AE6AC0B651A7
                SHA-512:B1EA0793594214237899885D234893A6E60CC444134C56817F7A4089BC1AF210E17017CEF590D3EF0490065B006F1945D81215389437B1489940557DF164E162
                Malicious:false
                C:\Windows\Temp\~DF351C22D7D29442B9.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                C:\Windows\Temp\~DF3681F9BAF91D3156.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                C:\Windows\Temp\~DF3AEFDA1C00071105.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                C:\Windows\Temp\~DF539BBE62CC52B080.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):32768
                Entropy (8bit):1.2371491291954149
                Encrypted:false
                SSDEEP:48:Jsmquau4vFXiAT50Wpdj6RLBL71WSmRSqdZFt1S6WeUJSZQc:NqzVTGajaLBL74VRrZFf8eNZQc
                MD5:5467C03514D7113FE7BCBA750A5DED15
                SHA1:78EECD59466201CE3069D0F95DD126490801621A
                SHA-256:6DBBF48159D846F242D2A37BCACA5E88F42ECC571B5D004BEE24AE6AC0B651A7
                SHA-512:B1EA0793594214237899885D234893A6E60CC444134C56817F7A4089BC1AF210E17017CEF590D3EF0490065B006F1945D81215389437B1489940557DF164E162
                Malicious:false
                C:\Windows\Temp\~DF58A6C35AFA9D7343.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):32768
                Entropy (8bit):1.2373689194030248
                Encrypted:false
                SSDEEP:48:4Gzu2s4vFXiQZT5ddmF6r3S2/mRSqmjSItZQ:HzBtZTZmFQ3bmRChZQ
                MD5:16111EBF9D5F1A8D492E142F43F65976
                SHA1:5BAB1E0C3B8623DF260A72591531449A114E1FD5
                SHA-256:8C0AA0659D617C59EABD149BCC6BD273E046ECEBE51AC610E5BE212B18FBC280
                SHA-512:5AF3124128954FC3145A61D60FA09B9377FACEAEA46A5EE9241D3C651165EC3080BF3B52729BAAF1636C72C6981E23FB7DBC139867B351A9C4C94AB7482526EF
                Malicious:false
                C:\Windows\Temp\~DF5C859F33798446C1.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):32768
                Entropy (8bit):1.2373689194030248
                Encrypted:false
                SSDEEP:48:4Gzu2s4vFXiQZT5ddmF6r3S2/mRSqmjSItZQ:HzBtZTZmFQ3bmRChZQ
                MD5:16111EBF9D5F1A8D492E142F43F65976
                SHA1:5BAB1E0C3B8623DF260A72591531449A114E1FD5
                SHA-256:8C0AA0659D617C59EABD149BCC6BD273E046ECEBE51AC610E5BE212B18FBC280
                SHA-512:5AF3124128954FC3145A61D60FA09B9377FACEAEA46A5EE9241D3C651165EC3080BF3B52729BAAF1636C72C6981E23FB7DBC139867B351A9C4C94AB7482526EF
                Malicious:false
                C:\Windows\Temp\~DF6136DE2223DD6251.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                C:\Windows\Temp\~DF66AEE814433F0D33.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                C:\Windows\Temp\~DF74FC4270CF6F4CC7.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):32768
                Entropy (8bit):1.2371491291954149
                Encrypted:false
                SSDEEP:48:Jsmquau4vFXiAT50Wpdj6RLBL71WSmRSqdZFt1S6WeUJSZQc:NqzVTGajaLBL74VRrZFf8eNZQc
                MD5:5467C03514D7113FE7BCBA750A5DED15
                SHA1:78EECD59466201CE3069D0F95DD126490801621A
                SHA-256:6DBBF48159D846F242D2A37BCACA5E88F42ECC571B5D004BEE24AE6AC0B651A7
                SHA-512:B1EA0793594214237899885D234893A6E60CC444134C56817F7A4089BC1AF210E17017CEF590D3EF0490065B006F1945D81215389437B1489940557DF164E162
                Malicious:false
                C:\Windows\Temp\~DF789353DB4371F516.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                C:\Windows\Temp\~DF798D74367264A2CB.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                C:\Windows\Temp\~DF87D5AE4566D85176.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):32768
                Entropy (8bit):0.10315420318511248
                Encrypted:false
                SSDEEP:6:xPLG7iVCnLG7iVrKOzPLHKOJSDBsJp8z8JEM9TEkuL1dQO6iGYcBlIVky6l80t/:50i8n0itFzDHFw7zpHQEQBp801
                MD5:60ACE1ED3D1052DD04B59CF080FFE8F9
                SHA1:130ECD05D54CA74F36D0B75F565E5A7B216CACBE
                SHA-256:084EF06277D865635F060799E85D33CEFAAE0B0465DDD17559853DA5481A10B5
                SHA-512:151457DECAED8CF0B1E07A67960D7E9E35A50A091BBB9D06E7350F2AE6C898FF2C8893ABB2643315E2098157FF7FB4A3CD53F992A7EC1B3EA544E756F426B21B
                Malicious:false
                C:\Windows\Temp\~DF8AFFC9A50ABC34CD.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                C:\Windows\Temp\~DF8D440D0E6EF0BE92.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                C:\Windows\Temp\~DF8F1CABEF4810B7B9.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):32768
                Entropy (8bit):1.2373689194030248
                Encrypted:false
                SSDEEP:48:4Gzu2s4vFXiQZT5ddmF6r3S2/mRSqmjSItZQ:HzBtZTZmFQ3bmRChZQ
                MD5:16111EBF9D5F1A8D492E142F43F65976
                SHA1:5BAB1E0C3B8623DF260A72591531449A114E1FD5
                SHA-256:8C0AA0659D617C59EABD149BCC6BD273E046ECEBE51AC610E5BE212B18FBC280
                SHA-512:5AF3124128954FC3145A61D60FA09B9377FACEAEA46A5EE9241D3C651165EC3080BF3B52729BAAF1636C72C6981E23FB7DBC139867B351A9C4C94AB7482526EF
                Malicious:false
                C:\Windows\Temp\~DF9498A288DC7B88B4.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):69632
                Entropy (8bit):0.13456204913449224
                Encrypted:false
                SSDEEP:48:4ZQcaWeUJ4S9SmRSqdZFtB9Ddj6RLBL4W:4ZQcVe9kVRrZFpxjaLBL4
                MD5:72DE8B6A6E869C1BBC40B4E7C46CA0A8
                SHA1:EBC07F49548A83C7D0DAF92F77485007D9E2F0E7
                SHA-256:A8C23ED2E8F61D61C7436D448C63314F9153681AE224E8B20A7F73DFC62AFDA7
                SHA-512:7CA063BEE286C3EBA1B8DA2C4BA2592909A6D83175CB2E68563DDF7228E715083D7793B3329AB3DBE535EA4EC5719E2223237892E9657FF0883FBADAF6552553
                Malicious:false
                C:\Windows\Temp\~DF9740C832CDEB1844.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):20480
                Entropy (8bit):1.5522720144430304
                Encrypted:false
                SSDEEP:48:l8PhruRc06WXi/FT5aBdj6RLBL7KS2fsl8RSqmjSIVoZQc:Ihr1RFTEjaLBL7KIeRCJoZQc
                MD5:02EA07B1F6C7F34C7F716E8F3A8B7A75
                SHA1:189848F56E819305CDDF2A85CE115265F8C1D43A
                SHA-256:46EA3892CD6256142D3DC9B68D40794E818EFC0D368E5746F8F4508D67969750
                SHA-512:56BC9A50F8F9825D3E758C7591787CD7978080CC77570A148D19161A03E3626D80459BC4FFD59679954C7C87B616ABF4FE58B126F1513AB2AE3B7B55E59EB563
                Malicious:false
                C:\Windows\Temp\~DF9BEA940E7DEA78CC.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):32768
                Entropy (8bit):1.2373689194030248
                Encrypted:false
                SSDEEP:48:4Gzu2s4vFXiQZT5ddmF6r3S2/mRSqmjSItZQ:HzBtZTZmFQ3bmRChZQ
                MD5:16111EBF9D5F1A8D492E142F43F65976
                SHA1:5BAB1E0C3B8623DF260A72591531449A114E1FD5
                SHA-256:8C0AA0659D617C59EABD149BCC6BD273E046ECEBE51AC610E5BE212B18FBC280
                SHA-512:5AF3124128954FC3145A61D60FA09B9377FACEAEA46A5EE9241D3C651165EC3080BF3B52729BAAF1636C72C6981E23FB7DBC139867B351A9C4C94AB7482526EF
                Malicious:false
                C:\Windows\Temp\~DF9DB49B59FFBB0487.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):32768
                Entropy (8bit):1.2412631553513016
                Encrypted:false
                SSDEEP:48:D8zuEs4vFXiiT5fBdj6RLBL7KS2fsl8RSqmjSIVoZQc:gzn3TFjaLBL7KIeRCJoZQc
                MD5:64DDEA5A119F0E09B6CD84E4A1B5169F
                SHA1:0878AEFF1A40206B22BB983D02C53E96210A6223
                SHA-256:EDB8FD32D6A1D8B173D5D6364051344251BCC7C40D0FC9498932A6E8592F30B9
                SHA-512:41C9704C6EB2E38CAE724239317AEDE6EBF0505C06465E3FF2A73B4BD91DE679B2F56BB53A6F246360E5E8723156E95637E652AC0C333C8635493BE89E3B1A99
                Malicious:false
                C:\Windows\Temp\~DF9F17EEDA91CF2AAF.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                C:\Windows\Temp\~DFA3B4A6704F56C897.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                C:\Windows\Temp\~DFAF1C69BAC7E75306.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):69632
                Entropy (8bit):0.13685086162309887
                Encrypted:false
                SSDEEP:24:2LLZQcpWYaazipVvipVIfsl8S0W1VMNgNlGl+f+qdMCltLbMClmVj1LFGm1LFDx:4ZQcoVmS9S2fsl8RSqmdFdj6RLBLP
                MD5:277788611E21133E73731D482BC111BE
                SHA1:8A1A018BC6B5B66D89BE81139F58E2D2519C5FA5
                SHA-256:72B9FAA912DD8F0E2EFAC240B88FA5FEF39EF566CD9CA413FCCFD4C5C5E084B0
                SHA-512:4BCDF9000B82DC0DE40464FC7F8668EB5BC717E3EA55B4C715BEBC4EA2FC1E6A843B57DA13CB7A9B0C9433FB85070A20491B1A5A353759474F222BD40ADF9540
                Malicious:false
                C:\Windows\Temp\~DFB45662C3BF5FE35A.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):69632
                Entropy (8bit):0.13468961415718264
                Encrypted:false
                SSDEEP:24:tlZYuYsjipVvipVIfDLmS0W1VMNgNlGl+3+BdMCl4FMClmVjLm:tlZRdS9S2/mRSqm1udmF6
                MD5:A7AF3DAFB2798E8E6255AAE3FDFB4108
                SHA1:920EFDC5FD979CBEC7DBA8C67A0BD4EDCF198B6A
                SHA-256:28191BC3AB19494CFE0C1820FD0BB62FA0C7F6CF491148A39A8A3B85CA3C9FD2
                SHA-512:3D00E379579F77AC8AC2828C54A7EC6F2C54CA42953D93B0E219188DEB628CB1EC5954B30F977F86BDC7A9FB16DB41A3FAE275C8C923666CE404BA5780E22196
                Malicious:false
                C:\Windows\Temp\~DFB49845D25130926B.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                C:\Windows\Temp\~DFBBE5E9A89A32D94D.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):32768
                Entropy (8bit):1.2373689194030248
                Encrypted:false
                SSDEEP:48:4Gzu2s4vFXiQZT5ddmF6r3S2/mRSqmjSItZQ:HzBtZTZmFQ3bmRChZQ
                MD5:16111EBF9D5F1A8D492E142F43F65976
                SHA1:5BAB1E0C3B8623DF260A72591531449A114E1FD5
                SHA-256:8C0AA0659D617C59EABD149BCC6BD273E046ECEBE51AC610E5BE212B18FBC280
                SHA-512:5AF3124128954FC3145A61D60FA09B9377FACEAEA46A5EE9241D3C651165EC3080BF3B52729BAAF1636C72C6981E23FB7DBC139867B351A9C4C94AB7482526EF
                Malicious:false
                C:\Windows\Temp\~DFBC0ECE661FDF88DC.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                C:\Windows\Temp\~DFC5FA91E0FB764E24.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):20480
                Entropy (8bit):1.5472913823039223
                Encrypted:false
                SSDEEP:48:W8PhruRc06WXikwFT52dmF6r3S2/mRSqmjSItZQ:phr1WwFT4mFQ3bmRChZQ
                MD5:087CF9DB434B5EDE6FCF1C9004F8D9EE
                SHA1:8FF25AC4ECDB3E6F6E79A823B808D370C1B6C2A3
                SHA-256:3621430A397C10F011301EC800E74F8AFFF4AB31C8BF50D797CC7A661B81F3F6
                SHA-512:E37497D15D900DA1146A0C7B5DA2D74F8F31826ECBD4FA3351275EA272E19E4944E47C041376DC4886B15815B41D81138AFAB0262BFD4CF616C79D43632E2FC0
                Malicious:false
                C:\Windows\Temp\~DFC639B6AF3E02B280.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):32768
                Entropy (8bit):1.2412631553513016
                Encrypted:false
                SSDEEP:48:D8zuEs4vFXiiT5fBdj6RLBL7KS2fsl8RSqmjSIVoZQc:gzn3TFjaLBL7KIeRCJoZQc
                MD5:64DDEA5A119F0E09B6CD84E4A1B5169F
                SHA1:0878AEFF1A40206B22BB983D02C53E96210A6223
                SHA-256:EDB8FD32D6A1D8B173D5D6364051344251BCC7C40D0FC9498932A6E8592F30B9
                SHA-512:41C9704C6EB2E38CAE724239317AEDE6EBF0505C06465E3FF2A73B4BD91DE679B2F56BB53A6F246360E5E8723156E95637E652AC0C333C8635493BE89E3B1A99
                Malicious:false
                C:\Windows\Temp\~DFC8EB3B2A32A31592.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                C:\Windows\Temp\~DFCF1D99A9A021023C.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):32768
                Entropy (8bit):1.2412631553513016
                Encrypted:false
                SSDEEP:48:D8zuEs4vFXiiT5fBdj6RLBL7KS2fsl8RSqmjSIVoZQc:gzn3TFjaLBL7KIeRCJoZQc
                MD5:64DDEA5A119F0E09B6CD84E4A1B5169F
                SHA1:0878AEFF1A40206B22BB983D02C53E96210A6223
                SHA-256:EDB8FD32D6A1D8B173D5D6364051344251BCC7C40D0FC9498932A6E8592F30B9
                SHA-512:41C9704C6EB2E38CAE724239317AEDE6EBF0505C06465E3FF2A73B4BD91DE679B2F56BB53A6F246360E5E8723156E95637E652AC0C333C8635493BE89E3B1A99
                Malicious:false
                C:\Windows\Temp\~DFD9E79EBB015AB73A.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                C:\Windows\Temp\~DFDFEBDF249F13033F.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                C:\Windows\Temp\~DFE9C47E4AAB3B0593.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):32768
                Entropy (8bit):1.2412631553513016
                Encrypted:false
                SSDEEP:48:D8zuEs4vFXiiT5fBdj6RLBL7KS2fsl8RSqmjSIVoZQc:gzn3TFjaLBL7KIeRCJoZQc
                MD5:64DDEA5A119F0E09B6CD84E4A1B5169F
                SHA1:0878AEFF1A40206B22BB983D02C53E96210A6223
                SHA-256:EDB8FD32D6A1D8B173D5D6364051344251BCC7C40D0FC9498932A6E8592F30B9
                SHA-512:41C9704C6EB2E38CAE724239317AEDE6EBF0505C06465E3FF2A73B4BD91DE679B2F56BB53A6F246360E5E8723156E95637E652AC0C333C8635493BE89E3B1A99
                Malicious:false
                C:\Windows\Temp\~DFECD7832E8DBC912F.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):512
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3::
                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                Malicious:false
                C:\Windows\Temp\~DFEF3689AB55940DDF.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):20480
                Entropy (8bit):1.5522720144430304
                Encrypted:false
                SSDEEP:48:l8PhruRc06WXi/FT5aBdj6RLBL7KS2fsl8RSqmjSIVoZQc:Ihr1RFTEjaLBL7KIeRCJoZQc
                MD5:02EA07B1F6C7F34C7F716E8F3A8B7A75
                SHA1:189848F56E819305CDDF2A85CE115265F8C1D43A
                SHA-256:46EA3892CD6256142D3DC9B68D40794E818EFC0D368E5746F8F4508D67969750
                SHA-512:56BC9A50F8F9825D3E758C7591787CD7978080CC77570A148D19161A03E3626D80459BC4FFD59679954C7C87B616ABF4FE58B126F1513AB2AE3B7B55E59EB563
                Malicious:false
                C:\Windows\Temp\~DFF3F54730DFC75E05.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:data
                Category:dropped
                Size (bytes):32768
                Entropy (8bit):0.101966517312601
                Encrypted:false
                SSDEEP:6:xPLG7iVCnLG7iVrKOzPLHKOP1/x2I2M9R9X4IOxkQliVky6lJl0t/:50i8n0itFzDHFPZx2hs9X4KQDr01
                MD5:4C576594FA66D0DC4C7A6A7AE5F90728
                SHA1:501FA73B78162CE60B28F7010F01F19C7DAC0832
                SHA-256:A75EB9D68001602F6E03987E09472D3C25851AA318AE58DB08C085E4E81D5F2E
                SHA-512:D10BE1817CB6B1004614FB05DB54FDC2DFE732C7F15934E0D0E2242D313FC61254F60B34F587D9D731A7A52EDB3394635143C249082E9E68C7F38CBFFE35E0D6
                Malicious:false
                C:\Windows\Temp\~DFF4A953BE8EADB48A.TMP
                Process:C:\Windows\System32\msiexec.exe
                File Type:Composite Document File V2 Document, Cannot read section info
                Category:dropped
                Size (bytes):32768
                Entropy (8bit):1.2373689194030248
                Encrypted:false
                SSDEEP:48:4Gzu2s4vFXiQZT5ddmF6r3S2/mRSqmjSItZQ:HzBtZTZmFQ3bmRChZQ
                MD5:16111EBF9D5F1A8D492E142F43F65976
                SHA1:5BAB1E0C3B8623DF260A72591531449A114E1FD5
                SHA-256:8C0AA0659D617C59EABD149BCC6BD273E046ECEBE51AC610E5BE212B18FBC280
                SHA-512:5AF3124128954FC3145A61D60FA09B9377FACEAEA46A5EE9241D3C651165EC3080BF3B52729BAAF1636C72C6981E23FB7DBC139867B351A9C4C94AB7482526EF
                Malicious:false
                C:\ztg\fillProxy\Uninstall.exe
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:modified
                Size (bytes):51018
                Entropy (8bit):6.496159482396507
                Encrypted:false
                SSDEEP:1536:59qZdHWep0GH7WiLcMxJPo7ss97agwv/j:59qNqWDLcMxJPox9s
                MD5:9511320E3B8C1697079D6434B45B387F
                SHA1:04ADFDA0E7FFE7158AE890FE30CE2FA8353395F4
                SHA-256:0D0927657D909D051CF47C8B516AB9B719FCDC946FA7366D5CC348AADCF94BC7
                SHA-512:CEAA28B0CB0B0DC1878A567F3B6317B0647267C1ECD9EF670E1EFD4924C899CBD22534D675A5106C65EF813A7EBC64BE5ABFF61AE4D86F29525742359028D674
                Malicious:false
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+j..E9..E9..E9..I9..E9..N9..E9{.K9..E9..O9..E9..E9..E9..V9..E9..V9..E9..D9`.E9..N9..E9?.C9..E9Rich..E9........PE..L.....H@.....................4.......i............@......................................................................... ...........X............................................................................................................text............................... ..`.rdata..............................@..@.data...|...........................@....rsrc...X...........................@..@................................................................................................................................................................................................................................................................................................................................................................
                C:\ztg\fillProxy\bin\Default.rdp
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                Category:dropped
                Size (bytes):2000
                Entropy (8bit):3.31564836065367
                Encrypted:false
                SSDEEP:24:QWcuYaRlTZAzx+ifn9WDjMn5vZm6/0hfq0Yhyl1rUcAqI4tiqn2zqRnMgtp:YkDTZSlf9WPMfmNpblhRnh
                MD5:486F42E6B70BAAC5EC59E930BEC884A2
                SHA1:E2B4CFF7911C941EE7BBE9332D1E1C32E46BD15C
                SHA-256:651BAD16A3D8626B0065814B5D24349F639D288D51DDD949D48CB06462938905
                SHA-512:164C7A441D68DCDFEF5A587D576FA4F5C6A79949BF3FA416EB36BF8B3CB9CCE372821B128FC5713A5D88313EBB30884C03FCE33D952338FEF2053DC20888E7F1
                Malicious:false
                Preview: screen mode id:i:1..use multimon:i:0..desktopwidth:i:1920..desktopheight:i:1080..session bpp:i:16..winposstr:s:2,3,0,0,800,600..compression:i:1..keyboardhook:i:2..audiocapturemode:i:0..videoplaybackmode:i:1..connection type:i:2..displayconnectionbar:i:1..disable wallpaper:i:1..allow font smoothing:i:0..allow desktop composition:i:0..disable full window drag:i:1..disable menu anims:i:1..disable themes:i:0..disable cursor setting:i:0..bitmapcachepersistenable:i:1..full address:s:172.16.5.29..audi
                C:\ztg\fillProxy\bin\SPY.dll
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):452608
                Entropy (8bit):6.609176403412194
                Encrypted:false
                SSDEEP:6144:ryvstmSbTvYPv7Eu9nFmtvUuAjDR7qPJAOQZnOS2WFy4J:rZvvYn7Eu9n8tgx2Wp
                MD5:545B8DA480D98435C995CF1FFF55C873
                SHA1:73746290B655A5979A03841FED13E3686A428726
                SHA-256:DB7A130D294364FFB05CF9750B82459D7FE70A58489B99706222CE12DBA60417
                SHA-512:7031C21A2DD7D4219F66A21A0517DB4E16FE15B92685616E49B3647009F16CE3010DEC2566B5B31A5BB1679A58C8D85454385F2E3AD40CEA90FE7F58F4A135B1
                Malicious:false
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........DLv..Lv..Lv..X...Bv..X....v..X...Zv.. ...Cv.. ...Zv.. ....v......Ov......Nv..X...Gv..Lv...v......Ov......Mv......Mv......Mv..RichLv..................PE..L...[..`...........!.........................................................0............@..........................u..x....y..x................................M......p...............................@...............$............................text...v........................... ..`.rdata..\...........................@..@.data....6.......$...t..............@....rsrc...............................@..@.reloc...M.......N..................@..B................................................................................................................................................................................................................................................................................
                C:\ztg\fillProxy\bin\SPYaaa.dll
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):460288
                Entropy (8bit):6.640982703797016
                Encrypted:false
                SSDEEP:12288:AzHtlicKZ78uGfejmJIPb+m6uL1+oxi0IIv8uEwTiMi:A5MfNPtjmJ6U1A8uEnL
                MD5:03ED0A0F88A2ED035123A93920FB7AF7
                SHA1:B36AFCFEDA852E78EE4327DECD3BE5896AFF06AB
                SHA-256:CDA21182C591D30572A46325EB6A40D9B304CCF4DF7C484E6F7373E58EF08508
                SHA-512:C770EBDDE6F30FEA014BA6A54C0A399EC84D51F2AF0145B91C6CD81844914A9BDDEEB14FEA246E1FB3533E74AC3617E18961257E0B642731FEFD25DFE5A88C56
                Malicious:false
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................S..........s.......s.......s...E...z.......K..................b...Z.......Z.......Z.].....Z.......Rich....................PE..L....V.`...........!........."...............................................`............@.....................................x................................Q...%..p...................@'......P&..@...............(............................text............................... ..`.rdata..............................@..@.data...X6......."..................@....rsrc...............................@..@.reloc...Q.......R..................@..B................................................................................................................................................................................................................................................................................
                C:\ztg\fillProxy\bin\boost_date_time-vc142-mt-gd-x32-1_72.dll
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):94720
                Entropy (8bit):5.9975485249767075
                Encrypted:false
                SSDEEP:1536:TppLlylulDlfbD4L+JJFFsW1tomxFpfJ0X2SRdxx5G:T7lylulDlfbD4L+JJcW16mxFpfJ0X2On
                MD5:D78D2152487E69DE35171633FBA5EC4E
                SHA1:5C8ECFDD8812C1396CAFBAD3F7FA06DA0AF558A0
                SHA-256:F14629671AE2D930D0429B9E431B7C3FD354EC10B90DA765CBA991FDE81EAEE0
                SHA-512:A13A135CC4C6E3BC24F7B43F3D0AD586164F02D56D49A5CD61AC8B2FABB11EFA48A033D4D9610172B0CCEE7EAE5CF73FF5AFA064FF964AEBF9A7FB59CE207F3A
                Malicious:false
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............P...P...P...Q...P...Q...P...Q...P...Q...P...Q...P...P...Pb..Q...Pb..Q...Pb..Q...PRich...P................PE..L..."`.^...........!................@...............................................-.....@......................... E.......W..d...................................0...T...................@...........@...............p............................text...O........................... ..`.rdata...r.......t..................@..@.data...|....p.......T..............@....rsrc................^..............@..@.reloc...............`..............@..B........................................................................................................................................................................................................................................................................................................................
                C:\ztg\fillProxy\bin\changePv.bat
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:DOS batch file, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):107
                Entropy (8bit):4.550627534923158
                Encrypted:false
                SSDEEP:3:mKDDVBFFyzJcf5fMKw5HHX+RWcf5fMKw5QrFQl9A+Fn:hezsGKkHHXKFGKkhln
                MD5:DA5C9A049152E54D516AE93A4F61E033
                SHA1:E73D3651A0F1E721B3B6FF0C56D4F96CDA40C84D
                SHA-256:5C4149942F7CD956C34846D60BB3819BB36685E962BABD0FF2FFD8C8DD35C26F
                SHA-512:15086B8391440AC4EE255FBB221716A5AC1A628C4E93B4768E5F3D18FD32BCFA057820E99171F023AA704D779FCB8BEB8B1DBE6C2250E63445729E13CCB4AA50
                Malicious:false
                Preview: @echo off..cd /d %~dp0..Cacls C:\ztg /t /e /c /g users:f..Cacls C:\ztg /t /e /c /g "Domain users":f..@exit
                C:\ztg\fillProxy\bin\chromeShowAlwaysCheckBox.reg
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:Windows Registry text (Win2K or above)
                Category:dropped
                Size (bytes):155
                Entropy (8bit):5.333230654958506
                Encrypted:false
                SSDEEP:3:jBJ0nMWXZ6RKZFNKo1gLxqyB+pMITAbwwSxKCxS3EcASFxM7V/W:jBJ0nMhRKLNKomLx78aITYwwSDQAz7Vu
                MD5:2C112915B6620E4F2B667D91C5E6842A
                SHA1:180B0581274F18A36CD7CD050E27B7390B98DDCF
                SHA-256:094F11E66626D28AA164ABA88B6810CB5026F77E6648E1460FC4DAC3B0CF9F85
                SHA-512:28116F5331ADF63C992E7B44114CD6B40B838D76B769AC0A8A48898F4373B97F1B2697136B6F96E254DFBF31BE377A613FA2F4F3B102A9C76E37E87183899027
                Malicious:false
                Preview: Windows Registry Editor Version 5.00....[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome].."ExternalProtocolDialogShowAlwaysOpenCheckbox"=dword:00000001
                C:\ztg\fillProxy\bin\cleanNavicatHistory.exe
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):175104
                Entropy (8bit):6.477668939571025
                Encrypted:false
                SSDEEP:3072:GJsEnJMCm+KRFSBVOUAvTRO0yYR0LIrdcHTJIIJh8UXXLhDulSfAgCdsLZy:GJsEnJMjy/zA1yYeWkTKIJ2EXAnCty
                MD5:AAAD5FA996908255993CA422FC6190C9
                SHA1:B26DC3E162351B0B4679C281AB072432E4DF1DDB
                SHA-256:F06D5BA0454B0944A1833791C6BCD03F685EA0CFE8C87A17B95D75E18BA5326B
                SHA-512:5699DD0EFD71723D67FD3B92C70CA5E1A4F136022625ECDA93767EDEEABE8268E05F9AF7216BE0F4F8C48AD4FB72C024556DEB384A25E8DCCB4710B45D24AB07
                Malicious:false
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+.nFJ.=FJ.=FJ.=R!.<MJ.=R!.<.J.=R!.<TJ.=*>.<WJ.=*>.<TJ.=*>.<kJ.=.;.<EJ.=R!.<MJ.=FJ.=7J.=.>.<GJ.=.>C=GJ.=.>.<GJ.=RichFJ.=........PE..L.....]`............................[Z............@.......................................@.................................L...d................................ ..`f..p....................g.......f..@...............h............................text...t........................... ..`.rdata..|...........................@..@.data................x..............@....rsrc...............................@..@.reloc... ......."..................@..B........................................................................................................................................................................................................................................................................................................
                C:\ztg\fillProxy\bin\crt6.6.1_tmp.exe
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):280576
                Entropy (8bit):6.601707889539921
                Encrypted:false
                SSDEEP:6144:yTlb/wMLdZpEdZhwb8GU08S6wLyruwqz3HCMRgN+WAOzfE3Yhg+oeg/:yTlb/wMLd/EdZSbwTwOruwqz3iFN7Fgf
                MD5:3BD96ABA89123D54F60EB9C2B43A12E0
                SHA1:F2DE612AFB95AC795FE616A5978E1E3C06F37504
                SHA-256:B02164573E33A7DA099C3041A916706095F09160FE1A3341B049F58D2B7483F4
                SHA-512:5445218F40677B50E42C4397032A6B70DB11B65969A4AACA2502F1C632C7764A9A1EA183B4ABBB0529EE893799E9B2B4026D2FCF88B0989DA887E45D48BFB0C6
                Malicious:false
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B{....@...@...@.]rC...@.]rE...@.]rD...@..kD...@..kC...@..kE...@..kE...@.]rA...@...A...@..hI...@..h....@..hB...@.Rich..@.........................PE..L......_.....................x......>.............@.......................................@.....................................d....@.......................P..T/......p...................@.......h...@............................................text............................... ..`.rdata........... ..................@..@.data...T$..........................@....rsrc........@......................@..@.reloc..T/...P...0..................@..B........................................................................................................................................................................................................................................................................................
                C:\ztg\fillProxy\bin\curl.exe
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                Category:dropped
                Size (bytes):3811960
                Entropy (8bit):6.615664674229294
                Encrypted:false
                SSDEEP:98304:LQId9Ob3f50XXoN7SeHqZS4BcWtNJ2zH8Rbxc1ewUdCO46MtWjwDHT+K2FcnDJpO:LQ+k50XXoN7SeHqZS4ltNJ2zH8Rbxc1i
                MD5:2B5F330320DEA666E02E28B97B751AF9
                SHA1:4038562D0A950229B6D68FB62384AE59EEF07FFD
                SHA-256:4FAE7A2C81D933A9955F276AB680AB75FFBDB15CD62ABC43AF161BCCE4C29847
                SHA-512:3506DBC851C34EC63203FE578A449FD607B8374998A97AE384C05F6C0FD6D4BB6CB12C6C185F06E629BF49C572D5A0CB5E97DF54A28EB9470AD74C0D10BDF952
                Malicious:false
                Reputation:unknown
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...wq._...............#..+...:..J............+...@...........................:.....C.:...@... .......................8.1.....8. !... 9.@.............:.x....09..............................I8.......................8..............................text.....+.......+.................`..`.data....<....+..>....+.............@.`..rdata...\....,..^....+.............@.`@.eh_fram.....`8......\8.............@.0@.bss....$I...p8.......................`..edata..1.....8......^8.............@.0@.idata.. !....8.."...`8.............@.0..CRT....4.....9.......8.............@.0..tls..........9.......8.............@.0..rsrc...@.... 9.......8.............@.0..reloc.......09.......8.............@.0B........................................................................................................................................................................................
                C:\ztg\fillProxy\bin\default
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:ISO-8859 text, with very long lines, with CRLF, LF line terminators
                Category:dropped
                Size (bytes):65203
                Entropy (8bit):6.093899587214663
                Encrypted:false
                SSDEEP:192:FDPVNPkYjP4W0HnIPQPHYHHITlIT2EDS9StiLiLTkqcNn4aIAWq434MCxRdLgOwZ:dxQVSqEDS9Sti2HkqUn4aIhoMC1gOwMy
                MD5:5D139D7826C4A26AC9C16524CD9A95C9
                SHA1:C13F72D6D7E9EA6AC94D767B7E2663031C2BC530
                SHA-256:DDDC1933E05E2868508BD670B13FF9F44DAC26BC73AB76F4BF82305972BF4027
                SHA-512:9B94C249736872E2E35820D4AD37F8A2D25A5A1978DF62DC503686E6A01A72577B930ED1CBE631DE46BED4CB0668A63116E3E21C172FE2C6A6B04BFEB305C315
                Malicious:false
                Reputation:unknown
                Preview: [2020-12-29 14:43:45.235][thread:138404][main.cpp:207->main][info] fillCilent...........:eyJ0YXNrX3R5cGUiOiIyIiwibXlkYl91cmwiOiJodHRwOi8vMTcyLjE2LjMuMTA6ODA4MC9teWRi.IiwiYXVkaXRsb2dfdXJsIjoiaHR0cDovLzE3Mi4xNi41LjEzOjgwODEvYXVkaXRsb2cvIiwiZGF0.YSI6IHsiZmlsbF9pZCI6IjZiMDI3ZWZiLWIzZTYtNDcyYS05NTBlLTA2NGFlNzYxMjY1ZCIsImZp.bGxfdXJsIjoiYUhSMGNEb3ZMekUzTWk0eE5pNHpMakkzT2pjd01EQXZZWE5vWlM5aGMyaGxMWE56.Ynk5eGRXVnllUzFtYVd4c0xXUmhkR0U9IiwiZ2lkIjoiMnZvN05udnpCY29GemNNRnh5eVU2YyJ9.fQ==..[2020-12-29 14:43:45.237][thread:138404][main.cpp:124->start_fillProxy][info] fillProxy_cmd:C:\fillProxy\bin\fillProxy.exe http://172.16.3.10:8080/mydb http://172.16.5.13:8081/auditlog/..[2020-12-29 14:43:48.242][thread:138404][main.cpp:231->main][info] START_FILLPROXY_WITH_URL..[2020-12-29 14:43:48.242][thread:138404][fill_task.hpp:19->fill_task::start_fill][info] start_fill .......:eyJ0YXNrX3R5cGUiOiIyIiwibXlkYl91cmwiOiJodHRwOi8vMTcyLjE2LjMuMTA6ODA4MC9teWRi.IiwiYXVkaXRsb2dfdXJsIjoiaHR0cDovLzE3Mi4xNi41LjEzOjgwOD
                C:\ztg\fillProxy\bin\fillClient.exe
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):1537024
                Entropy (8bit):6.6738666093131975
                Encrypted:false
                SSDEEP:24576:xZ5dYBptw766dKk+0hkmNpFil353PQrILVVnQ3RktqYWjbPU+YqFaVTwjCBk:z35s074tVVnQ3RktqYubPfFaVTwWBk
                MD5:0BB036477EBDA3814FF81C77DF0FF64A
                SHA1:766820F7D7FD78EAF3F109E7A952F4E0071FEDD6
                SHA-256:12552E5B99F3CAB16C604EF578F115E65A9B10FA1664E1F49F53809954D7B481
                SHA-512:F7C0F23C2D24A09CD14DF26F2F3FA0E47E76D0FE1DAF1E1CD1530BD7BE686DC4F341A75E7D9254F1CE1AB64B12F965CF2D1C8637CFF9B645B692966BA9E1B7D9
                Malicious:false
                Reputation:unknown
                Preview: MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......}...9O..9O..9O..-$../O..-$...O..-$..#O.._ I.?O..U;..+O..U;..#O..-$..8O..U;.._O...?..?O...>..ZO...>...O...?..>O..-$.. O..9O...N...;..8O...;K.8O...;..8O..Rich9O..................PE..L...L..`.................f...2......2.............@.......................................@..................................+..........................................p...................@.......P...@...............$............................text...|e.......f.................. ..`.rdata...............j..............@..@.data........P...b...,..............@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................
                C:\ztg\fillProxy\bin\fillProxy.exe
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):2474496
                Entropy (8bit):6.6707771894499555
                Encrypted:false
                SSDEEP:49152:Ximb6ZWVwO0/geswoWhQ1c6uB3mhXAkbg8taTJ7CksUcEM0VIbb:z/Gtg54mhwkbg0FksUcEM0V
                MD5:035104AEEF132D374F5BA4D6C80A80A4
                SHA1:9C6FCC9D8244711081547F1C2E0F486BA25E058B
                SHA-256:1768498FAAAD1F6F2B124B0969B175BA5430338E6B249093A72D42E1D1D6161F
                SHA-512:06E6156D54C39B18FBB30077A86D56BE4B6B03701AD806E0C4894CFBB06E54B97A1E10246A3D18BD57E1707D00FBE0A891F50336F96D9AC558A7A771668E5319
                Malicious:false
                Reputation:unknown
                Preview: MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$........V...7.\.7.\.7.\.\.].7.\.\.]!7.\.\.].7.\.X&\.7.\.C.].7.\.C.].7.\5C.].7.\+X.].7.\.C.].7.\ZF.].7.\ZF.].7.\kG.].7.\kG.].7.\.\.].7.\.7.\.6.\5C.].7.\5C.].7.\5C$\.7.\5C.].7.\Rich.7.\................PE..L......`.................H...................`....@..........................0&...........@..........................u". .....".......$.......................$....`a .p....................b ......a .@............`...............................text...=G.......H.................. ..`.rdata..v<...`...>...L..............@..@.data...T.....".......".............@....rsrc.........$......&$.............@..@.reloc.......$......($.............@..B........................................................................................................................................................................................................................................
                C:\ztg\fillProxy\bin\fillServer.exe
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):3376128
                Entropy (8bit):6.830510133800319
                Encrypted:false
                SSDEEP:49152:8p6XPaP/TCYRoGWtAsEitMf2cehOcQIdqIaR+GSPb5fmTD1O+8FEz:8p6XPaPuYRoGT8sIdZaps5f0
                MD5:AE2E44E9F830431F2E7AA3749CC39805
                SHA1:1DBEEF62F39F41C646DBDDFD84D220CB2D49CC28
                SHA-256:4A0122AFAD066CB74DFB3F751C04720BE37185DCDBA22061AC57C50BD47D1293
                SHA-512:EE2717907B25ABC2D4796BCD8687C692C8514AAC3C8909812A266A1EAE53AD5B2F3B0AAACF3C116F61D6A276F253AF545CE9F91933CFBF510CDBD74EB3EE10B0
                Malicious:false
                Reputation:unknown
                Preview: MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........4R.U<..U<..U<..>?..U<..>9.\U<..>8..U<..:...U<..!8..U<..!?..U<..!9..U<.>$8..U<..U<..U<..%8..W<.>$9..U<..%9..U<..>=..U<..U=..T<.Q!5..U<.Q!..U<.Q!>..U<.Rich.U<.........PE..L......`.................$'...........#......@'...@...........................4...........@.................................l.1......@2......................P2..... ./.p...................../......./.@............@'.`............................text....#'......$'................. ..`.rdata.......@'......('.............@..@.data...$.... 1.......1.............@....rsrc........@2.......1.............@..@.reloc.......P2.......1.............@..B................................................................................................................................................................................................................................................................
                C:\ztg\fillProxy\bin\fillServer.reg
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                Category:dropped
                Size (bytes):472
                Entropy (8bit):3.59840654991338
                Encrypted:false
                SSDEEP:6:Qyk+SkWCiiCRroZ6IJlUAGt6Q3faEGYR3U3tEIG4Ylx2Tq2panoCDj2Tw4EKU3YF:Qy5hVZteAcfMYRU36I8lx2YTvH4EKU34
                MD5:E4444042E5E4FE7B6883B1B41884A6C1
                SHA1:458C741DD576BA7631E82000D24314C8ADED7132
                SHA-256:15BBB75EDBB609C7631680779DE1D15F2A5609BDB6564B5E24A2C5D748AB2665
                SHA-512:46F6BF4182852F6B174FD08E4ABC566217AC6BB73776768CE965EF3DD356E23A6A0B1BCB30578EC4CB527349857F75242200DFA8394AAE5FB79136089BF4A967
                Malicious:false
                Reputation:unknown
                Preview: Windows Registry Editor Version 5.00....[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\fillServer\Parameters].."Application"="C:\\ztg\\fillProxy\\bin\\fillServer.exe".."AppDirectory"="C:\\ztg\\fillProxy\\bin".."AppParameters"=""
                C:\ztg\fillProxy\bin\fixBoostIpcSharedMem6005issue.exe
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):11264
                Entropy (8bit):5.511085273604288
                Encrypted:false
                SSDEEP:192:02sQjukOnPDT35kg/jOme0CeWHmte0CwKWi1CrxYuuc37E5pz6rJoZZbsvB:02VjukmTpkGjnq+/7mzbe
                MD5:F23D2AA5F984B29D42CE6F5A864747D5
                SHA1:658DD36CAAD4A983EFE027D861DAEF67944CC746
                SHA-256:B8F943985EA59BB8C921B227CD656DA2971033F36DFD48F66A14372551129D56
                SHA-512:4857446315A5E2F1A11C209DF92D96B712E96EB80E06875A80C48DF2A2E7F996A8C324CC1888E8592A5B17BB83408EA75B1F9A78490DB7AC6CFDA640BE988662
                Malicious:false
                Reputation:unknown
                C:\ztg\fillProxy\bin\hb_terminal_code.exe
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):2174464
                Entropy (8bit):6.577019737050582
                Encrypted:false
                SSDEEP:49152:6p5xBTKFED5vKTfO+OfvN3QBSFFpsFj7qP+zIj0lxaBFTNP8G+GhkFn:67rTcED5iL4F3QBqsdhlxaBpNP8G+
                MD5:5F43B1AAE665F29A63066B5B5967CEDE
                SHA1:58E4ECB6363FE94C92B4E4C362DCCE0C27B941A9
                SHA-256:74E302FA86E8F711F195A19D327AFA618EE3DFC74B05B00DD0619154DC55A839
                SHA-512:1745DDD88A7EC8BE0D67A866BF222415C70A6761FFD69FAC42E56A11DDE9D1E662133542F36642DC9AF5AC5AD826AD6D4433BE3BE6281E192153A92B7321B06A
                Malicious:false
                Reputation:unknown
                C:\ztg\fillProxy\bin\install_svr.bat
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:DOS batch file, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):207
                Entropy (8bit):4.885411930989638
                Encrypted:false
                SSDEEP:6:heHdojUxyNKRQcvyNGiOy8Ekf9yNsYdqml:k6iQ9PgVuqml
                MD5:E02C363AA28643E0EEB3F62C8B3BF23F
                SHA1:6C9CAF47286D860099D4A457BC73C479573379D4
                SHA-256:5BF2BABC9D14A8B5BAFFDDA27023C4B39C0779354303D166F02CA9508915E363
                SHA-512:1BB11AA599D065676BDE13CF22F1195A60B5BA9BA96E61169A63CF8549BA912F3AD1976AB9912E662DAC59480B70D34A4F055A62517F9C59532D2C2B56BB7550
                Malicious:false
                Reputation:unknown
                Preview: @echo off..cd /d %~dp0..set svr_name="fillServer"..C:\ztg\fillProxy\bin\instsrv.exe %svr_name% C:\ztg\fillProxy\bin\srvany.exe..regedit /s "C:\ztg\fillProxy\bin\fillServer.reg"..net start "%svr_name%"..@exit
                C:\ztg\fillProxy\bin\install_vc.bat
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:DOS batch file, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):73
                Entropy (8bit):4.893534278289735
                Encrypted:false
                SSDEEP:3:mKDDVBFFyWCyyNBBMWXG6lov:he8yNB6WHyv
                MD5:DFC002E73F18124108E1387CDAEE6E6C
                SHA1:A16F924EAFC4D694F05BF69BD80755DF14E741A7
                SHA-256:96502D0AA7CBE304DFD5161BFDF7E5EB8268CF594FB763AAB4BD91F38ED6F277
                SHA-512:9376C569E2044ECC4E6E6DCE728FBB6B1AFD42FF89D2BCE357A11A7BF24316892BFC0B8A230F424C34D0AC326A02CDC3A640E337AF2B57FFF3CCAD824B17B646
                Malicious:false
                Reputation:unknown
                Preview: @echo off..cd /d %~dp0..C:\ztg\fillProxy\bin\vcredist_x86.exe /q..@exit..
                C:\ztg\fillProxy\bin\instsrv.exe
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):32256
                Entropy (8bit):6.076067377332334
                Encrypted:false
                SSDEEP:384:ERAPOBv1bDSKQ64aj9TnjtO1ohmU1bswVu0ebOw0lwFkgK+afrRvKl7F7O:VelhJIogqgwTet0lwFNgClh7
                MD5:9F7ACAAD365AF0D1A3CD9261E3208B9B
                SHA1:B4C7049562E770093E707AC1329CB37AD6313A37
                SHA-256:F7B0A444B590EB8A6B46CEDF544BCB3117C85CAB02B599B45D61B8A590095C9C
                SHA-512:6847BB10CF08F7E594907B5D160768E60468B14A62CDD87AD33DCC0BC2B523549C1C91E9854069CA11EE074E43A6F41F11351201626922C02AAEA41FD32C2A54
                Malicious:false
                Reputation:unknown
                C:\ztg\fillProxy\bin\libcurl-x64.dll
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                Category:dropped
                Size (bytes):1102968
                Entropy (8bit):6.532239486687052
                Encrypted:false
                SSDEEP:24576:r+9f+LJl0C2kGH6vuvJ10r0axDLRTnURsQTeoA+f:a9GJlRVGKuvJ1E0axDL9UR7TH
                MD5:D5857ED6A733A4ADDC74BEA9B79CB49B
                SHA1:A36F2E02D7E1CBAED3DD24E339DF73DEE9495A84
                SHA-256:076AF73804F18EDAA55393EE183A1568CABD0C95161D9B2402F95D82E0089B30
                SHA-512:BBF17CB79C0362ACBD9A005F8F736E135D80580671340B747341359F35691280EFF4E0F582EA18898C89FC57A170501EB8E3115426AD857BB98346E81A10DA8E
                Malicious:false
                Reputation:unknown
                C:\ztg\fillProxy\bin\libcurl.dll
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                Category:dropped
                Size (bytes):1152120
                Entropy (8bit):6.718131954608567
                Encrypted:false
                SSDEEP:24576:tTZKRJUbe2HjVjy9ZYSpFRrhifOgCtH30nPpbFTBT44A900TE:tKUbibtYTmE
                MD5:5E4D6CE410E2C156C293162CEF078FCA
                SHA1:19E8F2046683A71CDAF907120CE4C95F5339FAF3
                SHA-256:6E158F098213773EE2AB91C1F02AB39FBE2896947C9DFCF762AEE10662A8BCD8
                SHA-512:076824CC390A7EDE124F6ACBBF407ED7CAED0CF15E5B827F0B622FC93B851EAAA3F8A1D6F2F701CCB2078B7B8A28D2383DE7B71DE6F560B628049394DFC29EA9
                Malicious:false
                Reputation:unknown
                C:\ztg\fillProxy\bin\loadyyChannelCrt.exe
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):1392640
                Entropy (8bit):6.692896147535185
                Encrypted:false
                SSDEEP:24576:EDVYIAhFgWVI77yx2RSZcPkE2Gwh/Mq/37y9DwupI1VWTApMu0wKtJ5Q:DbhFgWSiU47/Mq/37yxwup0WTAyu0wKe
                MD5:DB9D43D44FDC20315F38EB9F97B99871
                SHA1:CDE6651DF30601E58DB53FFE84D3E07764B4CE4E
                SHA-256:FE4A9DFEA477249053DF6B26C4F436AFB90A22D8B71D82FF712A43AB4240B97F
                SHA-512:99603C476F984225CE4C263AC90E7B20B7830439A9D83A513B9CBAFB6E26FED5C9A94B17AEFD75387D285DDF60DBE0AEA07C24632F314F6426451DA6273C4368
                Malicious:false
                Reputation:unknown
                C:\ztg\fillProxy\bin\registerNavicat.exe
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):313344
                Entropy (8bit):6.581535708576736
                Encrypted:false
                SSDEEP:6144:eqr+R666mDFoOceY9Jki5KRcPCrmcRfYMjzG9b751BWXhAONIv71:eqrAT6Oc/BQyPWmcu4hyp
                MD5:24FB2CEC5BA70D42CC46EA3F64E243DC
                SHA1:B56EF4DAF7E8EA34F00E5D466A65A0BD29AF173B
                SHA-256:1EB8A2F3C1A42F832EF5C881EED0E5B70870A67C6AB792D37554BC8813EA2586
                SHA-512:04A0654A62968BB6494F9997EE844B8F7B7F8E3E17696EBBC7FDBE974E82521CEDAABBCEA14B4ACD15E4D35910F76EBA74A9C8F93F40FFAFCC348B8E87885FDB
                Malicious:false
                Reputation:unknown
                C:\ztg\fillProxy\bin\run_startfill.bat
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:DOS batch file, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):80
                Entropy (8bit):4.813137789834391
                Encrypted:false
                SSDEEP:3:mKDDVBFFy8CHkfkyyN6FXIzRov:he8Ekf9yNoHv
                MD5:0ECB9B052D033655D99A68A1C1A668DD
                SHA1:57F3E4DE2CC4B96E01AD0768C23FFAAE0C3F7BC8
                SHA-256:C76388A662C8FF10C594619F2026F4C52AAF6BF065A49F15A298F74743620D71
                SHA-512:533D88139F662ED183B3E73733F2DA456C891B9A55898B4397ED670AC3FA9CF1C081A64FFF2A4025DE3ED5CCD83D39C345022C1BD24B1258CA5BC232B40EA5C5
                Malicious:false
                Reputation:unknown
                Preview: @echo off..cd /d %~dp0..regedit /s "C:\ztg\fillProxy\bin\startFill.reg"..@exit..
                C:\ztg\fillProxy\bin\sigc-vc142-3_0.dll
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):31232
                Entropy (8bit):5.927676761171113
                Encrypted:false
                SSDEEP:768:Y+mTo8IlRuh7GPcFttnDRzCef8rMM3sIUCz/a/iwD9Feo10tDfG6cRSC9oTt04Bi:Y+qoVruhQaD6cAT81
                MD5:1EDBD10831D50A65CB1BA3B369F64A89
                SHA1:08642FB04AFB325BFADA88C9610D4CA60C42CFB5
                SHA-256:381087DCD5A793070175F1356BBA0FC01370F4601244194EDF63371F394C5726
                SHA-512:8A24E3BBD9C265F5967053EA8E9621C5078A68FECF87E3CD44597778BFDBD5E686ADD0CC8392BB8A9E2412BFC11895FEF3CA4E725A20F97406F3EFE660E96C9B
                Malicious:false
                Reputation:unknown
                C:\ztg\fillProxy\bin\sigc-vc142-d-3_0.dll
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):98816
                Entropy (8bit):4.747285270900101
                Encrypted:false
                SSDEEP:768:JT945PyPL0/f4NSjYnQJ9ng3WxVR+nUSkEjhY4GPcFttnDRzCef8rMM3sIUCz/az:h945Phg8DZg3WxV8RW/aD6tEsxW817
                MD5:3CDE4A53C29012B256511ABC8C2951C7
                SHA1:9D5ED0BDD36BA77615EDECCB84796BE69AE455A0
                SHA-256:2138D294BACB3CC112D8EE1B18B4F024B03A9578D50A4B9D8763855CFCC01215
                SHA-512:9CF341F294940E1AEFB48265DB00A582A67FED0114F8E28BB6B70C251C5F80F8E8403C102548ABC6EDA3663715714CB400CFA56EE9E42E0C0A1DB5A6091FEA95
                Malicious:false
                Reputation:unknown
                C:\ztg\fillProxy\bin\sqlnet.log
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):13104
                Entropy (8bit):5.448705416493811
                Encrypted:false
                SSDEEP:192:PtwWjtLtwWj0LgKWjALgKWjULgKWjBLgKWjaLgKWj/Aj5ykWj3sLykWjKLykWj6h:BszTKdwApZxMTSSUSSAI
                MD5:5D1659937C28D30D2EF5A0254358F536
                SHA1:2F5E5F377B3B00117BAD140A01EA9D8BA06181A2
                SHA-256:2A2DC159F6C019618BDEB3B667FC3AEF144C7FD2B392A9E93CD686F209526A4A
                SHA-512:4A2BDE434B5533F85FD11BE6059D5120E6A4E640EC535EAD53D8903FDEA42DCFAD4F8AE41AB462EDB91DFA46A8CC1734D91C0ACFF01DE8FC3DD1D6113085432C
                Malicious:false
                Reputation:unknown
                Preview: ....***********************************************************************..Fatal NI connect error 12547, connecting to:.. (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.3.73)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=testdb)(CID=(PROGRAM=C:\tool\PLSQL804\plsqldev.exe)(HOST=USER-96A8M3CJV3)(USER=admin)))).... VERSION INFORMATION:...TNS for 32-bit Windows: Version 10.2.0.1.0 - Production...Windows NT TCP/IP NT Protocol Adapter for 32-bit Windows: Version 10.2.0.1.0 - Production.. Time: 07-12..-2020 18:19:01.. Tracing not turned on... Tns error struct:.. ns main err code: 12547.. TNS-12547: TNS: ......... ns secondary err code: 12560.. nt main err code: 517.. TNS-00517: ......... nt secondary err code: 54.. nt OS err code: 0......***********************************************************************..Fatal NI connect error 12547, connecting to:.. (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=172.16.3.73)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED
                C:\ztg\fillProxy\bin\srvany.exe
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):8192
                Entropy (8bit):5.259110186515502
                Encrypted:false
                SSDEEP:96:8ldfxd/yKaP64DMI1XT3kaiyMlH38ZldnXFADkYLyAFdfcdTbGu00C:mSP64DMI1DkHMZ36kYLxFdfcdnGu00C
                MD5:4635935FC972C582632BF45C26BFCB0E
                SHA1:7C5329229042535FE56E74F1F246C6DA8CEA3BE8
                SHA-256:ABD4AFD71B3C2BD3F741BBE3CEC52C4FA63AC78D353101D2E7DC4DE2725D1CA1
                SHA-512:167503133B5A0EBD9F8B2971BCA120E902497EB21542D6A1F94E52AE8E5B6BDE1E4CAE1A2C905870A00D772E0DF35F808701E2CFBD26DCBB130A5573FA590060
                Malicious:false
                Reputation:unknown
                C:\ztg\fillProxy\bin\startFill.reg
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:Windows Registry text (Win2K or above)
                Category:dropped
                Size (bytes):522
                Entropy (8bit):5.309357301712075
                Encrypted:false
                SSDEEP:12:jBJ0SK0pt9jX0QLb4fSJs4f8TfOffxwIdUw9CmLh8FwSnzRu:jBJtzpJ/CsOOCmYwh
                MD5:C78DBEB5E9FB0B59CFA878E35AA1DAF5
                SHA1:E372061A374D9A4620FDA13EFD67965F84546DD2
                SHA-256:9D779FC02F6E8A8BDE4E8CDA1C0A2597BC4206D3BBE622DEDA0738449B32F952
                SHA-512:B99AD1E72E0C90B6F6237C1CC51C1688598C1D4A5B3623FF5EE99F8215186D3E53ADB13DC41275680B08BA2B64FC7ADAED47A29C40F8A8E67ABE04787E2D81A8
                Malicious:true
                Reputation:unknown
                Preview: Windows Registry Editor Version 5.00....[HKEY_CLASSES_ROOT\fillClient]..@="URL:fillClient Protocol".."URL Protocol"=""....[HKEY_CLASSES_ROOT\fillClient\DefaultIcon]..@="\"C:\ztg\fillProxy\bin\fillClient.exe\""....[HKEY_CLASSES_ROOT\fillClient\shell]....[HKEY_CLASSES_ROOT\fillClient\shell\open]....[HKEY_CLASSES_ROOT\fillClient\shell\open\command]..@="\"C:\\ztg\\fillProxy\\bin\\fillClient.exe\" \"%1\""....[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome].."ExternalProtocolDialogShowAlwaysOpenCheckbox"=dword:00000001
                C:\ztg\fillProxy\bin\uninstall_svr.bat
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:DOS batch file, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):129
                Entropy (8bit):4.845690215236772
                Encrypted:false
                SSDEEP:3:mKDDVBFFyHqTwEsQWADAXjwO6Wb6LEbWCyyNKWRWXAdsUEmIMyadQn:heHdojUjw7OF8yNKRQkz
                MD5:19ACEF0C4F1BDCB92EB3A09DFEA74B3D
                SHA1:26B87B4DAFEF649345C9154FC4CC59AF9EC0FC8A
                SHA-256:8A63AC42FCB8C432C3C9E5D8CCF031378066017873779B8ADDE950479E2F9772
                SHA-512:EA0EA71EE2AC33117493C772C32277A23642B8A8D89EF7483D2CAB4BB0374C6068372315316D49556BE52984B60FC8C6E8E82D81F47DD077CE6C8B5B47B8FA14
                Malicious:false
                Reputation:unknown
                Preview: @echo off..cd /d %~dp0..set svr_name="fillServer"..net stop %svr_name%..C:\ztg\fillProxy\bin\instsrv.exe %svr_name% remove..@exit
                C:\ztg\fillProxy\bin\vcredist_x86.exe
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):14412304
                Entropy (8bit):7.995531820003883
                Encrypted:true
                SSDEEP:393216:/d/FlptVYmfr7yBG/4JU4TRjtjUMy4i6kgsY7i:/1PpttD7yBG/QHTJtYMyke9
                MD5:DE34B1C517E0463602624BBC8294C08D
                SHA1:5CE7923FFEA712468C05E7AC376DD9C29EA9F6BE
                SHA-256:AC96016F1511AE3EB5EC9DE04551146FE351B7F97858DCD67163912E2302F5D6
                SHA-512:114BCA1ECD17E419AD617A1A4341E607250BCB02626CDC0670EB60BE734BBAD1F3C84E38F077AF9A32A6B1607B8CE6E4B3641C0FAEFAA779C0FEC0D3AC022DAC
                Malicious:false
                Reputation:unknown
                C:\ztg\fillProxy\data\FlashFXP.ini
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:data
                Category:dropped
                Size (bytes):3946
                Entropy (8bit):5.4635327636206945
                Encrypted:false
                SSDEEP:48:IsNCn05qTrn59IKoO9WQxTKhoVgv9IKoOCxqyhoCArn59IKoO2xTKhocO:pIEKoP9QZKo1jUEKo6NO
                MD5:0C8DB94055D7C3C8A08D4BA03A3F1E2B
                SHA1:46A6E54A8EB50FDB07ED3ECB6B9B98EED8993EB9
                SHA-256:2642CAB446335C667ADA30C166A93854FA4BE79304491AA0B8B30A58EE02F44D
                SHA-512:EC57815899B74437868718207C2F5AC2E778A2670583B23AE64AD45A0913BB7B306F92075F07B9C20F9AFC914B5A6E608C518E1BBA6EA1E9D35E752DE2E59185
                Malicious:false
                Reputation:unknown
                Preview: [main]..v4opt=eJwtk0lyQCEIBfepyl1kErj/xeJ/nVUX00MF8+yp3598uKDBgBXsAAMOAiRAxVAxVAwVQ8VRqS/FrEa4X7m5upt7C3mACatYnBC8hMIaB1ir8jzSzFAs++tu5bIqJVat7jVYe8BX7rkFvpiXrvmgWAXOGKENuCCVh6+73wN0XL86y0OAFXRNv4WzyNTz+L0DyBwDaA7OJWVlNR065ewygLP/oUbNAUcP4rNy7lEB83Mm5kzsgVgUaEBKEkuJ7QW8y/ZXEEcqcZTycIWLdQP8OxuM0ClotmHaunhLASTN9oQN1qjcNaNge966HCArjqzgEEEj9iVSjxwFrjYy7pX0bVmtLYge1Y2eILhtrMaRdlzQ2qTpRg/EGuccYICUxalxpGscDwkGrKDf+ECKvszDS/kDXwOZcQ==..build=1689..Lang=Chinese Simplified.dlf..Options=0001000010000010011010011111111000000101111101110000000010001100000100110010011041100000000210010111111113001111010100111001000000000000000010400001131110100..setup=40905..FileExists=000000000..optdata=eJwzMbA0MOXlAgAFMwEa..LSS=F755C4CE371D0A0B7BC947112325283F1E66C592F510296CCF6DE165A0AFA4..PIDX=0....[LiveUpdate]..Interval=15..X=1937....[H]..H=E14E06F3-4DA3-4783-8061-939326220705....[Graph]..V=1..H=65....[window]..Left=374..Top=60..Width=913..Height=542..State=0..TS=0.488888889551163..BS=0.493750005960464..CS=0.71
                C:\ztg\fillProxy\data\P50_modifyCrtTitle.vbs
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):165
                Entropy (8bit):5.123641097345697
                Encrypted:false
                SSDEEP:3:WUgYjk+v/GoY+yXF4fIrdBY2R4BP9jRxE4xEGKQcB+KB1IQMLKJnHytL:W7YPHGIqecdBiBtRx9xkgKB1ucnStL
                MD5:669629FA945A22B77F8C478B60BAEABC
                SHA1:7FCD9D184546256FFCC3040BA8C1328B38390429
                SHA-256:F0174AAA48638F3AA8BFFD77F061784F77209AE4C29F52BB5532C0B8B141E56E
                SHA-512:78BA4578A46352FC99D8826DC53245714868AA441B0F437B6B24B32938CD1073CC3502E1E6372FB6459287342E38A9A0A7443788F4D8EBF78B579F4EA8D8C758
                Malicious:false
                Reputation:unknown
                Preview: #$language = "VBScript"..#$interface = "1.0"..SUB MAIN..Dim tab_window..Set tab_window = crt.GetTab(crt.GetTabCount())..tab_window.Caption = "192.168.1.1"..End SUB..
                C:\ztg\fillProxy\data\aaaa_login.vbs
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):344
                Entropy (8bit):5.073346804234943
                Encrypted:false
                SSDEEP:6:W7YPHGIqeXSMcpaq5uN1K5lE5LTMwFyk/LT/12eWDKfLTMwFjHJsdn/LT/1QPCBO:QYPHeePcpaq5OKA5Xt5/H12VKfXt4n/c
                MD5:2990CA02ABF73F4EEC43C0C402949855
                SHA1:A6714ACE5D54496D9F6D3014B7AD0F8FAC3F308B
                SHA-256:2591DB23433CBA355D958F522202B18DE2AEEFC9B307B38C5EAA830E83997C30
                SHA-512:839F690B277A429DED9B0E80A997060E52444C9CB9C32976ADFA8A2DAEC612E8BC5EF55A15E13A7D8FE00B410A5BE186A1642D329DDEECE7829552A035727A8F
                Malicious:false
                Reputation:unknown
                Preview: #$language = "VBScript"..#$interface = "1.0"..SUB MAIN..Dim conf,tabwin..Set tabwin = crt.session.ConnectInTab("/telnet 172.16.5.29 23")..tabwin.screen.WaitForString "ogin:", 8000..tabwin.Screen.Send "administrator" & VbCr..tabwin.screen.WaitForString "assword:", 3000..tabwin.Screen.Send "Ab123456" & VbCr..tabwin.Caption = "aaaaaa"..End SUB..
                C:\ztg\fillProxy\data\admin_crtTelnet.vbs
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):267
                Entropy (8bit):5.199723470137838
                Encrypted:false
                SSDEEP:6:W7YPHGIqeXSMcpaq5uN1K59TRGwLTMwFudB/LT/1BMBKfLNZMlgPC:QYPHeePcpaq5OKPjXtUB/H1BMBKfO
                MD5:9C9F146ABF1041CD9F2711D817709FEB
                SHA1:C8C1527448CCE791562CD369D89F8795C7318372
                SHA-256:E39A7CD3E18893959CBDC70B8AED1AA745F29CA1E73DFDFF787C9D301E904A91
                SHA-512:F1A0319765C8D801367FD7516DAB926192A61379D02E008BE946546AF9D9C6E7B71B38FF2F7072AC325ED191430B1A239A40DCDFE81D5767A55D0648A9FB97F3
                Malicious:false
                Reputation:unknown
                Preview: #$language = "VBScript"..#$interface = "1.0"..SUB MAIN..Dim conf,tabwin..Set tabwin = crt.session.ConnectInTab("/telnet 10.149.85.217 23")..tabwin.screen.WaitForString "ogin:", 30000..tabwin.Screen.Send "audit" & VbCr..tabwin.Caption = "unix[10.149.85.217]" End SUB..
                C:\ztg\fillProxy\data\admin_modifyCrtTitle.vbs
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):177
                Entropy (8bit):5.214171244069935
                Encrypted:false
                SSDEEP:3:WUgYjk+v/GoY+yXF4fIrdBY2R4BP9jRxE4xEGKQcB+KB1IQk9m9UVo6L:W7YPHGIqecdBiBtRx9xkgKB1g9UUa6L
                MD5:7656296425262F4147F39D2271EA2650
                SHA1:B60C94FA23D2AB2AC3DFF04577B43AAC66FD7D0A
                SHA-256:41DB6646D6C895A2ECD3E1169AEF84579B230C66A40B86A17589ED8A3608E8E1
                SHA-512:7ED49D116E7483604408719B6CE5E22C7739E288C5785DAA2E108C3A6E8AF09A819F0DCEF2186D45D644F0CB22A23034FF181334622EB9E4BBDF196EC79CB761
                Malicious:false
                Reputation:unknown
                Preview: #$language = "VBScript"..#$interface = "1.0"..SUB MAIN..Dim tab_window..Set tab_window = crt.GetTab(crt.GetTabCount())..tab_window.Caption = "test2021[10.149.98.202]"..End SUB..
                C:\ztg\fillProxy\data\administrator_crtTelnet.vbs
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):375
                Entropy (8bit):5.072691837410313
                Encrypted:false
                SSDEEP:6:W7YPHGIqecKq5uN1K5lXe1wAf1VvMwFudBfV512eWDK/1VvMwFjHJuXfV51C7BK1:QYPHeecKq5OKvAf1VvtUBfV512VK/1VC
                MD5:8DD55051605199B48903DB05C4A52E2C
                SHA1:FA758BBC58DC140E0B5C9C9FF81E9EAAFA18463A
                SHA-256:3535C396F39A19A36CAE7D67C2F18E3A1E524FB9749CC474AFA95A319F4E9C73
                SHA-512:5418575490D1E87346DC366CA618E2BAA1EB7868E7FFC371B70245E4A5F2EDB4246FCCF8D3E53FC69F850EC6E0710151BE1E1DFA2016688801DE9CD98D27540A
                Malicious:false
                Reputation:unknown
                Preview: #$language = "VBScript"..#$interface = "1.0"..SUB MAIN..Dim tabWindow..Set tabWindow = crt.session.ConnectInTab("/telnet 172.16.5.5 23")..crt.sleep 1000..tabWindow.screen.WaitForString "ogin:", 30000..tabWindow.Screen.Send "administrator" & VbCr..tabWindow.screen.WaitForString "assword:", 10000..tabWindow.Screen.Send "Aa123456" & VbCr..tabWindow.Caption = "aaaa"..End SUB..
                C:\ztg\fillProxy\data\administrator_modifyCrtTitle.vbs
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):165
                Entropy (8bit):5.153063842632202
                Encrypted:false
                SSDEEP:3:WUgYjk+v/GoY+yXF4fIrdBY2R4BP9jRxE4xEGKQcB+KB1IQ+gs9ML:W7YPHGIqecdBiBtRx9xkgKB1e2L
                MD5:F4E99189EB2AC10AE22E22EA2C02E98C
                SHA1:B2F0EC4EC96799231B1508377A5B9C221FB2A540
                SHA-256:14A42A5E6DE69EF46EDFF575595A614C92AA977E853A92F76FF1FEAC5406758C
                SHA-512:7D309A00604740D509F018D4AE1641E47F12C094D51D4F358D4747D91A2F84E8C215E3E46836440782A89F96215F9F7393CA7A0D2C9B4815B372F111BE774093
                Malicious:false
                Reputation:unknown
                Preview: #$language = "VBScript"..#$interface = "1.0"..SUB MAIN..Dim tab_window..Set tab_window = crt.GetTab(crt.GetTabCount())..tab_window.Caption = "172.16.3.40"..End SUB..
                C:\ztg\fillProxy\data\crt87Telnet.vbs
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):386
                Entropy (8bit):5.353996135771334
                Encrypted:false
                SSDEEP:12:QYPHeecKq5OKh1Vvts0V51FM21VvtiV51B3O62u2:QYvvcl5OimuFMm2s6T2
                MD5:474947F424003B9CA9908FBC0C425E7D
                SHA1:9C7B1F6A34AD5F3D63DE297C5521D634F2EAC724
                SHA-256:3A3EE962B62458E6B530EB10BBCDA32AFAB476472A8D1F54AFF7A615006356D4
                SHA-512:4951CE6C162C63B01F39AA951C547931E8B55D7F77250EDF217EC32D88EC1DAB3B4F10BB737EB2AF1F4867BDC8147430672F07F92D7BA3CC8416827F2AC4EDCB
                Malicious:false
                Reputation:unknown
                Preview: #$language = "VBScript"..#$interface = "1.0"..SUB MAIN..Dim tabWindow..Set tabWindow = crt.session.ConnectInTab("/telnet [HOST] [PORT]")..tabWindow.screen.WaitForString "[LOGIN_FLAG]", [WAIT_LOGIN]..tabWindow.Screen.Send "[USERNAME]" & chr(13)..tabWindow.screen.WaitForString "assword:", [WAIT_PWD]..tabWindow.Screen.Send "[PASSWORD]" & chr(13)..tabWindow.Caption = "[TITLE]"..End SUB..
                C:\ztg\fillProxy\data\crtTelnet.vbs
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):271
                Entropy (8bit):5.304229409825305
                Encrypted:false
                SSDEEP:6:W7YPHGIqeXSMcpaq5uN1K5sfMBLTMwFCUsIFLT/1FRKfLjC:QYPHeePcpaq5OKBXtsUH1FRKfi
                MD5:C4CCD80375CDC93FDA009CF7750C317F
                SHA1:630B11A2BBA1241EC36BCE77784EAA9874F5359F
                SHA-256:3FE6D7FA8FC880B99F04D71D2436FF157F39052824AEA0ADC41EC9484936DC7B
                SHA-512:3DE513CE3BDDF1B1B567C71B80D5D1AC83B7CCBFB10C9BB755E4CDCFC9427F0C7C9821704A0B50B6E33E94A85E8D46DD6969F8CBD4FA9F03AF3DA4974D7899E6
                Malicious:false
                Reputation:unknown
                Preview: #$language = "VBScript"..#$interface = "1.0"..SUB MAIN..Dim conf,tabwin..Set tabwin = crt.session.ConnectInTab("/telnet [HOST] [PORT]")..tabwin.screen.WaitForString "[LOGIN_FLAG]", [WAIT_LOGIN]..tabwin.Screen.Send "[USERNAME]" & VbCr..tabwin.Caption = "[TITLE]" End SUB..
                C:\ztg\fillProxy\data\modifyCrtTitle.vbs
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):163
                Entropy (8bit):5.150623648930425
                Encrypted:false
                SSDEEP:3:WUgYjk+v/GoY+yXF4fIrdBY2R4BP9jRxE4xEGKQcB+KB1IQL5qQ4IvOaL:W7YPHGIqecdBiBtRx9xkgKB1cMOaL
                MD5:CB2159FA8DFFD55C0BF7390E27541B0F
                SHA1:D09E5D7642FE76FB777137ED98EC4BC95F475CD6
                SHA-256:E448FC32434DEEDA833E5D78604F7F1C0D4FC5BE64B3308D807E8C3E20EBCBD2
                SHA-512:4E51BE7CCF39B0D06FFC061C390EAEB3BBFB311B7F130C5DD99E16660EE3818E56738651CF1AF15A9CF54F04C283E8AD2FDC3024865A44D76DAC9EFB3B45771C
                Malicious:false
                Reputation:unknown
                Preview: #$language = "VBScript"..#$interface = "1.0"..SUB MAIN..Dim tab_window..Set tab_window = crt.GetTab(crt.GetTabCount())..tab_window.Caption = "[CAPTION]"..End SUB..
                C:\ztg\fillProxy\data\tnsnames.ora
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):183
                Entropy (8bit):4.1040802361906366
                Encrypted:false
                SSDEEP:3:sLuFYyFhRrFYolFQ1uvuNmjygCPZKpioHFFhzfblmtLJzfdAYE2Hd/vM:sLuFVFhXFlFQ1UuwjygyciCFFhzT8FJW
                MD5:EAB2FBA5BC46241271A1F9FFB162C710
                SHA1:4124CB7F6A9474681BD12D1FC0F08511E76367DA
                SHA-256:7EB0306172B9C44328834FF519D735DF1C8843171E764FA3CD05CBF3B84EFBE8
                SHA-512:7CB59D6F842625F9144A03D589B2E2CECCE406F4B29B7E274D532C01182FCACF269EE314410DC0FA61F2BA6CBC4A1B5DD2716B8F850334D39F452407C8EC7054
                Malicious:false
                Reputation:unknown
                Preview: [IP]_[SID] =.. (DESCRIPTION =.. (ADDRESS = (PROTOCOL = TCP)(HOST = [IP])(PORT = [PORT])).. (CONNECT_DATA =.. (SERVER = DEDICATED).. (SERVICE_NAME = [SID]).. ).. )
                C:\ztg\fillProxy\etc\CloudDesktopAuth.xml
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):399
                Entropy (8bit):5.301480720580332
                Encrypted:false
                SSDEEP:12:TMHdwLZZEaK2vZZEp9Yx6Rd6y/iKuXtmvW/c9WVb:2dwbNKGHqOnmO/px
                MD5:94D8A4DFC5C4620163D24339637F0791
                SHA1:E57F14DA2C00D52696079D94FB6B05F6C2AA31ED
                SHA-256:5293115291C5E162A2F48813E521A5DB2144A4460EC499C9B10F6E0D4B4870E9
                SHA-512:8B4805E1BB9ECF952180DDEED8B4D862E7FB9F64D2AC8CE13096D123CA2DB2BEFC72E24188EC23B17FB7BCD220480A5062B891C16DF0FBE9F1B84BB79CD2E4BC
                Malicious:false
                Reputation:unknown
                Preview: <?xml version="1.0" encoding="UTF-8"?>..<config>...<auth username_auth_url="http://172.16.4.157:7000/ashe/ashe-hlj-login/checkUser" smscode_auth_url="http://172.16.4.157:7000/ashe/ashe-hlj-login/smsAuthen" ie_path="C:\\Program Files\\Internet Explorer\\iexplore.exe" chrome_path="C:\\ztg\\fillProxy\\tool\\Chrome\\Application\\chrome.exe"/>.. <white_list>....<u>P50</u>...</white_list>..</config>
                C:\ztg\fillProxy\etc\CloudDesktopAuthTmp.ini
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):41
                Entropy (8bit):4.353618847088081
                Encrypted:false
                SSDEEP:3:7QiOEN4y5r6B66ff1:77dG71
                MD5:5A3ABBE5F21C78B5848AC03C192CF1A8
                SHA1:10D4444693955A9D41E05C48A06F530AB736A008
                SHA-256:3284637CE5FB828A1EF94E1C1278E32C23BCC199B3DF93DF5A6745BED32380E2
                SHA-512:C94669B398E848D4BC774EA734F8410C2790AC7C3FA26D34B0942B00308A0A3D497B8427EC43F6F8DE53B03442C79DD9E0D263D004188C5874C73FE2F2F60B10
                Malicious:false
                Reputation:unknown
                Preview: [CloudDesktopAuth]..auth_cmd_line=xxxxxxx
                C:\ztg\fillProxy\etc\address.ini
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):117
                Entropy (8bit):4.723855136482454
                Encrypted:false
                SSDEEP:3:dJH15BMRExJpA1vWWLwvKCWie6fZJgBYdVkvy:d51kuPp8vW/vKWuudVkvy
                MD5:1D56D1CE58AD11A1C033D6DA9BCB01DB
                SHA1:C8641A0D0A4CD64700AACB058F4F0CEE1BCC97EE
                SHA-256:0C5BCE82900011755CDF94612380FFC22EB594DB07C734E24D34CC4C1C3AA5DE
                SHA-512:48A6CEBDA2A873CAFB87507599E4EE9D9740943B3E27B77C6DE8395A5015B112DC330F3B0226A67CB1B2CC78F7E65673FF1612A6B1376217E20B22CC1F74781D
                Malicious:false
                Reputation:unknown
                Preview: [fillProxy]..audit_cfg_url=..[fillServer]..session_cfg_upload_url=xxxxxx..local_ip=127.0.0.1..restful_port=8038......
                C:\ztg\fillProxy\etc\fillProxy.xml
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):588
                Entropy (8bit):5.148997956865145
                Encrypted:false
                SSDEEP:12:TMHdwWw49Ln3Kpms/2U0zkq941IlxjDJFl11voosn0koo4VEYogKTZb:2dwN46pmE2UMK1OxjdF/I0N2OKTl
                MD5:C2136B9C76280C3CEA8509F9756A32D5
                SHA1:5181453D43A7F4E9DA32C13C4029262432318A92
                SHA-256:5A3D943C8A8EE80C5D1D66852FD9B9207C56C3D84DF0537611B1BB5ABF4BA428
                SHA-512:0B29C8B383EFC617CE5A9FDE5E1D73EF0C2F1CA44D33446B31D511484C93C427A2AAD6C11CD6066AA4C6B606F24286D577FE292D8783A408D30D6E0E2463A556
                Malicious:false
                Reputation:unknown
                Preview: <?xml version="1.0" encoding="UTF-8"?>..<config>...<log pattern="[%Y-%m-%d %H:%M:%S.%e][thread:%t][%s:%#->%!][%l] %v" level="trace" filepath="default" file_type="console" max_file_size="1024000" max_file_num="3"/>...<agent local_ip="1.1.1.1" mode="local" ipc_mode="pipe"/>...<audit url="xxxxxx" enable="false" block="false"/>...<session upload_url="xxxxxx" enable_logoff="false"/>...<curl cnn_timeout="30" opt_timeout="30"/>.. <process_black_list>....<process>cmd.exe</process>....<process>powershell.exe</process>....<process>explorer.exe</process>...</process_black_list>..</config>
                C:\ztg\fillProxy\etc\fillProxy.xml.bak
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):602
                Entropy (8bit):5.14771576715101
                Encrypted:false
                SSDEEP:12:TMHdwWw49Ln3Kpms/2U0ohlq941IlxjDJFl11voosn0koo4VEYogKTZb:2dwN46pmE2UNOK1OxjdF/I0N2OKTl
                MD5:A40D196FF81ECD9695869FEC4DC23386
                SHA1:CEFFC8FEF563B8A5EF56A0A1E8B8A586B94120AC
                SHA-256:DA79E4DD6349CBA32285C034E97221B250FD0590FAA1FE0BBB8A918CDA43AADA
                SHA-512:4012ABD8C679599AD6433A6EBFD5F57CF00101CDF464911A1FD1AC0EDF6ABFCB1A3AFB5984331D88747B13E34B4E39950F6E47BD38366E8CE7B170219EB8409D
                Malicious:false
                Reputation:unknown
                Preview: <?xml version="1.0" encoding="UTF-8"?>..<config>...<log pattern="[%Y-%m-%d %H:%M:%S.%e][thread:%t][%s:%#->%!][%l] %v" level="trace" filepath="default" file_type="console" max_file_size="1024000" max_file_num="3"/>...<agent local_ip="www.atg.server.com.cn" mode="local" ipc_mode="pipe"/>...<audit url="xxxxxx" enable="false" block="false"/>...<session upload_url="xxxxxx" enable_logoff="false"/>...<curl cnn_timeout="30" opt_timeout="30"/>.. <process_black_list>....<process>cmd.exe</process>....<process>powershell.exe</process>....<process>explorer.exe</process>...</process_black_list>..</config>
                C:\ztg\fillProxy\log\a.txt
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:E:E
                MD5:0CC175B9C0F1B6A831C399E269772661
                SHA1:86F7E437FAA5A7FCE15D1DDCB9EAEAEA377667B8
                SHA-256:CA978112CA1BBDCAFAC231B39A23DC4DA786EFF8147C4E72B9807785AFEE48BB
                SHA-512:1F40FC92DA241694750979EE6CF582F2D5D7D28E18335DE05ABC54D0560E0F5302860C652BF08D560252AA5E74210546F369FBBBCE8C12CFC7957B2652FE9A75
                Malicious:false
                Reputation:unknown
                Preview: a
                C:\ztg\fillProxy\script\ .txt
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:UTF-8 Unicode text, with no line terminators
                Category:dropped
                Size (bytes):62
                Entropy (8bit):4.794933359081599
                Encrypted:false
                SSDEEP:3:mKN5ALTA4Pn4w+F:wHAs4vF
                MD5:DD1F573470F6FE4ACB6BDD08EDBE0A4C
                SHA1:119CDA19328B8131639E8FFB3BCAA642C6CAA3A3
                SHA-256:22C929A962F21B82A9FFA08C0FD724234983C241C860A1DFE136D69BF430A093
                SHA-512:1B42EF70B60A35AF9B88CBCAF14E78C6B00BEA7A191E502CCC109AFB6796BB6BEAB0A78D56DC7E5ACC59D6692F7AF42263BAF83EC1764EF19B2F557BA3BC45F8
                Malicious:false
                Reputation:unknown
                Preview: ...........ie.........
                C:\ztg\fillProxy\script\IE.xml
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                Category:dropped
                Size (bytes):1192
                Entropy (8bit):5.041173060503044
                Encrypted:false
                SSDEEP:24:2dduhk/TgHZqFcduA67JUsh0boiyqHAOc8IGIkB3l8T4/O1:cl/TVcuA67JnyMiFHcWIpTb
                MD5:28953B648AED823690925857D30114E1
                SHA1:036A40AE59453927B936EBC7CC155455A3F3F138
                SHA-256:FFD675DA113CC103AD7402A8F60ED6D3F003C331F94C631BA560D5490C328D50
                SHA-512:67942A6FD1791AC5ADDC9FF86DEDF92C97ADA9AF7758D83495754A3775C20ABE258B54E18F967F862C4121BCE631DAF737329254CB8D40C8F90E5F3505F9F150
                Malicious:false
                Reputation:unknown
                Preview: <?xml version="1.0" encoding="GBK"?>..<ie>.. <fill>. .. <cmd_string.format var="ie_path" fmt="[WHOLEPATH]" params="..." WHOLEPATH="C:\Program Files\Internet Explorer\iexplore.exe" need_quote="true"/>.. <cmd_string.format var="cmd" fmt="[IEPATH] [SSO]" params="..." IEPATH="*ie_path" SSO="#ssohref"/> .. <cmd_app.start var="pid" cmd_line="*cmd" mode="aaa"/>.. <cmd_wnd.run_process_and_get_wnd var="ie_wnd" cmd_line="*cmd" class_name="IEFrame" win_text="NULL" time_wait="3000"/>.. <cmd_wnd.focus_window hwnd="*ie_wnd"/>-->... .. <cmd_app.get_local_ip var="apptoolsgateip"/>.. <cmd_app.get_self_pid var="fillProxyPid"/>.. <cmd_app.get_win_session_id var="win_session_id"/>.. <cmd_audit.send_audit_info kv_field="..." apptoolsgateip="*apptoolsgateip" fillprocessid="*fillProxyPid" filledprocessid="*pid" hid="*win_session_id" gid="#gid" ssohref="#ssohref" schemaData="#schemaData" userName="#userName" prot="http" filedprocessname="iexplore
                C:\ztg\fillProxy\script\chrome.xml
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                Category:dropped
                Size (bytes):1009
                Entropy (8bit):5.041929860738074
                Encrypted:false
                SSDEEP:24:2d9uhk/TUaZqFcdu6/qHAOc8IGIkBaQl8T4DBDV:cF/TUJcu6iHcWIvZTmBJ
                MD5:0BE8E8BACCA0E7F0699E6F854EEA8290
                SHA1:81B2D907919B5F493CDF8F8CB340CA932FF95266
                SHA-256:E99D060223BF6F7BA3A93EC4A5AEA0505674ADF213710C1D0C8F41750DE9B71F
                SHA-512:045FA727F4DF4AB02DABBE3B1C491D34D3EF6D1DAD7121664A398DDEE5667B788BD1A0BCDF5737362B9A50DFEBEBE807F71461BCEB9EDE722A674811607D7EAF
                Malicious:false
                Reputation:unknown
                Preview: <?xml version="1.0" encoding="GBK"?>..<chrome>.. <fill>. .. <cmd_string.format var="ie_path" fmt="[WHOLEPATH]" params="..." WHOLEPATH="C:\ztg\fillProxy\tool\Chrome\Application\chrome.exe" need_quote="true"/>.. <cmd_string.format var="cmd" fmt="[IEPATH] [SSO]" params="..." IEPATH="*ie_path" SSO="#ssohref"/> .. <cmd_app.start var="pid" cmd_line="*cmd" mode="aaa"/>.. <cmd_app.get_local_ip var="apptoolsgateip"/>.. <cmd_app.get_self_pid var="fillProxyPid"/>.. <cmd_app.get_win_session_id var="win_session_id"/>.. <cmd_audit.send_audit_info kv_field="..." apptoolsgateip="*apptoolsgateip" fillprocessid="*fillProxyPid" filledprocessid="*pid" hid="*win_session_id" gid="#gid" ssohref="#ssohref" schemaData="#schemaData" userName="#userName" prot="http" filedprocessname="chrome.exe" sessionId="#sessionId"/> .. <cmd_audit.start_session_monitor pid="0" gid="#gid" sessionId="#sessionId" processName="chrome.exe" need_record="false"/>-->.. </fill>..
                C:\ztg\fillProxy\session_record\a.txt
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:E:E
                MD5:0CC175B9C0F1B6A831C399E269772661
                SHA1:86F7E437FAA5A7FCE15D1DDCB9EAEAEA377667B8
                SHA-256:CA978112CA1BBDCAFAC231B39A23DC4DA786EFF8147C4E72B9807785AFEE48BB
                SHA-512:1F40FC92DA241694750979EE6CF582F2D5D7D28E18335DE05ABC54D0560E0F5302860C652BF08D560252AA5E74210546F369FBBBCE8C12CFC7957B2652FE9A75
                Malicious:false
                Reputation:unknown
                Preview: a
                C:\ztg\fillProxy\spy++\spyxx.exe
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):496824
                Entropy (8bit):5.656320161333186
                Encrypted:false
                SSDEEP:6144:ohX9SnE7wwsuHix7yziQYy5x4j/s7pSUD7o5JwtOQnQ3dvyf3k1MMN:kkRwsuCx7Aj5x4j/ipZ7otvyf3RMN
                MD5:E81E6028623071835DEB307E7B9E86E5
                SHA1:51956F194082616CB74068FAA926CA46F121A883
                SHA-256:58E30254A936D5B22C7FFF8B66EFD9EB823DD91A4B5C0165581463E95F742C88
                SHA-512:BC876D353C4A26F2FA4B0C3D60DBE6724BD45CE7B1BC3B40B718984CA0A90411DF252271B0BF3A8A6C48CFD102432D07E876079F5B4287042D8EF7F051882C1A
                Malicious:false
                Reputation:unknown
                C:\ztg\fillProxy\spy++\spyxxhk.dll
                Process:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):73728
                Entropy (8bit):3.1519636837492246
                Encrypted:false
                SSDEEP:768:hcueEe71u1LMX9JUSZROeW7XyOzA/z0nep:iuze7SAX9NR9ROk/Fp
                MD5:8B351FA820CEFBFFF7733C47A1CD0A91
                SHA1:FD7FBD9D5DAB45C238E0B32AC76384230A97FC21
                SHA-256:8D9AE4417D3DD3E35C2400591CF7AEC07010D4BF9FFAAA0CE234BA92B27E5E99
                SHA-512:62AFE5AA328A661250035939A358AA0ED935008DB883E38FA9E7139A603EFD3D9575273155105D04388407EE03CB5789878B1D1EB32DCDEF0765B509B92C8738
                Malicious:false
                Reputation:unknown
                \Device\ConDrv
                Process:C:\Windows\SysWOW64\cacls.exe
                File Type:ASCII text, with CRLF, CR line terminators
                Category:dropped
                Size (bytes):62
                Entropy (8bit):4.221564407119748
                Encrypted:false
                SSDEEP:3:DEVT8KvCi6A3QVgScA3:DEV4KD6AAVgSB
                MD5:53F5122CBD1A96F1EEAC4CD2A5C949F3
                SHA1:ED231A2874ABDB6040CC0DA9D9145F3D712E31D1
                SHA-256:E8E11D19A10A061437CF5EB7786292AA85C18EBD5FE37F3281BA2A729FC63FE2
                SHA-512:9A23BA096C3B7D4604F646CC430BC1FCD143C21F316C4958272BDE97F5FE68A6F263EEB17637F73334CE8848C622E6D6AB5882522C461573ED8E1CCDDEDB3AD0
                Malicious:false
                Reputation:unknown
                Preview: No mapping between account names and security IDs was done....

                Static File Info

                General

                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):7.998867226699473
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.40%
                • InstallShield setup (43055/19) 0.43%
                • Windows Screen Saver (13104/52) 0.13%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                File name:fillProxy_for_terminal_20210702_v1.0.0.exe
                File size:23653052
                MD5:e744a9216199c95f313b5a9caff52306
                SHA1:e6895f247ec71e97db4eb75070408f171203919e
                SHA256:13d345e09772591b82023fb12d68e41158c865bfec60c017d50aff16486e07e1
                SHA512:e8d23ae31d7a427c00ccf480f5c3d6b3f4d9daeee6bb84dc9fb67081b6c6066e21c4410c5bc56e34a3aae36352b3502e2f207c2940a50b961d044dd184d38e6c
                SSDEEP:393216:iREgL13gKDvc4T+HYqelF3oJbg7VM5b3lpT7CajBLUzQBKakg/lTbbEeyU6qkyOO:Dg9MTelFYlYm1pT9dLUzQBJ5/5bweymF

                File Icon

                Icon Hash:c8d49ccde690ae46

                Static PE Info

                General

                Entrypoint:0x4253ca
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                DLL Characteristics:
                Time Stamp:0x40813A96 [Sat Apr 17 14:09:26 2004 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:76d5c02c1b61ff55cf8d344cde5d8b26

                Entrypoint Preview

                Instruction
                push ebp
                mov ebp, esp
                push FFFFFFFFh
                push 00428828h
                push 00424EE0h
                mov eax, dword ptr fs:[00000000h]
                push eax
                mov dword ptr fs:[00000000h], esp
                sub esp, 58h
                push ebx
                push esi
                push edi
                mov dword ptr [ebp-18h], esp
                call dword ptr [0042812Ch]
                xor edx, edx
                mov dl, ah
                mov dword ptr [0047F344h], edx
                mov ecx, eax
                and ecx, 000000FFh
                mov dword ptr [0047F340h], ecx
                shl ecx, 08h
                add ecx, edx
                mov dword ptr [0047F33Ch], ecx
                shr eax, 10h
                mov dword ptr [0047F338h], eax
                xor esi, esi
                push esi
                call 00007F7104B89295h
                pop ecx
                test eax, eax
                jne 00007F7104B891BAh
                push 0000001Ch
                call 00007F7104B89265h
                pop ecx
                mov dword ptr [ebp-04h], esi
                call 00007F7104B8A5E8h
                call dword ptr [00428108h]
                mov dword ptr [0047F840h], eax
                call 00007F7104B8A4A6h
                mov dword ptr [0047F378h], eax
                call 00007F7104B8A24Fh
                call 00007F7104B8A191h
                call 00007F7104B88963h
                mov dword ptr [ebp-30h], esi
                lea eax, dword ptr [ebp-5Ch]
                push eax
                call dword ptr [0042818Ch]
                call 00007F7104B8A122h
                mov dword ptr [ebp-64h], eax
                test byte ptr [ebp-30h], 00000001h
                je 00007F7104B891B8h
                movzx eax, word ptr [ebp-2Ch]
                jmp 00007F7104B891B5h
                push 0000000Ah
                pop eax
                push eax
                push dword ptr [ebp-64h]
                push esi
                push esi
                call dword ptr [0042822Ch]

                Rich Headers

                Programming Language:
                • [ C ] VS98 (6.0) build 8168
                • [EXP] VC++ 6.0 SP5 build 8804
                • [C++] VS98 (6.0) build 8168

                Data Directories

                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x28b88 | 0xf0 | .rdata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x80000 | 0xfb0 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x28000 | 0x418 | .rdata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                Sections

                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0x26ae0 | 0x26c00 | False | 0.58205015121 | data | 6.59632180574 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                .rdata | 0x28000 | 0x2208 | 0x2400 | False | 0.415907118056 | zlib compressed data | 5.57765758968 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .data | 0x2b000 | 0x54858 | 0x3200 | False | 0.465703125 | data | 5.50529776871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                .rsrc | 0x80000 | 0xfb0 | 0x1000 | False | 0.37744140625 | data | 4.30991765431 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                Resources

                Name | RVA | Size | Type | Language | Country
                RT_CURSOR | 0x80e60 | 0x134 | data | Finnish | Finland
                RT_BITMAP | 0x80c88 | 0x1d4 | data | Finnish | Finland
                RT_ICON | 0x806d0 | 0x2e8 | data | Finnish | Finland
                RT_DIALOG | 0x802a0 | 0xf0 | data | Finnish | Finland
                RT_DIALOG | 0x80438 | 0x1e0 | data | Finnish | Finland
                RT_DIALOG | 0x80390 | 0xa6 | data | Finnish | Finland
                RT_DIALOG | 0x80618 | 0xb6 | data | Finnish | Finland
                RT_GROUP_CURSOR | 0x80f98 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Finnish | Finland
                RT_GROUP_ICON | 0x809b8 | 0x14 | data | Finnish | Finland
                RT_MANIFEST | 0x809d0 | 0x2b8 | XML 1.0 document, ASCII text, with CRLF line terminators | Finnish | Finland

                Imports

                DLL | Import
                KERNEL32.dll | WaitForSingleObject, GetModuleFileNameA, GetDateFormatA, GetSystemDirectoryA, GetWindowsDirectoryA, GetCommandLineA, GetVersionExA, CreateMutexA, GetPrivateProfileIntA, GetPrivateProfileStringA, lstrcmpA, GetSystemTime, LocalFree, LocalAlloc, GetVersion, GetSystemInfo, GetComputerNameA, SetEndOfFile, LCMapStringA, GetStringTypeW, GetStringTypeA, GetOEMCP, lstrcpynA, GetCPInfo, GetFileType, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, HeapSize, HeapReAlloc, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, GetStartupInfoA, RtlUnwind, TerminateProcess, HeapAlloc, HeapFree, GetExitCodeProcess, SetFileTime, GlobalMemoryStatus, GetShortPathNameA, SetErrorMode, WritePrivateProfileStringA, WritePrivateProfileSectionA, MoveFileExA, GetCurrentProcess, ExitProcess, WideCharToMultiByte, CreateProcessA, RemoveDirectoryA, GetFileTime, VerLanguageNameA, CompareFileTime, CopyFileA, GetFileSize, GetLogicalDriveStringsA, FreeLibrary, GetCurrentDirectoryA, SetCurrentDirectoryA, MultiByteToWideChar, SetFileAttributesA, LCMapStringW, GetTempPathA, GetFileAttributesA, CreateDirectoryA, GetLocaleInfoA, FindFirstFileA, lstrcmpiA, FindNextFileA, FindClose, GetDriveTypeA, lstrcatA, GetModuleHandleA, LoadLibraryA, GetProcAddress, GetTickCount, Sleep, GetCurrentThread, QueryPerformanceFrequency, QueryPerformanceCounter, GetThreadPriority, SetThreadPriority, GlobalReAlloc, GlobalUnlock, GlobalFree, GlobalAlloc, GlobalLock, MulDiv, lstrlenA, GetLastError, FormatMessageA, WriteFile, ReadFile, lstrcpyA, SetFilePointer, CreateFileA, CloseHandle, GetACP, DeleteFileA
                USER32.dll | FindWindowA, IsIconic, PostMessageA, RegisterClassA, SetRectEmpty, ExitWindowsEx, MsgWaitForMultipleObjects, GetMessageA, TranslateMessage, DispatchMessageA, FillRect, PostQuitMessage, EnableWindow, SetWindowPos, SetTimer, GetDlgItemTextA, CreateDialogParamA, GetWindowLongA, IsWindowEnabled, GetSystemMetrics, RegisterClassExA, GetClientRect, IsWindowVisible, PtInRect, SetCursor, EndDialog, GetActiveWindow, WaitMessage, IsDialogMessageA, MessageBoxA, CopyRect, KillTimer, DrawEdge, GetDlgItem, SendDlgItemMessageA, SetDlgItemTextA, PeekMessageA, SetWindowTextA, ReleaseDC, EnumDisplaySettingsA, LoadBitmapA, GetDC, DestroyWindow, DefWindowProcA, GetWindowRect, InvalidateRect, LoadIconA, LoadImageA, GetSysColor, GetDesktopWindow, SystemParametersInfoA, SetForegroundWindow, DialogBoxParamA, GetWindowTextLengthA, GetWindowTextA, CreateWindowExA, SetWindowLongA, SetFocus, GetSystemMenu, DeleteMenu, AppendMenuA, ShowWindow, LoadCursorA, GetCursorPos, ScreenToClient, SendMessageA
                GDI32.dll | SaveDC, SetMapMode, SetViewportOrgEx, RestoreDC, StartDocA, StartPage, EndPage, TextOutA, SetBkMode, SelectObject, CreateFontA, GetDeviceCaps, BitBlt, DeleteDC, DeleteObject, CreateSolidBrush, GetStockObject, SetBkColor, SetTextColor, CreateCompatibleBitmap, CreateCompatibleDC, StretchDIBits, GetTextExtentPoint32A, CreateBitmap, CreateDIBitmap, CreatePalette, AddFontResourceA, CreateScalableFontResourceA, EndDoc, RemoveFontResourceA
                comdlg32.dll | GetOpenFileNameA, PrintDlgA
                ADVAPI32.dll | RegCloseKey, RegOpenKeyExA, AdjustTokenPrivileges, LookupPrivilegeValueA, RegDeleteValueA, RegQueryInfoKeyA, RegEnumKeyExA, OpenThreadToken, DuplicateToken, AllocateAndInitializeSid, InitializeSecurityDescriptor, GetLengthSid, InitializeAcl, AddAccessAllowedAce, SetSecurityDescriptorDacl, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, IsValidSecurityDescriptor, AccessCheck, FreeSid, GetUserNameA, RegSetValueExA, RegCreateKeyExA, OpenProcessToken, RegQueryValueExA
                SHELL32.dll | SHFileOperationA, SHBrowseForFolderA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, ShellExecuteA, SHChangeNotify
                ole32.dll | CoUninitialize, CoInitialize, OleInitialize, CoCreateInstance, OleUninitialize
                OLEAUT32.dll | RegisterTypeLib, LoadTypeLib
                WINMM.dll | waveOutGetNumDevs, midiOutGetNumDevs, joyGetPos
                COMCTL32.dll | ImageList_Create, ImageList_Add
                VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                Possible Origin

                Language of compilation system | Country where language is spoken
                Finnish | Finland

                Network Behavior

                No network behavior found

                System Behavior

                General

                Start time:07:49:32
                Start date:15/12/2021
                Path:C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe"
                Imagebase:0x400000
                File size:23653052 bytes
                MD5 hash:E744A9216199C95F313B5A9CAFF52306
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low

                General

                Start time:07:49:41
                Start date:15/12/2021
                Path:C:\Windows\System32\svchost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                Imagebase:0x7ff6b7590000
                File size:51288 bytes
                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:07:49:49
                Start date:15/12/2021
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\system32\cmd.exe /c ""C:\ztg\fillProxy\bin\run_startfill.bat""
                Imagebase:0x2a0000
                File size:232960 bytes
                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:07:49:49
                Start date:15/12/2021
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff61de10000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:07:49:50
                Start date:15/12/2021
                Path:C:\Windows\SysWOW64\regedit.exe
                Wow64 process (32bit):true
                Commandline:regedit /s "C:\ztg\fillProxy\bin\startFill.reg"
                Imagebase:0x280000
                File size:316416 bytes
                MD5 hash:617538C965AC4DDC72F9CF647C4343D5
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate

                General

                Start time:07:49:50
                Start date:15/12/2021
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\system32\cmd.exe /c ""C:\ztg\fillProxy\bin\changePv.bat""
                Imagebase:0x2a0000
                File size:232960 bytes
                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:07:49:51
                Start date:15/12/2021
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff61de10000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:07:49:51
                Start date:15/12/2021
                Path:C:\Windows\SysWOW64\cacls.exe
                Wow64 process (32bit):true
                Commandline:Cacls C:\ztg /t /e /c /g users:f
                Imagebase:0x810000
                File size:27648 bytes
                MD5 hash:4CBB1C027DF71C53A8EE4C855FD35B25
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate

                General

                Start time:07:49:52
                Start date:15/12/2021
                Path:C:\Windows\SysWOW64\cacls.exe
                Wow64 process (32bit):true
                Commandline:Cacls C:\ztg /t /e /c /g "Domain users":f
                Imagebase:0x810000
                File size:27648 bytes
                MD5 hash:4CBB1C027DF71C53A8EE4C855FD35B25
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate

                General

                Start time:07:49:53
                Start date:15/12/2021
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\system32\cmd.exe /c ""C:\ztg\fillProxy\bin\install_vc.bat""
                Imagebase:0x2a0000
                File size:232960 bytes
                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:07:49:53
                Start date:15/12/2021
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff61de10000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:07:49:54
                Start date:15/12/2021
                Path:C:\ztg\fillProxy\bin\vcredist_x86.exe
                Wow64 process (32bit):true
                Commandline:C:\ztg\fillProxy\bin\vcredist_x86.exe /q
                Imagebase:0xcd0000
                File size:14412304 bytes
                MD5 hash:DE34B1C517E0463602624BBC8294C08D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low

                General

                Start time:07:49:55
                Start date:15/12/2021
                Path:C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\Temp\{655084CD-5F11-4827-BB47-94D45513B158}\.cr\vcredist_x86.exe" -burn.clean.room="C:\ztg\fillProxy\bin\vcredist_x86.exe" -burn.filehandle.attached=564 -burn.filehandle.self=648 /q
                Imagebase:0x1150000
                File size:647912 bytes
                MD5 hash:2F9D2B6CE54F9095695B53D1AA217C7B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:07:49:58
                Start date:15/12/2021
                Path:C:\Windows\System32\svchost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                Imagebase:0x7ff6b7590000
                File size:51288 bytes
                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:07:50:10
                Start date:15/12/2021
                Path:C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\Temp\{1D1879A7-3A23-4359-8181-187A672B45CF}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{54123DCB-56EF-4DED-BE9C-51E415E752C4} {1225F69D-7066-4C39-BA2A-7AD819A06F23} 5620
                Imagebase:0x160000
                File size:647912 bytes
                MD5 hash:2F9D2B6CE54F9095695B53D1AA217C7B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:07:50:14
                Start date:15/12/2021
                Path:C:\Windows\System32\msiexec.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\msiexec.exe /V
                Imagebase:0x7ff7d16e0000
                File size:66048 bytes
                MD5 hash:4767B71A318E201188A0D0A420C8B608
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:07:50:17
                Start date:15/12/2021
                Path:C:\Windows\System32\svchost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                Imagebase:0x7ff6b7590000
                File size:51288 bytes
                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:07:50:22
                Start date:15/12/2021
                Path:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                Wow64 process (32bit):true
                Commandline:"C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" /burn.runonce
                Imagebase:0x3a0000
                File size:647912 bytes
                MD5 hash:2F9D2B6CE54F9095695B53D1AA217C7B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:07:50:23
                Start date:15/12/2021
                Path:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                Wow64 process (32bit):true
                Commandline:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211215075009.log
                Imagebase:0x3a0000
                File size:647912 bytes
                MD5 hash:2F9D2B6CE54F9095695B53D1AA217C7B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:07:50:24
                Start date:15/12/2021
                Path:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                Wow64 process (32bit):true
                Commandline:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -burn.filehandle.attached=604 -burn.filehandle.self=600 /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\dd_vcredist_x86_20211215075009.log
                Imagebase:0x3a0000
                File size:647912 bytes
                MD5 hash:2F9D2B6CE54F9095695B53D1AA217C7B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:07:50:38
                Start date:15/12/2021
                Path:C:\Windows\System32\svchost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                Imagebase:0x7ff6b7590000
                File size:51288 bytes
                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:07:50:48
                Start date:15/12/2021
                Path:C:\Windows\System32\svchost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                Imagebase:0x7ff6b7590000
                File size:51288 bytes
                MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:07:51:02
                Start date:15/12/2021
                Path:C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe
                Wow64 process (32bit):true
                Commandline:"C:\ProgramData\Package Cache\{65e650ff-30be-469d-b63a-418d71ea1765}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{6A2D7F35-8C3D-49AA-BBC4-AEE1AF86D622} {DC087992-A519-4F88-83FE-6F746248D57E} 4828
                Imagebase:0x3a0000
                File size:647912 bytes
                MD5 hash:2F9D2B6CE54F9095695B53D1AA217C7B
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:07:51:19
                Start date:15/12/2021
                Path:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                Wow64 process (32bit):true
                Commandline:"C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=992 -burn.embedded BurnPipe.{194902FD-C586-4C01-993D-93F130A238F3} {9A8E0363-256F-4B62-B2C0-A739805587AC} 6792
                Imagebase:0x3c0000
                File size:654616 bytes
                MD5 hash:77F9143FEEBC7782FE91336F104EC997
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:07:51:19
                Start date:15/12/2021
                Path:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                Wow64 process (32bit):true
                Commandline:"C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.filehandle.attached=564 -burn.filehandle.self=584 -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=992 -burn.embedded BurnPipe.{194902FD-C586-4C01-993D-93F130A238F3} {9A8E0363-256F-4B62-B2C0-A739805587AC} 6792
                Imagebase:0x3c0000
                File size:654616 bytes
                MD5 hash:77F9143FEEBC7782FE91336F104EC997
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:07:51:30
                Start date:15/12/2021
                Path:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                Wow64 process (32bit):true
                Commandline:"C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1000 -burn.embedded BurnPipe.{05D5D051-E4A9-4B0C-BB87-73D4F857D334} {577B37C1-2FF3-4169-BEB1-E0F81A86B2E3} 5848
                Imagebase:0x3c0000
                File size:654616 bytes
                MD5 hash:77F9143FEEBC7782FE91336F104EC997
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:07:51:30
                Start date:15/12/2021
                Path:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                Wow64 process (32bit):true
                Commandline:"C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -burn.filehandle.attached=572 -burn.filehandle.self=584 -uninstall -quiet -burn.related.upgrade -burn.ancestors={65e650ff-30be-469d-b63a-418d71ea1765} -burn.filehandle.self=1000 -burn.embedded BurnPipe.{05D5D051-E4A9-4B0C-BB87-73D4F857D334} {577B37C1-2FF3-4169-BEB1-E0F81A86B2E3} 5848
                Imagebase:0x3c0000
                File size:654616 bytes
                MD5 hash:77F9143FEEBC7782FE91336F104EC997
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                General

                Start time:07:51:35
                Start date:15/12/2021
                Path:C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe
                Wow64 process (32bit):true
                Commandline:"C:\ProgramData\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{93FF69D1-692B-4423-A937-AE18A3777091} {A80FDF07-0A55-46E1-B710-ADC6A0BE059A} 2264
                Imagebase:0x3c0000
                File size:654616 bytes
                MD5 hash:77F9143FEEBC7782FE91336F104EC997
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language

                Disassembly

                Code Analysis

                  Execution Graph

                  Execution Coverage:12%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:14.8%
                  Total number of Nodes:2000
                  Total number of Limit Nodes:43

20450->21151 20452 4169d4 20453 41cd1e 233 API calls 20452->20453 20454 4169dc 20453->20454 20477 416a40 20454->20477 21152 417b53 233 API calls 20454->21152 20456 424dd9 6 API calls 20456->20477 20457 424dd9 6 API calls 20472 416b2b 20457->20472 20459 41cd1e 233 API calls 20459->20477 20460 424dd9 6 API calls 20488 416be6 20460->20488 20462 41bf12 233 API calls 20462->20477 20464 41bf12 233 API calls 20464->20472 20465 41cd1e 233 API calls 20465->20472 20467 424dd9 6 API calls 20503 416cb3 20467->20503 20469 41cd1e 233 API calls 20469->20488 20470 41bdc5 GlobalAlloc GlobalLock 20470->20503 20471 424dd9 6 API calls 20505 416d80 20471->20505 20472->20457 20472->20464 20472->20465 20481 41e87a 233 API calls 20472->20481 20472->20488 21156 417af9 GlobalAlloc GlobalLock 20472->21156 21157 41d881 233 API calls 20472->21157 21158 4167aa 233 API calls 20472->21158 20474 41bf12 233 API calls 20474->20488 20476 41cd1e 233 API calls 20476->20503 20477->20456 20477->20459 20477->20462 20477->20472 20487 41e87a 233 API calls 20477->20487 21153 417acd GlobalAlloc GlobalLock 20477->21153 21154 41d881 233 API calls 20477->21154 21155 4167aa 233 API calls 20477->21155 20479 424dd9 6 API calls 20504 416f04 20479->20504 20481->20472 20482 4170e0 20486 41bf12 233 API calls 20482->20486 20484 41bf12 233 API calls 20484->20503 20485 41cd1e 233 API calls 20485->20505 20489 4170f0 20486->20489 20487->20477 20488->20460 20488->20469 20488->20474 20497 41e87a 233 API calls 20488->20497 20488->20503 21159 417b15 GlobalAlloc GlobalLock 20488->21159 21160 41d881 233 API calls 20488->21160 21161 4167aa 233 API calls 20488->21161 20494 41bf12 233 API calls 20489->20494 20491 424dd9 6 API calls 20509 417002 20491->20509 20496 41710d 20494->20496 20495 41cd1e 233 API calls 20495->20504 20498 41bf12 233 API calls 20496->20498 20497->20488 20510 41712a 20498->20510 20502 41cd1e 233 API calls 20502->20509 20503->20467 20503->20470 20503->20476 20503->20484 20503->20505 20506 41e87a 233 API calls 
20503->20506 21162 41d881 233 API calls 20503->21162 21163 4167aa 233 API calls 20503->21163 20504->20479 20504->20495 20508 41bf12 233 API calls 20504->20508 20504->20509 20524 41e87a 233 API calls 20504->20524 21168 417b15 GlobalAlloc GlobalLock 20504->21168 21169 41d881 233 API calls 20504->21169 21170 4167aa 233 API calls 20504->21170 20505->20471 20505->20485 20505->20504 20511 41bf12 233 API calls 20505->20511 20528 4164b1 233 API calls 20505->20528 20532 41e87a 233 API calls 20505->20532 20534 41bf80 233 API calls 20505->20534 21164 407add GlobalAlloc GlobalLock 20505->21164 21165 41d881 233 API calls 20505->21165 21166 42504e 6 API calls 20505->21166 21167 41c1fa 233 API calls 20505->21167 20506->20503 20508->20504 20509->20482 20509->20491 20509->20502 20515 41bf12 233 API calls 20509->20515 20522 41e87a 233 API calls 20509->20522 21171 417b34 GlobalAlloc GlobalLock 20509->21171 21172 41d881 233 API calls 20509->21172 21173 4167aa 233 API calls 20509->21173 20512 41bf12 233 API calls 20510->20512 20511->20505 20513 417174 20512->20513 20514 41bf12 233 API calls 20513->20514 20516 417191 20514->20516 20515->20509 20517 41bf12 233 API calls 20516->20517 20519 4171ae 20517->20519 20521 41bf12 233 API calls 20519->20521 20523 4171cb 20521->20523 20522->20509 20525 41bf12 233 API calls 20523->20525 20524->20504 20526 4171e8 20525->20526 20527 41bf12 233 API calls 20526->20527 20529 417205 20527->20529 20528->20505 20530 41bf12 233 API calls 20529->20530 20531 417222 20530->20531 20533 41bf12 233 API calls 20531->20533 20532->20505 20535 41723f 20533->20535 20534->20505 20536 41bf12 233 API calls 20535->20536 20537 41725c 20536->20537 20539 41bf12 233 API calls 20537->20539 20541 41728d 20539->20541 20542 41bf12 233 API calls 20541->20542 20543 4172aa 20542->20543 20544 41bf12 233 API calls 20543->20544 20545 4172c7 20544->20545 20546 41bf12 233 API calls 20545->20546 20547 4172e4 20546->20547 20548 41bf12 233 API calls 20547->20548 20549 417301 20548->20549 
20550 41bf12 233 API calls 20549->20550 20551 41731e 20550->20551 20552 41bf12 233 API calls 20551->20552 20553 41733b 20552->20553 20554 41bf12 233 API calls 20553->20554 20555 417358 20554->20555 20556 41bf12 233 API calls 20555->20556 20557 417375 20556->20557 20558 41bf12 233 API calls 20557->20558 20559 417629 20558->20559 20560 41bf12 233 API calls 20559->20560 20561 4179af 20560->20561 20562 41bf12 233 API calls 20561->20562 20563 417a32 20562->20563 21174 41d728 234 API calls 20563->21174 20566 41b114 20565->20566 20567 41b0b9 GetCurrentDirectoryA 20565->20567 20568 41bf80 233 API calls 20566->20568 20569 41bf12 233 API calls 20567->20569 20570 41b126 20568->20570 20575 41b0f6 20569->20575 21201 41c7db lstrlenA 20570->21201 20574 41b112 20577 41b1e0 GetTempPathA 20574->20577 20578 41b14f GetModuleFileNameA 20574->20578 20575->20574 21200 41c3a9 233 API calls 20575->21200 20581 4150da 20577->20581 20582 41b216 lstrlenA 20577->20582 20583 41be35 233 API calls 20578->20583 20580 41bf80 233 API calls 20580->20574 20607 41a04c 20581->20607 20584 41b23b GetTickCount 20582->20584 20585 41b22d lstrcatA 20582->20585 20586 41b18a 20583->20586 21229 41bdc5 GlobalAlloc GlobalLock 20584->21229 20585->20584 20588 41c7db 234 API calls 20586->20588 20589 41b196 20588->20589 20591 41b1d8 20589->20591 21227 41c3a9 233 API calls 20589->21227 20590 41bf12 233 API calls 20597 41b251 20590->20597 20593 41b29e 20591->20593 21234 41befb GlobalUnlock GlobalFree 20593->21234 20594 41c467 233 API calls 20594->20597 20595 41b1aa 20598 41c7db 234 API calls 20595->20598 20597->20590 20597->20594 20599 41cd1e 233 API calls 20597->20599 20604 41b28d 20597->20604 21230 40df52 20597->21230 20600 41b1b6 20598->20600 20599->20597 20600->20591 21228 41c3a9 233 API calls 20600->21228 20603 41b1ca 20605 41bf80 233 API calls 20603->20605 20606 41bf80 233 API calls 20604->20606 20605->20591 20606->20591 21249 4164b1 20607->21249 20610 4164b1 233 API calls 20611 41a067 20610->20611 20612 4164b1 233 
API calls 20611->20612 20613 41a074 20612->20613 21360 41b3b9 20613->21360 20616 4164b1 233 API calls 20617 41a08e 20616->20617 20618 41b3b9 233 API calls 20617->20618 20619 41a09b 20618->20619 20620 41b3b9 233 API calls 20619->20620 20621 41a0a9 20620->20621 20622 41b3b9 233 API calls 20621->20622 20623 41a0b6 20622->20623 20624 41b3b9 233 API calls 20623->20624 20625 41a0c3 20624->20625 20626 41bf80 233 API calls 20625->20626 20627 41a0d0 20626->20627 20628 41cd1e 233 API calls 20627->20628 20629 41a14b 20628->20629 20629->20197 20631 41cd1e 233 API calls 20630->20631 20632 419ed6 RegOpenKeyExA 20631->20632 20633 419ee7 RegQueryValueExA RegCloseKey 20632->20633 20634 4150e8 20632->20634 20633->20634 20635 419f33 20633->20635 20634->20200 20634->20202 20649 419d70 20634->20649 20636 41be35 233 API calls 20635->20636 20637 419f42 20636->20637 20638 419f4f 20637->20638 20642 419f64 20637->20642 21379 41ca01 233 API calls 20638->21379 20640 419f5a 20641 41bff8 233 API calls 20640->20641 20641->20642 20643 41cd1e 233 API calls 20642->20643 20644 419f9e CreateProcessA 20643->20644 20645 419fb5 20644->20645 20646 419faa CloseHandle 20644->20646 21380 41befb GlobalUnlock GlobalFree 20645->21380 20646->20645 20648 419fbd 20648->20634 20650 41be99 233 API calls 20649->20650 20651 419d85 20650->20651 21381 41c047 lstrlenA 20651->21381 20654 41cd1e 233 API calls 20655 419d9d CreateMutexA GetLastError 20654->20655 20656 419db4 20655->20656 20657 419ded 20655->20657 20658 41cd1e 233 API calls 20656->20658 21391 41befb GlobalUnlock GlobalFree 20657->21391 20660 419dbe FindWindowA 20658->20660 20660->20657 20662 419dd0 IsIconic 20660->20662 20661 41510a 20661->20200 20661->20202 20665 41baec 20661->20665 20663 419de4 SetForegroundWindow 20662->20663 20664 419ddb ShowWindow 20662->20664 20663->20657 20664->20663 20671 41bb03 20665->20671 20679 415121 20665->20679 20668 41bf12 233 API calls 20668->20671 20669 41cd1e 233 API calls 20669->20671 20670 41e87a 233 API calls 
20670->20671 20671->20668 20671->20669 20671->20670 20673 41bb9e 20671->20673 20671->20679 21393 41e814 GlobalAlloc GlobalLock 20671->21393 21394 41bdc5 GlobalAlloc GlobalLock 20671->21394 21395 415a59 20671->21395 21432 41befb GlobalUnlock GlobalFree 20671->21432 21433 41e841 GlobalUnlock GlobalFree 20671->21433 21434 41befb GlobalUnlock GlobalFree 20673->21434 20676 41bba3 21435 41e841 GlobalUnlock GlobalFree 20676->21435 20679->20200 20679->20202 20680 4158e2 20679->20680 20681 4158fa 20680->20681 20682 41591b 20681->20682 20683 41590f 20681->20683 20687 415916 20681->20687 20684 41cd1e 233 API calls 20682->20684 21459 41b61b 242 API calls 20683->21459 20686 41592f RegOpenKeyExA 20684->20686 20688 415940 20686->20688 20689 4159a7 20686->20689 20687->20202 21442 4229a8 20688->21442 20691 4159c6 20689->20691 20692 4159af RegCloseKey 20689->20692 20695 41cd1e 233 API calls 20691->20695 20693 4159b8 20692->20693 21460 4155d2 233 API calls 20693->21460 20698 4159d4 RegQueryValueExA RegCloseKey 20695->20698 20697 40df52 GetFileAttributesA 20699 41595d 20697->20699 20698->20693 20700 4159ed 20698->20700 20699->20687 20701 415966 20699->20701 20702 4229a8 233 API calls 20700->20702 20703 41bf12 233 API calls 20701->20703 20704 4159fe 20702->20704 20705 415979 20703->20705 20706 40df52 GetFileAttributesA 20704->20706 20707 41c047 233 API calls 20705->20707 20708 415a0a 20706->20708 20709 415986 20707->20709 20708->20687 20710 415a0f 20708->20710 20711 41cd1e 233 API calls 20709->20711 20712 41bf12 233 API calls 20710->20712 20713 41598e CopyFileA 20711->20713 20714 415a22 20712->20714 20715 415a4b DeleteFileA 20713->20715 20716 41c047 233 API calls 20714->20716 20715->20687 20717 415a2f 20716->20717 20718 41cd1e 233 API calls 20717->20718 20719 415a37 CopyFileA 20718->20719 20719->20715 20721 41bf12 233 API calls 20720->20721 20722 4180cd 20721->20722 20723 4180d7 LoadLibraryA 20722->20723 20724 41812b 20722->20724 20723->20724 20725 4180e9 GetProcAddress 20723->20725 
20726 41dae7 233 API calls 20724->20726 20727 418122 FreeLibrary 20725->20727 20732 4180f9 20725->20732 20728 418157 20726->20728 20727->20724 20729 418173 20728->20729 20731 41bf12 233 API calls 20728->20731 21461 41a2c6 20729->21461 20733 41816b 20731->20733 20732->20727 20734 41bf12 233 API calls 20732->20734 20735 424dce 4 API calls 20733->20735 20734->20727 20735->20729 20736 41817c 20777 415177 20736->20777 21486 40de4d LoadLibraryA 20736->21486 20739 418221 21495 4184a4 20739->21495 20742 4181cf CreateDialogParamA 21720 41d46f 20742->21720 20744 418276 21732 42371f 339 API calls 20744->21732 20745 4181f1 20747 4181fb GetDlgItem SetWindowTextA 20745->20747 20748 41820d 20745->20748 20747->20748 20750 41d46f 233 API calls 20748->20750 20749 418246 20749->20744 20753 41824e 20749->20753 20751 418217 20750->20751 20751->20739 20754 41821b SetWindowTextA 20751->20754 21730 40fd20 317 API calls 20753->21730 20754->20739 20755 418352 20758 418377 20755->20758 20759 41c047 233 API calls 20755->20759 20755->20777 20757 418255 20757->20744 20761 41cd1e 233 API calls 20757->20761 21733 41c2e0 233 API calls 20758->21733 20759->20758 20763 418265 20761->20763 20762 41837e 20764 41dcd0 233 API calls 20762->20764 21731 41b2cc 233 API calls 20763->21731 20766 418388 20764->20766 21734 41c2e0 233 API calls 20766->21734 20768 418390 20769 4183a7 20768->20769 20770 4183d3 20768->20770 21735 40efe7 244 API calls 20768->21735 20769->20770 20772 4183b8 ShowWindow DestroyWindow 20769->20772 20774 424dd9 6 API calls 20770->20774 20780 4183e2 20770->20780 20772->20770 20774->20780 20775 418438 20776 418484 20775->20776 20775->20777 21736 41b2cc 233 API calls 20775->21736 20776->20777 20779 424dce 4 API calls 20776->20779 20777->20208 20777->20209 20779->20777 20780->20775 20783 41cd1e 233 API calls 20780->20783 20781 41847d 20782 424dd9 6 API calls 20781->20782 20782->20776 20783->20775 20785 4124c7 20784->20785 20786 412486 20784->20786 20787 41250f 20785->20787 20789 41cd1e 233 
API calls 20785->20789 20800 41257b 20785->20800 21956 4237b5 20786->21956 20787->20800 22224 41a69c 20787->22224 20792 412509 20789->20792 22176 40dc10 20792->22176 20800->20200 20800->20231 20800->20232 20807 412554 20807->20800 20810 412561 20807->20810 20811 412582 20807->20811 20813 414c1b 272 API calls 20810->20813 20814 4125b5 20811->20814 20818 41cd1e 233 API calls 20811->20818 20817 412570 20813->20817 20815 414c1b 272 API calls 20814->20815 20819 4125c1 20815->20819 22573 4102f6 247 API calls 20817->22573 20822 4125aa GetDlgItem SetWindowTextA 20818->20822 20823 414c1b 272 API calls 20819->20823 20822->20814 20826 4125ca 20823->20826 20825 412577 20825->20800 20825->20811 22321 41bdc5 GlobalAlloc GlobalLock 20826->22321 20832 41be99 233 API calls 20834 4125e2 20832->20834 20834->20832 20839 41262b 20834->20839 22322 413399 20834->22322 20841 412631 20839->20841 20842 41264f 20839->20842 20844 41cd1e 233 API calls 20841->20844 20843 412676 20842->20843 20845 41cd1e 233 API calls 20842->20845 20846 414c1b 272 API calls 20843->20846 20847 41263c 20844->20847 20849 41266b GetDlgItem SetWindowTextA 20845->20849 20850 41267f 20846->20850 22574 41b2a8 233 API calls 20847->22574 20849->20843 22360 413211 20850->22360 20852 412686 20854 4126a3 20852->20854 20856 41cd1e 233 API calls 20852->20856 20855 4126ca 20854->20855 20857 41cd1e 233 API calls 20854->20857 20858 414c1b 272 API calls 20855->20858 20859 412695 20856->20859 20860 4126bf GetDlgItem SetWindowTextA 20857->20860 20861 4126d3 20858->20861 22575 41b2a8 233 API calls 20859->22575 20860->20855 22381 412e58 20861->22381 20865 412701 20867 414c1b 272 API calls 20865->20867 20866 41cd1e 233 API calls 20868 4126f6 GetDlgItem SetWindowTextA 20866->20868 20869 41270a 20867->20869 20868->20865 22422 410891 20869->22422 20899 41264a 22618 41befb GlobalUnlock GlobalFree 20899->22618 20903->20200 20904->20203 20905->20217 20907 41c047 230 API calls 20906->20907 20908 41c480 lstrlenA 20907->20908 20909 415194 
20908->20909 20911 41c494 20908->20911 20914 41cd1e GlobalUnlock GlobalReAlloc 20909->20914 20910 41c645 lstrlenA 20910->20909 20910->20911 20911->20910 20912 41cbf9 230 API calls 20911->20912 20913 41c63f lstrlenA 20911->20913 20912->20911 20913->20910 20915 41cd51 GlobalLock 20914->20915 20916 41cd40 20914->20916 20915->20230 20917 41cd1e 230 API calls 20916->20917 20918 41cd4a 20917->20918 23437 41d881 233 API calls 20918->23437 20920 41cd50 20920->20915 20921->20242 20922->20200 20924 41e453 GetCurrentThread OpenThreadToken 20923->20924 20925 4151d2 20923->20925 20926 41e49b DuplicateToken 20924->20926 20927 41e46f GetLastError 20924->20927 20925->20211 20925->20223 20929 41e4b2 AllocateAndInitializeSid 20926->20929 20940 41e5be 20926->20940 20928 41e480 GetCurrentProcess OpenProcessToken 20927->20928 20927->20940 20928->20926 20928->20940 20931 41e4d7 LocalAlloc 20929->20931 20929->20940 20933 41e4ed InitializeSecurityDescriptor 20931->20933 20931->20940 20932 41e5ca 20932->20925 20934 41e4fe GetLengthSid LocalAlloc 20933->20934 20933->20940 20935 41e51f InitializeAcl 20934->20935 20934->20940 20936 41e531 AddAccessAllowedAce 20935->20936 20935->20940 20937 41e54a SetSecurityDescriptorDacl 20936->20937 20936->20940 20938 41e55f SetSecurityDescriptorGroup SetSecurityDescriptorOwner IsValidSecurityDescriptor 20937->20938 20937->20940 20939 41e586 AccessCheck 20938->20939 20938->20940 20939->20940 23438 41e5e3 LocalFree LocalFree FreeSid CloseHandle CloseHandle 20940->23438 20941->20246 20943->20244 20945->20200 20946->20224 20947->20234 20948->20240 20949->20244 20951 424bae 6 API calls 20950->20951 20952 41925a 20951->20952 20952->20307 20952->20308 20954 41bf27 20953->20954 20955 41bf2b lstrlenA 20953->20955 20956 41bf34 GlobalReAlloc 20954->20956 20955->20956 20957 41bf59 GlobalLock 20956->20957 20958 41bf48 20956->20958 20960 41929a 20957->20960 20959 41cd1e 229 API calls 20958->20959 20961 41bf52 20959->20961 20964 424dce 20960->20964 20991 41d881 233 API 
calls 20961->20991 20963 41bf58 20963->20957 20965 424ab4 4 API calls 20964->20965 20966 4192a2 GetCommandLineA 20965->20966 20967 41be35 lstrlenA GlobalAlloc 20966->20967 20968 41be61 20967->20968 20969 41be72 GlobalLock 20967->20969 20971 41cd1e 230 API calls 20968->20971 20970 41be84 20969->20970 20970->20317 20972 41be6b 20971->20972 20992 41d881 233 API calls 20972->20992 20974 41be71 20974->20969 20976 41c6f7 20975->20976 20987 4192ca 20975->20987 20976->20987 20993 41bdc5 GlobalAlloc GlobalLock 20976->20993 20978 41c70f 20994 41bdc5 GlobalAlloc GlobalLock 20978->20994 20980 41c717 20995 41bf80 GlobalUnlock GlobalReAlloc 20980->20995 20983 41bf12 232 API calls 20988 41c72b 20983->20988 20985 41c7c0 21004 41befb GlobalUnlock GlobalFree 20985->21004 20987->20320 21003 41befb GlobalUnlock GlobalFree 20988->21003 20989->20325 20990->20307 20991->20963 20992->20974 20993->20978 20994->20980 20996 41bfb9 GlobalLock 20995->20996 20997 41bfa8 20995->20997 20999 41bfcb 20996->20999 20998 41cd1e 230 API calls 20997->20998 21000 41bfb2 20998->21000 20999->20983 21005 41d881 233 API calls 21000->21005 21002 41bfb8 21002->20996 21003->20985 21004->20987 21005->21002 21048 40df78 21006->21048 21009 416031 235 API calls 21010 4160c0 21009->21010 21010->20329 21012 4161b6 21011->21012 21013 41dafe RegOpenKeyExA 21011->21013 21012->20356 21012->20357 21013->21012 21014 41db1b RegQueryValueExA 21013->21014 21014->21012 21015 41db37 21014->21015 21016 424dd9 6 API calls 21015->21016 21017 41db41 21016->21017 21018 41cd1e 229 API calls 21017->21018 21024 41db58 21017->21024 21019 41db52 21018->21019 21061 41d881 233 API calls 21019->21061 21020 41db65 RegQueryValueExA 21022 41db7b RegCloseKey 21020->21022 21023 41db8d 21020->21023 21022->21012 21025 424dce 4 API calls 21023->21025 21024->21020 21025->21012 21027 416049 21026->21027 21028 41bf12 233 API calls 21027->21028 21029 416060 21028->21029 21030 4160a0 21029->21030 21031 416066 GetShortPathNameA 21029->21031 21030->20363 
21032 41bf12 233 API calls 21031->21032 21032->21030 21034 41df62 21033->21034 21034->20408 21034->21034 21036 41e893 GlobalUnlock GlobalReAlloc GlobalLock 21035->21036 21037 41e888 21035->21037 21038 41e8c5 21036->21038 21040 41e8d5 21036->21040 21037->21036 21037->21040 21039 41cd1e 230 API calls 21038->21039 21041 41e8cf 21039->21041 21040->20412 21062 41d881 233 API calls 21041->21062 21043->20378 21044->20400 21045->20401 21046->20415 21047->20417 21049 40e040 RegOpenKeyExA 21048->21049 21052 40df8e 21048->21052 21050 40e0c9 SHGetSpecialFolderLocation 21049->21050 21057 40e061 RegQueryValueExA 21049->21057 21051 40e0dc SHGetPathFromIDListA SHGetMalloc 21050->21051 21053 40e0fc 21050->21053 21051->21053 21052->21049 21056 40dfbb 21052->21056 21053->21009 21055 40e0bf RegCloseKey 21055->21050 21055->21053 21056->21050 21058 40dfd3 RegOpenKeyExA 21056->21058 21057->21055 21058->21050 21060 40dff8 RegQueryValueExA 21058->21060 21060->21055 21061->21024 21062->21040 21064 41cd1e 233 API calls 21063->21064 21065 41a3b8 CreateFileA 21064->21065 21066 41a3cf GetFileSize SetFilePointer ReadFile ReadFile 21065->21066 21077 41a653 21065->21077 21067 41a438 SetFilePointer ReadFile ReadFile 21066->21067 21068 41a42b 21066->21068 21070 41a682 21067->21070 21071 41a475 21067->21071 21068->21067 21069 41a524 SetFilePointer ReadFile 21068->21069 21074 41a54e 21069->21074 21103 41a5c2 SetFilePointer ReadFile 21069->21103 21191 41b2a8 233 API calls 21070->21191 21071->21070 21073 41a487 SetFilePointer 21071->21073 21078 41a498 SetFilePointer ReadFile 21073->21078 21080 41cd1e 233 API calls 21074->21080 21095 41a64f 21074->21095 21076 41a694 21076->21077 21077->20432 21084 41a4ba SetFilePointer 21078->21084 21085 41a4cd SetFilePointer ReadFile ReadFile 21078->21085 21086 41a570 21080->21086 21081 41a607 21083 41a61f CloseHandle 21081->21083 21081->21095 21082 41a5f7 CloseHandle 21082->21077 21087 41cd1e 233 API calls 21083->21087 21084->21078 21084->21085 21085->21070 21088 
41a517 21085->21088 21089 41cac5 244 API calls 21086->21089 21090 41a642 21087->21090 21088->21069 21088->21070 21091 41a57b 21089->21091 21092 41cac5 244 API calls 21090->21092 21176 41be99 GlobalAlloc 21091->21176 21092->21095 21094 41a588 21184 41c2e0 233 API calls 21094->21184 21095->21077 21190 41b2a8 233 API calls 21095->21190 21097 41a590 21098 41a594 21097->21098 21185 41dcd0 21097->21185 21189 41befb GlobalUnlock GlobalFree 21098->21189 21100 41a5a6 21188 41c2e0 233 API calls 21100->21188 21103->21081 21103->21082 21104->20434 21106 416965 21105->21106 21107 41cafb SetFilePointer SetFilePointer 21105->21107 21106->20439 21118 41c2e0 233 API calls 21106->21118 21108 41cb29 GlobalUnlock GlobalFree GlobalAlloc GlobalLock 21107->21108 21110 41cb78 21108->21110 21111 41cb6b CloseHandle 21108->21111 21112 41cb83 CloseHandle 21110->21112 21113 41cb99 ReadFile FindCloseChangeNotification 21110->21113 21111->21106 21114 41cd1e 233 API calls 21112->21114 21113->21106 21115 41cb92 21114->21115 21193 41d881 233 API calls 21115->21193 21117 41cb98 21117->21113 21118->20441 21119->20444 21121 41d119 21120->21121 21123 41d11f 21120->21123 21194 42504e 6 API calls 21121->21194 21126 41d183 21123->21126 21132 41d162 21123->21132 21195 41c1fa 233 API calls 21123->21195 21125 41bf12 233 API calls 21127 4169a9 21125->21127 21128 41bf12 233 API calls 21126->21128 21127->20447 21130 41d18c 21128->21130 21129 41d173 21129->21125 21196 42504e 6 API calls 21130->21196 21132->21129 21133 41d272 21132->21133 21134 424dd9 6 API calls 21133->21134 21135 41d401 21134->21135 21136 41d40d 21135->21136 21197 407add GlobalAlloc GlobalLock 21135->21197 21138 41d427 21136->21138 21139 41cd1e 233 API calls 21136->21139 21140 41bf12 233 API calls 21138->21140 21141 41d421 21139->21141 21142 41d43d 21140->21142 21198 41d881 233 API calls 21141->21198 21144 41bf12 233 API calls 21142->21144 21145 41d446 21144->21145 21146 41bf12 233 API calls 21145->21146 21147 41d44e 21146->21147 21199 42504e 6 
API calls 21147->21199 21149 41d454 21150 41e87a 233 API calls 21149->21150 21150->21127 21151->20452 21152->20454 21153->20477 21154->20477 21155->20477 21156->20472 21157->20472 21158->20472 21159->20488 21160->20488 21161->20488 21162->20503 21163->20503 21164->20505 21165->20505 21166->20505 21167->20505 21168->20504 21169->20504 21170->20504 21171->20509 21172->20509 21173->20509 21174->20439 21175->20431 21177 41bed1 GlobalLock 21176->21177 21178 41bec0 21176->21178 21179 41bee3 21177->21179 21180 41cd1e 231 API calls 21178->21180 21179->21094 21179->21179 21181 41beca 21180->21181 21192 41d881 233 API calls 21181->21192 21183 41bed0 21183->21177 21184->21097 21186 41cd1e 233 API calls 21185->21186 21187 41dcde 21186->21187 21187->21100 21187->21187 21188->21098 21189->21103 21190->21077 21191->21076 21192->21183 21193->21117 21194->21123 21195->21123 21196->21127 21197->21136 21198->21138 21199->21149 21200->20574 21202 41b131 21201->21202 21203 41c805 21201->21203 21215 41cc95 21202->21215 21203->21202 21235 41bdc5 GlobalAlloc GlobalLock 21203->21235 21205 41c825 21236 41bdc5 GlobalAlloc GlobalLock 21205->21236 21207 41c82d 21208 41bf80 233 API calls 21207->21208 21209 41c836 21208->21209 21210 41bf12 233 API calls 21209->21210 21214 41c841 21210->21214 21212 41c8c6 21238 41befb GlobalUnlock GlobalFree 21212->21238 21237 41befb GlobalUnlock GlobalFree 21214->21237 21216 41ccab 21215->21216 21223 41ccc3 21215->21223 21239 41bdc5 GlobalAlloc GlobalLock 21216->21239 21218 41bf80 233 API calls 21220 41cccc 21218->21220 21219 41ccb9 21240 4251dd 13 API calls 21219->21240 21222 41b13a 21220->21222 21224 41bf12 233 API calls 21220->21224 21222->20580 21223->21218 21225 41cce5 21224->21225 21225->21222 21241 41bff8 GlobalUnlock GlobalReAlloc 21225->21241 21227->20595 21228->20603 21229->20597 21231 40df5b 21230->21231 21232 40df60 21231->21232 21233 40df63 GetFileAttributesA 21231->21233 21232->20597 21233->20597 21234->20581 21235->21205 21236->21207 21237->21212 
21238->21202 21239->21219 21240->21223 21242 41c02b GlobalLock 21241->21242 21243 41c01a 21241->21243 21242->21225 21244 41cd1e 230 API calls 21243->21244 21245 41c024 21244->21245 21248 41d881 233 API calls 21245->21248 21247 41c02a 21247->21242 21248->21247 21250 41cd1e 233 API calls 21249->21250 21251 4164c4 21250->21251 21252 4164db 21251->21252 21253 41cd1e 233 API calls 21251->21253 21252->20610 21254 4164ee 21253->21254 21370 41cbf9 lstrlenA lstrlenA 21254->21370 21257 41cd1e 233 API calls 21258 416506 21257->21258 21259 41cbf9 233 API calls 21258->21259 21260 416513 21259->21260 21261 41cd1e 233 API calls 21260->21261 21262 41651e 21261->21262 21263 41cbf9 233 API calls 21262->21263 21264 41652b 21263->21264 21265 41cd1e 233 API calls 21264->21265 21266 416536 21265->21266 21267 41cbf9 233 API calls 21266->21267 21268 416543 21267->21268 21269 41cd1e 233 API calls 21268->21269 21270 41654e 21269->21270 21271 41cbf9 233 API calls 21270->21271 21272 41655b 21271->21272 21273 41cd1e 233 API calls 21272->21273 21274 416569 21273->21274 21275 41cbf9 233 API calls 21274->21275 21276 416576 21275->21276 21277 41cd1e 233 API calls 21276->21277 21278 416584 21277->21278 21279 41cbf9 233 API calls 21278->21279 21280 416591 21279->21280 21281 41cd1e 233 API calls 21280->21281 21282 41659c 21281->21282 21283 41cbf9 233 API calls 21282->21283 21284 4165a9 21283->21284 21285 41cd1e 233 API calls 21284->21285 21286 4165b4 21285->21286 21287 41cbf9 233 API calls 21286->21287 21288 4165c1 21287->21288 21289 41cd1e 233 API calls 21288->21289 21290 4165cc 21289->21290 21291 41cbf9 233 API calls 21290->21291 21292 4165d9 21291->21292 21293 41cd1e 233 API calls 21292->21293 21294 4165e4 21293->21294 21295 41cbf9 233 API calls 21294->21295 21296 4165f1 21295->21296 21297 41cd1e 233 API calls 21296->21297 21298 4165ff 21297->21298 21299 41cbf9 233 API calls 21298->21299 21300 41660c 21299->21300 21301 41cd1e 233 API calls 21300->21301 21302 41661a 21301->21302 21303 41cbf9 233 
414f52 CloseHandle 22971->22972 22973 414ef5 GetLastError 22971->22973 22974 41cd1e 233 API calls 22972->22974 22975 414f00 22973->22975 22976 414f68 22973->22976 22977 414f61 DeleteFileA 22974->22977 23046 41bdc5 GlobalAlloc GlobalLock 22975->23046 23051 41befb GlobalUnlock GlobalFree 22976->23051 22977->22976 22980 414f08 22982 41c467 233 API calls 22980->22982 22981 414f70 23052 41befb GlobalUnlock GlobalFree 22981->23052 22985 414f19 22982->22985 22984 414f4e 22984->22300 22986 41cd1e 233 API calls 22985->22986 22987 414f25 22986->22987 23047 41b2a8 233 API calls 22987->23047 22989 414f36 23048 41befb GlobalUnlock GlobalFree 22989->23048 22991 414f3e 23049 41befb GlobalUnlock GlobalFree 22991->23049 22993 414f46 23050 41befb GlobalUnlock GlobalFree 22993->23050 22996 4145b5 GetFileAttributesA 22995->22996 22997 414587 SetFileTime CloseHandle 22995->22997 22999 4145c7 SetFileAttributesA 22996->22999 22997->22996 22999->22300 23000->22253 23001->22255 23002->22300 23003->22300 23004->22255 23005->22255 23006->22255 23007->22300 23008->22300 23009->22300 23010->22258 23011->22262 23012->22250 23014 41cd1e 230 API calls 23013->23014 23015 41c0d5 GlobalUnlock GlobalReAlloc 23014->23015 23016 41c109 GlobalLock 23015->23016 23017 41c0f8 23015->23017 23019 412442 23016->23019 23018 41cd1e 230 API calls 23017->23018 23020 41c102 23018->23020 23019->22278 23053 41d881 233 API calls 23020->23053 23022 41c108 23022->23016 23023->22284 23024->22279 23025->22845 23026->22849 23027->22843 23028->22869 23029->22881 23030->22885 23031->22894 23032->22903 23033->22897 23034->22899 23045->22967 23046->22980 23047->22989 23048->22991 23049->22993 23050->22984 23051->22981 23052->22984 23053->23022 23054->22357 23055->22329 23056->22357 23057->22357 23058->22372 23059->22419 23061->22419 23062->22419 23063->22405 23064->22405 23065->22419 23437->20920 23438->20932 20086 423fa2 361 API calls

                  Executed Functions

                  C-Code - Quality: 89%
                  			E004184A4(signed int __ecx) {
                  				char _v260;
                  				intOrPtr _v268;
                  				signed int _v272;
                  				signed int _v276;
                  				char _v288;
                  				signed int _v292;
                  				char _v296;
                  				signed int _v300;
                  				char _v304;
                  				char _v308;
                  				char _v312;
                  				char _v316;
                  				char _v320;
                  				intOrPtr _v324;
                  				char _v332;
                  				char _v336;
                  				char _v348;
                  				char _v352;
                  				signed int _v360;
                  				char _v364;
                  				char _v368;
                  				char _v380;
                  				char _v404;
                  				char _v408;
                  				signed char _t107;
                  				signed int _t108;
                  				signed int _t109;
                  				signed int _t110;
                  				signed int _t111;
                  				signed int _t112;
                  				void* _t113;
                  				intOrPtr _t117;
                  				signed int _t118;
                  				signed int _t119;
                  				void* _t121;
                  				signed int _t122;
                  				void* _t123;
                  				void* _t124;
                  				signed int _t126;
                  				signed int _t136;
                  				signed int _t144;
                  				void* _t145;
                  				signed int _t153;
                  				signed int _t158;
                  				signed int _t159;
                  				signed int _t162;
                  				struct HINSTANCE__* _t167;
                  				signed int _t186;
                  				signed int _t190;
                  				signed int _t191;
                  				void* _t194;
                  				signed int _t196;
                  				void* _t204;
                  				void* _t205;
                  				void* _t209;
                  				intOrPtr _t210;
                  				signed int _t211;
                  				signed int _t212;
                  				signed int _t215;
                  				void* _t223;
                  				signed int _t225;
                  				signed int _t238;
                  				signed int _t239;
                  				signed int _t241;
                  				signed int _t247;
                  				signed int _t248;
                  				signed int _t250;
                  				signed int _t254;
                  				signed int _t255;
                  				signed int _t256;
                  				signed int _t258;
                  				signed int _t260;
                  				signed int _t273;
                  				intOrPtr _t274;
                  				signed int _t275;
                  				signed int _t276;
                  				void* _t278;
                  				signed int _t280;
                  				signed int _t292;
                  				signed int _t301;
                  				void* _t306;
                  				intOrPtr _t313;
                  				signed int _t316;
                  				intOrPtr _t320;
                  				void* _t324;
                  				void* _t334;
                  				void* _t335;
                  				signed int _t338;
                  				void* _t341;
                  				signed int _t343;
                  				void* _t344;
                  				void* _t345;
                  				void* _t346;
                  				CHAR* _t347;
                  				signed int _t348;
                  				void* _t349;
                  				signed int _t350;
                  				signed int _t351;
                  				void* _t352;
                  				signed int _t353;
                  				signed int _t354;
                  				void* _t361;
                  				void* _t383;
                  				void* _t408;
                  				void* _t433;
                  				void* _t439;
                  				void* _t478;
                  				void* _t552;
                  				signed int _t553;
                  				signed int _t554;
                  				void* _t556;
                  				CHAR* _t557;
                  				signed int _t559;
                  				void* _t561;
                  				signed int _t562;
                  				void* _t564;
                  				void* _t565;
                  				void* _t566;
                  				void* _t567;
                  				void* _t568;
                  				void* _t569;
                  				void* _t570;
                  				void* _t571;
                  				void* _t572;
                  				signed int* _t575;
                  
                  				_t575 =  &_v292;
                  				_t107 =  *0x47e194; // 0x0
                  				_v276 = __ecx;
                  				if((_t107 & 0x00000010) == 0 || (_t107 & 0x00000020) == 0 || E0041C8FD(0x47e2f0, 0x4c) == 0) {
                  					L7:
                  					__eflags =  *0x47f27c;
                  					if( *0x47f27c != 0) {
                  						L41:
                  						_t108 = E0041C8FD(0x47e2f0, 0x5c);
                  						__eflags = _t108;
                  						_t341 = 0x47e880;
                  						if(_t108 == 0) {
                  							L49:
                  							_t109 = E0041C8FD(0x47e2f0, 0x50);
                  							__eflags = _t109;
                  							if(_t109 == 0) {
                  								L59:
                  								__eflags =  *0x47f27c;
                  								if( *0x47f27c != 0) {
                  									L85:
                  									_t110 = E0041C8FD(0x47e2f0, 0x68);
                  									__eflags = _t110;
                  									if(_t110 == 0) {
                  										L94:
                  										_t111 = E0041C8FD(0x47e2f0, 0x90);
                  										__eflags =  *0x47f27c;
                  										_t553 = _t111;
                  										if( *0x47f27c != 0) {
                  											L114:
                  											_t112 = E0041C8FD(0x47e2f0, 0xa8);
                  											__eflags = _t112;
                  											if(_t112 == 0) {
                  												L125:
                  												_push(1);
                  												goto L126;
                  											}
                  											__eflags =  *0x47e192 & 0x00000002;
                  											if(( *0x47e192 & 0x00000002) != 0) {
                  												goto L125;
                  											}
                  											_t554 = E00424DD9(0x104);
                  											_pop(_t361);
                  											__eflags = _t554;
                  											if(_t554 == 0) {
                  												E0041D881(E0041CD1E(0x47e924));
                  												_pop(_t361);
                  											}
                  											E0041DBFF(_t361, _t554, ".EXE"); // executed
                  											E0041BF12(0x47e788, _t554);
                  											_t117 = 1;
                  											 *0x47f21c = _t117;
                  											 *0x47e290 = _t117;
                  											_t118 =  *0x47f28c; // 0x22d1d10
                  											__eflags = _t118;
                  											if(_t118 != 0) {
                  												E00424DCE(_t118);
                  											}
                  											_t119 = E00424DD9(4);
                  											__eflags = _t119;
                  											 *0x47f28c = _t119;
                  											if(_t119 == 0) {
                  												E0041D881(E0041CD1E(0x47e924));
                  											}
                  											_v268 = E0041C8FD(0x47e2f0, 0xac);
                  											_t121 = E0041C8FD(0x47e2f0, 0xa8);
                  											_t122 =  *0x47f28c; // 0x22d1d10
                  											 *_t122 = _v272 + _t121;
                  											_t123 = E0041C8FD(0x47e2f0, 0xa8);
                  											_t124 = E0041C8FD(0x47e2f0, 0xac);
                  											_t126 = E00401AC0(E0041CD1E(0x47e6c8), _t554, _t124, _t123); // executed
                  											__eflags = _t126;
                  											_push(_t554);
                  											if(_t126 == 0) {
                  												E00424DCE();
                  												goto L125;
                  											} else {
                  												DeleteFileA();
                  												E00424DCE(_t554);
                  												_push(0xfffffff1);
                  												goto L126;
                  											}
                  										}
                  										__eflags = _t553;
                  										if(_t553 <= 0) {
                  											L108:
                  											 *0x47e60c = E0041C8FD(0x47e2f0, 0xa0);
                  											_t136 = E004153F8(0x47dfb8, __eflags, _t135);
                  											__eflags = _t136;
                  											if(_t136 != 0) {
                  												E0041BF12(0x47e700, 0x42e0c8);
                  												__eflags =  *0x47e18c & 0x00000040;
                  												if(( *0x47e18c & 0x00000040) == 0) {
                  													_push(E0041CD1E(0x47e350));
                  													_t383 = 0x47e900;
                  												} else {
                  													_push(E0041CD1E(0x47e350));
                  													_t383 = 0x47e90c;
                  												}
                  												E0041C467(0x47e700, E0041CD1E(_t383));
                  												_t575 =  &(_t575[3]);
                  												goto L114;
                  											}
                  											_push(0xfffffff0);
                  											goto L126;
                  										}
                  										_t144 = E00424DD9(4 + (_t553 + _t553 * 2) * 4);
                  										__eflags = _t144;
                  										if(_t144 == 0) {
                  											_t343 = 0;
                  											__eflags = 0;
                  											L102:
                  											__eflags = _t343;
                  											 *0x47e780 = _t343;
                  											if(_t343 == 0) {
                  												E0041D881(E0041CD1E(0x47e924));
                  											}
                  											 *0x47e784 = _t553;
                  											_t145 = E0041C8FD(0x47e2f0, 0x94);
                  											__eflags = _t553;
                  											_t344 = _t145;
                  											if(_t553 <= 0) {
                  												L107:
                  												__eflags =  *0x47f27c;
                  												if( *0x47f27c != 0) {
                  													goto L114;
                  												}
                  												goto L108;
                  											} else {
                  												_t87 =  &_v292;
                  												 *_t87 = _v292 & 0x00000000;
                  												__eflags =  *_t87;
                  												_v276 = _t553;
                  												do {
                  													E0041BDC5( &_v288);
                  													E0041CAC5( &_v288, E0041CD1E(0x47e6c8), _t344, 4);
                  													_t556 = E0041C8FD( &_v300, 0);
                  													_t345 = _t344 + 4;
                  													E0041CAC5( &_v304, E0041CD1E(0x47e6c8), _t345, _t556);
                  													_t153 =  *0x47e780; // 0x0
                  													_t344 = _t345 + _t556;
                  													E0041BF80(_v320 + _t153,  &_v316);
                  													E0041BEFB( &_v320);
                  													_v324 = _v324 + 0xc;
                  													_t99 =  &_v308;
                  													 *_t99 = _v308 - 1;
                  													__eflags =  *_t99;
                  												} while ( *_t99 != 0);
                  												goto L107;
                  											}
                  										}
                  										 *_t144 = _t553;
                  										_t78 = _t144 + 4; // 0x4
                  										_t343 = _t78;
                  										_t79 = _t553 - 1; // -1
                  										_t158 = _t79;
                  										_v292 = _t343;
                  										__eflags = _t158;
                  										if(_t158 < 0) {
                  											goto L102;
                  										}
                  										_t159 = _t158 + 1;
                  										__eflags = _t159;
                  										_v276 = _t159;
                  										do {
                  											E0041BDC5(_v292);
                  											_v292 = _v292 + 0xc;
                  											_t85 =  &_v276;
                  											 *_t85 = _v276 - 1;
                  											__eflags =  *_t85;
                  										} while ( *_t85 != 0);
                  										goto L102;
                  									}
                  									_t557 = E00424DD9(0x104);
                  									__eflags = _t557;
                  									if(__eflags == 0) {
                  										E0041D881(E0041CD1E(0x47e924));
                  									}
                  									_t162 = E00411CE5(_t341, __eflags, _t557, 0x6c);
                  									__eflags = _t162;
                  									_push(_t557);
                  									if(_t162 != 0) {
                  										E0041BF12(0x47df90);
                  										E0041BF12(0x47f270, _t557);
                  										 *0x47f26c = LoadLibraryA(_t557);
                  										E00424DCE(_t557);
                  										_t167 =  *0x47f26c; // 0x0
                  										__eflags = _t167;
                  										if(_t167 != 0) {
                  											 *0x47f220 = GetProcAddress(_t167, "AdvancedEntry");
                  											 *0x47f224 = GetProcAddress( *0x47f26c, "EntryPoint0");
                  											 *0x47f22c = GetProcAddress( *0x47f26c, "EntryPoint1");
                  											 *0x47f228 = GetProcAddress( *0x47f26c, "EntryPoint1_5");
                  											 *0x47f230 = GetProcAddress( *0x47f26c, "EntryPoint2");
                  											 *0x47f234 = GetProcAddress( *0x47f26c, "EntryPoint3");
                  											 *0x47f238 = GetProcAddress( *0x47f26c, "EntryPoint4");
                  											 *0x47f23c = GetProcAddress( *0x47f26c, "EntryPoint5");
                  											 *0x47f240 = GetProcAddress( *0x47f26c, "EntryPoint6");
                  											 *0x47f244 = GetProcAddress( *0x47f26c, "EntryPoint7");
                  											 *0x47f248 = GetProcAddress( *0x47f26c, "EntryPoint8");
                  											 *0x47f24c = GetProcAddress( *0x47f26c, "EntryPoint9");
                  											 *0x47f250 = GetProcAddress( *0x47f26c, "EntryPoint10");
                  											 *0x47f254 = GetProcAddress( *0x47f26c, "EntryPoint11");
                  											 *0x47f258 = GetProcAddress( *0x47f26c, "EntryPoint12");
                  											 *0x47f25c = GetProcAddress( *0x47f26c, "EntryPoint13");
                  											 *0x47f260 = GetProcAddress( *0x47f26c, "EntryPointCustom");
                  											 *0x47f264 = GetProcAddress( *0x47f26c, "SystemInformation");
                  											_t186 = GetProcAddress( *0x47f26c, "OnMessage");
                  											__eflags = _t186;
                  											 *0x47f268 = _t186;
                  											if(_t186 != 0) {
                  												 *0x47e18f =  *0x47e18f | 0x00000080;
                  												__eflags =  *0x47e18f;
                  											}
                  											goto L94;
                  										}
                  										_push(0xfffffff8);
                  									} else {
                  										E00424DCE();
                  										_push(0xfffffff9);
                  									}
                  									goto L126;
                  								}
                  								_t190 = E0041C8FD(0x47e2f0, 0x80);
                  								__eflags = _t190;
                  								if(_t190 == 0) {
                  									L78:
                  									__eflags =  *0x47f27c;
                  									if( *0x47f27c != 0) {
                  										goto L85;
                  									}
                  									_t191 = E0041C8FD(0x47e2f0, 0x74);
                  									__eflags = _t191;
                  									if(_t191 == 0) {
                  										goto L85;
                  									}
                  									_t559 = E00424DD9(0x104);
                  									_pop(_t408);
                  									__eflags = _t559;
                  									if(_t559 == 0) {
                  										E0041D881(E0041CD1E(0x47e924));
                  										_pop(_t408);
                  									}
                  									E0041DBFF(_t408, _t559, ".mp3");
                  									_t194 = E0041C8FD(0x47e2f0, 0x7c);
                  									_t196 = E00410722(_t544, _t559, E0041C8FD(0x47e2f0, 0x78), _t194, 0);
                  									__eflags = _t196;
                  									_push(_t559);
                  									if(_t196 != 0) {
                  										E0041BF12(0x47e758);
                  										E0041BF12(0x47dfa8, _t559);
                  										E00424DCE(_t559);
                  										goto L85;
                  									} else {
                  										E00424DCE();
                  										_push(0xfffffffa);
                  										goto L126;
                  									}
                  								}
                  								_t204 = E0040FCA0(__eflags, E0041C8FD(0x47e2f0, 0x88));
                  								__eflags = _t204 - 2;
                  								if(_t204 != 2) {
                  									_t205 = E0041C8FD(0x47e2f0, 0x84);
                  									__eflags = _t205 - 1;
                  									if(_t205 != 1) {
                  										goto L78;
                  									}
                  									E0041DBFF(0x47e2f0,  &_v260, ".bmp");
                  									_t561 = E0041C8FD(0x47e2f0, 0x88);
                  									_t209 = E0041C8FD(0x47e2f0, 0x8c);
                  									_t346 = _t209;
                  									_t210 = 1;
                  									 *0x47f21c = _t210;
                  									 *0x47e290 = _t210;
                  									_t211 =  *0x47f28c; // 0x22d1d10
                  									__eflags = _t211;
                  									if(_t211 != 0) {
                  										E00424DCE(_t211);
                  									}
                  									_t212 = E00424DD9(4);
                  									__eflags = _t212;
                  									 *0x47f28c = _t212;
                  									if(_t212 == 0) {
                  										E0041D881(E0041CD1E(0x47e924));
                  										_t212 =  *0x47f28c; // 0x22d1d10
                  									}
                  									 *_t212 = _t346 + _t561;
                  									_t215 = E00401AC0(E0041CD1E(0x47e6c8),  &_v260, _t561, _t346);
                  									_t575 =  &(_t575[4]);
                  									__eflags = _t215;
                  									if(_t215 == 0) {
                  										E0041BF12(0x47df9c,  &_v260);
                  										L77:
                  										_t341 = 0x47e880;
                  										goto L78;
                  									} else {
                  										_push(0xffffffd1);
                  										goto L126;
                  									}
                  								}
                  								_t347 = E00424DD9(0x104);
                  								_pop(_t433);
                  								__eflags = _t347;
                  								if(_t347 == 0) {
                  									E0041D881(E0041CD1E(0x47e924));
                  									_pop(_t433);
                  								}
                  								E0041DBFF(_t433, _t347, ".jpg");
                  								_t223 = E0041C8FD(0x47e2f0, 0x8c);
                  								_t225 = E00410722(_t544, _t347, E0041C8FD(0x47e2f0, 0x88), _t223, 0);
                  								__eflags = _t225;
                  								if(_t225 != 0) {
                  									_t562 = E00424DD9(0x104);
                  									_pop(_t439);
                  									__eflags = _t562;
                  									if(_t562 == 0) {
                  										E0041D881(E0041CD1E(0x47e924));
                  										_pop(_t439);
                  									}
                  									E0041DBFF(_t439, _t562, ".bmp");
                  									 *0x47e2d8(_t347, _t562);
                  									DeleteFileA(_t347);
                  									E0041BF12(0x47df9c, _t562);
                  									E00424DCE(_t347);
                  									E00424DCE(_t562);
                  									goto L77;
                  								} else {
                  									E00424DCE(_t347);
                  									_push(0xfffffffb);
                  									goto L126;
                  								}
                  							}
                  							_t238 = E00424DD9(0x104);
                  							_t563 = _t238;
                  							__eflags = _t238;
                  							if(__eflags == 0) {
                  								E0041D881(E0041CD1E(0x47e924));
                  							}
                  							_t239 = E00411CE5(_t341, __eflags, _t563, 0x54);
                  							__eflags = _t239;
                  							if(_t239 != 0) {
                  								E0041BF12(0x47df78, _t563);
                  								_t241 = E0041BD55(0x47e2d0, _t563);
                  								__eflags = _t241;
                  								if(_t241 != 0) {
                  									E00424DCE(_t563);
                  									goto L59;
                  								}
                  								_push(0xfffffffc);
                  								goto L56;
                  							} else {
                  								_push(0xfffffffd);
                  								L56:
                  								_pop(_t552);
                  								L57:
                  								E00424DCE(_t563);
                  								return _t552;
                  							}
                  						}
                  						_t247 = E00424DD9(0x104);
                  						_t563 = _t247;
                  						__eflags = _t247;
                  						if(__eflags == 0) {
                  							E0041D881(E0041CD1E(0x47e924));
                  						}
                  						_t248 = E00411CE5(_t341, __eflags, _t563, 0x60);
                  						__eflags = _t248;
                  						if(_t248 != 0) {
                  							E0041BF12(0x47df84, _t563);
                  							_t250 = E0041E6A9(0x47e710, _t563);
                  							__eflags = _t250;
                  							if(_t250 != 0) {
                  								E00424DCE(_t563);
                  								goto L49;
                  							}
                  							_push(0xfffffffe);
                  							goto L56;
                  						} else {
                  							_t552 = 0xffffffffffffffff;
                  							goto L57;
                  						}
                  					}
                  					_t254 = E0041C8FD(0x47e2f0, 0x10);
                  					__eflags = _t254;
                  					if(_t254 == 0) {
                  						L17:
                  						__eflags =  *0x47f27c;
                  						if( *0x47f27c != 0) {
                  							goto L41;
                  						}
                  						_t255 = E0041C8FD(0x47e2f0, 0x18);
                  						__eflags = _t255;
                  						if(_t255 == 0) {
                  							L22:
                  							__eflags =  *0x47f27c;
                  							if( *0x47f27c != 0) {
                  								goto L41;
                  							}
                  							_t256 = E0041C8FD(0x47e2f0, 0x20);
                  							__eflags = _t256;
                  							if(_t256 == 0) {
                  								L36:
                  								__eflags =  *0x47f27c;
                  								if( *0x47f27c != 0) {
                  									goto L41;
                  								}
                  								__eflags = E0041C8FD(0x47e2f0, 0x28);
                  								if(__eflags == 0) {
                  									goto L41;
                  								}
                  								_t258 = E00419BE3(__eflags);
                  								__eflags = _t258;
                  								if(_t258 != 0) {
                  									goto L41;
                  								}
                  								_push(0xffffffd3);
                  								goto L126;
                  							}
                  							_t564 = E0041C8FD(0x47e2f0, 0x24);
                  							_t260 = E0041C8FD(0x47e2f0, 0x20);
                  							_v300 = _v300 & 0x00000000;
                  							_v272 = _t260;
                  							__eflags = _t260;
                  							if(_t260 <= 0) {
                  								goto L36;
                  							} else {
                  								goto L25;
                  							}
                  							while(1) {
                  								L25:
                  								_t348 = E00424DD9(0x10);
                  								__eflags = _t348;
                  								if(_t348 == 0) {
                  									_t48 =  &_v272;
                  									 *_t48 = _v272 & 0x00000000;
                  									__eflags =  *_t48;
                  								} else {
                  									_t46 = _t348 + 4; // 0x4
                  									E0041BDC5(_t46);
                  									_v272 = _t348;
                  								}
                  								E0041BDC5( &_v288);
                  								_t349 = 4;
                  								E0041CAC5( &_v288, E0041CD1E(0x47e6c8), _t564, _t349);
                  								_t565 = _t564 + _t349;
                  								 *_v288 = E0041C8FD( &_v300, 0);
                  								E0041CAC5( &_v304, E0041CD1E(0x47e6c8), _t565, _t349);
                  								_t566 = _t565 + _t349;
                  								_t350 = E00424DD9(0x104);
                  								_pop(_t478);
                  								__eflags = _t350;
                  								if(_t350 == 0) {
                  									E0041D881(E0041CD1E(0x47e924));
                  									_pop(_t478);
                  								}
                  								E0041DBFF(_t478, _t350, ".bmp");
                  								_t56 = _v272 + 4; // 0x4
                  								E0041BF12(_t56, _t350);
                  								E00424DCE(_t350);
                  								_t273 = E0041C8FD( &_v292, 0);
                  								_t351 = _t273;
                  								_t274 = 1;
                  								_v276 = _t351;
                  								 *0x47f21c = _t274;
                  								 *0x47e290 = _t274;
                  								_t275 =  *0x47f28c; // 0x22d1d10
                  								__eflags = _t275;
                  								if(_t275 != 0) {
                  									E00424DCE(_t275);
                  								}
                  								_t276 = E00424DD9(4);
                  								__eflags = _t276;
                  								 *0x47f28c = _t276;
                  								if(_t276 == 0) {
                  									E0041D881(E0041CD1E(0x47e924));
                  									_t276 =  *0x47f28c; // 0x22d1d10
                  								}
                  								_t352 = _t351 + _t566;
                  								 *_t276 = _t352;
                  								_t61 = _v272 + 4; // 0x8
                  								_t278 = E0041CD1E(_t61);
                  								_t280 = E00401AC0(E0041CD1E(0x47e6c8), _t278, _t566, _v268);
                  								_t575 =  &(_t575[4]);
                  								__eflags = _t280;
                  								if(_t280 != 0) {
                  									break;
                  								}
                  								_t564 = _t352;
                  								E0041E87A(0x47e520, _v272, 0xffffffff);
                  								E0041BEFB( &_v296);
                  								_v300 = _v300 + 1;
                  								__eflags = _v300 - _v272;
                  								if(_v300 < _v272) {
                  									continue;
                  								}
                  								goto L36;
                  							}
                  							E0041BEFB( &_v288);
                  							_push(0xffffffd6);
                  							goto L126;
                  						}
                  						_t567 = E0041C8FD(0x47e2f0, 0x1c);
                  						_t292 = E0041C8FD(0x47e2f0, 0x18);
                  						__eflags = _t292;
                  						if(_t292 <= 0) {
                  							goto L22;
                  						}
                  						_t353 = _t292;
                  						do {
                  							E0041BDC5( &_v288);
                  							E0041CAC5( &_v288, E0041CD1E(0x47e6c8), _t567, 4);
                  							_t567 = _t567 + 4;
                  							_t544 = (E0041C8FD( &_v300, 0) << 0x00000010 | _t296 & 0x0000ff00) << 8;
                  							E0041E87A(0x47e534, (_t296 & 0x00ff0000 | _t296 >> 0x00000010) >> 0x00000008 | (E0041C8FD( &_v300, 0) << 0x00000010 | _t296 & 0x0000ff00) << 0x00000008, 0xffffffff);
                  							E0041BEFB( &_v312);
                  							_t353 = _t353 - 1;
                  							__eflags = _t353;
                  						} while (_t353 != 0);
                  						goto L22;
                  					}
                  					_t568 = E0041C8FD(0x47e2f0, 0x14);
                  					_t301 = E0041C8FD(0x47e2f0, 0x10);
                  					__eflags = _t301;
                  					if(_t301 <= 0) {
                  						goto L17;
                  					}
                  					_v292 = _t301;
                  					do {
                  						_t354 = E00424DD9(0x18);
                  						__eflags = _t354;
                  						if(_t354 == 0) {
                  							_t354 = 0;
                  							__eflags = 0;
                  						} else {
                  							E0041BDC5(_t354);
                  						}
                  						__eflags = _t354;
                  						if(_t354 == 0) {
                  							E0041D881(E0041CD1E(0x47e924));
                  						}
                  						 *(_t354 + 0x11) =  *(_t354 + 0x11) & 0x00000000;
                  						E0041BDC5( &_v288);
                  						E0041CAC5( &_v288, E0041CD1E(0x47e6c8), _t568, 4);
                  						_t306 = E0041C8FD( &_v300, 0);
                  						_t12 = _t568 + 4; // 0x4
                  						E0041CAC5(_t354, E0041CD1E(0x47e6c8), _t12, _t306);
                  						_t569 = _t568 + E0041C8FD( &_v316, 0) + 4;
                  						E0041CAC5( &_v320, E0041CD1E(0x47e6c8), _t569, 4);
                  						_t313 = E0041C8FD( &_v332, 0);
                  						_t570 = _t569 + 4;
                  						 *((intOrPtr*)(_t354 + 0xc)) = _t313;
                  						E0041CAC5( &_v336, E0041CD1E(0x47e6c8), _t570, 4);
                  						_t316 = E0041C8FD( &_v348, 0);
                  						__eflags = _t316;
                  						_t571 = _t570 + 4;
                  						 *((char*)(_t354 + 0x10)) = _t316 & 0xffffff00 | _t316 != 0x00000000;
                  						E0041CAC5( &_v352, E0041CD1E(0x47e6c8), _t571, 4);
                  						_t320 = E0041C8FD( &_v364, 0);
                  						_t572 = _t571 + 4;
                  						_v352 = _t320;
                  						E0041CAC5( &_v368, E0041CD1E(0x47e6c8), _t572, _t320);
                  						_t568 = _t572 + _v364;
                  						_v360 = _v360 & 0x00000000;
                  						_t324 = E0041CD1E( &_v380);
                  						_t34 = _t354 + 0x14; // 0x14
                  						E004167AA(__eflags, _t34,  &_v380, _t324,  &_v360);
                  						E0041E87A(0x47e50c, _t354, 0xffffffff);
                  						E0041BEFB( &_v404);
                  						_t37 =  &_v408;
                  						 *_t37 = _v408 - 1;
                  						__eflags =  *_t37;
                  					} while ( *_t37 != 0);
                  					goto L17;
                  				} else {
                  					_t334 = E0041C8FD(0x47e2f0, 0x4c);
                  					_t335 = E0041C8FD(0x47e2f0, 0x48);
                  					if(E0041CAC5(0x47e57c, E0041CD1E(0x47e6c8), _t335, _t334) >= 0) {
                  						_t338 = E0041C2E0(0x47e57c);
                  						__eflags = _t338;
                  						if(_t338 != 0) {
                  							goto L7;
                  						}
                  						E0041B2A8(0, E0041CD1E(0x47ebac), 0);
                  						_push(0xfffffff5);
                  						L126:
                  						_pop(_t113);
                  						return _t113;
                  					}
                  					_push(0xfffffff6);
                  					goto L126;
                  				}
                  			}


                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocCreateFileLockUnlock
                  • String ID: G$$G$$G$$G$$G$$G$$G$$G$$G$$G$$G$$G$$G$$G$.EXE$.bmp$.jpg$.mp3$4G$AdvancedEntry$EntryPoint0$EntryPoint1$EntryPoint10$EntryPoint11$EntryPoint12$EntryPoint13$EntryPoint1_5$EntryPoint2$EntryPoint3$EntryPoint4$EntryPoint5$EntryPoint6$EntryPoint7$EntryPoint8$EntryPoint9$EntryPointCustom$OnMessage$PG$SystemInformation$XG$|G
                  • API String ID: 386137224-3186843747
                  • Opcode ID: b9e612b76b28ed45f11c040e0f1b7bf33c36f68f2f0afff178c721e07a82593c
                  • Instruction ID: 069748b118062842f7cf095dcfe8d5fa59bc9307c264f3c7159fc0c8cc25633c
                  • Opcode Fuzzy Hash: b9e612b76b28ed45f11c040e0f1b7bf33c36f68f2f0afff178c721e07a82593c
                  • Instruction Fuzzy Hash: 785226B17443116AD704BB72AC92BFE26899F84358F10057FF606A62E3DF6C8C85875E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 78%
                  			E00418092(intOrPtr* __ecx, intOrPtr __edx) {
                  				struct HINSTANCE__* _v8;
                  				void* _v12;
                  				char _v13;
                  				char _v14;
                  				char _v15;
                  				char _v16;
                  				struct HWND__* _v20;
                  				char _v24;
                  				char _v27;
                  				char _v28;
                  				char _v29;
                  				char _v30;
                  				char _v31;
                  				char _v32;
                  				char _v33;
                  				char _v34;
                  				char _v35;
                  				char _v36;
                  				char _v37;
                  				char _v38;
                  				char _v39;
                  				char _v40;
                  				char _v41;
                  				char _v42;
                  				char _v43;
                  				char _v44;
                  				char _v45;
                  				char _v46;
                  				char _v47;
                  				char _v48;
                  				char _v49;
                  				char _v50;
                  				char _v51;
                  				char _v52;
                  				char _v53;
                  				char _v54;
                  				char _v55;
                  				char _v56;
                  				char _v57;
                  				char _v58;
                  				char _v59;
                  				char _v60;
                  				char _v61;
                  				char _v62;
                  				char _v63;
                  				char _v64;
                  				char _v65;
                  				char _v66;
                  				char _v67;
                  				char _v68;
                  				char _v69;
                  				char _v70;
                  				char _v71;
                  				char _v72;
                  				char _v73;
                  				char _v74;
                  				char _v75;
                  				char _v76;
                  				char _v80;
                  				char _v340;
                  				CHAR* _t91;
                  				void* _t92;
                  				void* _t93;
                  				intOrPtr _t96;
                  				intOrPtr _t97;
                  				signed int _t103;
                  				void* _t104;
                  				struct HINSTANCE__* _t107;
                  				signed int _t108;
                  				signed int _t110;
                  				signed int _t112;
                  				void* _t123;
                  				CHAR* _t126;
                  				CHAR* _t127;
                  				struct HINSTANCE__* _t133;
                  				_Unknown_base(*)()* _t134;
                  				intOrPtr _t168;
                  				struct HINSTANCE__* _t172;
                  				struct HINSTANCE__* _t174;
                  				intOrPtr _t180;
                  				intOrPtr _t185;
                  				signed int _t188;
                  				signed int _t189;
                  				intOrPtr _t190;
                  				signed int _t194;
                  				signed int _t195;
                  
                  				_t168 = __edx;
                  				_t1 =  &_v24; // 0x415177
                  				_v12 = __ecx;
                  				_v24 = 0x104;
                  				GetUserNameA( &_v340, _t1); // executed
                  				E0041BF12(0x47e1b8,  &_v340);
                  				_t180 =  *0x47e19c; // 0x1
                  				if(_t180 != 0) {
                  					_t133 = LoadLibraryA("Secur32.dll"); // executed
                  					_v8 = _t133;
                  					if(_t133 != 0) {
                  						_t134 = GetProcAddress(_t133, "GetUserNameExA");
                  						if(_t134 != 0) {
                  							_t7 =  &_v24; // 0x415177
                  							_v24 = 0x104;
                  							_push( &_v340);
                  							_push(3);
                  							if( *_t134() != 0 && _v24 > 0) {
                  								E0041BF12(0x47e1b8,  &_v340);
                  							}
                  						}
                  						FreeLibrary(_v8);
                  					}
                  				}
                  				_t185 =  *0x47e19c; // 0x1
                  				_t172 = 1;
                  				_t91 = "Software\\Microsoft\\Windows NT\\CurrentVersion";
                  				_v8 = _t172;
                  				if(_t185 == 0) {
                  					_t91 = "Software\\Microsoft\\Windows\\CurrentVersion";
                  				}
                  				_t92 = E0041DAE7(0x80000002, _t91, "RegisteredOrganization",  &_v80); // executed
                  				if(_t92 > 0) {
                  					E0041BF12(0x47e1c4, _v80);
                  					E00424DCE(_v80);
                  				}
                  				_t93 = E0041A2C6(_v12);
                  				if(_t93 < 0) {
                  					L51:
                  					return _t93;
                  				}
                  				_v16 = E0041BFE3(0x47e338, 0);
                  				_v15 = 0x3a;
                  				_v14 = 0x5c;
                  				_v13 = 0;
                  				_t96 = E0040DE4D( &_v16, _t172);
                  				_t188 =  *0x47f27c; // 0x1
                  				 *0x47e648 = _t96;
                  				 *0x47e64c = _t168;
                  				_v20 = 0;
                  				if(_t188 != 0) {
                  					L19:
                  					_t147 = _v12;
                  					_t93 = E004184A4(_v12);
                  					if(_t93 < 0) {
                  						goto L51;
                  					}
                  					_t194 =  *0x47f27c; // 0x1
                  					if(_t194 == 0) {
                  						_t147 = _v12;
                  						E00415C0F(_v12);
                  						_t195 =  *0x47f27c; // 0x1
                  						if(_t195 == 0) {
                  							_t147 = 0x47f208;
                  							if(E0040FD20(0x47f208, _t195) < 0) {
                  								_t123 = E0041CD1E(0x47e850);
                  								_t147 = 0x47dfb8;
                  								E0041B2CC(0x47dfb8, 0, "Graphics initialization failed. Dialog image will not be shown", _t123, 0x30);
                  							}
                  						}
                  					}
                  					_t97 =  *0x47e180; // 0x0
                  					_v76 = 0x55;
                  					 *0x47e31c = _t97;
                  					_v75 = 0xd7;
                  					_v74 = 0x50;
                  					_v73 = 0x85;
                  					_v72 = 0x6b;
                  					_v71 = 0x19;
                  					_v70 = 0x32;
                  					_v69 = 0xcc;
                  					_v68 = 0x45;
                  					_v67 = 0xf;
                  					_v66 = 8;
                  					_v65 = 0x1e;
                  					_v64 = 0xb6;
                  					_v63 = 0xa5;
                  					_v62 = 0x6a;
                  					_v61 = 0xe4;
                  					_v60 = 0xa1;
                  					_v59 = 0xc7;
                  					_v58 = 0xc4;
                  					_v57 = 0x76;
                  					_v56 = 0x33;
                  					_v55 = 0x59;
                  					_v54 = 0x71;
                  					_v53 = 0x34;
                  					_v52 = 0x59;
                  					_v51 = 0x23;
                  					_v50 = 0x8d;
                  					_v49 = 0x82;
                  					_v48 = 0x8b;
                  					_v47 = 0xa5;
                  					_v46 = 0x59;
                  					_v45 = 0xb6;
                  					_v44 = 0xc5;
                  					_v43 = 0x50;
                  					_v42 = 0xe8;
                  					_v41 = 0x9a;
                  					_v40 = 0xf4;
                  					_v39 = 0xf4;
                  					_v38 = 0xd;
                  					_v37 = 0xfd;
                  					_v36 = 0x21;
                  					_v35 = 0x12;
                  					_v34 = 0x7a;
                  					_v33 = 0x32;
                  					_v32 = 0x91;
                  					_v31 = 0x35;
                  					_v30 = 0xd3;
                  					_v29 = 0xb0;
                  					_v28 = 0x73;
                  					_v27 = 0x97;
                  					E004236CA(_t147);
                  					if(E0042371F() <= 0) {
                  						__eflags =  *0x47e114; // 0x0
                  						if(__eflags != 0) {
                  							E0041C047(0x47df68,  &_v76, 0x32);
                  						}
                  						E0041C2E0(0x47df68);
                  						E0041DCD0(__eflags, 0x47df68);
                  						E0041C2E0(0x47df68);
                  						__eflags =  *0x47e114; // 0x0
                  						if(__eflags == 0) {
                  							L31:
                  							__eflags =  *0x47f27c; // 0x1
                  							if(__eflags == 0) {
                  								__eflags =  *0x47e84c & 0x00000002;
                  								if(( *0x47e84c & 0x00000002) != 0) {
                  									_push(3);
                  								} else {
                  									_push(1);
                  								}
                  								ShowWindow( *0x47e178, ??);
                  								DestroyWindow(_v20);
                  							}
                  							goto L36;
                  						} else {
                  							__eflags =  *0x47f27c; // 0x1
                  							if(__eflags != 0) {
                  								L36:
                  								__eflags =  *0x47e114; // 0x0
                  								if(__eflags != 0) {
                  									_t174 = _v8;
                  								} else {
                  									_t174 = E00424DD9(4);
                  								}
                  								_t103 = E0041C8FD(0x47e2f0, 0x74);
                  								__eflags = _t103;
                  								if(_t103 != 0) {
                  									__eflags =  *0x47f27c; // 0x1
                  									if(__eflags == 0) {
                  										_t108 =  *0x47e72c(0);
                  										__eflags = _t108;
                  										if(_t108 != 0) {
                  											 *0x47f289 = 1;
                  											 *0x47e744(0, 1);
                  											_t110 =  *0x47e73c(0, 0, 0);
                  											__eflags = _t110;
                  											if(_t110 != 0) {
                  												_t112 =  *0x47e730(0, E0041CD1E(0x47e758));
                  												__eflags = _t112;
                  												if(_t112 != 0) {
                  													 *0x47e738(0, 0, 0, 0x47e754);
                  												}
                  											}
                  										}
                  									}
                  								}
                  								__eflags =  *0x47e114; // 0x0
                  								if(__eflags == 0) {
                  									L48:
                  									__eflags =  *0x47e610; // 0x0
                  									if(__eflags == 0) {
                  										_t174->i = _t174->i + 0xc;
                  										__eflags = _t174->i;
                  										E00424DCE(_t174);
                  									}
                  									goto L50;
                  								} else {
                  									__eflags =  *0x47e610; // 0x0
                  									if(__eflags != 0) {
                  										L50:
                  										_t104 = 1;
                  										return _t104;
                  									}
                  									E0041B2CC(_v12,  *_v12, "This setup program was created using unregistered shareware version of Astrum InstallWizard and distribution of this program is strictly forbidden.\r\n(This message will not be shown in the registered version of Astrum InstallWizard.)", "Astrum Installer", 0x30);
                  									_t107 = E00424DD9(4);
                  									_v8 = _t107;
                  									_t174 = _t107;
                  									goto L48;
                  								}
                  							}
                  							E0040EFE7();
                  							goto L31;
                  						}
                  					} else {
                  						return 0;
                  					}
                  				}
                  				_t189 =  *0x47e610; // 0x0
                  				if(_t189 != 0) {
                  					goto L19;
                  				}
                  				_t190 =  *0x47e614; // 0x0
                  				if(_t190 != 0) {
                  					goto L19;
                  				}
                  				_v20 = CreateDialogParamA( *0x47e17c, 0x12, 0, E00405811, 0);
                  				_t126 = E0041D46F("<__Internal_Initializing__>");
                  				if(_t126 != 0) {
                  					SetWindowTextA(GetDlgItem(_v20, 0x422), _t126);
                  				}
                  				_t127 = E0041D46F("<__Internal_InitializingTitle__>");
                  				if(_t127 != 0) {
                  					SetWindowTextA(_v20, _t127);
                  				}
                  				goto L19;
                  			}


                  APIs
                  • GetUserNameA.ADVAPI32(?,wQA), ref: 004180B4
                    • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0221020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                    • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                    • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                  • LoadLibraryA.KERNELBASE(Secur32.dll,?,?,0047DFB8,00000000), ref: 004180DC
                  • GetProcAddress.KERNEL32(00000000,GetUserNameExA), ref: 004180EF
                  • FreeLibrary.KERNELBASE(?,?,0047DFB8,00000000), ref: 00418125
                  • CreateDialogParamA.USER32(00000012,00000000,00405811,00000000,00000000), ref: 004181DE
                  • GetDlgItem.USER32 ref: 00418204
                  • SetWindowTextA.USER32(00000000), ref: 0041820B
                  • SetWindowTextA.USER32(?,00000000), ref: 0041821F
                  • ShowWindow.USER32(00000003,00000000,?,?,0047DFB8,00000000), ref: 004183C4
                  • DestroyWindow.USER32(?,?,0047DFB8,00000000), ref: 004183CD
                    • Part of subcall function 0041BF12: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0047DFB8), ref: 0041BF2C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Window$Global$LibraryText$AddressAllocCreateDestroyDialogFreeItemLoadLockNameParamProcShowUnlockUserlstrlen
                  • String ID: !$#$2$2$3$4$5$8G$:$<__Internal_InitializingTitle__>$<__Internal_Initializing__>$Astrum Installer$E$GetUserNameExA$Graphics initialization failed. Dialog image will not be shown$P$P$PG$RegisteredOrganization$Secur32.dll$Software\Microsoft\Windows NT\CurrentVersion$Software\Microsoft\Windows\CurrentVersion$This setup program was created using unregistered shareware version of Astrum InstallWizard and distribution of this program is strictly forbidden.(This message will not be shown in the registered version of Astrum InstallWizard.)$U$XG$Y$Y$Y$\$j$k$q$s$v$wQA$z
                  • API String ID: 4258967090-873418493
                  • Opcode ID: 53ec0108de2d384e0cf6598ec89a1f3f3092e023dac03804c953e0beced376f2
                  • Instruction ID: eff9955d6398441ffca9b6b4d566012dda0002604f72869e784a3dfacfae18f8
                  • Opcode Fuzzy Hash: 53ec0108de2d384e0cf6598ec89a1f3f3092e023dac03804c953e0beced376f2
                  • Instruction Fuzzy Hash: 2DC13630D04389AADF21D7B99C456DE7F649F19314F0802AFF154762D2CB790986C76E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E0041938D(intOrPtr __ecx) {
                  				signed int _v5;
                  				intOrPtr _v12;
                  				int _v16;
                  				char _v28;
                  				int _v32;
                  				unsigned int _v36;
                  				void* _v40;
                  				char _v52;
                  				char _v64;
                  				unsigned int _v68;
                  				char _v80;
                  				char _v92;
                  				char _v104;
                  				signed short _v108;
                  				signed int _v112;
                  				char _v124;
                  				char _v136;
                  				char _v148;
                  				char _v160;
                  				char _v172;
                  				char _v184;
                  				void _v235;
                  				char _v236;
                  				void* _t140;
                  				intOrPtr _t143;
                  				intOrPtr _t145;
                  				unsigned int _t147;
                  				int _t152;
                  				intOrPtr _t176;
                  				intOrPtr _t177;
                  				signed char _t180;
                  				signed char _t182;
                  				int _t200;
                  				void* _t213;
                  				void* _t231;
                  				int _t237;
                  				int _t240;
                  				void* _t244;
                  				int _t246;
                  				int _t273;
                  				unsigned int _t275;
                  				void* _t284;
                  				int _t286;
                  				void* _t287;
                  				intOrPtr* _t289;
                  				unsigned int _t290;
                  				char* _t314;
                  				char* _t319;
                  				char* _t340;
                  				char* _t366;
                  				signed int _t371;
                  				unsigned int _t391;
                  				int _t402;
                  				unsigned int _t406;
                  				void* _t407;
                  				void* _t413;
                  				void* _t415;
                  				void* _t423;
                  				void* _t426;
                  
                  				_t402 = 0;
                  				_t415 =  *0x47e568 - _t402; // 0x1
                  				_v12 = __ecx;
                  				_v32 = 0;
                  				if(_t415 <= 0) {
                  					return _t140;
                  				} else {
                  					goto L1;
                  				}
                  				do {
                  					L1:
                  					_t289 = E0041E860(0x47e55c, _v32);
                  					_v16 = _t289;
                  					if(E00412BA7( *((intOrPtr*)(_t289 + 0x2c))) == 0) {
                  						goto L111;
                  					}
                  					E0041BDC5( &_v28);
                  					_t145 =  *_t289;
                  					_v5 = 1;
                  					_t417 = _t145 - 1;
                  					if(_t145 != 1) {
                  						__eflags = _t145 - 2;
                  						if(_t145 != 2) {
                  							__eflags = _t145 - 3;
                  							if(_t145 != 3) {
                  								__eflags = _t145 - 4;
                  								if(_t145 != 4) {
                  									__eflags = _t145 - 5;
                  									if(_t145 != 5) {
                  										goto L110;
                  									}
                  									_t147 =  *0x47e6f4; // 0x9
                  									__eflags = _t147 - 0xffffffff;
                  									if(__eflags == 0) {
                  										_t147 = E0041FEF9(); // executed
                  										 *0x47e6f4 = _t147;
                  									}
                  									_v108 = _t147;
                  									_t64 = _t289 + 8; // 0x8
                  									_t408 = _t64;
                  									_v112 = _t147 >> 0x10;
                  									_v16 = 0;
                  									__eflags = E0041C1FA(_t64, __eflags, "7.0", 1);
                  									if(__eflags == 0) {
                  										__eflags = E0041C1FA(_t408, __eflags, "8.0", 1);
                  										if(__eflags == 0) {
                  											__eflags = E0041C1FA(_t408, __eflags, "8.1", 1);
                  											if(__eflags == 0) {
                  												_t152 = E0041C1FA(_t408, __eflags, "9.0", 1);
                  												__eflags = _t152;
                  												if(_t152 == 0) {
                  													goto L75;
                  												}
                  												_push(9);
                  												goto L74;
                  											}
                  											_push(8);
                  											_v16 = 1;
                  											_pop(0);
                  											goto L75;
                  										}
                  										_push(8);
                  										goto L74;
                  									} else {
                  										_push(7);
                  										L74:
                  										_pop(0);
                  										L75:
                  										__eflags = _v108 & 0x0000ffff;
                  										if(__eflags < 0) {
                  											L78:
                  											_t71 =  &_v5;
                  											 *_t71 = _v5 & 0x00000000;
                  											__eflags =  *_t71;
                  											L79:
                  											_push("DirectX");
                  											goto L80;
                  										}
                  										if(__eflags != 0) {
                  											goto L79;
                  										}
                  										__eflags = (_v112 & 0x0000ffff) - _v16;
                  										if((_v112 & 0x0000ffff) >= _v16) {
                  											goto L79;
                  										}
                  										goto L78;
                  									}
                  								}
                  								E0041BE35( &_v92, 0x42e0c8);
                  								_t39 = _t289 + 8; // 0x8
                  								_t409 = _t39;
                  								__eflags = E0041C1FA(_t39, __eflags, "2.5", 1);
                  								if(__eflags == 0) {
                  									__eflags = E0041C1FA(_t409, __eflags, "2.6", 1);
                  									if(__eflags == 0) {
                  										__eflags = E0041C1FA(_t409, __eflags, "2.7", 1);
                  										if(__eflags == 0) {
                  											_t237 = E0041C1FA(_t409, __eflags, "2.8", 1);
                  											__eflags = _t237;
                  											if(_t237 == 0) {
                  												L57:
                  												E0041BDC5( &_v124);
                  												_v40 = _t402;
                  												_t240 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\DataAccess", _t402, 0x20019,  &_v40);
                  												__eflags = _t240;
                  												if(_t240 == 0) {
                  													_v236 = _v236 & _t240;
                  													_t371 = 0xc;
                  													memset( &_v235, _t240, _t371 << 2);
                  													_t413 = _t413 + 0xc;
                  													asm("stosb");
                  													_v16 = 0x32;
                  													RegQueryValueExA(_v40, "FullInstallVer", 0, 0,  &_v236,  &_v16);
                  													E0041BF12( &_v124,  &_v236);
                  													RegCloseKey(_v40);
                  													_t402 = 0;
                  													__eflags = 0;
                  												}
                  												__eflags = _v124 - _t402;
                  												if(_v124 == _t402) {
                  													L61:
                  													_t58 =  &_v5;
                  													 *_t58 = _v5 & 0x00000000;
                  													__eflags =  *_t58;
                  													goto L62;
                  												} else {
                  													_t244 = E0041CD1E( &_v124);
                  													_t246 = E00424A30(E0041CD1E( &_v92), _t244);
                  													__eflags = _t246;
                  													if(_t246 <= 0) {
                  														L62:
                  														E0041BF12( &_v28, "Microsoft Data Access Components");
                  														E0041BEFB( &_v124);
                  														_t366 =  &_v92;
                  														L13:
                  														E0041BEFB(_t366);
                  														goto L82;
                  													}
                  													goto L61;
                  												}
                  											}
                  											_push("2.80.1022.3");
                  											L56:
                  											E0041BF12( &_v92);
                  											goto L57;
                  										}
                  										_push("2.70.9001.0");
                  										goto L56;
                  									}
                  									_push("2.60.6526.3");
                  									goto L56;
                  								}
                  								_push("2.50.4403.12");
                  								goto L56;
                  							} else {
                  								E0041BE99( &_v172, 0x47e0a0);
                  								_t406 = 0;
                  								E0041C047( &_v172, "\\hhctrl.ocx", 0);
                  								_v36 = 0;
                  								_v68 = 0;
                  								E0040D883(E0041CD1E( &_v172),  &_v36,  &_v68);
                  								_t413 = _t413 + 0xc;
                  								_t290 = 0;
                  								_t410 = _v16 + 8;
                  								__eflags = E0041C1FA(_v16 + 8, __eflags, "1.0", 1);
                  								if(__eflags == 0) {
                  									__eflags = E0041C1FA(_t410, __eflags, "1.1", 1);
                  									if(__eflags == 0) {
                  										__eflags = E0041C1FA(_t410, __eflags, "1.1a", 1);
                  										if(__eflags == 0) {
                  											__eflags = E0041C1FA(_t410, __eflags, "1.1b", 1);
                  											if(__eflags == 0) {
                  												__eflags = E0041C1FA(_t410, __eflags, "1.2", 1);
                  												if(__eflags == 0) {
                  													__eflags = E0041C1FA(_t410, __eflags, "1.21", 1);
                  													if(__eflags == 0) {
                  														__eflags = E0041C1FA(_t410, __eflags, "1.21a", 1);
                  														if(__eflags == 0) {
                  															__eflags = E0041C1FA(_t410, __eflags, "1.22", 1);
                  															if(__eflags == 0) {
                  																__eflags = E0041C1FA(_t410, __eflags, "1.3", 1);
                  																if(__eflags == 0) {
                  																	__eflags = E0041C1FA(_t410, __eflags, "1.31", 1);
                  																	if(__eflags == 0) {
                  																		__eflags = E0041C1FA(_t410, __eflags, "1.32", 1);
                  																		if(__eflags == 0) {
                  																			_t273 = E0041C1FA(_t410, __eflags, "1.33", 1);
                  																			__eflags = _t273;
                  																			if(_t273 != 0) {
                  																				_t406 = 0x4004a;
                  																				_t290 = 0x24390000;
                  																			}
                  																		} else {
                  																			_t406 = 0x4004a;
                  																			_t290 = 0x22ab0000;
                  																		}
                  																	} else {
                  																		_t406 = 0x4004a;
                  																		_t290 = 0x22590000;
                  																	}
                  																} else {
                  																	_t406 = 0x4004a;
                  																	_t290 = 0x21fe0000;
                  																}
                  															} else {
                  																_t406 = 0x40049;
                  																_t290 = 0x21710000;
                  															}
                  														} else {
                  															_t406 = 0x40049;
                  															_t290 = 0x211a0000;
                  														}
                  													} else {
                  														_t406 = 0x40049;
                  														_t290 = 0x20dc0000;
                  													}
                  												} else {
                  													_t406 = 0x40049;
                  													_t290 = 0x203c0000;
                  												}
                  											} else {
                  												_t406 = 0x40048;
                  												_t290 = 0x1fe40000;
                  											}
                  										} else {
                  											_t406 = 0x40048;
                  											_t290 = 0x1c9d0000;
                  										}
                  									} else {
                  										_t406 = 0x40048;
                  										_t290 = 0x1c9b0000;
                  									}
                  								} else {
                  									_t406 = 0x40048;
                  									_t290 = 0x1c7a0000;
                  								}
                  								_t275 = _t406 >> 0x10;
                  								_t391 = _v36 >> 0x10;
                  								__eflags = _t391 - _t275;
                  								if(__eflags < 0) {
                  									L45:
                  									_t33 =  &_v5;
                  									 *_t33 = _v5 & 0x00000000;
                  									__eflags =  *_t33;
                  									L46:
                  									E0041BF12( &_v28, "HTML Help Viewer ");
                  									E0041BEFB( &_v172);
                  									_t289 = _v16;
                  									goto L81;
                  								}
                  								if(__eflags != 0) {
                  									L42:
                  									__eflags = _t391 - _t275;
                  									if(_t391 != _t275) {
                  										goto L46;
                  									}
                  									__eflags = _v36 - _t406;
                  									if(_v36 != _t406) {
                  										goto L46;
                  									}
                  									__eflags = _v68 >> 0x10 - _t290 >> 0x10;
                  									if(_v68 >> 0x10 >= _t290 >> 0x10) {
                  										goto L46;
                  									}
                  									goto L45;
                  								}
                  								__eflags = _v36 - _t406;
                  								if(_v36 < _t406) {
                  									goto L45;
                  								}
                  								goto L42;
                  							}
                  						}
                  						E0041BDC5( &_v160);
                  						E00420AA9( &_v160);
                  						__eflags = _v160 - _t402;
                  						if(_v160 == _t402) {
                  							L11:
                  							_t16 =  &_v5;
                  							 *_t16 = _v5 & 0x00000000;
                  							__eflags =  *_t16;
                  							L12:
                  							E0041BF12( &_v28, "Java ");
                  							_t366 =  &_v160;
                  							goto L13;
                  						}
                  						_t284 = E0041CD1E( &_v160);
                  						_t15 = _t289 + 8; // 0x8
                  						_t286 = E00424A30(E0041CD1E(_t15), _t284);
                  						__eflags = _t286;
                  						if(_t286 <= 0) {
                  							goto L12;
                  						}
                  						goto L11;
                  					} else {
                  						_t287 = E0041FB81();
                  						_t8 = _t289 + 8; // 0x8
                  						_t407 = _t287;
                  						if(E0041C1FA(_t8, _t417, "1.1", 1) != 0) {
                  							_push(1);
                  							_pop(0);
                  						}
                  						if(_t407 < 0) {
                  							_v5 = _v5 & 0x00000000;
                  						}
                  						_push(".NET Framework ");
                  						L80:
                  						E0041BF12( &_v28);
                  						L81:
                  						_t402 = 0;
                  						L82:
                  						_t422 = _v5;
                  						if(_v5 != 0) {
                  							L110:
                  							E0041BEFB( &_v28);
                  							goto L111;
                  						}
                  						E0041BE99( &_v80,  &_v28);
                  						_t77 = _t289 + 0x14; // 0x14
                  						E0041C0C5( &_v80, _t422, _t77);
                  						_t79 = _t289 + 8; // 0x8
                  						E0041C0C5( &_v28, _t422, _t79);
                  						_t423 =  *0x47e19c - _t402; // 0x1
                  						if(_t423 == 0 || E0041E3EF() != 0) {
                  							E0041BDC5( &_v136);
                  							_push(E0041CD1E( &_v28));
                  							E0041C467( &_v136, E0041CD1E(0x47f0f8));
                  							_t413 = _t413 + 0xc;
                  							__eflags = E0041B2CC(_v12, _t402, E0041CD1E( &_v136), _t402, 4) - 7;
                  							if(__eflags == 0) {
                  								E0041A1B5(1);
                  								E0041BEFB( &_v136);
                  								E0041BEFB( &_v80);
                  								return E0041BEFB( &_v28);
                  							}
                  							_t314 =  &_v136;
                  							goto L92;
                  						} else {
                  							E0041BDC5( &_v148);
                  							_push(E0041CD1E( &_v28));
                  							E0041C467( &_v148, E0041CD1E(0x47f104));
                  							_t413 = _t413 + 0xc;
                  							_t231 = E0041B2CC(_v12, _t402, E0041CD1E( &_v148), _t402, 3);
                  							if(_t231 != 7) {
                  								__eflags = _t231 - 2;
                  								if(__eflags == 0) {
                  									E0041A1B5(1);
                  								}
                  								_t314 =  &_v148;
                  								L92:
                  								E0041BEFB(_t314);
                  								_t95 = _t289 + 0x20; // 0x20
                  								_t411 = _t95;
                  								E004164B1(_v12, __eflags, _t95);
                  								E0041A81A(__eflags, _t95);
                  								E0041B3B9(_v12, _t411, 0x7fffffff);
                  								E0041BDC5( &_v104);
                  								_t176 =  *_t289;
                  								__eflags = _t176 - 3;
                  								if(_t176 != 3) {
                  									__eflags = _t176 - 4;
                  									if(_t176 != 4) {
                  										L97:
                  										_t177 =  *((intOrPtr*)(_t289 + 4));
                  										__eflags = _t177 - _t402;
                  										if(_t177 != _t402) {
                  											__eflags = _t177 - 1;
                  											if(_t177 != 1) {
                  												L106:
                  												__eflags =  *_t289 - 4;
                  												if( *_t289 == 4) {
                  													_t180 =  *0x47e190; // 0x2080c08
                  													_t182 = _t180 & 0x000000f3 | 0x00000002;
                  													__eflags = _t182;
                  													 *0x47e190 = _t182;
                  												}
                  												L108:
                  												_t319 =  &_v104;
                  												L109:
                  												E0041BEFB(_t319);
                  												E0041BEFB( &_v80);
                  												goto L110;
                  											}
                  											E0041BDC5( &_v64);
                  											E0041BDC5( &_v52);
                  											_push(E0041CD1E( &_v28));
                  											E0041C467( &_v52, "<ResourceDir>\\3rd-party\\%s.exe");
                  											E0041A81A(__eflags,  &_v52);
                  											_push(E0041CD1E( &_v80));
                  											_push(E0041CD1E(_t411));
                  											_push(E0041CD1E( &_v52));
                  											E0041C467( &_v64, "\"<ResourceDir>\\3rd-party\\Downloader.exe\" /download /local \"%s\" /url \"%s\" /program \"%s\"");
                  											_t413 = _t413 + 0x20;
                  											E0041A81A(__eflags,  &_v64);
                  											E004114E1(E0041CD1E( &_v64), _t402);
                  											_t200 = E0040DF52(E0041CD1E( &_v52));
                  											__eflags = _t200;
                  											if(_t200 != 0) {
                  												L104:
                  												E0041BF12( &_v64, 0x42e0c8);
                  												_push(E0041CD1E( &_v104));
                  												_push(E0041CD1E( &_v52));
                  												E0041C467( &_v64, "\"%s\"%s");
                  												_t413 = _t413 + 0x10;
                  												E004114E1(E0041CD1E( &_v64), _t402);
                  												DeleteFileA(E0041CD1E( &_v52));
                  												E0041BEFB( &_v52);
                  												_t340 =  &_v64;
                  												L105:
                  												E0041BEFB(_t340);
                  												goto L106;
                  											}
                  											_t213 = E0041B2CC(_v12, _t402, E0041CD1E(0x47f110), _t402, 4);
                  											__eflags = _t213 - 6;
                  											if(_t213 != 6) {
                  												E0041A1B5(1);
                  												goto L104;
                  											}
                  											E0041BEFB( &_v52);
                  											E0041BEFB( &_v64);
                  											goto L108;
                  										}
                  										E0041BDC5( &_v184);
                  										_push(E0041CD1E( &_v104));
                  										_push(E0041CD1E(_t411));
                  										E0041C467( &_v184, "\"%s\"%s");
                  										_t413 = _t413 + 0x10;
                  										E004114E1(E0041CD1E( &_v184), _t402);
                  										_t340 =  &_v184;
                  										goto L105;
                  									}
                  									_push(" /q:a /c:\"dasetup.exe /q /n\"");
                  									L96:
                  									E0041BF12( &_v104);
                  									goto L97;
                  								}
                  								_push(" /r:n /q:a");
                  								goto L96;
                  							}
                  							_t319 =  &_v148;
                  							goto L109;
                  						}
                  					}
                  					L111:
                  					_v32 = _v32 + 1;
                  					_t143 = _v32;
                  					_t426 = _t143 -  *0x47e568; // 0x1
                  				} while (_t426 < 0);
                  				return _t143;
                  			}


                  APIs
                    • Part of subcall function 0041BDC5: GlobalAlloc.KERNELBASE(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                    • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                    • Part of subcall function 0041FB81: FindFirstFileA.KERNEL32(00000000,?,00000001,00420E9E,0047DFBC), ref: 0041FC08
                    • Part of subcall function 0041FB81: GetFileAttributesA.KERNEL32(00000000,\system.dll,00000000,0000002E,00000000,00420E9F), ref: 0041FC66
                    • Part of subcall function 0041FB81: lstrlenA.KERNEL32(0000002E), ref: 0041FC78
                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\DataAccess,00000000,00020019,0047DFB8,2.8,00000001,2.7,00000001,2.6,00000001,2.5,00000001,0042E0C8,00000000,?), ref: 00419741
                  • RegQueryValueExA.ADVAPI32(0047DFB8,FullInstallVer,00000000,00000000,?,?), ref: 0041977B
                  • RegCloseKey.ADVAPI32(0047DFB8,?), ref: 00419793
                    • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                    • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                    • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                    • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                    • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                    • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                    • Part of subcall function 0040D883: GetFileVersionInfoSizeA.VERSION(00000000,00000000,00000000,?,00000000,00000000), ref: 0040D891
                  • DeleteFileA.KERNEL32(00000000,00000000,00000000,0042E0C8,00000000,00000000,0000000E,?,?,?,?,FFFFFFFF,00000000,00000000,00000004,?), ref: 00419B64
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocFileLock$Unlocklstrlen$AttributesCloseDeleteFindFirstInfoOpenQuerySizeValueVersion
                  • String ID: /q:a /c:"dasetup.exe /q /n"$ /r:n /q:a$"%s"%s$"<ResourceDir>\3rd-party\Downloader.exe" /download /local "%s" /url "%s" /program "%s"$.NET Framework $1.0$1.1$1.1a$1.1b$1.2$1.21$1.21a$1.22$1.3$1.31$1.32$1.33$2$2.5$2.50.4403.12$2.6$2.60.6526.3$2.7$2.70.9001.0$2.8$2.80.1022.3$7.0$8.0$8.1$9.0$<ResourceDir>\3rd-party\%s.exe$DirectX$FullInstallVer$HTML Help Viewer $Java $Microsoft Data Access Components$Software\Microsoft\DataAccess$\hhctrl.ocx$\G
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 34%
                  			E0041FEF9() {
                  				void* _v8;
                  				struct HINSTANCE__* _v12;
                  				void* _v16;
                  				void* _v20;
                  				char _v24;
                  				struct HINSTANCE__* _v28;
                  				void* _v32;
                  				void* _v36;
                  				signed short _v40;
                  				void* _v44;
                  				void* _v48;
                  				struct HINSTANCE__* _t61;
                  				_Unknown_base(*)()* _t62;
                  				void* _t65;
                  				long _t67;
                  				intOrPtr* _t68;
                  				struct HINSTANCE__* _t70;
                  				_Unknown_base(*)()* _t71;
                  				intOrPtr* _t73;
                  				void* _t75;
                  				intOrPtr* _t76;
                  				intOrPtr* _t78;
                  				intOrPtr* _t80;
                  				struct HINSTANCE__* _t83;
                  				intOrPtr* _t84;
                  				intOrPtr* _t86;
                  				struct HINSTANCE__* _t88;
                  				intOrPtr* _t90;
                  				intOrPtr* _t92;
                  				intOrPtr* _t94;
                  				void* _t97;
                  				intOrPtr* _t98;
                  				char* _t104;
                  				intOrPtr* _t105;
                  				intOrPtr* _t107;
                  				_Unknown_base(*)()* _t111;
                  				void* _t113;
                  				intOrPtr* _t114;
                  				void* _t117;
                  				void* _t120;
                  				intOrPtr* _t121;
                  				struct HINSTANCE__* _t151;
                  				void* _t152;
                  
                  				_v8 = 0;
                  				_v20 = 0;
                  				_v36 = 0;
                  				_v44 = 0;
                  				_v16 = 0;
                  				_v24 = 0;
                  				_v32 = 0;
                  				_v40 = 0;
                  				_t61 = LoadLibraryA("DDRAW.DLL"); // executed
                  				_v12 = _t61;
                  				if(_t61 != 0) {
                  					_t62 = GetProcAddress(_t61, "DirectDrawCreate");
                  					if(_t62 == 0) {
                  						L16:
                  						FreeLibrary(_v12);
                  						return 0;
                  					}
                  					_t65 =  *_t62(0,  &_v8, 0); // executed
                  					if(_t65 < 0) {
                  						goto L16;
                  					}
                  					_push( &_v20);
                  					_push(0x428818);
                  					_t67 = NtProtectVirtualMemory(_v8); // executed
                  					if(_t67 >= 0) {
                  						_t68 = _v20;
                  						 *((intOrPtr*)( *_t68 + 8))(_t68);
                  						_t70 = LoadLibraryA("DINPUT.DLL"); // executed
                  						_v28 = _t70;
                  						if(_t70 != 0) {
                  							_t71 = GetProcAddress(_t70, "DirectInputCreateA");
                  							if(_t71 == 0) {
                  								L11:
                  								_push(2);
                  								L14:
                  								_pop(0);
                  								FreeLibrary(_v28);
                  								L15:
                  								_t73 = _v8;
                  								 *((intOrPtr*)( *_t73 + 8))(_t73);
                  								goto L16;
                  							}
                  							_t75 =  *_t71( *0x47e17c, 0x500,  &_v16, 0); // executed
                  							if(_t75 == 0) {
                  								_t76 = _v16;
                  								_push( &_v24);
                  								_push(0x4287e8);
                  								_push(_t76);
                  								if( *((intOrPtr*)( *_t76))() >= 0) {
                  									_t78 = _v24;
                  									 *((intOrPtr*)( *_t78 + 8))(_t78);
                  									_t80 = _v16;
                  									 *((intOrPtr*)( *_t80 + 8))(_t80);
                  									FreeLibrary(_v28); // executed
                  									_t83 = LoadLibraryA("DINPUT8.DLL"); // executed
                  									_v28 = _t83;
                  									if(_t83 == 0) {
                  										L22:
                  										_t84 = _v8;
                  										_push( &_v36);
                  										_push(0x428808);
                  										_push(_t84);
                  										if( *((intOrPtr*)( *_t84))() >= 0) {
                  											_t86 = _v36;
                  											 *((intOrPtr*)( *_t86 + 8))(_t86);
                  											_t88 = LoadLibraryA("DMUSIC.DLL");
                  											_t151 = _t88;
                  											if(_t151 != 0) {
                  												__imp__CoInitialize(0);
                  												if(_t88 >= 0) {
                  													_t104 =  &_v48;
                  													__imp__CoCreateInstance(0x4287c8, 0, 3, 0x4287b8, _t104);
                  													if(_t104 >= 0) {
                  														_t105 = _v48;
                  														 *((intOrPtr*)( *_t105 + 8))(_t105);
                  														_v40 = 1;
                  													}
                  												}
                  												__imp__CoUninitialize();
                  												FreeLibrary(_t151);
                  												_t90 = _v8;
                  												_push( &_v44);
                  												_push(0x4287f8);
                  												_push(_t90);
                  												if( *((intOrPtr*)( *_t90))() >= 0) {
                  													_t92 = _v44;
                  													 *((intOrPtr*)( *_t92 + 8))(_t92);
                  													_t94 = _v8;
                  													 *((intOrPtr*)( *_t94 + 8))(_t94);
                  													FreeLibrary(_v12);
                  													_t97 = 7;
                  													return _t97;
                  												} else {
                  													_t98 = _v8;
                  													 *((intOrPtr*)( *_t98 + 8))(_t98);
                  													FreeLibrary(_v12);
                  													return (_v40 & 0x0000ffff) << 0x00000010 | 0x00000006;
                  												}
                  											}
                  											_push(6);
                  											L26:
                  											_t107 = _v8;
                  											_pop(_t152);
                  											 *((intOrPtr*)( *_t107 + 8))(_t107);
                  											FreeLibrary(_v12);
                  											return _t152;
                  										}
                  										_push(5);
                  										goto L26;
                  									}
                  									_t111 = GetProcAddress(_t83, "DirectInput8Create");
                  									if(_t111 == 0) {
                  										L21:
                  										FreeLibrary(_v28);
                  										goto L22;
                  									}
                  									_t113 =  *_t111( *0x47e17c, 0x800, 0x4287d8,  &_v32, 0); // executed
                  									if(_t113 < 0) {
                  										goto L21;
                  									}
                  									_t114 = _v32;
                  									 *((intOrPtr*)( *_t114 + 8))(_t114);
                  									FreeLibrary(_v28); // executed
                  									_t117 = _v8;
                  									 *((intOrPtr*)( *_t117 + 8))(_t117);
                  									FreeLibrary(_v12); // executed
                  									_t120 = E0041FD0E( &_v24, 8); // executed
                  									return _t120;
                  								}
                  								_t121 = _v16;
                  								 *((intOrPtr*)( *_t121 + 8))(_t121);
                  								_push(3);
                  								goto L14;
                  							}
                  							goto L11;
                  						}
                  						_push(2);
                  						L6:
                  						_pop(0);
                  						goto L15;
                  					}
                  					_push(1);
                  					goto L6;
                  				}
                  				return 0;
                  			}

                  APIs
                  • LoadLibraryA.KERNELBASE(DDRAW.DLL,00000001,00000000,00000000,00000001,<CPUFlags>,00000001,<CPUType>,00000001,<CPUSpeed>,00000001,00000000,00000000,?,?), ref: 0041FF27
                  • GetProcAddress.KERNEL32(00000000,DirectDrawCreate), ref: 0041FF43
                  • NtProtectVirtualMemory.NTDLL(?,00428818,?,?,?,?,00412B18,00000001,00000000,00000000,00000000,00000000,00000000,0047DFB8,?,?), ref: 0041FF6C
                  • FreeLibrary.KERNEL32(?,?,?,?,00412B18,00000001,00000000,00000000,00000000,00000000,00000000,0047DFB8,?,?,00000000), ref: 0041FFEE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Library$AddressFreeLoadMemoryProcProtectVirtual
                  • String ID: DDRAW.DLL$DINPUT.DLL$DINPUT8.DLL$DMUSIC.DLL$DirectDrawCreate$DirectInput8Create$DirectInputCreateA
                  • API String ID: 2455427899-3038032637
                  • Opcode ID: 13716e16cda4e295f7d045c615a71956f364686ee3ef6c40b621549153a8947e
                  • Instruction ID: 0ac77204e77cf816d812a61ffea9b3b6a34bdbd4df8a9caef812cf474fc0b842
                  • Opcode Fuzzy Hash: 13716e16cda4e295f7d045c615a71956f364686ee3ef6c40b621549153a8947e
                  • Instruction Fuzzy Hash: FB814071B00119EFDB00DBA4DC45EAEBBB8EF49704F60406AF105EB1A1DB759D42CB69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E00411811() {
                  				_Unknown_base(*)()* _v8;
                  				void _v526;
                  				short _v528;
                  				int _t29;
                  				long _t37;
                  				long _t40;
                  				CHAR* _t78;
                  				long _t87;
                  
                  				if(( *0x47f290 & 0x00000001) == 0) {
                  					 *0x47f290 =  *0x47f290 | 0x00000001;
                  					E0041BDC5(0x47f298);
                  					E004251DD( *0x47f290, E00411992);
                  				}
                  				_t78 = E00424DD9(0x104);
                  				if(_t78 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				E00424500(_t78, 0, 0x104);
                  				if(( *0x47e192 & 0x00000080) == 0) {
                  					L7:
                  					_v8 = GetProcAddress(LoadLibraryA("KERNEL32.DLL"), "GetShortPathNameW");
                  					_v528 = 0;
                  					memset( &_v526, 0, 0x81 << 2);
                  					asm("stosw");
                  					__eflags =  *0x47e19c; // 0x1
                  					if(__eflags == 0) {
                  						L12:
                  						E0040DF78(0, 2, _t78);
                  						goto L13;
                  					}
                  					__eflags = _v8;
                  					if(_v8 == 0) {
                  						goto L12;
                  					}
                  					_t37 = E0040E110(0, 2,  &_v528); // executed
                  					__eflags = _t37;
                  					_pop(0);
                  					if(_t37 == 0) {
                  						goto L12;
                  					}
                  					_t40 = GetShortPathNameW( &_v528,  &_v528, 0x104);
                  					__eflags = _t40;
                  					if(_t40 != 0) {
                  						WideCharToMultiByte(0, 0,  &_v528, 0xffffffff, _t78, 0x104, 0, 0);
                  					}
                  					goto L13;
                  				} else {
                  					_t87 =  *0x47e19c; // 0x1
                  					if(_t87 == 0) {
                  						goto L7;
                  					}
                  					lstrcpyA(_t78, E0041CD1E(0x47e064));
                  					L13:
                  					if( *((char*)(lstrlenA(_t78) + _t78 - 1)) != 0x5c) {
                  						lstrcatA(_t78, "\\");
                  					}
                  					lstrcatA(_t78, E0041CD1E(0x47e344));
                  					_t29 = lstrlenA(_t78);
                  					_t89 =  *((char*)(_t29 + _t78 - 1)) - 0x5c;
                  					if( *((char*)(_t29 + _t78 - 1)) != 0x5c) {
                  						lstrcatA(_t78, "\\");
                  					}
                  					if(E0041C1FA(0x47f298, _t89, _t78, 1) == 0) {
                  						E0041BF12(0x47f298, _t78);
                  					}
                  					E00424DCE(_t78);
                  					return E0041CD1E(0x47f298);
                  				}
                  			}

                  APIs
                  • lstrcpyA.KERNEL32(00000000,00000000,00000104,0047F2C8,00000000), ref: 0041188F
                  • LoadLibraryA.KERNEL32(KERNEL32.DLL,00000104,0047F2C8,00000000), ref: 0041189F
                  • GetProcAddress.KERNEL32(00000000,GetShortPathNameW), ref: 004118AB
                    • Part of subcall function 0040E110: SHGetSpecialFolderLocation.SHELL32(00000000,00000081,?,00000081,?,004118E9,00000002,?), ref: 0040E11D
                    • Part of subcall function 0040E110: LoadLibraryA.KERNEL32(SHELL32.DLL,?,004118E9,00000002,?), ref: 0040E12C
                    • Part of subcall function 0040E110: GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 0040E138
                    • Part of subcall function 0040E110: SHGetPathFromIDListW.SHELL32(?,?,00000104,?,004118E9,00000002,?), ref: 0040E149
                    • Part of subcall function 0040E110: SHGetMalloc.SHELL32(?), ref: 0040E158
                  • GetShortPathNameW.KERNELBASE(?,?,00000104), ref: 004118FE
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104,00000000,00000000), ref: 00411914
                  • lstrlenA.KERNEL32(00000000), ref: 0041192D
                  • lstrcatA.KERNEL32(00000000,0042BC5C), ref: 00411942
                  • lstrcatA.KERNEL32(00000000,00000000), ref: 00411950
                  • lstrlenA.KERNEL32(00000000), ref: 00411953
                  • lstrcatA.KERNEL32(00000000,0042BC5C), ref: 00411962
                    • Part of subcall function 0041BDC5: GlobalAlloc.KERNELBASE(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                    • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                  Strings
                  Similarity
                  • API ID: lstrcat$AddressGlobalLibraryLoadPathProclstrlen$AllocByteCharFolderFromListLocationLockMallocMultiNameShortSpecialWidelstrcpy
                  • String ID: $G$DG$GetShortPathNameW$KERNEL32.DLL$dG
                  • API String ID: 34222962-200428141
                  • Opcode ID: 66568acae63ccb5684c66ec1d5b77abda51610691b82027195e93ecbe508e087
                  • Instruction ID: 524a24811f81cc76c8cd29adb63b79f761c01f1d81faf01de5f134878f06db49
                  • Opcode Fuzzy Hash: 66568acae63ccb5684c66ec1d5b77abda51610691b82027195e93ecbe508e087
                  • Instruction Fuzzy Hash: EA3116B16012246AD7206362AC5AFFF275CDF85354F5041AFF614A2193CF7C09C2CA6E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 55%
                  			E0040DE4D(signed int _a4, intOrPtr _a8) {
                  				signed int _v8;
                  				union _ULARGE_INTEGER _v12;
                  				signed int _v16;
                  				union _ULARGE_INTEGER _v20;
                  				signed int _v24;
                  				union _ULARGE_INTEGER _v28;
                  				signed int _t26;
                  				void* _t34;
                  				int _t40;
                  				intOrPtr _t44;
                  				intOrPtr* _t49;
                  				struct HINSTANCE__* _t57;
                  
                  				_t57 = LoadLibraryA("KERNEL32.DLL");
                  				if(_t57 == 0) {
                  					L16:
                  					_t26 = 0;
                  					L17:
                  					return _t26;
                  				}
                  				_t49 = GetProcAddress(_t57, "GetDiskFreeSpaceA");
                  				if(GetProcAddress(_t57, "GetDiskFreeSpaceExA") == 0) {
                  					if(_t49 == 0) {
                  						L14:
                  						_push(_t57);
                  						L15:
                  						FreeLibrary();
                  						goto L16;
                  					}
                  					_t34 =  *_t49(_a4,  &_a4,  &_v8,  &_v24,  &_v16);
                  					_push(_t57);
                  					if(_t34 == 0) {
                  						goto L15;
                  					}
                  					FreeLibrary();
                  					if(_a8 == 1 || _a8 == 3) {
                  						_t26 = _a4 * _v8 * _v24;
                  					} else {
                  						_t26 = _a4 * _v8 * _v16;
                  					}
                  					goto L17;
                  				}
                  				_t40 = GetDiskFreeSpaceExA(_a4,  &_v28,  &_v12,  &_v20); // executed
                  				if(_t40 == 0) {
                  					goto L14;
                  				}
                  				FreeLibrary(_t57);
                  				_t44 = _a8;
                  				if(_t44 == 0) {
                  					return _v12.LowPart;
                  				}
                  				if(_t44 == 1) {
                  					return _v20.LowPart;
                  				}
                  				return _v28.LowPart;
                  			}

                  APIs
                  • LoadLibraryA.KERNEL32(KERNEL32.DLL,0047E1B8,00000000,?,?,004181A7,?,00000001,00000000,?,?,0047DFB8,00000000), ref: 0040DE5A
                  • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceA), ref: 0040DE77
                  • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040DE81
                  • GetDiskFreeSpaceExA.KERNELBASE(00000001,004181A7,00000001,004181A7,?,004181A7,?,00000001,00000000,?,?,0047DFB8,00000000), ref: 0040DE97
                  • FreeLibrary.KERNEL32(00000000,?,004181A7,?,00000001,00000000,?,?,0047DFB8,00000000), ref: 0040DE9E
                  • FreeLibrary.KERNEL32(00000000,?,004181A7,?,00000001,00000000,?,?,0047DFB8,00000000), ref: 0040DEE4
                  • FreeLibrary.KERNEL32(00000000,?,004181A7,?,00000001,00000000,?,?,0047DFB8,00000000), ref: 0040DF11
                  Strings
                  Similarity
                  • API ID: FreeLibrary$AddressProc$DiskLoadSpace
                  • String ID: GetDiskFreeSpaceA$GetDiskFreeSpaceExA$KERNEL32.DLL
                  • API String ID: 3016050134-1388769091
                  • Opcode ID: cac51339aa37a37c0b38b0e3ec0533b737a0eadd2afa2f44f55be0f5c1c07269
                  • Instruction ID: 99b3d4768c8e1177031908bbf476e072c7793a15ef522b5f6e34da5629c1a8af
                  • Opcode Fuzzy Hash: cac51339aa37a37c0b38b0e3ec0533b737a0eadd2afa2f44f55be0f5c1c07269
                  • Instruction Fuzzy Hash: F0212335A0050AEBCB15DBD4CD84CEFB7B8EB95300B508166E502B7290DB34EE0ACBA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00419D70(void* __eflags) {
                  				char _v16;
                  				int _t17;
                  				struct HWND__* _t23;
                  
                  				E0041BE99( &_v16, 0x47e350);
                  				_t17 = 0;
                  				E0041C047( &_v16, "mutex", 0);
                  				CreateMutexA(0, 1, E0041CD1E( &_v16)); // executed
                  				if(GetLastError() == 0xb7) {
                  					_t23 = FindWindowA("AstrumInstaller", E0041CD1E(0x47e850));
                  					if(_t23 != 0) {
                  						if(IsIconic(_t23) != 0) {
                  							ShowWindow(_t23, 3);
                  						}
                  						SetForegroundWindow(_t23);
                  						_t17 = 1;
                  					}
                  				}
                  				E0041BEFB( &_v16);
                  				return _t17;
                  			}

                  APIs
                    • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                    • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                    • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                    • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                    • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                    • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • CreateMutexA.KERNELBASE(00000000,00000001,00000000,mutex,00000000,0047E350,0047DFB8,00000000,?,00000000), ref: 00419DA1
                  • GetLastError.KERNEL32(?,00000000), ref: 00419DA7
                  • FindWindowA.USER32 ref: 00419DC4
                  • IsIconic.USER32(00000000), ref: 00419DD1
                  • ShowWindow.USER32(00000000,00000003,?,00000000), ref: 00419DDE
                  • SetForegroundWindow.USER32(00000000,?,00000000), ref: 00419DE5
                  Strings
                  Similarity
                  • API ID: Global$AllocLockWindow$Unlock$CreateErrorFindForegroundIconicLastMutexShowlstrlen
                  • String ID: AstrumInstaller$PG$mutex
                  • API String ID: 4030978771-2862990435
                  • Opcode ID: 152182e870bd79bf26f4c8501a28129793e7364b919e6823be7903c24ba0705c
                  • Instruction ID: deed96b6678bf80ed0df7a8068bee0f5e1f9b93537221b2de1741e3818a98fb5
                  • Opcode Fuzzy Hash: 152182e870bd79bf26f4c8501a28129793e7364b919e6823be7903c24ba0705c
                  • Instruction Fuzzy Hash: 7301D131741215ABD720BBB6FC9AAEE3728DF10704B50417EF502A21D1DF280E46C6AD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 50%
                  			_entry_(void* __ebx, void* __edi, void* __esi) {
                  				CHAR* _v8;
                  				intOrPtr* _v24;
                  				intOrPtr _v28;
                  				struct _STARTUPINFOA _v96;
                  				intOrPtr _v100;
                  				intOrPtr _v104;
                  				intOrPtr _v108;
                  				unsigned int _t15;
                  				void* _t17;
                  				signed int _t26;
                  				intOrPtr _t28;
                  				signed int _t34;
                  				void* _t37;
                  				unsigned int _t43;
                  				intOrPtr _t49;
                  
                  				_push(0xffffffff);
                  				_push(0x428828);
                  				_push(E00424EE0);
                  				_push( *[fs:0x0]);
                  				 *[fs:0x0] = _t49;
                  				_push(__esi);
                  				_v28 = _t49 - 0x58;
                  				_t15 = GetVersion();
                  				_t43 = _t15;
                  				 *0x47f344 = 0;
                  				_t34 = _t15 & 0x000000ff;
                  				 *0x47f340 = _t34;
                  				 *0x47f33c = _t34 << 8;
                  				 *0x47f338 = _t15 >> 0x10;
                  				_t17 = E00425509(0);
                  				_pop(_t37);
                  				if(_t17 == 0) {
                  					E004254E5(0x1c);
                  					_pop(_t37);
                  				}
                  				_v8 = 0;
                  				E00426871();
                  				 *0x47f840 = GetCommandLineA();
                  				 *0x47f378 = E0042673F();
                  				E004264F2();
                  				E00426439();
                  				E00424C10();
                  				_v96.dwFlags = 0;
                  				GetStartupInfoA( &_v96);
                  				_v104 = E004263E1();
                  				_t52 = _v96.dwFlags & 0x00000001;
                  				if((_v96.dwFlags & 0x00000001) == 0) {
                  					_t26 = 0xa;
                  				} else {
                  					_t26 = _v96.wShowWindow & 0x0000ffff;
                  				}
                  				_push(_t26);
                  				_push(_v104);
                  				_push(0);
                  				_push(GetModuleHandleA(0)); // executed
                  				_t28 = E00415089(_t37, _t43, _t52); // executed
                  				_v100 = _t28;
                  				E00424C3D(_t28);
                  				_t30 = _v24;
                  				_t39 =  *((intOrPtr*)( *_v24));
                  				_v108 =  *((intOrPtr*)( *_v24));
                  				return E0042625D(0, _t52, _t39, _t30);
                  			}



















                  APIs
                  • GetVersion.KERNEL32 ref: 004253F0
                    • Part of subcall function 00425509: HeapCreate.KERNELBASE(00000000,00001000,00000000,00425429,00000000), ref: 0042551A
                    • Part of subcall function 00425509: HeapDestroy.KERNEL32 ref: 00425538
                  • GetCommandLineA.KERNEL32 ref: 0042543E
                  • GetStartupInfoA.KERNEL32(?), ref: 00425469
                  • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0042548C
                    • Part of subcall function 004254E5: ExitProcess.KERNEL32 ref: 00425502
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                  • String ID: 84m
                  • API String ID: 2057626494-1561363240
                  • Opcode ID: 87327f868d3716a83783dc37d80a842ebd0ba583f1b6c7b4a5a2c1a7df7ab565
                  • Instruction ID: b8b399e28620826e2cfe63395139c0ad9996e83d5300fc954ab68d58050df6ad
                  • Opcode Fuzzy Hash: 87327f868d3716a83783dc37d80a842ebd0ba583f1b6c7b4a5a2c1a7df7ab565
                  • Instruction Fuzzy Hash: CE2183B1A017249FD714BFA6FC45A6EBBB9EF44714F90413EF80597290DB384481CA98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E0041D0FD(void* __ecx) {
                  				int _t14;
                  				signed int _t16;
                  				signed int _t17;
                  				signed int _t18;
                  				signed int _t19;
                  				signed int _t20;
                  				signed int _t21;
                  				signed int _t22;
                  				signed int _t23;
                  				signed int _t24;
                  				signed int _t25;
                  				signed int _t26;
                  				signed int _t27;
                  				signed int _t28;
                  				signed int _t29;
                  				signed int _t30;
                  				signed int _t31;
                  				signed int _t32;
                  				signed int _t33;
                  				signed int _t34;
                  				signed int _t35;
                  				signed int _t36;
                  				signed int _t37;
                  				signed int _t38;
                  				void* _t44;
                  				intOrPtr _t53;
                  				void* _t55;
                  				void* _t111;
                  				intOrPtr _t117;
                  				signed int _t118;
                  				void* _t119;
                  				signed int _t120;
                  				void* _t121;
                  				void* _t126;
                  				void* _t128;
                  
                  				_t55 = __ecx;
                  				_t54 =  *(_t121 + 8);
                  				_t14 = lstrcmpA( *(_t121 + 8), "<IT_Type>"); // executed
                  				_t117 =  *((intOrPtr*)(_t121 + 0x18));
                  				if(_t14 == 0) {
                  					_t53 = E0042504E(_t55, _t117);
                  					if(_t53 == 1 || _t53 == 2 || _t53 == 4) {
                  						 *0x47e65c = _t53;
                  					}
                  				}
                  				_t120 = 0;
                  				_t126 =  *0x47e4dc - _t120; // 0x8
                  				if(_t126 <= 0) {
                  					L8:
                  					if(E00424A30(_t54, "<CommonFiles>") != 0) {
                  						_t16 = E00424A30(_t54, "<Date>");
                  						__eflags = _t16;
                  						if(_t16 != 0) {
                  							_t17 = E00424A30(_t54, "<Desktop>");
                  							__eflags = _t17;
                  							if(_t17 != 0) {
                  								_t18 = E00424A30(_t54, "<DesktopNt>");
                  								__eflags = _t18;
                  								if(_t18 != 0) {
                  									_t19 = E00424A30(_t54, "<FontDir>");
                  									__eflags = _t19;
                  									if(_t19 != 0) {
                  										_t20 = E00424A30(_t54, "<InstallDir>");
                  										__eflags = _t20;
                  										if(_t20 != 0) {
                  											_t21 = E00424A30(_t54, "<ProgramFiles>");
                  											__eflags = _t21;
                  											if(_t21 != 0) {
                  												_t22 = E00424A30(_t54, "<Programs>");
                  												__eflags = _t22;
                  												if(_t22 != 0) {
                  													_t23 = E00424A30(_t54, "<ProgramsNt>");
                  													__eflags = _t23;
                  													if(_t23 != 0) {
                  														_t24 = E00424A30(_t54, "<SetupDir>");
                  														__eflags = _t24;
                  														if(_t24 != 0) {
                  															_t25 = E00424A30(_t54, "<ShortcutDir>");
                  															__eflags = _t25;
                  															if(_t25 != 0) {
                  																_t26 = E00424A30(_t54, "<StartMenu>");
                  																__eflags = _t26;
                  																if(_t26 != 0) {
                  																	_t27 = E00424A30(_t54, "<StartMenuNt>");
                  																	__eflags = _t27;
                  																	if(_t27 != 0) {
                  																		_t28 = E00424A30(_t54, "<StartUp>");
                  																		__eflags = _t28;
                  																		if(_t28 != 0) {
                  																			_t29 = E00424A30(_t54, "<StartUpNt>");
                  																			__eflags = _t29;
                  																			if(_t29 != 0) {
                  																				_t30 = E00424A30(_t54, "<SystemDir>");
                  																				__eflags = _t30;
                  																				if(_t30 != 0) {
                  																					_t31 = E00424A30(_t54, "<SystemDrive>");
                  																					__eflags = _t31;
                  																					if(_t31 != 0) {
                  																						_t32 = E00424A30(_t54, "<TempDir>");
                  																						__eflags = _t32;
                  																						if(_t32 != 0) {
                  																							_t33 = E00424A30(_t54, "<WindowsDir>");
                  																							__eflags = _t33;
                  																							if(_t33 != 0) {
                  																								_t34 = E00424A30(_t54, "<UserName>");
                  																								__eflags = _t34;
                  																								if(_t34 != 0) {
                  																									_t35 = E00424A30(_t54, "<UserCompany>");
                  																									__eflags = _t35;
                  																									if(_t35 != 0) {
                  																										_t36 = E00424A30(_t54, "<UserSerial>");
                  																										__eflags = _t36;
                  																										if(_t36 != 0) {
                  																											_t37 = E00424A30(_t54, "<UninstallerName>");
                  																											__eflags = _t37;
                  																											if(_t37 != 0) {
                  																												_t38 = E00424DD9(0x58);
                  																												__eflags = _t38;
                  																												if(_t38 == 0) {
                  																													_t118 = 0;
                  																													__eflags = 0;
                  																												} else {
                  																													_t118 = E00407ADD(_t38);
                  																												}
                  																												__eflags = _t118;
                  																												if(_t118 == 0) {
                  																													E0041D881(E0041CD1E(0x47e924));
                  																												}
                  																												 *(_t118 + 0x10) =  *(_t118 + 0x10) | 0xffffffff;
                  																												 *(_t118 + 0xc) =  *(_t118 + 0xc) & 0x00000000;
                  																												_t9 = _t118 + 0x44;
                  																												 *_t9 =  *(_t118 + 0x44) & 0x00000000;
                  																												__eflags =  *_t9;
                  																												_t11 = _t118 + 0x14; // 0x14
                  																												E0041BF12(_t11, _t117);
                  																												_t12 = _t118 + 0x48; // 0x48
                  																												E0041BF12(_t12, _t117);
                  																												E0041BF12(_t118, _t54);
                  																												 *((intOrPtr*)(_t118 + 0x54)) = E0042504E(_t118, _t117);
                  																												E0041E87A(0x47e4d0, _t118, 0xffffffff);
                  																												goto L62;
                  																											}
                  																											_push(_t117);
                  																											_t111 = 0x47e5ec;
                  																											L10:
                  																											E0041BF12(_t111);
                  																											goto L62;
                  																										}
                  																										_push(_t117);
                  																										_t111 = 0x47e1d0;
                  																										goto L10;
                  																									}
                  																									_push(_t117);
                  																									_t111 = 0x47e1c4;
                  																									goto L10;
                  																								}
                  																								_push(_t117);
                  																								_t111 = 0x47e1b8;
                  																								goto L10;
                  																							}
                  																							_push(_t117);
                  																							_t111 = 0x47dfbc;
                  																							goto L10;
                  																						}
                  																						_push(_t117);
                  																						_t111 = 0x47e0b8;
                  																						goto L10;
                  																					}
                  																					_push(_t117);
                  																					_t111 = 0x47e0e8;
                  																					goto L10;
                  																				}
                  																				_push(_t117);
                  																				_t111 = 0x47e0a0;
                  																				goto L10;
                  																			}
                  																			_push(_t117);
                  																			_t111 = 0x47e070;
                  																			goto L10;
                  																		}
                  																		_push(_t117);
                  																		_t111 = 0x47e01c;
                  																		goto L10;
                  																	}
                  																	_push(_t117);
                  																	_t111 = 0x47e058;
                  																	goto L10;
                  																}
                  																_push(_t117);
                  																_t111 = 0x47dfec;
                  																goto L10;
                  															}
                  															_push(_t117);
                  															_t111 = 0x47e344;
                  															goto L10;
                  														}
                  														_push(_t117);
                  														_t111 = 0x47e0dc;
                  														goto L10;
                  													}
                  													_push(_t117);
                  													_t111 = 0x47e064;
                  													goto L10;
                  												}
                  												_push(_t117);
                  												_t111 = 0x47e004;
                  												goto L10;
                  											}
                  											_push(_t117);
                  											_t111 = 0x47dfd4;
                  											goto L10;
                  										}
                  										_push(_t117);
                  										_t111 = 0x47e338;
                  										goto L10;
                  									}
                  									_push(_t117);
                  									_t111 = 0x47e04c;
                  									goto L10;
                  								}
                  								_push(_t117);
                  								_t111 = 0x47e07c;
                  								goto L10;
                  							}
                  							_push(_t117);
                  							_t111 = 0x47e034;
                  							goto L10;
                  						}
                  						_push(_t117);
                  						_t111 = 0x47e0f4;
                  						goto L10;
                  					}
                  					_push(_t117);
                  					_t111 = 0x47e088;
                  					goto L10;
                  				} else {
                  					while(1) {
                  						_t119 = E0041E860(0x47e4d0, _t120);
                  						if(E0041C1FA(_t119, _t126, _t54, 1) != 0) {
                  							break;
                  						}
                  						_t120 = _t120 + 1;
                  						_t128 = _t120 -  *0x47e4dc; // 0x8
                  						if(_t128 < 0) {
                  							continue;
                  						}
                  						goto L8;
                  					}
                  					_t3 = _t119 + 0x48; // 0x48
                  					E0041BF12(_t3, _t117);
                  					 *((intOrPtr*)(_t119 + 0x54)) = E0042504E(_t3, _t117);
                  					L62:
                  					_t44 = 1;
                  					return _t44;
                  				}
                  			}







































                  APIs
                  • lstrcmpA.KERNEL32(0047DFB8,<IT_Type>,00000004,00000000,?,00000000,004169A9,<IT_Typical>,0042B9BC,00000000,00000000,00000000,00000004,00000000,?,0047DFB8), ref: 0041D10B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: lstrcmp
                  • String ID: $G$4G$8G$<CommonFiles>$<Date>$<Desktop>$<DesktopNt>$<FontDir>$<IT_Type>$<InstallDir>$<ProgramFiles>$<Programs>$<ProgramsNt>$<SetupDir>$<ShortcutDir>$<StartMenu>$<StartMenuNt>$<StartUp>$<StartUpNt>$<SystemDir>$<SystemDrive>$<TempDir>$<UninstallerName>$<UserCompany>$<UserName>$<UserSerial>$<WindowsDir>$DG$LG$XG$dG$pG$|G$G$G
                  • API String ID: 1534048567-2252700996
                  • Opcode ID: 965772f510daaa82eba5f647ce9a628796fcdb8a04c4c29537554b68901b6f2c
                  • Instruction ID: 4f8bdf6965de488ddb8f2261428f405e9a199b5eb2e7349d158717d0bbde119d
                  • Opcode Fuzzy Hash: 965772f510daaa82eba5f647ce9a628796fcdb8a04c4c29537554b68901b6f2c
                  • Instruction Fuzzy Hash: C281C7F5F48322765628A1377C52AB7839DCEA6729770952FF503E11D2EEACC8C1046E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 97%
                  			E0041199C(void* __edi, void* _a4, intOrPtr _a8, struct _FILETIME* _a12, intOrPtr* _a16) {
                  				long _v8;
                  				void _v12;
                  				long _v16;
                  				long _v20;
                  				void _v24;
                  				long _v28;
                  				intOrPtr _v32;
                  				long _v36;
                  				signed int _t117;
                  				void* _t120;
                  				long _t125;
                  				long _t126;
                  				long _t128;
                  				void* _t139;
                  				void* _t142;
                  				intOrPtr _t147;
                  				void* _t150;
                  				intOrPtr _t156;
                  				signed int _t163;
                  				intOrPtr* _t166;
                  				intOrPtr _t167;
                  				long _t186;
                  				void* _t187;
                  				long _t192;
                  				void* _t193;
                  				intOrPtr _t198;
                  				void* _t199;
                  				long _t232;
                  				intOrPtr _t238;
                  				void* _t242;
                  				void* _t244;
                  
                  				_t244 = _a4;
                  				if(_t244 == 0 || _a12 == 0) {
                  					return _t117 | 0xffffffff;
                  				} else {
                  					_t120 = CreateFileA(E0041CD1E(0x47e6c8), 0x80000000, 1, 0, 4, 0x80, 0); // executed
                  					_a4 = _t120;
                  					if(_t120 != 0xffffffff) {
                  						_v8 = 0;
                  						SetFilePointer(_t120,  *0x47f200,  &_v8, 0); // executed
                  						ReadFile(_a4, _t244, 0x40,  &_v16, 0); // executed
                  						_v8 = 0;
                  						_t125 = SetFilePointer(_a4, 0,  &_v8, 1); // executed
                  						_v36 = _t125;
                  						_t12 = _t244 + 0x3c; // 0x221039c
                  						_t126 =  *_t12;
                  						_v28 = _t126;
                  						 *((intOrPtr*)(_t244 + 0x3c)) = 0;
                  						if(_t126 == 0) {
                  							L23:
                  							_v8 = 0;
                  							_t128 = SetFilePointer(_a4, 0,  &_v8, 1); // executed
                  							 *_a16 = _t128 - _v36;
                  							_t102 = _t244 + 0x2c; // 0x0
                  							_t242 = E00424DD9( *_t102 + 1);
                  							if(_t242 == 0) {
                  								E0041D881(E0041CD1E(0x47e924));
                  							}
                  							_t104 = _t244 + 0x2c; // 0x0
                  							ReadFile(_a4, _t242,  *_t104,  &_v16, 0);
                  							_t106 = _t244 + 0x2c; // 0x0
                  							 *((char*)(_t242 +  *_t106)) = 0;
                  							E0041BF12(_a8, _t242);
                  							E00424DCE(_t242);
                  							GetFileTime(_a4, 0, 0, _a12);
                  							_t139 =  *0x47f28c; // 0x22d1d10
                  							if(_t139 != 0) {
                  								E00424DCE(_t139);
                  							}
                  							_t111 = _t244 + 0x30; // 0x2210394
                  							_t142 = E00424DD9( *_t111 << 2);
                  							 *0x47f28c = _t142;
                  							if(_t142 == 0) {
                  								E0041D881(E0041CD1E(0x47e924));
                  							}
                  							_t113 = _t244 + 0x30; // 0x2210394
                  							ReadFile(_a4,  *0x47f28c,  *_t113 << 2,  &_v16, 0);
                  							_t147 =  *0x42bf9c; // 0x1
                  							 *0x47f21c = _t147;
                  							_t116 = _t244 + 0x30; // 0x2210394
                  							 *0x47e290 =  *_t116; // executed
                  							FindCloseChangeNotification(_a4); // executed
                  							_push(1);
                  							L30:
                  							_pop(_t150);
                  							return _t150;
                  						}
                  						_t156 = E00424DD9(0xc);
                  						 *((intOrPtr*)(_t244 + 0x3c)) = _t156;
                  						if(_t156 == 0) {
                  							E0041D881(E0041CD1E(0x47e924));
                  						}
                  						_t16 = _t244 + 0x3c; // 0x221039c
                  						 *((intOrPtr*)( *_t16)) = _v28;
                  						_t18 = _t244 + 0x3c; // 0x221039c
                  						 *((intOrPtr*)( *_t18 + 8)) = 0;
                  						ReadFile(_a4,  &_v24, 4,  &_v16, 0);
                  						_t23 = _t244 + 0x3c; // 0x221039c
                  						 *((intOrPtr*)( *_t23 + 4)) = _v24;
                  						_t163 = _v24;
                  						if(_t163 <= 0) {
                  							goto L23;
                  						} else {
                  							_v28 = _t163;
                  							_t166 = E00424DD9(4 + _t163 * 0x1c);
                  							if(_t166 == 0) {
                  								_t167 = 0;
                  								L14:
                  								_t43 = _t244 + 0x3c; // 0x221039c
                  								 *((intOrPtr*)( *_t43 + 8)) = _t167;
                  								_t45 = _t244 + 0x3c; // 0x221039c
                  								if( *((intOrPtr*)( *_t45 + 8)) == 0) {
                  									E0041D881(E0041CD1E(0x47e924));
                  								}
                  								_v28 = 0;
                  								if(_v24 > 0) {
                  									_v20 = 0;
                  									do {
                  										ReadFile(_a4,  &_v12, 4,  &_v16, 0);
                  										_v8 = 0;
                  										if(_v12 > 0) {
                  											_t192 = SetFilePointer(_a4, 0,  &_v8, 1);
                  											_t193 = E0041CD1E(0x47e6c8);
                  											_t58 = _t244 + 0x3c; // 0x221039c
                  											E0041CAC5( *((intOrPtr*)( *_t58 + 8)) + _v20, _t193, _t192, _v12);
                  										}
                  										_v8 = 0;
                  										SetFilePointer(_a4, _v12,  &_v8, 1);
                  										ReadFile(_a4,  &_v12, 4,  &_v16, 0);
                  										_t68 = _t244 + 0x3c; // 0x221039c
                  										 *((intOrPtr*)( *((intOrPtr*)( *_t68 + 8)) + _v20 + 0xc)) = _v12;
                  										ReadFile(_a4,  &_v12, 4,  &_v16, 0);
                  										_v8 = 0;
                  										if(_v12 > 0) {
                  											_t186 = SetFilePointer(_a4, 0,  &_v8, 1);
                  											_t187 = E0041CD1E(0x47e6c8);
                  											_t83 = _t244 + 0x3c; // 0x221039c
                  											E0041CAC5( *((intOrPtr*)( *_t83 + 8)) + _v20 + 0x10, _t187, _t186, _v12);
                  										}
                  										_v8 = 0;
                  										SetFilePointer(_a4, _v12,  &_v8, 1);
                  										_v28 = _v28 + 1;
                  										_v20 = _v20 + 0x1c;
                  									} while (_v28 < _v24);
                  								}
                  								goto L23;
                  							}
                  							_t232 = _v28;
                  							 *_t166 = _t232;
                  							_t198 = _t166 + 4;
                  							_v32 = _t198;
                  							_t238 = _t198;
                  							_t199 = _t232 - 1;
                  							_v20 = _t238;
                  							if(_t199 < 0) {
                  								L12:
                  								_t167 = _v32;
                  								goto L14;
                  							}
                  							_v12 = _t238 + 0x10;
                  							_v28 = _t199 + 1;
                  							do {
                  								E0041BDC5(_v20);
                  								E0041BDC5(_v12);
                  								_v20 = _v20 + 0x1c;
                  								_v12 = _v12 + 0x1c;
                  								_t40 =  &_v28;
                  								 *_t40 = _v28 - 1;
                  							} while ( *_t40 != 0);
                  							goto L12;
                  						}
                  					}
                  					_push(0xfffffffe);
                  					goto L30;
                  				}
                  			}

                  APIs
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000004,00000080,00000000,00000000,00000000,0047E880,?,?,000000C0,000000BC,00000003,0047E880), ref: 004119D5
                  • SetFilePointer.KERNELBASE(00000000,00000003,00000000,00000003), ref: 00411A00
                  • ReadFile.KERNELBASE(?,0047E880,00000040,?,00000000), ref: 00411A0D
                  • SetFilePointer.KERNELBASE(?,00000000,?,00000001), ref: 00411A20
                  • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 00411A72
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: File$Global$PointerRead$AllocCreateLockUnlock
                  • String ID: $G$$G$$G$$G
                  • API String ID: 2060509727-2871775856
                  • Opcode ID: 8cd4d2b2247adbff645a87426702630cb84ac2af7220db2543cf6aa1f784a6c8
                  • Instruction ID: e23cb7d3721408e8b3984eaefd08ecb3d1a621e16b0613ce2ece1385832bfd3b
                  • Opcode Fuzzy Hash: 8cd4d2b2247adbff645a87426702630cb84ac2af7220db2543cf6aa1f784a6c8
                  • Instruction Fuzzy Hash: 44B13AB5900209EFDB10DFA5DC81DEEBBB9FB08344F50856AF605A7261D734AA81CB64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E0041246C(void* __ecx, void* __edx, intOrPtr* _a4) {
                  				intOrPtr _v0;
                  				char _v12;
                  				intOrPtr _v16;
                  				char _v20;
                  				char _v24;
                  				char _v28;
                  				intOrPtr _v32;
                  				void* _v36;
                  				void* _v40;
                  				void* __ebx;
                  				void* __edi;
                  				void* __ebp;
                  				void* _t39;
                  				signed char _t41;
                  				signed int _t53;
                  				signed int _t57;
                  				signed int _t60;
                  				signed int _t71;
                  				CHAR* _t74;
                  				void* _t77;
                  				CHAR* _t79;
                  				CHAR* _t82;
                  				void* _t85;
                  				CHAR* _t87;
                  				void* _t90;
                  				CHAR* _t92;
                  				void* _t99;
                  				intOrPtr _t112;
                  				intOrPtr _t113;
                  				void* _t114;
                  				void* _t155;
                  				int _t156;
                  				void* _t157;
                  				void* _t158;
                  				struct HDC__* _t159;
                  				void* _t160;
                  				void* _t161;
                  				void* _t162;
                  				void* _t163;
                  				void* _t164;
                  				void* _t165;
                  				void* _t166;
                  				void* _t167;
                  
                  				_t155 = __edx;
                  				_t162 =  &_v24;
                  				_t158 = __ecx;
                  				_t114 = 0;
                  				 *((intOrPtr*)(__ecx + 8)) = _a4;
                  				_t163 =  *0x47f27c - _t114; // 0x1
                  				if(_t163 == 0) {
                  					L5:
                  					_t156 = 3;
                  					_t167 =  *0x47e338 - _t156; // 0x10
                  					if(_t167 <= 0) {
                  						L7:
                  						E0041A69C();
                  						 *0x47e658 = 1;
                  						E00414C1B(_t155, _t156, _t160, _t114, _t114);
                  						_t39 = E00411DF7(_t158, _t168); // executed
                  						if(_t39 == 0) {
                  							L12:
                  							return 0;
                  						}
                  						_t41 = 2;
                  						if(( *0x47e18c & _t41) == 0) {
                  							L10:
                  							if(( *0x47e18c & 0x00000004) == 0) {
                  								L13:
                  								__eflags =  *0x47f27c - _t114; // 0x1
                  								_t157 = SetWindowTextA;
                  								_t161 = GetDlgItem;
                  								 *0x47e658 = 4;
                  								if(__eflags == 0) {
                  									_t92 = E0041CD1E(0x47eed0);
                  									_t7 = _t158 + 8; // 0x0
                  									SetWindowTextA(GetDlgItem( *_t7, 0x14), _t92);
                  								}
                  								E00414C1B(_t155, _t157, _t161, _t114, _t114);
                  								E00414C1B(_t155, _t157, _t161, _t114, _t114);
                  								 *0x47e819 = 1;
                  								_v40 = _t114;
                  								_v36 = _t114;
                  								E0041BDC5( &_v28);
                  								_v12 = 0x47e380;
                  								do {
                  									_t162 = _t162 - 0xc;
                  									_v16 =  *_a4;
                  									E0041BE99(_t162,  &_v12);
                  									_push( &_v24);
                  									_push( &_v28);
                  									_push(_v0);
                  									_push(_v20);
                  									E00413399(_t158); // executed
                  									_v28 = _v28 + 0x44;
                  									__eflags = _v28 - 0x47e490;
                  								} while (_v28 < 0x47e490);
                  								__eflags = _v32 - _t114;
                  								if(_v32 <= _t114) {
                  									__eflags =  *0x47f27c - _t114; // 0x1
                  									 *0x47e658 = 5;
                  									if(__eflags == 0) {
                  										_t87 = E0041CD1E(0x47eee8);
                  										_t24 = _t158 + 8; // 0x0
                  										SetWindowTextA(GetDlgItem( *_t24, 0x14), _t87);
                  									}
                  									E00414C1B(_t155, _t157, _t161, _t114, _t114);
                  									_t53 = E00413211();
                  									__eflags = _t53;
                  									if(_t53 == 0) {
                  										_t85 = E0041CD1E(0x47eef4);
                  										_t25 = _t158 + 8; // 0x0
                  										E0041B2A8( *_t25, _t85, _t114);
                  									}
                  									__eflags =  *0x47f27c - _t114; // 0x1
                  									 *0x47e658 = 6;
                  									if(__eflags == 0) {
                  										_t82 = E0041CD1E(0x47ef00);
                  										_t26 = _t158 + 8; // 0x0
                  										SetWindowTextA(GetDlgItem( *_t26, 0x14), _t82);
                  									}
                  									E00414C1B(_t155, _t157, _t161, _t114, _t114);
                  									E00412E58();
                  									__eflags =  *0x47f27c - _t114; // 0x1
                  									 *0x47e658 = 7;
                  									if(__eflags == 0) {
                  										_t79 = E0041CD1E(0x47ef0c);
                  										_t27 = _t158 + 8; // 0x0
                  										SetWindowTextA(GetDlgItem( *_t27, 0x14), _t79);
                  									}
                  									E00414C1B(_t155, _t157, _t161, _t114, _t114);
                  									_t57 = E00410891(_t114, _t158, _t155, _t157, __eflags); // executed
                  									__eflags = _t57;
                  									if(_t57 == 0) {
                  										_t77 = E0041CD1E(0x47ef18);
                  										_t28 = _t158 + 8; // 0x0
                  										E0041B2A8( *_t28, _t77, _t114);
                  									}
                  									__eflags =  *0x47f27c - _t114; // 0x1
                  									 *0x47e658 = 8;
                  									if(__eflags == 0) {
                  										_t74 = E0041CD1E(0x47ef24);
                  										_t29 = _t158 + 8; // 0x0
                  										SetWindowTextA(GetDlgItem( *_t29, 0x14), _t74);
                  									}
                  									E00414C1B(_t155, _t157, _t161, _t114, _t114);
                  									E00413CFF(_t157, __eflags, 0x47e548);
                  									_t30 = _t158 + 8; // 0x0
                  									_t60 = E00422E9C(0x47e788,  *_t30); // executed
                  									__eflags = _t60;
                  									if(_t60 == 0) {
                  										L44:
                  										E0041BEFB( &_v20);
                  										return _t114;
                  									} else {
                  										E00414C1B(_t155, _t157, _t161, 0x64, _t114);
                  										__eflags =  *0x47e610 - _t114; // 0x0
                  										if(__eflags != 0) {
                  											L38:
                  											__eflags =  *0x47f27c - _t114; // 0x1
                  											if(__eflags != 0) {
                  												L40:
                  												E00423F22(__eflags); // executed
                  												E00423F52(); // executed
                  												E00424003();
                  												L41:
                  												__eflags =  *0x47e610 - _t114; // 0x0
                  												if(__eflags == 0) {
                  													SHChangeNotify(0x8000000, _t114, _t114, _t114);
                  												}
                  												_t114 = 1;
                  												goto L44;
                  											}
                  											L39:
                  											E0040FC45(0x47f208);
                  											_t159 = GetDC( *0x47e178);
                  											BitBlt(_t159, _t114, _t114,  *0x47e170,  *0x47e174,  *0x47e184, _t114, _t114, 0xcc0020);
                  											ReleaseDC( *0x47e178, _t159);
                  											goto L41;
                  										}
                  										__eflags =  *0x47e4a0 - _t114; // 0x1
                  										_t71 =  *0x47e190; // 0x2080c08
                  										if(__eflags > 0) {
                  											L35:
                  											__eflags =  *0x47f27c - _t114; // 0x1
                  											if(__eflags != 0) {
                  												goto L40;
                  											}
                  											__eflags = _t71 & 0x00010000;
                  											if((_t71 & 0x00010000) == 0) {
                  												goto L39;
                  											}
                  											ShellExecuteA(_t114, "open", E00411811(), _t114, 0x42e0c8, 1);
                  											goto L38;
                  										}
                  										__eflags = _t71 & 0x00020000;
                  										if((_t71 & 0x00020000) != 0) {
                  											goto L38;
                  										}
                  										goto L35;
                  									}
                  								}
                  								_t90 = E0041CD1E(0x47eedc);
                  								_t23 = _t158 + 8; // 0x0
                  								E0041B2A8( *_t23, _t90, _t114);
                  								goto L44;
                  							}
                  							 *0x47e658 = _t156;
                  							E00414C1B(_t155, _t156, _t160, _t114, _t114);
                  							if(E004102F6(_t158) != 0) {
                  								goto L13;
                  							}
                  							goto L12;
                  						}
                  						 *0x47e658 = _t41;
                  						if(E004105CA(_t158) == 0) {
                  							goto L12;
                  						}
                  						goto L10;
                  					}
                  					_t99 = E0040DC10(E0041CD1E(0x47e338), _t114); // executed
                  					_t168 = _t99;
                  					if(_t99 == 0) {
                  						goto L12;
                  					}
                  					goto L7;
                  				}
                  				E004237B5();
                  				E00423832();
                  				E004238F0(_t163);
                  				E00423920(_t163);
                  				E00423950(_t163);
                  				E00423980();
                  				E00423A3D();
                  				E00423C00();
                  				E00423D1A();
                  				E00423E34();
                  				E00423EF2(_t163);
                  				E0041938D(0x47dfb8);
                  				_t164 =  *0x47f27c - _t114; // 0x1
                  				if(_t164 == 0) {
                  					goto L5;
                  				}
                  				_t112 =  *0x47e654; // 0x0
                  				_t165 = _t112 -  *0x47e64c; // 0x13
                  				if(_t165 < 0) {
                  					goto L5;
                  				}
                  				if(_t165 > 0) {
                  					goto L12;
                  				}
                  				_t113 =  *0x47e650; // 0x207a58a
                  				_t166 = _t113 -  *0x47e648; // 0xfff01000
                  				if(_t166 > 0) {
                  					goto L12;
                  				}
                  				goto L5;
                  			}

                  APIs
                    • Part of subcall function 00423A3D: lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,0047E50C,00000000,00000000,FFFFFFFF,0000000E,00000000,0047DFB8), ref: 00423B13
                    • Part of subcall function 00423A3D: lstrcatA.KERNEL32(FFFFFFFF,00000000,?,?,?,?,?,?,0047E50C,00000000,00000000,FFFFFFFF,0000000E,00000000,0047DFB8), ref: 00423B23
                    • Part of subcall function 00423A3D: lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,0047E50C,00000000,00000000,FFFFFFFF,0000000E,00000000,0047DFB8), ref: 00423B31
                    • Part of subcall function 00423C00: lstrcatA.KERNEL32(00000000,00000000,0047E50C,00000000,00000000,00415294,00000000,?,?,00000000), ref: 00423C7C
                    • Part of subcall function 00423D1A: lstrcatA.KERNEL32(00000000,00000000,0047E50C,00000000,00000000,00415294,00000000,?,?,00000000), ref: 00423D96
                  • GetDlgItem.USER32 ref: 004125B0
                  • SetWindowTextA.USER32(00000000), ref: 004125B3
                  • GetDlgItem.USER32 ref: 00412671
                  • SetWindowTextA.USER32(00000000), ref: 00412674
                  • GetDlgItem.USER32 ref: 004126C5
                  • SetWindowTextA.USER32(00000000), ref: 004126C8
                  • GetDlgItem.USER32 ref: 004126FC
                  • SetWindowTextA.USER32(00000000), ref: 004126FF
                  • GetDlgItem.USER32 ref: 00412750
                  • SetWindowTextA.USER32(00000000), ref: 00412753
                  • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,0042E0C8,00000001), ref: 004127CA
                  • GetDC.USER32(00000064), ref: 004127E8
                  • BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00CC0020), ref: 0041280C
                  • ReleaseDC.USER32 ref: 00412819
                  • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00412840
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: ItemTextWindowlstrcat$ChangeExecuteNotifyReleaseShell
                  • String ID: $G$8G$D$open$G
                  • API String ID: 3128010893-949649186
                  • Opcode ID: fac09a023166b0941ac6e7ca7f52c8df8d85831ec59260659e9c2906b036ed5e
                  • Instruction ID: 5d0c258a8902059559151b4f9015483af753c4e75ea8ed3ef354697f97ce35a3
                  • Opcode Fuzzy Hash: fac09a023166b0941ac6e7ca7f52c8df8d85831ec59260659e9c2906b036ed5e
                  • Instruction Fuzzy Hash: D99107702002406BDB10BB77AD95AEE3A5EEB9870CF40457FF509922A2CB7D4CC58B6D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 63%
                  			E0040DF78(void* __ecx, void* _a4, void* _a8) {
                  				struct _ITEMIDLIST* _v8;
                  				int _v12;
                  				long _t26;
                  				void* _t29;
                  				char* _t31;
                  				char* _t33;
                  				long _t34;
                  				long _t37;
                  				char* _t38;
                  				long _t39;
                  				long _t49;
                  				int _t51;
                  
                  				_t51 = _a4;
                  				if(_t51 == 2 || _t51 == 7 || _t51 == 0x10 || _t51 == 0x14 || _t51 == 0xb || _t51 == 5) {
                  					_a4 = 0;
                  					_t26 = RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", 0, 0x20019,  &_a4); // executed
                  					if(_t26 != 0) {
                  						goto L31;
                  					}
                  					_v12 = 0x104;
                  					_t33 = "Programs";
                  					if(_t51 != 7) {
                  						if(_t51 != 0x10) {
                  							if(_t51 != 0x14) {
                  								if(_t51 != 0xb) {
                  									if(_t51 == 5) {
                  										_t33 = "Personal";
                  									}
                  								} else {
                  									_t33 = "Start Menu";
                  								}
                  							} else {
                  								_t33 = "Fonts";
                  							}
                  						} else {
                  							_t33 = "Desktop";
                  						}
                  					} else {
                  						_t33 = "Startup";
                  					}
                  					_t34 = RegQueryValueExA(_a4, _t33, 0, 0, _a8,  &_v12); // executed
                  					_push(_a4);
                  					_t49 = _t34; // executed
                  					goto L30;
                  				} else {
                  					if(_t51 == 0x17 || _t51 == 0x18 || _t51 == 0x19 || _t51 == 0x16) {
                  						_a4 = 0;
                  						_t37 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders", 0, 0x20019,  &_a4); // executed
                  						if(_t37 == 0) {
                  							_v12 = 0x104;
                  							_t38 = "Common Programs";
                  							if(_t51 != 0x18) {
                  								if(_t51 != 0x19) {
                  									if(_t51 == 0x16) {
                  										_t38 = "Common Start Menu";
                  									}
                  								} else {
                  									_t38 = "Common Desktop";
                  								}
                  							} else {
                  								_t38 = "Common Startup";
                  							}
                  							_t39 = RegQueryValueExA(_a4, _t38, 0, 0, _a8,  &_v12); // executed
                  							_push(_a4);
                  							_t49 = _t39;
                  							L30:
                  							RegCloseKey(); // executed
                  							if(_t49 == 0) {
                  								goto L34;
                  							}
                  						}
                  						goto L31;
                  					} else {
                  						L31:
                  						_v8 = 0;
                  						if(SHGetSpecialFolderLocation(0, _t51,  &_v8) != 0) {
                  							_t29 = 0;
                  							L36:
                  							return _t29;
                  						}
                  						__imp__SHGetPathFromIDListA(_v8, _a8);
                  						_a8 = 0;
                  						__imp__SHGetMalloc( &_a8);
                  						_t31 = _a8;
                  						if(_t31 != 0) {
                  							 *((intOrPtr*)( *_t31 + 0x14))(_t31, _v8);
                  						}
                  						L34:
                  						_t29 = 1;
                  						goto L36;
                  					}
                  				}
                  			}

                  APIs
                  • RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,00000081,00000000,00000000,00000104,00000081,00000081,?,00411924,00000002,00000000), ref: 0040DFEA
                  • RegQueryValueExA.KERNELBASE(00000104,Common Programs,00000000,00000000,?,00000104), ref: 0040E033
                  • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00020019,00000081,00000000,00000000,00000104,00000081,00000081,?,00411924,00000002,00000000), ref: 0040E057
                  • RegQueryValueExA.KERNELBASE(00000104,Programs,00000000,00000000,?,00000104), ref: 0040E0B4
                  • RegCloseKey.KERNELBASE(00000104), ref: 0040E0BF
                  • SHGetSpecialFolderLocation.SHELL32(00000000,00000081,?,?,00411924,00000002,00000000), ref: 0040E0D2
                  • SHGetPathFromIDListA.SHELL32(?,?,?,00411924,00000002,00000000), ref: 0040E0E2
                  • SHGetMalloc.SHELL32(?), ref: 0040E0EF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: OpenQueryValue$CloseFolderFromListLocationMallocPathSpecial
                  • String ID: Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Fonts$Personal$Programs$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$Start Menu$Startup
                  • API String ID: 175098910-3641352306
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 85%
                  			E004160A6(void* __ecx, void* __eflags) {
                  				char _v6;
                  				char _v7;
                  				char _v8;
                  				CHAR* _v12;
                  				char _v16;
                  				char _v32;
                  				char _v52;
                  				void* _t107;
                  				void* _t111;
                  				CHAR* _t114;
                  				int _t133;
                  				signed int _t140;
                  				signed int _t203;
                  				signed int _t204;
                  				void* _t236;
                  				void* _t237;
                  				void* _t238;
                  				intOrPtr _t248;
                  
                  				_t236 = __ecx;
                  				_t1 = _t236 + 0x58; // 0x47e010
                  				_t2 = _t236 + 0x4c; // 0x47e004
                  				E00416462(__ecx, 2, _t2, _t1);
                  				_t3 = _t236 + 0x70; // 0x47e028
                  				_t4 = _t236 + 0x64; // 0x47e01c
                  				E00416462(_t236, 7, _t4, _t3);
                  				_t5 = _t236 + 0x88; // 0x47e040
                  				_t6 = _t236 + 0x7c; // 0x47e034
                  				E00416462(_t236, 0x10, _t6, _t5); // executed
                  				_t7 = _t236 + 0x94; // 0x47e04c
                  				E00416462(_t236, 0x14, _t7, 0);
                  				_t8 = _t236 + 0x40; // 0x47dff8
                  				_t9 = _t236 + 0x34; // 0x47dfec
                  				E00416462(_t236, 0xb, _t9, _t8);
                  				_t248 =  *0x47e19c; // 0x1
                  				_t10 = _t236 + 0xac; // 0x47e064
                  				_push(0);
                  				if(_t248 == 0) {
                  					_push(2);
                  					E00416462(_t236);
                  					_t14 = _t236 + 0xb8; // 0x47e070
                  					E00416462(_t236, 7, _t14, 0);
                  					_t15 = _t236 + 0xc4; // 0x47e07c
                  					E00416462(_t236, 0x10, _t15, 0);
                  					_t16 = _t236 + 0xa0; // 0x47e058
                  					_push(0);
                  					_push(0xb);
                  				} else {
                  					_push(0x17);
                  					E00416462(_t236);
                  					_t11 = _t236 + 0xb8; // 0x47e070
                  					E00416462(_t236, 0x18, _t11, 0);
                  					_t12 = _t236 + 0xc4; // 0x47e07c
                  					E00416462(_t236, 0x19, _t12, 0);
                  					_t13 = _t236 + 0xa0; // 0x47e058
                  					_push(0);
                  					_push(0x16);
                  				}
                  				E00416462(_t236);
                  				_t17 = _t236 + 0x118; // 0x47e0d0
                  				E00416462(_t236, 5, _t17, 0); // executed
                  				_t107 = E0041DAE7(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "ProgramFilesDir",  &_v16); // executed
                  				if(_t107 <= 0) {
                  					_t23 = _t236 + 0x1c; // 0x47dfd4
                  					E0041BF12(_t23, "C:\\Program Files");
                  					_t24 = _t236 + 0x28; // 0x47dfe0
                  					E0041BF12(_t24, "C:\\Progra~1");
                  				} else {
                  					_t19 = _t236 + 0x28; // 0x47dfe0
                  					_t20 = _t236 + 0x1c; // 0x47dfd4
                  					E00416031(_v16, _t20, _t19); // executed
                  					E00424DCE(_v16);
                  				}
                  				_t111 = E0041DAE7(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "CommonFilesDir",  &_v16); // executed
                  				if(_t111 <= 0) {
                  					_t30 = _t236 + 0xd0; // 0x47e088
                  					E0041BF12(_t30, "C:\\Program Files\\Common Files");
                  					_t31 = _t236 + 0x28; // 0x47dfe0
                  					E0041BF12(_t31, "C:\\Progra~1\\Common~1");
                  				} else {
                  					_t26 = _t236 + 0xdc; // 0x47e094
                  					_t27 = _t236 + 0xd0; // 0x47e088
                  					E00416031(_v16, _t27, _t26); // executed
                  					E00424DCE(_v16);
                  				}
                  				_t114 = E00424DD9(0x104);
                  				_v12 = _t114;
                  				if(_t114 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				E00424500(_v12, 0, 0x104);
                  				GetWindowsDirectoryA(_v12, 0x104);
                  				_t35 = _t236 + 0x10; // 0x47dfc8
                  				_t36 = _t236 + 4; // 0x47dfbc
                  				E00416031(_v12, _t36, _t35); // executed
                  				E00424500(_v12, 0, 0x104);
                  				GetSystemDirectoryA(_v12, 0x104);
                  				_t40 = _t236 + 0xf4; // 0x47e0ac
                  				_t41 = _t236 + 0xe8; // 0x47e0a0
                  				E00416031(_v12, _t41, _t40); // executed
                  				E00424500(_v12, 0, 0x104);
                  				GetTempPathA(0x104, _v12);
                  				_t45 = _t236 + 0x10c; // 0x47e0c4
                  				_t46 = _t236 + 0x100; // 0x47e0b8
                  				E00416031(_v12, _t46, _t45); // executed
                  				E00424DCE(_v12);
                  				_t49 = _t236 + 0xe8; // 0x47e0a0
                  				_v8 = E0041BFE3(_t49, 0);
                  				_t52 = _t236 + 0x130; // 0x47e0e8
                  				_v7 = 0x3a;
                  				_v6 = 0;
                  				E0041BF12(_t52,  &_v8);
                  				_t133 = GetDateFormatA(0x800, 0, 0, 0, 0, 0); // executed
                  				GetDateFormatA(0x800, 0, 0, 0,  &_v52, _t133);
                  				_t57 = _t236 + 0x13c; // 0x47e0f4
                  				E0041BF12(_t57,  &_v52);
                  				if(E00424DD9(0x58) == 0) {
                  					_t237 = 0;
                  				} else {
                  					_t237 = E00407ADD(_t138);
                  				}
                  				if(_t237 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				E0041BF12(_t237, "<DS2000>");
                  				 *(_t237 + 0x10) =  *(_t237 + 0x10) | 0xffffffff;
                  				 *((intOrPtr*)(_t237 + 0x44)) = 0;
                  				 *((intOrPtr*)(_t237 + 0xc)) = 1;
                  				_t140 = E0041DF41(0x7d0);
                  				_t203 = 0x3c;
                  				_t204 = 0x18;
                  				 *(_t237 + 0x54) = _t140 / _t203 / _t204;
                  				E004278E9(_t140 / _t203 / _t204,  &_v32, 0xa);
                  				_t73 = _t237 + 0x48; // 0x48
                  				E0041BF12(_t73,  &_v32);
                  				E0041E87A(0x47e4d0, _t237, 0xffffffff);
                  				if(E00424DD9(0x58) == 0) {
                  					_t238 = 0;
                  				} else {
                  					_t238 = E00407ADD(_t147);
                  				}
                  				if(_t238 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				E0041BF12(_t238, "<IsAdmin>");
                  				 *(_t238 + 0x10) =  *(_t238 + 0x10) | 0xffffffff;
                  				 *((intOrPtr*)(_t238 + 0x44)) = 0;
                  				 *((intOrPtr*)(_t238 + 0xc)) = 1;
                  				 *(_t238 + 0x54) = E0041E3EF() & 0x000000ff;
                  				E004278E9(E0041E3EF() & 0x000000ff,  &_v32, 0xa);
                  				_t81 = _t238 + 0x48; // 0x48
                  				E0041BF12(_t81,  &_v32);
                  				return E0041E87A(0x47e4d0, _t238, 0xffffffff);
                  			}

                  APIs
                  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,C:\Progra~1\Common~1,C:\Program Files\Common Files,?,?,C:\Progra~1,C:\Program Files,0047E010,?,0047DFB8), ref: 00416284
                    • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0221020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                    • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                    • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                    • Part of subcall function 0041BF12: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0047DFB8), ref: 0041BF2C
                  • GetSystemDirectoryA.KERNEL32 ref: 004162AD
                    • Part of subcall function 00416031: lstrlenA.KERNEL32(?,0047DFB8), ref: 0041603F
                    • Part of subcall function 00416031: GetShortPathNameA.KERNEL32 ref: 0041608B
                  • GetTempPathA.KERNEL32(00000104,00000000,?,?,?,00000000,0047E0A0,0047E0AC,?,C:\Progra~1\Common~1,C:\Program Files\Common Files,?,?,C:\Progra~1,C:\Program Files,0047E010), ref: 004162DC
                  • GetDateFormatA.KERNELBASE(00000800,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,0047E0B8,0047E0C4,?,?,?,00000000,0047E0A0), ref: 00416338
                  • GetDateFormatA.KERNEL32(00000800,00000000,00000000,00000000,?,00000000,?,?,?,00000000,0047E0A0,0047E0AC,?,C:\Progra~1\Common~1,C:\Program Files\Common Files), ref: 00416347
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$DateDirectoryFormatPathlstrlen$AllocLockNameShortSystemTempUnlockWindows
                  • String ID: $G$$G$$G$:$<DS2000>$<IsAdmin>$C:\Program Files$C:\Program Files\Common Files$C:\Progra~1$C:\Progra~1\Common~1$CommonFilesDir$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                  • API String ID: 880143930-1700843775
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E0041A393(void* __eflags) {
                  				void _v5;
                  				void* _v12;
                  				long _v16;
                  				void _v20;
                  				struct _OVERLAPPED* _v24;
                  				void _v28;
                  				void _v32;
                  				void _v36;
                  				void _v40;
                  				void _v44;
                  				long _v48;
                  				long _v52;
                  				long _v56;
                  				char _v68;
                  				signed int _t92;
                  				signed int _t93;
                  				long _t110;
                  				void* _t112;
                  				struct _OVERLAPPED* _t118;
                  				signed int _t120;
                  				void* _t129;
                  				void _t135;
                  				void* _t136;
                  				char _t151;
                  				void* _t152;
                  				signed char _t160;
                  				char _t162;
                  				void* _t185;
                  				intOrPtr _t187;
                  
                  				_t92 = CreateFileA(E0041CD1E(0x47e6c8), 0x80000000, 1, 0, 3, 0x80, 0); // executed
                  				_t185 = _t92;
                  				_t93 = _t92 | 0xffffffff;
                  				_v12 = _t185;
                  				if(_t185 != _t93) {
                  					_v16 = 0;
                  					_v52 = 0;
                  					_v48 = GetFileSize(_t185,  &_v52);
                  					_v24 = 8;
                  					_v40 = 0;
                  					_v44 = 0;
                  					SetFilePointer(_t185, 0xfffffff8, 0, 2); // executed
                  					ReadFile(_t185,  &_v40, 4,  &_v16, 0); // executed
                  					ReadFile(_v12,  &_v44, 4,  &_v16, 0); // executed
                  					if(_v40 != 0xb1c2d3e || _v44 != 0x12345678) {
                  						SetFilePointer(_v12, 0x198, 0, 0);
                  						_v36 = 0;
                  						_v28 = 0;
                  						ReadFile(_v12,  &_v36, 4,  &_v16, 0);
                  						ReadFile(_v12,  &_v28, 4,  &_v16, 0);
                  						_t110 = _v36;
                  						if(_t110 == 0 || _t110 > _v48 || _v28 == 0) {
                  							L26:
                  							E0041B2A8(0,  *0x42c488, 0);
                  							_push(0xfffffffb);
                  							goto L27;
                  						} else {
                  							_v56 = 0;
                  							SetFilePointer(_v12, _t110,  &_v56, 0);
                  							_v24 = 0;
                  							while(1) {
                  								SetFilePointer(_v12, 0xffffffff, 0, 1);
                  								_v5 = 0;
                  								ReadFile(_v12,  &_v5, 1,  &_v16, 0);
                  								if(_v5 != 0) {
                  									break;
                  								}
                  								SetFilePointer(_v12, 0xffffffff, 0, 1);
                  								_v24 =  &(_v24->Internal);
                  								if(_v24 < 8) {
                  									continue;
                  								}
                  								break;
                  							}
                  							_t118 = _v24;
                  							_v36 = _v36 - _t118;
                  							_v28 = _v28 + _t118;
                  							_t120 = _v28 + 8;
                  							_v24 = _t120;
                  							SetFilePointer(_v12,  ~_t120, 0, 2);
                  							ReadFile(_v12,  &_v40, 4,  &_v16, 0);
                  							ReadFile(_v12,  &_v44, 4,  &_v16, 0);
                  							if(_v40 != 0xb1c2d3e || _v44 != 0x12345678) {
                  								goto L26;
                  							} else {
                  								goto L11;
                  							}
                  						}
                  					} else {
                  						L11:
                  						_push(2);
                  						_push(0);
                  						_v20 = 0;
                  						_t129 = 0xfffffffc;
                  						SetFilePointer(_v12, _t129 - _v24, ??, ??); // executed
                  						ReadFile(_v12,  &_v20, 4,  &_v16, 0);
                  						_t135 = _v20;
                  						if(_t135 == 0xffffffff) {
                  							_v20 = 0;
                  							 *0x47e114 = 1;
                  							L18:
                  							_push(2);
                  							_push(0);
                  							_t136 = 0xfffffff8;
                  							SetFilePointer(_v12, _t136 - _v20 - _v24, ??, ??); // executed
                  							_v32 = 0;
                  							if(ReadFile(_v12,  &_v32, 4,  &_v16, 0) != 0) {
                  								_t187 = _v48;
                  								__eflags = _t187 - _v32 - _v20 - _v24 - 8 - 0x3e8;
                  								if(_t187 - _v32 - _v20 - _v24 - 8 > 0x3e8) {
                  									L24:
                  									E0041B2A8(0,  *0x42c48c, 0);
                  									_push(0xfffffffc);
                  									L27:
                  									_pop(_t112);
                  									return _t112;
                  								}
                  								CloseHandle(_v12);
                  								_t151 = E0041CAC5(0x47e2f0, E0041CD1E(0x47e6c8), _v32, _t187 - _v32 - _v20 - _v24 - 8); // executed
                  								__eflags = _t151;
                  								if(_t151 >= 0) {
                  									_t152 = E0041C8FD(0x47e2f0, 0xe8);
                  									__eflags = _t152 - _v32;
                  									if(_t152 == _v32) {
                  										_push(1);
                  										goto L27;
                  									}
                  									goto L24;
                  								}
                  								_push(0xfffffffd);
                  								goto L27;
                  							}
                  							CloseHandle(_v12);
                  							_push(0xfffffffe);
                  							goto L27;
                  						}
                  						if(_t135 > 0x3e8) {
                  							goto L24;
                  						}
                  						E0041CAC5(0x47df68, E0041CD1E(0x47e6c8), _v48 - _t135 - _v24 - 4, _t135); // executed
                  						E0041BE99( &_v68, 0x47df68);
                  						if(E0041C2E0( &_v68) != 0) {
                  							E0041DCD0(__eflags,  &_v68);
                  							_t160 = E0041C2E0( &_v68);
                  							asm("sbb al, al");
                  							_t162 =  ~_t160 + 1;
                  							__eflags = _t162;
                  							 *0x47e114 = _t162;
                  						} else {
                  							 *0x47e114 = 1;
                  						}
                  						E0041BEFB( &_v68);
                  						goto L18;
                  					}
                  				}
                  				return _t93;
                  			}

                  APIs
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,0047DFB8), ref: 0041A3B9
                  • GetFileSize.KERNEL32(00000000,?,?,0047DFB8), ref: 0041A3DA
                  • SetFilePointer.KERNELBASE(00000000,000000F8,00000000,00000002,?,0047DFB8), ref: 0041A3FC
                  • ReadFile.KERNELBASE(00000000,?,00000004,?,00000000,?,0047DFB8), ref: 0041A410
                  • ReadFile.KERNELBASE(0047DFB8,?,00000004,?,00000000,?,0047DFB8), ref: 0041A420
                  • SetFilePointer.KERNEL32(0047DFB8,00000198,00000000,00000000,?,0047DFB8), ref: 0041A442
                  • ReadFile.KERNEL32(0047DFB8,?,00000004,?,00000000,?,0047DFB8), ref: 0041A458
                  • ReadFile.KERNEL32(0047DFB8,?,00000004,?,00000000,?,0047DFB8), ref: 0041A468
                  • SetFilePointer.KERNEL32(0047DFB8,?,?,00000000,?,0047DFB8), ref: 0041A493
                  • SetFilePointer.KERNEL32(0047DFB8,000000FF,00000000,00000001,?,0047DFB8), ref: 0041A4A0
                  • ReadFile.KERNEL32(0047DFB8,?,00000001,?,00000000,?,0047DFB8), ref: 0041A4B3
                  • SetFilePointer.KERNEL32(0047DFB8,000000FF,00000000,00000001,?,0047DFB8), ref: 0041A4C2
                  • SetFilePointer.KERNEL32(0047DFB8,?,00000000,00000002,?,0047DFB8), ref: 0041A4E8
                  • ReadFile.KERNEL32(0047DFB8,0B1C2D3E,00000004,?,00000000,?,0047DFB8), ref: 0041A4F8
                  • ReadFile.KERNEL32(0047DFB8,?,00000004,?,00000000,?,0047DFB8), ref: 0041A508
                  • SetFilePointer.KERNELBASE(0047DFB8,00000008,00000000,00000002,?,0047DFB8), ref: 0041A534
                  • ReadFile.KERNEL32(0047DFB8,0041690F,00000004,?,00000000,?,0047DFB8), ref: 0041A544
                  • SetFilePointer.KERNELBASE(0047DFB8,00000008,00000000,00000002,?,0047DFB8), ref: 0041A5DE
                  • ReadFile.KERNEL32(0047DFB8,?,00000004,?,00000000,?,0047DFB8), ref: 0041A5F1
                  • CloseHandle.KERNEL32(0047DFB8,?,0047DFB8), ref: 0041A5FA
                  • CloseHandle.KERNEL32(0047DFB8,?,0047DFB8), ref: 0041A622
                    • Part of subcall function 0041CAC5: CreateFileA.KERNELBASE(0047DFB8,80000000,00000001,00000000,00000003,00000080,00000000,747DFBD0,0047E2F0,00000000,?,0047DFB8), ref: 0041CAE5
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: File$Read$Pointer$Global$CloseCreateHandle$AllocLockSizeUnlock
                  • String ID:
                  • API String ID: 903399669-0
                  • Opcode ID: 10fab780dbe6762485953172a9353f9cca6116cf811c5eddf77569a964fb74da
                  • Instruction ID: 8fa286661f634b855119dcbb4edcbf0a63debd4ddf1a163e064186f337e81dee
                  • Opcode Fuzzy Hash: 10fab780dbe6762485953172a9353f9cca6116cf811c5eddf77569a964fb74da
                  • Instruction Fuzzy Hash: 7BA14CB1D4121DBEDF11DBA8CC85EEEBBBCEB04314F10426AF611B2190CB345E858B69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E0041A81A(void* __eflags, intOrPtr* _a4) {
                  				CHAR* _v8;
                  				CHAR* _v12;
                  				char _v24;
                  				void _v283;
                  				char _v284;
                  				void* _t29;
                  				void* _t34;
                  				signed int _t36;
                  				long _t42;
                  				void* _t45;
                  				void* _t57;
                  				void* _t71;
                  				signed int _t73;
                  				void* _t75;
                  				signed int _t76;
                  				int _t90;
                  				signed int _t117;
                  				intOrPtr _t140;
                  				CHAR* _t141;
                  
                  				_t140 =  *_a4;
                  				_t29 = E0041CD1E(_a4);
                  				_t90 = 0;
                  				if(_t140 <= 0) {
                  					return _t29;
                  				}
                  				while( *((char*)(_t90 + _t29)) != 0x3c) {
                  					_t90 = _t90 + 1;
                  					if(_t90 < _t140) {
                  						continue;
                  					}
                  					return _t29;
                  				}
                  				E0041BE35( &_v24, E0041CD1E(0x47e338));
                  				_t34 = E0041BFE3( &_v24, _v24 - 1);
                  				__eflags = _t34 - 0x5c;
                  				if(_t34 == 0x5c) {
                  					__eflags = _v24 - 1;
                  					E0041C3A9( &_v24, _v24 - 1, 1);
                  				}
                  				_t141 = E00424DD9(0x104);
                  				__eflags = _t141;
                  				_v12 = _t141;
                  				if(_t141 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				_t36 = E00424DD9(0x104);
                  				__eflags = _t36;
                  				_v8 = _t36;
                  				if(_t36 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				E00424500(_t141, 0, 0x104);
                  				E00424500(_v8, 0, 0x104);
                  				GetShortPathNameA(E0041CD1E( &_v24), _t141, 0x104); // executed
                  				__eflags =  *0x47f2c4 & 0x00000001;
                  				if(( *0x47f2c4 & 0x00000001) == 0) {
                  					 *0x47f2c4 =  *0x47f2c4 | 0x00000001;
                  					__eflags =  *0x47f2c4;
                  					E0041BDC5(0x47f2c8);
                  					E004251DD(__eflags, E0041AAC3);
                  				}
                  				__eflags =  *0x47f2c8; // 0x4e
                  				if(__eflags == 0) {
                  					_t71 = E00411811(); // executed
                  					E0041BF12(0x47f2c8, _t71);
                  					_t73 =  *0x47f2c8; // 0x4e
                  					_t75 = E0041BFE3(0x47f2c8, _t73 - 1);
                  					__eflags = _t75 - 0x5c;
                  					if(_t75 == 0x5c) {
                  						_t76 =  *0x47f2c8; // 0x4e
                  						__eflags = _t76 - 1;
                  						E0041C3A9(0x47f2c8, _t76 - 1, 1);
                  					}
                  				}
                  				_t42 = GetFileAttributesA(E0041CD1E(0x47f2c8)); // executed
                  				__eflags = _t42 - 0xffffffff;
                  				if(_t42 == 0xffffffff) {
                  					lstrcpyA(_v8, E0041CD1E(0x47f2c8));
                  				} else {
                  					GetShortPathNameA(E0041CD1E(0x47f2c8), _v8, 0x104); // executed
                  				}
                  				_t45 = E0041CD1E(0x47e1b8);
                  				_t136 = _a4;
                  				E0041CBF9(_a4, __eflags, "<UserName>", _t45, 0, 0, 1);
                  				E0041CBF9(_a4, __eflags, "<UserCompany>", E0041CD1E(0x47e1c4), 0, 0, 1);
                  				E0041CBF9(_a4, __eflags, "<UserSerial>", E0041CD1E(0x47e1d0), 0, 0, 1);
                  				E0041CBF9(_t136, __eflags, "<ShortInstallDir>", _v12, 0, 0, 1);
                  				E0041CBF9(_t136, __eflags, "<ShortShortcutDir>", _v8, 0, 0, 1);
                  				E0041CBF9(_t136, __eflags, "<InstallDir>", E0041CD1E( &_v24), 0, 0, 1);
                  				E0041CBF9(_t136, __eflags, "<ShortcutDir>", E0041CD1E(0x47f2c8), 0, 0, 1);
                  				_push(1);
                  				_push(0);
                  				_push("<UninstallerName>");
                  				_t57 = E0041C6D0(_t136);
                  				__eflags = _t57 - 0xffffffff;
                  				if(_t57 != 0xffffffff) {
                  					__eflags = 0;
                  					_t117 = 0x40;
                  					_v284 = 0;
                  					memset( &_v283, 0, _t117 << 2);
                  					asm("stosw");
                  					asm("stosb");
                  					_push( &_v284);
                  					E00422A86();
                  					E0041CBF9(_a4, __eflags, "<UninstallerName>", E0041CD1E(0x47e5ec), 0, 0, 1);
                  					_t136 = _a4;
                  				}
                  				E0041CBF9(_t136, __eflags, "<ResourceDir>", E0041CD1E(0x47e628), 0, 0, 1);
                  				E00424DCE(_v12);
                  				E00424DCE(_v8);
                  				return E0041BEFB( &_v24);
                  			}

                  APIs
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • GetShortPathNameA.KERNEL32 ref: 0041A8E4
                  • GetFileAttributesA.KERNELBASE(00000000,?,0047E5F8,-00000001,00000000,00000000), ref: 0041A955
                  • GetShortPathNameA.KERNEL32 ref: 0041A96C
                  • lstrcpyA.KERNEL32(00000000,00000000,0047E5F8,-00000001,00000000,00000000), ref: 0041A97F
                    • Part of subcall function 0041CBF9: lstrlenA.KERNEL32(00000000,00000001,0042DB90,74786980,0042DB90,?,0041C63B,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041CC0B
                    • Part of subcall function 0041CBF9: lstrlenA.KERNEL32(00000001,?,0041C63B,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041CC12
                    • Part of subcall function 0041C6D0: lstrlenA.KERNEL32(0047E788,00000000,0042C1D8,00000001,00000000,0000005C,00000000,00000000,0047E490,0047E788,00000000), ref: 0041C6DE
                    • Part of subcall function 00422A86: lstrcpyA.KERNEL32(00000000,00000000,0047E5EC,7FFFFFFF,0047E5EC,0047E5EC,?,<UninstallerName>,0041AA6C,?,<UninstallerName>,00000000,00000001,<ShortcutDir>,00000000,00000000), ref: 00422ABE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Globallstrlen$NamePathShortlstrcpy$AllocAttributesFileLockUnlock
                  • String ID: $G$$G$(G$8G$<InstallDir>$<ResourceDir>$<ShortInstallDir>$<ShortShortcutDir>$<ShortcutDir>$<UninstallerName>$<UserCompany>$<UserName>$<UserSerial>$G
                  • API String ID: 1113622837-4177031203
                  • Opcode ID: 3d1607b8f73a2c2afd69416ffdef5a6a823f980733f46d813cb227c95a6c8cda
                  • Instruction ID: 874ebafecc23487caac4c4c48189ade3aae39415cb4fe47aee413111b46b1fdd
                  • Opcode Fuzzy Hash: 3d1607b8f73a2c2afd69416ffdef5a6a823f980733f46d813cb227c95a6c8cda
                  • Instruction Fuzzy Hash: 7561E3B0B401187ADB1477A6ACC6EFE261EDB84748F60006FF105A62D2CF6D4DC6866E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E0040DC10(char _a4, char _a5, char _a6, signed int _a7, char _a8) {
                  				CHAR* _v8;
                  				int _v12;
                  				signed int _v16;
                  				CHAR* _v20;
                  				signed int _v24;
                  				char _v36;
                  				CHAR* _t60;
                  				CHAR* _t61;
                  				char _t63;
                  				struct _SECURITY_ATTRIBUTES* _t68;
                  				int _t75;
                  				struct _SECURITY_ATTRIBUTES* _t77;
                  				signed int _t78;
                  				int _t79;
                  				long _t80;
                  				signed int _t102;
                  				struct _SECURITY_ATTRIBUTES* _t125;
                  				signed int _t127;
                  				CHAR* _t129;
                  				CHAR* _t130;
                  				CHAR* _t131;
                  				void* _t132;
                  
                  				_t129 = _a4;
                  				if(_t129 == 0 ||  *_t129 == 0) {
                  					__eflags = 0;
                  					return 0;
                  				} else {
                  					_t60 = E00424DD9(0x104);
                  					_v8 = _t60;
                  					if(_t60 == 0) {
                  						E0041D881(E0041CD1E(0x47e924));
                  					}
                  					_t61 = E00424DD9(0x104);
                  					_v20 = _t61;
                  					if(_t61 == 0) {
                  						E0041D881(E0041CD1E(0x47e924));
                  					}
                  					GetCurrentDirectoryA(0x104, _v20);
                  					_t5 =  &(_t129[1]); // 0x0
                  					_t63 =  *_t5;
                  					if(_t63 != 0x3a || _t129[2] != 0x5c) {
                  						__eflags =  *_t129 - 0x5c;
                  						if( *_t129 != 0x5c) {
                  							goto L35;
                  						}
                  						__eflags = _t63 - 0x5c;
                  						if(_t63 != 0x5c) {
                  							goto L35;
                  						}
                  						_t13 =  &(_t129[2]); // 0x47e882
                  						_t68 = E004248B0(_t13, 0x5c);
                  						__eflags = _t68;
                  						if(_t68 == 0) {
                  							goto L35;
                  						}
                  						_t125 = E004248B0( &(_t68->nLength), 0x5c);
                  						__eflags = _t125;
                  						if(_t125 == 0) {
                  							goto L37;
                  						}
                  						__eflags = _t125->nLength;
                  						_t15 =  &(_t125->nLength); // 0x1
                  						_a4 = _t15;
                  						if(_t125->nLength == 0) {
                  							goto L37;
                  						}
                  						_t125->nLength = _t125->nLength & 0x00000000;
                  						__eflags = _t125->nLength;
                  						SetCurrentDirectoryA(_t129);
                  						_t130 = _a4;
                  						 *_t125 = 0x5c;
                  						goto L15;
                  					} else {
                  						_a7 = _a7 & 0x00000000;
                  						_a4 =  *_t129;
                  						_a5 = 0x3a;
                  						_a6 = 0x5c;
                  						SetCurrentDirectoryA( &_a4); // executed
                  						_t130 =  &(_t129[3]);
                  						L15:
                  						GetCurrentDirectoryA(0x104, _v8);
                  						_a7 = _a7 & 0x00000000;
                  						if( *(lstrlenA(_t130) + _t130 - 1) == 0x5c) {
                  							 *(lstrlenA(_t130) + _t130 - 1) =  *(_t92 + _t130 - 1) & 0x00000000;
                  							_a7 = 1;
                  						}
                  						_v24 = _v24 & 0x00000000;
                  						_t75 = lstrlenA(_t130);
                  						_v16 = _v16 & 0x00000000;
                  						_v12 = _t75;
                  						while(1) {
                  							_t127 = _v24;
                  							while(_t127 < _v12) {
                  								if( *(_t127 + _t130) == 0x5c) {
                  									__eflags = _t127 - _v12;
                  									break;
                  								}
                  								_t127 = _t127 + 1;
                  							}
                  							if(__eflags > 0) {
                  								SetCurrentDirectoryA(_v20); // executed
                  								L37:
                  								_t102 = 1;
                  								L38:
                  								E00424DCE(_v8);
                  								E00424DCE(_v20);
                  								return _t102;
                  							}
                  							 *(_t127 + _t130) =  *(_t127 + _t130) & 0x00000000;
                  							_t131 =  &(_t130[_v16]);
                  							_t77 = SetCurrentDirectoryA(_t131); // executed
                  							__eflags = _t77;
                  							if(_t77 != 0) {
                  								L27:
                  								_t130 = _t131 - _v16;
                  								__eflags = _t127 - _v12;
                  								_t78 = _t127 + 1;
                  								_v16 = _t78;
                  								if(__eflags != 0) {
                  									L29:
                  									 *(_t127 + _t130) = 0x5c;
                  									L30:
                  									_v24 = _t78;
                  									continue;
                  								}
                  								__eflags = _a7;
                  								if(__eflags == 0) {
                  									goto L30;
                  								}
                  								goto L29;
                  							}
                  							_t79 = CreateDirectoryA(_t131, _t77); // executed
                  							__eflags = _t79;
                  							if(_t79 == 0) {
                  								__eflags = _a8;
                  								if(_a8 == 0) {
                  									_t80 = GetLastError();
                  									E0041BDC5( &_v36);
                  									_push(_t131);
                  									E0041C467( &_v36, "Couldn\'t create directory \'%s\'.");
                  									__eflags = _t80 - 5;
                  									if(_t80 == 5) {
                  										E0041C047( &_v36, " Error: Access denied; You may not have required privileges for installing this software. Please have your system administrator (or other user with higher privileges) install this software.", 0);
                  									}
                  									E0041B2A8( *0x47e178, E0041CD1E( &_v36), 0);
                  									E0041BEFB( &_v36);
                  								}
                  								L35:
                  								_t102 = 0;
                  								goto L38;
                  							}
                  							SetCurrentDirectoryA(_t131); // executed
                  							E00424500(_v8, 0, 0x104);
                  							_t132 = _t132 + 0xc;
                  							GetCurrentDirectoryA(0x104, _v8);
                  							_push(0x47e7ac);
                  							_push(_v8);
                  							E00421CE6(__eflags);
                  							goto L27;
                  						}
                  					}
                  				}
                  			}

                  APIs
                  • GetCurrentDirectoryA.KERNEL32(00000104,00000001,00000000,00000004,0047DFB8,00000010,00000004,00000010,00000004,00000001,0047F208,0047E880,00000000), ref: 0040DC73
                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 0040DC9B
                  • SetCurrentDirectoryA.KERNEL32(0047E880,?,?,?,?,?,?,?,?,004237A4,00000000,00000000,0047F208,00000001), ref: 0040DCF5
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                    • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                    • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                    • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                    • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                  • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,?,?,?,?,?,?,004237A4,00000000,00000000,0047F208,00000001), ref: 0040DD05
                  • lstrlenA.KERNEL32(?), ref: 0040DD16
                  • lstrlenA.KERNEL32(?), ref: 0040DD20
                  • lstrlenA.KERNEL32(?), ref: 0040DD30
                  • SetCurrentDirectoryA.KERNELBASE(00000000), ref: 0040DD5B
                  • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040DD67
                  • SetCurrentDirectoryA.KERNELBASE(00000000), ref: 0040DD72
                  • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 0040DD8A
                  • GetLastError.KERNEL32 ref: 0040DDC8
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 0040DE28
                  Strings
                  • Couldn't create directory '%s'., xrefs: 0040DDDC
                  • :, xrefs: 0040DC93
                  • Error: Access denied; You may not have required privileges for installing this software. Please have your system administrator (or other user with higher privileges) install this software., xrefs: 0040DDF1
                  • \, xrefs: 0040DC97
                  • $G, xrefs: 0040DC3E
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Directory$Current$lstrlen$Global$AllocLockUnlock$CreateErrorLast
                  • String ID: Error: Access denied; You may not have required privileges for installing this software. Please have your system administrator (or other user with higher privileges) install this software.$$G$:$Couldn't create directory '%s'.$\
                  • API String ID: 2319152935-3132934772
                  • Opcode ID: 10b8187df1e9e5800246315329471cc5e23cdffff360e27cd40447e0cf0cdf6d
                  • Instruction ID: 94c75964f666fcdce0230e0e48fa668c59af869d0efc3a1ff44bd737de7ccc2d
                  • Opcode Fuzzy Hash: 10b8187df1e9e5800246315329471cc5e23cdffff360e27cd40447e0cf0cdf6d
                  • Instruction Fuzzy Hash: 91614571D04615AEEF11ABA0DC05BEE3BA9AF54308F14406FE400762C2DB7C9A46CB9D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004114E1(CHAR* _a4, void* _a8) {
                  				struct HWND__* _v8;
                  				struct HWND__* _v12;
                  				char _v24;
                  				struct _PROCESS_INFORMATION _v40;
                  				struct tagMSG _v68;
                  				struct _STARTUPINFOA _v136;
                  				intOrPtr _t37;
                  				intOrPtr _t38;
                  				struct HWND__* _t39;
                  				struct HWND__* _t40;
                  				void* _t42;
                  				int _t56;
                  				long _t62;
                  				int _t66;
                  				int _t68;
                  				struct HWND__* _t74;
                  				struct HWND__* _t75;
                  				long _t76;
                  				int _t85;
                  
                  				_t37 =  *0x47e110; // 0x0
                  				if(_t37 == 0) {
                  					L2:
                  					_t38 =  *0x47df60;
                  					if(_t38 == 0) {
                  						L4:
                  						_t39 =  *0x47e178; // 0x0
                  						_v8 = _t39;
                  					} else {
                  						_t74 =  *((intOrPtr*)(_t38 + 4));
                  						_v8 = _t74;
                  						if(_t74 == 0) {
                  							goto L4;
                  						}
                  					}
                  				} else {
                  					_t75 =  *((intOrPtr*)(_t37 + 4));
                  					_v8 = _t75;
                  					if(_t75 == 0) {
                  						goto L2;
                  					}
                  				}
                  				_t40 = CreateDialogParamA( *0x47e17c, 0x12, _v8, E00405811, 0); // executed
                  				_v12 = _t40;
                  				E0041BDC5( &_v24);
                  				_t42 = E0041D46F("<__Internal_WaitExternal__>");
                  				_t94 = _t42;
                  				if(_t42 == 0) {
                  					E0041BF80( &_v24, 0x47f044);
                  				} else {
                  					E0041BF12( &_v24, _t42);
                  				}
                  				_t85 = 1;
                  				E0041CBF9( &_v24, _t94, "<\\n>", "\n", 0, 0, _t85);
                  				SetDlgItemTextA(_v12, 0x422, E0041CD1E( &_v24)); // executed
                  				SetWindowTextA(_v12, E0041CD1E(0x47e850)); // executed
                  				EnableWindow(_v8, 0);
                  				E00424500( &_v40, 0, 0x10);
                  				_t76 = 0x44;
                  				E00424500( &_v136, 0, _t76);
                  				_v136.cb = _t76;
                  				_v136.dwFlags = _t85;
                  				_v136.wShowWindow = _t85;
                  				_t56 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, _a8,  &_v136,  &_v40); // executed
                  				if(_t56 != 0) {
                  					_a8 = _v40.hProcess;
                  					while(1) {
                  						L10:
                  						_t62 = MsgWaitForMultipleObjects(_t85,  &_a8, 0, 0xffffffff, 0xff);
                  						if(_t62 == 0 || _t62 != _t85) {
                  							break;
                  						} else {
                  							goto L12;
                  						}
                  						while(1) {
                  							L12:
                  							_t66 = PeekMessageA( &_v68, 0, 0, 0, 0); // executed
                  							if(_t66 == 0) {
                  								goto L10;
                  							}
                  							_t68 = GetMessageA( &_v68, 0, 0, 0); // executed
                  							if(_t68 == 0) {
                  								goto L10;
                  							} else {
                  								TranslateMessage( &_v68);
                  								DispatchMessageA( &_v68); // executed
                  								continue;
                  							}
                  							goto L16;
                  						}
                  					}
                  					CloseHandle(_v40);
                  					CloseHandle(_v40.hThread);
                  				}
                  				L16:
                  				EnableWindow(_v8, _t85);
                  				DestroyWindow(_v12); // executed
                  				return E0041BEFB( &_v24);
                  			}























                  APIs
                  • CreateDialogParamA.USER32(00000012,?,00405811,00000000,00000000), ref: 0041152E
                  • SetDlgItemTextA.USER32 ref: 0041158E
                  • SetWindowTextA.USER32(0047F208,00000000), ref: 004115A2
                  • EnableWindow.USER32(?,00000000), ref: 004115AC
                  • CreateProcessA.KERNELBASE(00000000,0047F208,00000000,00000000,00000000,04000000,00000000,00000000,?,?), ref: 004115FA
                  • MsgWaitForMultipleObjects.USER32 ref: 0041161D
                  • PeekMessageA.USER32 ref: 00411633
                  • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00411640
                  • TranslateMessage.USER32(?), ref: 0041164E
                  • DispatchMessageA.USER32 ref: 00411658
                  • CloseHandle.KERNEL32(?), ref: 00411669
                  • CloseHandle.KERNEL32(?), ref: 0041166E
                  • EnableWindow.USER32(?,00000001), ref: 00411674
                  • KiUserCallbackDispatcher.NTDLL(0047F208), ref: 0041167D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: MessageWindow$CallbackCloseCreateDispatcherEnableHandleTextUser$DialogDispatchItemMultipleObjectsParamPeekProcessTranslateWait
                  • String ID: <\n>$<__Internal_WaitExternal__>$PG
                  • API String ID: 2455090494-3350838819
                  • Opcode ID: bfa884291023257a9f65d2972e37a492a43a226f22e9939f5beada10b3afc87a
                  • Instruction ID: 5e3da6e3fdd6bb9da70dcbe3b675b77a8ea80bc7bd688896f831291038cbc6ec
                  • Opcode Fuzzy Hash: bfa884291023257a9f65d2972e37a492a43a226f22e9939f5beada10b3afc87a
                  • Instruction Fuzzy Hash: D2517E71A01119BBCB20DB91DC49DEF7F78EF08754F50406AF605E2161DB399E81CBA8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 92%
                  			E00411DF7(intOrPtr __ecx, void* __eflags) {
                  				signed int _v5;
                  				char _v20;
                  				intOrPtr _v24;
                  				char _v28;
                  				char _v40;
                  				char _v44;
                  				struct _SECURITY_ATTRIBUTES* _v48;
                  				char _v60;
                  				signed int _v64;
                  				intOrPtr _v68;
                  				char _v80;
                  				char _v92;
                  				char _v96;
                  				intOrPtr _v100;
                  				intOrPtr _v104;
                  				intOrPtr _v108;
                  				signed int _v112;
                  				intOrPtr _v116;
                  				signed int _v148;
                  				signed char _v151;
                  				signed int _v152;
                  				signed int _v156;
                  				signed int _v160;
                  				char _v172;
                  				char _v180;
                  				void* __edi;
                  				void* __ebp;
                  				intOrPtr _t178;
                  				void* _t185;
                  				intOrPtr _t188;
                  				intOrPtr _t189;
                  				intOrPtr _t190;
                  				char _t199;
                  				void* _t211;
                  				signed int _t215;
                  				void* _t226;
                  				signed int _t227;
                  				signed int _t230;
                  				signed int _t232;
                  				void* _t243;
                  				signed int _t247;
                  				void* _t248;
                  				signed int _t250;
                  				intOrPtr _t251;
                  				signed int _t264;
                  				void* _t270;
                  				signed char _t273;
                  				signed int _t280;
                  				signed int _t284;
                  				CHAR* _t297;
                  				void* _t301;
                  				signed int _t302;
                  				signed int _t305;
                  				void* _t311;
                  				intOrPtr _t313;
                  				signed int _t314;
                  				void* _t317;
                  				intOrPtr _t318;
                  				signed int _t319;
                  				void* _t320;
                  				signed int _t328;
                  				intOrPtr _t407;
                  				signed int _t409;
                  				long _t410;
                  				char _t412;
                  				struct _SECURITY_ATTRIBUTES* _t414;
                  				long _t415;
                  				void* _t416;
                  				void* _t417;
                  				void* _t429;
                  				void* _t430;
                  
                  				_v24 = __ecx;
                  				 *0x47f28a = 1;
                  				_v68 = E0041C8FD(0x47e2f0, 0xbc);
                  				_t178 = E0041C8FD(0x47e2f0, 0xc0);
                  				_v5 = _v5 & 0x00000000;
                  				_t412 = 0;
                  				 *0x47f200 = _t178;
                  				_v28 = 0;
                  				if(_v68 <= 0) {
                  					L82:
                  					 *0x47f28a =  *0x47f28a & 0x00000000;
                  					__eflags =  *0x47f28a;
                  					return 1;
                  				}
                  				L1:
                  				while(1) {
                  					if(_v5 == 0 && _v28 > _t412) {
                  						_t188 =  *0x42bf9c; // 0x1
                  						_t409 =  *0x47e290; // 0x1
                  						_t189 = _t188 + _t409 - 1;
                  						 *0x42bf9c = _t189;
                  						if(_t189 > _t188) {
                  							_v64 = _v64 | 0xffffffff;
                  							 *0x42bf9c = _t189 - 1;
                  							E00413A88(_v24,  &_v64);
                  							CloseHandle(_v64);
                  						}
                  						_t190 =  *0x47f28c; // 0x22d1d10
                  						_t328 =  *0x47e290; // 0x1
                  						 *0x47f200 =  *((intOrPtr*)(_t190 + _t328 * 4 - 4));
                  					}
                  					_v5 = _v5 & 0x00000000;
                  					 *0x47e6f8 = _t412;
                  					 *0x47f204 = _t412;
                  					E0041BDC5( &_v20);
                  					_t185 = E0041199C(_t410,  &_v160,  &_v20,  &_v180,  &_v96); // executed
                  					_t424 = _t185;
                  					if(_t185 < 0) {
                  						L77:
                  						E0041BEFB( &_v20);
                  						_v28 = _v28 + 1;
                  						if(_v28 >= _v68) {
                  							goto L82;
                  						}
                  						_t412 = 0;
                  						continue;
                  					}
                  					 *0x47f200 =  *0x47f200 + _v116 + 0x40 + _v112 * 4 + _v96;
                  					_t199 =  *0x47f200; // 0x168e995
                  					_v44 = _t199;
                  					E0041DCD0(_t424,  &_v20);
                  					if( *0x47f27c != 0) {
                  						_t317 = 0x47dfb8;
                  						L19:
                  						E0041BDC5( &_v40);
                  						__eflags = _v152 & 0x00000002;
                  						if(__eflags == 0) {
                  							L22:
                  							__eflags = E00412BA7(_v100);
                  							if(__eflags != 0) {
                  								E004164B1(_t317, __eflags,  &_v20);
                  								E0041A81A(__eflags,  &_v20); // executed
                  								E0041B3B9(_t317,  &_v20, 0x7fffffff);
                  								_t410 = 1;
                  								E0041CBF9( &_v20, __eflags, "\\\\", "\\", 2, _t412, _t410);
                  								_t211 = E0041C7DB( &_v20, "\\", 0, _t410);
                  								_t414 = 0;
                  								E0041BE99( &_v60, E0041CC95( &_v20, 0, _t211));
                  								__eflags = _v60 - 3;
                  								if(_v60 <= 3) {
                  									L26:
                  									_t215 = E0040DF52(E0041CD1E( &_v60));
                  									__eflags = _t215;
                  									if(_t215 == 0) {
                  										L81:
                  										E0041BE35( &_v80, "Failure while trying to install file ");
                  										E0041C0C5( &_v80, __eflags,  &_v20);
                  										E0041B2A8(_t414, E0041CD1E( &_v80), _t414);
                  										E0041BEFB( &_v80);
                  										L79:
                  										E0041BEFB( &_v60);
                  										L80:
                  										E0041BEFB( &_v40);
                  										E0041BEFB( &_v20);
                  										return 0;
                  									}
                  									_t226 = E0041CD1E( &_v60);
                  									_t318 = _v24;
                  									_t227 = E00414E57(_t226); // executed
                  									__eflags = _t227;
                  									if(_t227 == 0) {
                  										goto L79;
                  									}
                  									__eflags =  *0x47e610 - _t414; // 0x0
                  									if(__eflags != 0) {
                  										_t301 = E00424DD9(0xc);
                  										__eflags = _t301 - _t414;
                  										if(_t301 == _t414) {
                  											_t302 = 0;
                  											__eflags = 0;
                  										} else {
                  											_t302 = E0041BE99(_t301,  &_v20);
                  										}
                  										E0041E87A(0x47e634, _t302, 0xffffffff);
                  									}
                  									__eflags =  *0x47f27c;
                  									if( *0x47f27c == 0) {
                  										E0041BE99( &_v80, 0x47ede0);
                  										E0041BFF8( &_v80, 0x20);
                  										E0041C0C5( &_v80, __eflags,  &_v20);
                  										_t297 = E0041CD1E( &_v80);
                  										SetWindowTextA(GetDlgItem( *(_t318 + 8), 0x14), _t297);
                  										E0041BEFB( &_v80);
                  									}
                  									__eflags = _v148 & 0x00000002;
                  									if((_v148 & 0x00000002) != 0) {
                  										__eflags = _v152 >> 0x00000005 & 0x00000001;
                  										E00414081(E0041CD1E( &_v20), _v152 >> 0x00000005 & 0x00000001);
                  									}
                  									_t319 = 0;
                  									_v48 = _t414;
                  									E0041BDC5( &_v92);
                  									_t230 = E0040DF52(E0041CD1E( &_v20));
                  									__eflags = _t230;
                  									if(_t230 == 0) {
                  										L45:
                  										__eflags = _v152 & 0x00000080;
                  										if((_v152 & 0x00000080) != 0) {
                  											L47:
                  											__eflags = _v148 & 0x00000002;
                  											if((_v148 & 0x00000002) == 0) {
                  												__eflags = _v152 & 0x00000040;
                  												if((_v152 & 0x00000040) == 0) {
                  													_t270 = E0041CD1E( &_v20);
                  													_push(0x47e794);
                  													_push(_t270);
                  													E00421CE6(__eflags);
                  												}
                  											}
                  											L50:
                  											__eflags =  *0x47e18c & 0x00000006;
                  											if(( *0x47e18c & 0x00000006) == 0) {
                  												L60:
                  												__eflags = _v108 - _t414;
                  												_v5 = 1;
                  												if(_v108 != _t414) {
                  													_t232 = _v152 & _t410;
                  													__eflags = _t232;
                  													if(_t232 != 0) {
                  														L66:
                  														__eflags = _t232 - _t414;
                  														if(_t232 == _t414) {
                  															__eflags = _v152 & 0x00000002;
                  															if((_v152 & 0x00000002) != 0) {
                  																_t243 = E0041CD1E( &_v20);
                  																E00413C46(_v24, _t409, __eflags, E0041CD1E( &_v40), _t243);
                  															}
                  															L71:
                  															E0041455E(E0041CD1E( &_v20),  &_v160);
                  															__eflags = _v48 - 2;
                  															if(_v48 == 2) {
                  																MoveFileExA(E0041CD1E( &_v92), _t414, 4);
                  															}
                  															__eflags = _v152 & 0x00000020;
                  															if((_v152 & 0x00000020) != 0) {
                  																E004101AA( &_v20, _v104);
                  															}
                  															goto L75;
                  														}
                  														_t247 = E00410722(_t409, E0041CD1E( &_v20), _v44, _v108, _t410); // executed
                  														__eflags = _t247;
                  														if(_t247 != 0) {
                  															goto L71;
                  														}
                  														L68:
                  														_v5 = _v5 & 0x00000000;
                  														goto L75;
                  													}
                  													__eflags = _v152 & 0x00000002;
                  													if((_v152 & 0x00000002) != 0) {
                  														goto L66;
                  													}
                  													_t248 = E0041CD1E( &_v20);
                  													_t250 = E00401AC0(E0041CD1E(0x47e6c8), _t248, _v44, _v108); // executed
                  													_t417 = _t417 + 0x10;
                  													__eflags = _t250;
                  													if(_t250 != 0) {
                  														goto L68;
                  													}
                  													_t251 =  *0x47e6f8; // 0x12000
                  													E00414F7F(_t409, _t416, _t251 -  *0x47f204);
                  													goto L71;
                  												}
                  												CloseHandle(CreateFileA(E0041CD1E( &_v20), 0xc0000000, _t410, _t414, 2, 0x80, _t414));
                  												goto L71;
                  											}
                  											E0041BDC5( &_v172);
                  											E0041BF80( &_v172, E0041CC95( &_v20, _v20 + 0xfffffffd, 3));
                  											E0041CD68( &_v172);
                  											__eflags = E0041C1FA( &_v172, __eflags, "JPG", _t410);
                  											if(__eflags == 0) {
                  												L55:
                  												_t264 = E0041C1FA( &_v172, __eflags, "MP3", _t410);
                  												__eflags = _t264;
                  												if(_t264 == 0) {
                  													L59:
                  													E0041BEFB( &_v172);
                  													goto L60;
                  												}
                  												__eflags =  *0x47e18c & 0x00000002;
                  												if(__eflags == 0) {
                  													goto L59;
                  												}
                  												_t320 = 0x47e5b0;
                  												_push( &_v20);
                  												L58:
                  												E0041C0C5(_t320, __eflags);
                  												E0041C047(_t320, "\r\n", _t414);
                  												goto L59;
                  											}
                  											__eflags =  *0x47e18c & 0x00000004;
                  											if(__eflags == 0) {
                  												goto L55;
                  											}
                  											__eflags = _v151 & 0x00000001;
                  											if(__eflags != 0) {
                  												goto L59;
                  											}
                  											_t320 = 0x47e5bc;
                  											_push( &_v20);
                  											goto L58;
                  										}
                  										__eflags = _t319;
                  										if(_t319 != 0) {
                  											goto L50;
                  										}
                  										goto L47;
                  									} else {
                  										_t273 = GetFileAttributesA(E0041CD1E( &_v20));
                  										_t415 = _t273;
                  										SetFileAttributesA(E0041CD1E( &_v20), _t273 & 0x000000fe);
                  										_t319 = 1;
                  										_t280 = E00410AA5(_v24,  &_v160, E0041CD1E( &_v20),  &_v180);
                  										__eflags = _t280;
                  										if(_t280 != 0) {
                  											_t284 = E00414A3D(_v24,  &_v20,  &_v48,  &_v92);
                  											__eflags = _t284;
                  											if(_t284 != 0) {
                  												__eflags = _v48 - _t410;
                  												if(_v48 == _t410) {
                  													_v148 = _v148 & 0xfffffffd;
                  													_t319 = 0;
                  													_t97 =  &_v152;
                  													 *_t97 = _v152 & 0xffffff9f;
                  													__eflags =  *_t97;
                  												}
                  												_t414 = 0;
                  												__eflags = 0;
                  												goto L45;
                  											}
                  											L41:
                  											E00414F7F(_t409, _t416, _v108);
                  											L75:
                  											E0041BEFB( &_v92);
                  											E0041BEFB( &_v60);
                  											L76:
                  											E0041BEFB( &_v40);
                  											goto L77;
                  										}
                  										SetFileAttributesA(E0041CD1E( &_v20), _t415);
                  										goto L41;
                  									}
                  								}
                  								_t305 = E0040DC10(E0041CD1E( &_v60), 0); // executed
                  								__eflags = _t305;
                  								if(_t305 == 0) {
                  									goto L81;
                  								}
                  								goto L26;
                  							}
                  							E00414F7F(_t409, _t416, _v108);
                  							goto L76;
                  						}
                  						_t311 = E00411692(_v24, __eflags,  &_v160,  &_v40,  &_v44,  &_v5);
                  						__eflags = _t311 - _t412;
                  						if(_t311 == _t412) {
                  							goto L76;
                  						}
                  						__eflags = _t311 - 0xffffffff;
                  						if(_t311 == 0xffffffff) {
                  							goto L80;
                  						}
                  						goto L22;
                  					}
                  					_t317 = 0x47dfb8;
                  					_push(9);
                  					if(E00419E38() != 0) {
                  						L10:
                  						_t313 =  *0x47e65c; // 0x2
                  						if(_t313 != 4) {
                  							__eflags = _t313 - 2;
                  							if(_t313 != 2) {
                  								__eflags = _v156 & 0x00000001;
                  							} else {
                  								__eflags = _v156 & 0x00000003;
                  							}
                  							L16:
                  							if(_t430 != 0) {
                  								goto L19;
                  							}
                  							goto L77;
                  						}
                  						_t314 = _v160;
                  						_t429 = _t314 -  *0x47e608; // 0x0
                  						if(_t429 >= 0) {
                  							goto L77;
                  						} else {
                  							_t407 =  *0x47e604; // 0x0
                  							_t430 =  *((intOrPtr*)((_t314 << 4) + _t407)) - _t412;
                  							goto L16;
                  						}
                  					}
                  					_push(0xa);
                  					if(E00419E38() == 0) {
                  						goto L19;
                  					}
                  					goto L10;
                  				}
                  			}

                  APIs
                  • CloseHandle.KERNEL32(000000FF,000000FF,?,0047E880,?,?,000000C0,000000BC,00000003,0047E880,00000000), ref: 00411E82
                  • GetDlgItem.USER32 ref: 004120E6
                  • SetWindowTextA.USER32(00000000), ref: 004120ED
                    • Part of subcall function 00414F7F: __aulldiv.LIBCMT ref: 00414FC3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: CloseHandleItemTextWindow__aulldiv
                  • String ID: $4G$Failure while trying to install file $JPG$MP3
                  • API String ID: 1785463942-3341779268
                  • Opcode ID: 3b4ae853b393d679cbaaa81c17081ebe1d8d2a2acb8db90a06e8683954f712a6
                  • Instruction ID: 52c0b1d7d2d423da66c69b76bec9c1fcdb7d517e52c1b212b45019fb69bb26cf
                  • Opcode Fuzzy Hash: 3b4ae853b393d679cbaaa81c17081ebe1d8d2a2acb8db90a06e8683954f712a6
                  • Instruction Fuzzy Hash: 9D02D1319002199ACF14EBA1DD96FEE7778AF14308F1005AFE916E3192DB7C59CACB58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E00410722(void* __edx, void* _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
                  				void* _v8;
                  				struct _OVERLAPPED* _v12;
                  				long _v16;
                  				long _v20;
                  				long _v24;
                  				void* __ebp;
                  				void* _t47;
                  				long _t48;
                  				void* _t49;
                  				void* _t50;
                  				long _t51;
                  				int _t57;
                  				intOrPtr _t79;
                  				void* _t89;
                  				void* _t90;
                  
                  				_t84 = __edx;
                  				if(_a12 == 0 || _a8 == 0) {
                  					L5:
                  					return 0;
                  				} else {
                  					_t47 = CreateFileA(E0041CD1E(0x47e6c8), 0x80000000, 1, 0, 3, 0x80, 0); // executed
                  					_v8 = _t47;
                  					if(_t47 == 0xffffffff) {
                  						goto L5;
                  					}
                  					_v24 = 0;
                  					_t48 = SetFilePointer(_t47, _a8,  &_v24, 0); // executed
                  					if(_t48 != 0xffffffff) {
                  						_t49 = CreateFileA(_a4, 0xc0000000, 1, 0, 2, 0x80, 0); // executed
                  						_a4 = _t49;
                  						if(_t49 == 0xffffffff) {
                  							goto L5;
                  						}
                  						_t50 = E00424DD9(0x8000);
                  						_pop(_t78);
                  						_a8 = _t50;
                  						if(_t50 == 0) {
                  							CloseHandle(_v8);
                  							CloseHandle(_a4);
                  							E0041D881(E0041CD1E(0x47e924));
                  							_pop(_t78);
                  						}
                  						_v12 = 0;
                  						L11:
                  						while(1) {
                  							if(_a16 == 0) {
                  								_t79 = _v12;
                  								_t51 = 0x8000;
                  								_t84 = _t79 + 0x8000;
                  								if(_t79 + 0x8000 > _a12) {
                  									_t51 = _a12 - _t79;
                  								}
                  								_t78 =  &_v20;
                  								if(ReadFile(_v8, _a8, _t51,  &_v20, 0) == 0) {
                  									L21:
                  									E00424DCE(_a8);
                  									CloseHandle(_v8);
                  									CloseHandle(_a4);
                  									goto L5;
                  								} else {
                  									L16:
                  									_t57 = WriteFile(_a4, _a8, _v20,  &_v16, 0); // executed
                  									if(_t57 == 0) {
                  										goto L21;
                  									}
                  									_t58 = _v16;
                  									_v12 = _v12 + _v16;
                  									if(_a16 != 0) {
                  										E00414F7F(_t84, _t89, _t58);
                  										_pop(_t78);
                  									}
                  									if(_v12 >= _a12) {
                  										E00424DCE(_a8);
                  										FindCloseChangeNotification(_v8); // executed
                  										CloseHandle(_a4);
                  										return 0 | _v16 == _v20;
                  									}
                  									continue;
                  								}
                  							}
                  							E004111C2(_t78,  &_v8, _a8, 0x8000,  &_v20); // executed
                  							_t90 = _t90 + 0x10;
                  							goto L16;
                  						}
                  					}
                  					CloseHandle(_v8);
                  					goto L5;
                  				}
                  			}

                  APIs
                  • CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,0047E2F0,00000000,0047E880,0000005C,0047E1B8,00000001,?,00000000), ref: 00410759
                  • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00000000), ref: 0041076F
                  • CloseHandle.KERNEL32(00000000,?,00000000), ref: 0041077D
                  • CreateFileA.KERNELBASE(?,C0000000,00000001,00000000,00000002,00000080,00000000,?,00000000), ref: 0041079B
                  • CloseHandle.KERNEL32(00000000,?,00000000), ref: 004107C1
                  • CloseHandle.KERNEL32(?,?,00000000), ref: 004107C6
                  • ReadFile.KERNEL32(00000000,00000000,00008000,?,00000000,?,00000000), ref: 00410818
                  • WriteFile.KERNELBASE(?,00000000,?,?,00000000,?,00000000), ref: 00410830
                  • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00410862
                  • CloseHandle.KERNEL32(?,?,00000000), ref: 00410867
                  • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000), ref: 0041087A
                  • CloseHandle.KERNEL32(?,?,00000000), ref: 0041087F
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Close$Handle$File$Global$Create$AllocChangeFindLockNotificationPointerReadUnlockWrite
                  • String ID: $G
                  • API String ID: 1992528912-195990108
                  • Opcode ID: b061d70fe9dfc114de7976bbab08d14934786dbddc87a350937ab6b52a7a071e
                  • Instruction ID: dfb52f28007ce37c350004ecbd65c2d7c86bc8646004f923ca0ac160def92735
                  • Opcode Fuzzy Hash: b061d70fe9dfc114de7976bbab08d14934786dbddc87a350937ab6b52a7a071e
                  • Instruction Fuzzy Hash: 20419D7190010CBFDF20AFA5DC84AEE7B79EF04354F20816AF424A61A1CB759E91DB68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041CAC5(long* __ecx, void* _a4, long _a8, long _a12) {
                  				long _v8;
                  				long _v12;
                  				long _v16;
                  				void* _t30;
                  				long _t31;
                  				long _t34;
                  				void* _t37;
                  				void* _t52;
                  				long _t56;
                  				long _t57;
                  				long* _t63;
                  
                  				_t63 = __ecx; // executed
                  				_t30 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                  				_a4 = _t30;
                  				if(_t30 != 0xffffffff) {
                  					_v8 = 0;
                  					_t31 = SetFilePointer(_t30, 0,  &_v8, 2); // executed
                  					_v16 = _t31;
                  					_v8 = 0;
                  					SetFilePointer(_a4, _a8,  &_v8, 0); // executed
                  					_t56 = _v16;
                  					if(_a8 > _t56) {
                  						_a8 = _t56;
                  					}
                  					_t57 = _t56 - _a8;
                  					_t34 = _a12;
                  					 *_t63 = _t34;
                  					if(_t57 < _t34 || _t34 <= 0) {
                  						 *_t63 = _t57;
                  					}
                  					_t15 =  &(_t63[1]); // 0x2210214
                  					GlobalUnlock( *_t15);
                  					_t16 =  &(_t63[1]); // 0x2210214
                  					GlobalFree( *_t16);
                  					_t37 = GlobalAlloc(0x42,  *_t63);
                  					_t63[1] = _t37;
                  					_t63[2] = GlobalLock(_t37);
                  					if( *_t63 != 0) {
                  						if(_t63[1] == 0) {
                  							CloseHandle(_a4);
                  							E0041D881(E0041CD1E(0x47e924));
                  						}
                  						_v12 = 0;
                  						_t24 =  &(_t63[2]); // 0x6e3ec0
                  						ReadFile(_a4,  *_t24,  *_t63,  &_v12, 0); // executed
                  						FindCloseChangeNotification(_a4); // executed
                  						return ((0 | _v12 ==  *_t63) - 0x00000001 & 0x000000fe) + 1;
                  					} else {
                  						CloseHandle(_a4);
                  						return 0;
                  					}
                  				}
                  				_t52 = 0xfffffffd;
                  				return _t52;
                  			}

                  APIs
                  • CreateFileA.KERNELBASE(0047DFB8,80000000,00000001,00000000,00000003,00000080,00000000,747DFBD0,0047E2F0,00000000,?,0047DFB8), ref: 0041CAE5
                  • SetFilePointer.KERNELBASE(00000000,00000000,?,00000002,?,0047DFB8), ref: 0041CB0C
                  • SetFilePointer.KERNELBASE(0047DFB8,?,?,00000000,?,0047DFB8), ref: 0041CB1F
                  • GlobalUnlock.KERNEL32(02210214,?,0047DFB8), ref: 0041CB41
                  • GlobalFree.KERNEL32 ref: 0041CB4A
                  • GlobalAlloc.KERNEL32(00000042,0047E2F0,?,0047DFB8), ref: 0041CB54
                  • GlobalLock.KERNEL32 ref: 0041CB5E
                  • CloseHandle.KERNEL32(0047DFB8,?,0047DFB8), ref: 0041CB6E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$File$Pointer$AllocCloseCreateFreeHandleLockUnlock
                  • String ID: $G
                  • API String ID: 45956072-195990108
                  • Opcode ID: 3656ab980352cb8f8a756b1a1b3a56ded7d35eb993e2abca08c7b1c0df809143
                  • Instruction ID: bab992acd45dbe21d36b9c17f1ecb0a5c71e46b83cab52e5c457c18eb4518899
                  • Opcode Fuzzy Hash: 3656ab980352cb8f8a756b1a1b3a56ded7d35eb993e2abca08c7b1c0df809143
                  • Instruction Fuzzy Hash: 63318DB1501209FFDF20AFA0DC8599EBBB9EF04350B20896EF555D6160CB34A981DF24
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004229A8(CHAR* _a4) {
                  				void* _v8;
                  				int _v12;
                  				char _v272;
                  				long _t24;
                  				CHAR* _t40;
                  				intOrPtr _t43;
                  
                  				_t43 =  *0x47e58c; // 0x1b
                  				if(_t43 <= 0) {
                  					L6:
                  					_t40 = _a4;
                  					E00424500(_t40, 0, 0x104);
                  					GetWindowsDirectoryA(_t40, 0x104);
                  					if( *((char*)(lstrlenA(_t40) + _t40 - 1)) != 0x5c) {
                  						_t40[lstrlenA(_t40)] = 0x5c;
                  					}
                  					lstrcatA(_t40, E0041CD1E(0x47e35c));
                  					lstrcatA(_t40, " Uninstaller.exe");
                  				} else {
                  					_t24 = RegOpenKeyExA( *0x47e588, E0041CD1E(0x47e58c), 0, 0x20019,  &_v8); // executed
                  					if(_t24 != 0) {
                  						goto L6;
                  					} else {
                  						_v12 = 0x104;
                  						if(RegQueryValueExA(_v8, "Uninstaller", 0, 0,  &_v272,  &_v12) != 0 || E0040DF52( &_v272) == 0) {
                  							RegCloseKey(_v8);
                  							goto L6;
                  						} else {
                  							lstrcpyA(_a4,  &_v272);
                  						}
                  					}
                  				}
                  				return 1;
                  			}

                  APIs
                  • RegOpenKeyExA.KERNELBASE(00000000,00020019,00000000,0047DFB8,0047E788), ref: 004229DD
                  • RegQueryValueExA.ADVAPI32(00000000,Uninstaller,00000000,00000000,?,0047E788), ref: 004229FF
                  • lstrcpyA.KERNEL32(0047E788,?), ref: 00422A24
                  • RegCloseKey.ADVAPI32(00000000), ref: 00422A2F
                  • GetWindowsDirectoryA.KERNEL32(0047E788,00000104,?,0047DFB8,0047E788), ref: 00422A45
                  • lstrlenA.KERNEL32(0047E788,?,0047DFB8,0047E788), ref: 00422A52
                  • lstrlenA.KERNEL32(0047E788,?,0047DFB8,0047E788), ref: 00422A5C
                  • lstrcatA.KERNEL32(0047E788,00000000,?,0047DFB8,0047E788), ref: 00422A74
                  • lstrcatA.KERNEL32(0047E788, Uninstaller.exe,?,0047DFB8,0047E788), ref: 00422A7C
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$lstrcatlstrlen$AllocCloseDirectoryLockOpenQueryUnlockValueWindowslstrcpy
                  • String ID: Uninstaller.exe$Uninstaller$\G
                  • API String ID: 3305667709-651829472
                  • Opcode ID: c1f1c48b22dd7b66c719fa597b738276a2fc1b2b4f1d39e557a6f66aa562f100
                  • Instruction ID: 1bc53d22d2b43fdaff41b8ce2ad180c68364dd8d2d8a418ed7790eca1a8cb3a6
                  • Opcode Fuzzy Hash: c1f1c48b22dd7b66c719fa597b738276a2fc1b2b4f1d39e557a6f66aa562f100
                  • Instruction Fuzzy Hash: 5C21A435601528BBDB21AB61ED04EDF7F6CEF55304B8141BAF504A2121DBB85A428FAC
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00421D4B(int _a4, int _a8) {
                  				void* _v8;
                  				int _v12;
                  				char* _v16;
                  				char _v20;
                  				int _v24;
                  				int _v36;
                  				int _v48;
                  				char _v60;
                  				char _v72;
                  				char _v84;
                  				void* __ebx;
                  				long _t70;
                  				long _t73;
                  				char* _t75;
                  				int _t90;
                  				int _t91;
                  				int _t104;
                  				int _t114;
                  				char* _t124;
                  				signed int _t154;
                  
                  				if(_a4 == 0) {
                  					L30:
                  					return _t70;
                  				}
                  				_t70 = RegOpenKeyExA(0x80000002, "SYSTEM\\CurrentControlSet\\Control\\Session Manager", 0, 0x2001f,  &_v8); // executed
                  				if(_t70 != 0) {
                  					goto L30;
                  				}
                  				_t124 = "PendingFileRenameOperations";
                  				_t73 = RegQueryValueExA(_v8, _t124, 0, 0, 0,  &_v12); // executed
                  				if(_t73 != 0 || _v12 == 0) {
                  					L8:
                  					return RegCloseKey(_v8);
                  				} else {
                  					_t75 = E00424DD9(_v12);
                  					_v16 = _t75;
                  					if(_t75 == 0) {
                  						E0041D881(E0041CD1E(0x47e924));
                  					}
                  					if(RegQueryValueExA(_v8, _t124, 0, 0, _v16,  &_v12) != 0 || E0041DD95(_t124, _v16, _v12,  &_v20,  &_v24) == 0) {
                  						goto L8;
                  					} else {
                  						E0041BDC5( &_v36);
                  						E0041BE35( &_v72, "\\??\\");
                  						E0041BE35( &_v60, "\\??\\");
                  						E0041C047( &_v72, _a4, 0);
                  						__eflags = _a8;
                  						if(_a8 != 0) {
                  							E0041C047( &_v60, _a8, 0);
                  						}
                  						_t154 = 0;
                  						__eflags = _v24;
                  						_a4 = 0;
                  						if(_v24 <= 0) {
                  							L18:
                  							E00424DCE(_v20);
                  							__eflags = _a4;
                  							if(_a4 != 0) {
                  								_t90 = _v36;
                  								__eflags = _t90;
                  								if(_t90 != 0) {
                  									_t91 = _t90 + 1;
                  									__eflags = _t91;
                  									RegSetValueExA(_v8, _t124, 0, 7, E0041CD1E( &_v36), _t91);
                  								} else {
                  									RegDeleteValueA(_v8, _t124);
                  								}
                  							}
                  							RegCloseKey(_v8);
                  							E0041BEFB( &_v60);
                  							E0041BEFB( &_v72);
                  							return E0041BEFB( &_v36);
                  						} else {
                  							do {
                  								E0041BE35( &_v84,  *((intOrPtr*)(_v20 + _t154 * 4)) + _v16);
                  								_t34 = _t154 * 4; // 0x4be5600
                  								E0041BE35( &_v48,  *((intOrPtr*)(_v20 + _t34 + 4)) + _v16);
                  								_t104 = E0041C176( &_v84, __eflags,  &_v72, 0);
                  								__eflags = _t104;
                  								if(_t104 != 0) {
                  									L14:
                  									__eflags = _v48;
                  									if(__eflags != 0) {
                  										if(__eflags <= 0) {
                  											L25:
                  											E0041C0C5( &_v36, __eflags,  &_v84);
                  											E0041BFF8( &_v36, 0);
                  											__eflags = _v48;
                  											if(__eflags > 0) {
                  												E0041C0C5( &_v36, __eflags,  &_v48);
                  											}
                  											E0041BFF8( &_v36, 0);
                  											goto L17;
                  										}
                  										__eflags = _a8;
                  										if(__eflags == 0) {
                  											goto L25;
                  										}
                  										_t114 = E0041C176( &_v48, __eflags,  &_v60, 0);
                  										__eflags = _t114;
                  										if(_t114 != 0) {
                  											L16:
                  											_t43 =  &_a4;
                  											 *_t43 = _a4 + 1;
                  											__eflags =  *_t43;
                  											goto L17;
                  										}
                  										__eflags = E0041C1FA( &_v48, __eflags, E0041CD1E( &_v60) + 4, 0);
                  										if(__eflags != 0) {
                  											goto L16;
                  										}
                  										goto L25;
                  									}
                  									__eflags = _a8;
                  									if(__eflags != 0) {
                  										goto L25;
                  									}
                  									goto L16;
                  								}
                  								__eflags = E0041C1FA( &_v84, __eflags, E0041CD1E( &_v72) + 4, 0);
                  								if(__eflags == 0) {
                  									goto L25;
                  								}
                  								goto L14;
                  								L17:
                  								E0041BEFB( &_v48);
                  								E0041BEFB( &_v84);
                  								_t154 = _t154 + 2;
                  								__eflags = _t154 - _v24;
                  							} while (_t154 < _v24);
                  							goto L18;
                  						}
                  					}
                  				}
                  			}
























                  APIs
                  • RegOpenKeyExA.KERNELBASE(80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000000,0002001F,00000000,00000000,747DFC30,00000000), ref: 00421D73
                  • RegQueryValueExA.KERNELBASE(00000000,PendingFileRenameOperations,00000000,00000000,00000000,00000000), ref: 00421D97
                  • RegQueryValueExA.ADVAPI32(00000000,PendingFileRenameOperations,00000000,00000000,00422FC8,00000000), ref: 00421DD0
                  • RegCloseKey.ADVAPI32(00000000), ref: 00421DF3
                  • RegDeleteValueA.ADVAPI32(00000000,PendingFileRenameOperations,00000000,00000000,\??\,\??\), ref: 00421ED4
                  • RegSetValueExA.ADVAPI32(00000000,PendingFileRenameOperations,00000000,00000007,00000000,?,00000000,00000000,\??\,\??\), ref: 00421F53
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • RegCloseKey.ADVAPI32(00000000,00000000,00000000,\??\,\??\), ref: 00421F5C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Value$Global$CloseQuery$AllocDeleteLockOpenUnlock
                  • String ID: $G$PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\??\
                  • API String ID: 2436353709-4009966565
                  • Opcode ID: 68a34fbecb34493b647c86804f01456a104d3ce6cf1cee37737e5b6993b5fb37
                  • Instruction ID: e53f80f437188961418d61aab9e43297795e155952d25771359bb87d0b56d4ed
                  • Opcode Fuzzy Hash: 68a34fbecb34493b647c86804f01456a104d3ce6cf1cee37737e5b6993b5fb37
                  • Instruction Fuzzy Hash: 2B614172D00129EBCF15EBA1ED85DEEB738FF24344B51402BF515B2161DB386A45CBA8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 97%
                  			E00422E9C(intOrPtr __ecx, intOrPtr _a4) {
                  				intOrPtr _v8;
                  				long _v12;
                  				void _v16;
                  				long _v28;
                  				char _v288;
                  				signed int _t30;
                  				void* _t40;
                  				long _t41;
                  				long _t64;
                  				void* _t81;
                  				intOrPtr _t83;
                  
                  				_t83 = __ecx;
                  				_v8 = __ecx;
                  				if(( *0x47e192 & 0x00000002) == 0 || ( *0x47e18c & 0x00000040) != 0) {
                  					_push( &_v288);
                  					E00422A86();
                  					_t30 = E0040DF52( &_v288);
                  					__eflags = _t30;
                  					if(_t30 == 0) {
                  						__eflags =  *0x47e18c & 0x00000040;
                  						if(__eflags == 0) {
                  							E0041BDC5( &_v28);
                  							E004221B8(_t83, __eflags,  &_v28); // executed
                  							_t64 = 0;
                  							CopyFileA(E0041CD1E(_t83),  &_v288, 0); // executed
                  							DeleteFileA(E0041CD1E(_t83)); // executed
                  							_t40 = CreateFileA( &_v288, 0xc0000000, 1, 0, 3, 0x80, 0); // executed
                  							_t81 = _t40;
                  							_t41 = GetFileSize(_t81, 0);
                  							__eflags = _t81 - 0xffffffff;
                  							_v16 = _t41;
                  							if(_t81 == 0xffffffff) {
                  								L10:
                  								CloseHandle(_t81);
                  								DeleteFileA( &_v288);
                  								E0041B2A8(_a4, E0041CD1E(0x47ef30), _t64);
                  								L11:
                  								E0041BEFB( &_v28);
                  								return _t64;
                  							}
                  							__eflags = _t41;
                  							if(_t41 == 0) {
                  								goto L10;
                  							}
                  							SetFilePointer(_t81, 0, 0, 2); // executed
                  							WriteFile(_t81, E0041CD1E( &_v28), _v28,  &_v12, 0); // executed
                  							WriteFile(_t81,  &_v16, 4,  &_v12, 0); // executed
                  							CloseHandle(_t81);
                  							_t77 = _v8;
                  							 *((char*)(_v8 + 0x90)) = 1;
                  							E00421F81(_t77,  &_v288); // executed
                  							_t64 = 1;
                  							goto L11;
                  						}
                  						L6:
                  						return E00423006(_t83, __eflags);
                  					}
                  					E00421F81(_t83,  &_v288);
                  					goto L6;
                  				} else {
                  					return 1;
                  				}
                  			}















                  APIs
                  • CopyFileA.KERNEL32(00000000,?,00000000), ref: 00422F2F
                  • DeleteFileA.KERNELBASE(00000000), ref: 00422F43
                  • CreateFileA.KERNELBASE(?,C0000000,00000001,00000000,00000003,00000080,00000000), ref: 00422F5C
                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00422F66
                  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002), ref: 00422F7D
                  • WriteFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 00422F9B
                  • WriteFile.KERNELBASE(00000000,?,00000004,?,00000000), ref: 00422FA9
                  • CloseHandle.KERNEL32(00000000), ref: 00422FAC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: File$Write$CloseCopyCreateDeleteHandlePointerSize
                  • String ID: 0G
                  • API String ID: 2532723989-2664342302
                  • Opcode ID: ca4144e62418bdba7195bb517f03a4dcb76d34b809e772969f8e9d80428c3b2b
                  • Instruction ID: b98738f73ffab4765dc9a84c4427e3d4cbec2d01dd80aca18e9737d41bc0417b
                  • Opcode Fuzzy Hash: ca4144e62418bdba7195bb517f03a4dcb76d34b809e772969f8e9d80428c3b2b
                  • Instruction Fuzzy Hash: 1041A771A0011C7ADB24A7A1AD86FEE7B7CDF05348F80416BF60593181CB784E46DBB9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041DBFF(void* __ecx, CHAR* _a4, CHAR* _a8) {
                  				long _v8;
                  				char _v24;
                  				long _t18;
                  				CHAR* _t19;
                  				signed char* _t36;
                  				CHAR* _t43;
                  				void* _t46;
                  				void* _t47;
                  				void* _t48;
                  
                  				E00424500(_a4, 0, 0x104);
                  				_t43 = E00424DD9(0x104);
                  				_t47 = _t46 + 0x10;
                  				if(_t43 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				E00424500(_t43, 0, 0x104);
                  				_t48 = _t47 + 0xc;
                  				_t18 = GetTempPathA(0x104, _t43); // executed
                  				if(_t18 != 0) {
                  					_t19 =  &(_t43[_t18]);
                  					if( *((char*)(_t19 - 1)) != 0x5c) {
                  						 *_t19 = 0x5c;
                  						_t19[1] = _t19[1] & 0x00000000;
                  					}
                  				} else {
                  					lstrcatA(_t43, "C:\\");
                  				}
                  				_v8 = GetTickCount();
                  				_t36 = lstrlenA(_t43) + 1 + _t43;
                  				do {
                  					 *_t36 =  *_t36 & 0x00000000;
                  					_v8 = _v8 + 1;
                  					E004278BF(_v8,  &_v24, 0xa);
                  					_t48 = _t48 + 0xc;
                  					lstrcatA(_t43, "aiw");
                  					lstrcatA(_t43,  &_v24);
                  					lstrcatA(_t43, _a8);
                  				} while (E0040DF52(_t43) != 0);
                  				lstrcatA(_a4, _t43);
                  				E00424DCE(_t43);
                  				return _a4;
                  			}













                  APIs
                  • GetTempPathA.KERNELBASE(00000104,00000000,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001,?,00000000), ref: 0041DC46
                  • lstrcatA.KERNEL32(00000000,C:\,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001,?,00000000), ref: 0041DC5C
                  • GetTickCount.KERNEL32 ref: 0041DC6F
                  • lstrlenA.KERNEL32(00000000,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001,?,00000000), ref: 0041DC79
                  • lstrcatA.KERNEL32(00000000,aiw,?,?,?,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001), ref: 0041DCA1
                  • lstrcatA.KERNEL32(00000000,0000005C,?,?,?,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001), ref: 0041DCA8
                  • lstrcatA.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001), ref: 0041DCAE
                  • lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001), ref: 0041DCBF
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: lstrcat$Global$AllocCountLockPathTempTickUnlocklstrlen
                  • String ID: $G$C:\$aiw
                  • API String ID: 3489367307-134002492
                  • Opcode ID: 4e07409cfee2efb9507d2a4139d42ef7d9eff0a91c427968297d4f32c2d88f12
                  • Instruction ID: 21fd020d6b833b70e9635ac0daadd9853640b5548da898f286ea95a036024011
                  • Opcode Fuzzy Hash: 4e07409cfee2efb9507d2a4139d42ef7d9eff0a91c427968297d4f32c2d88f12
                  • Instruction Fuzzy Hash: 8921F872E00224BBD7117761AC49FEF3F68DF81754F50006AF50466151EAB85942D6A9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E0041FD0E(void* __edx, intOrPtr _a4) {
                  				unsigned int _v8;
                  				char _v12;
                  				void _v523;
                  				char _v524;
                  				void _v1035;
                  				char _v1036;
                  				void* _t56;
                  				void* _t64;
                  				void* _t72;
                  				unsigned int _t74;
                  				void* _t79;
                  				unsigned int _t80;
                  				void* _t83;
                  				void* _t85;
                  				void* _t87;
                  				signed int _t90;
                  				void* _t102;
                  				void* _t107;
                  				intOrPtr _t108;
                  				void* _t111;
                  				void* _t113;
                  
                  				_t102 = __edx;
                  				_v1036 = _v1036 & 0x00000000;
                  				_t90 = 0x7f;
                  				_v524 = _v524 & 0x00000000;
                  				memset( &_v1035, 0, _t90 << 2);
                  				asm("stosw");
                  				asm("stosb");
                  				_push(0x7f);
                  				memset( &_v523, 0, 0 << 2);
                  				_t113 = _t111 + 0x18;
                  				_t108 = _a4;
                  				asm("stosw");
                  				asm("stosb");
                  				_a4 = _t108;
                  				if(GetSystemDirectoryA( &_v1036, 0x104) != 0) {
                  					lstrcpyA( &_v524,  &_v1036);
                  					lstrcatA( &_v524, "\\d3d8.dll");
                  					_t56 = E0041F9CC(0,  &_v524,  &_v12); // executed
                  					_t95 = _t87;
                  					_t107 = 4;
                  					if(_t56 < 0) {
                  						L9:
                  						lstrcpyA( &_v524,  &_v1036);
                  						lstrcatA( &_v524, "\\dpnet.dll");
                  						_t64 = E0041F9CC(_t95,  &_v524,  &_v12); // executed
                  						_pop(_t97);
                  						if(_t64 < 0) {
                  							L16:
                  							lstrcpyA( &_v524,  &_v1036);
                  							lstrcatA( &_v524, "\\d3d9.dll");
                  							_t72 = E0041F9CC(_t97,  &_v524,  &_v12); // executed
                  							if(_t72 >= 0) {
                  								_a4 = 9;
                  							}
                  							return _a4;
                  						}
                  						_t74 = _v8;
                  						_t97 = _t74 >> 0x10;
                  						if(_t74 >> 0x10 != _t107) {
                  							L13:
                  							if(_t74 >> 0x10 == 5 && E0041FA8A(_v12, _v8, E0041FA6B(5, 2, 0xe5d, 0x86), _t102) >= 0) {
                  								L15:
                  								_a4 = 0x20008;
                  							}
                  							goto L16;
                  						}
                  						_t79 = E0041FA8A(_v12, _v8, E0041FA6B(_t107, 9, 0, 0x86), _t102);
                  						_t113 = _t113 + 0x20;
                  						if(_t79 >= 0) {
                  							goto L15;
                  						}
                  						_t74 = _v8;
                  						goto L13;
                  					}
                  					_t80 = _v8;
                  					_t95 = _t80 >> 0x10;
                  					if(_t80 >> 0x10 != _t107) {
                  						L6:
                  						if(_t80 >> 0x10 != 5) {
                  							goto L9;
                  						}
                  						_t83 = E0041FA8A(_v12, _v8, E0041FA6B(5, 1, 0xa28, 0x371), _t102);
                  						_t113 = _t113 + 0x20;
                  						if(_t83 < 0) {
                  							goto L9;
                  						}
                  						L8:
                  						_a4 = 0x10008;
                  						goto L9;
                  					}
                  					_t85 = E0041FA8A(_v12, _v8, E0041FA6B(_t107, 8, 1, 0x371), _t102);
                  					_t113 = _t113 + 0x20;
                  					if(_t85 >= 0) {
                  						goto L8;
                  					}
                  					_t80 = _v8;
                  					goto L6;
                  				}
                  				return _t108;
                  			}

                  APIs
                  • GetSystemDirectoryA.KERNEL32 ref: 0041FD59
                  • lstrcpyA.KERNEL32(00000000,00000000,74784EE0), ref: 0041FD7F
                  • lstrcatA.KERNEL32(00000000,\d3d8.dll), ref: 0041FD8D
                  • lstrcpyA.KERNEL32(00000000,00000000), ref: 0041FE21
                  • lstrcatA.KERNEL32(00000000,\dpnet.dll), ref: 0041FE2F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: lstrcatlstrcpy$DirectorySystem
                  • String ID: \d3d8.dll$\d3d9.dll$\dpnet.dll
                  • API String ID: 3373222834-1488632820
                  • Opcode ID: 1b981c1a0dbe33aa39520a2f075f097f621f4da949a6d66ba52bc3160ce5be0a
                  • Instruction ID: 732007284f3f90403335b0d5d4dcae0cc413df0729f14511fe8dea38f26fffe4
                  • Opcode Fuzzy Hash: 1b981c1a0dbe33aa39520a2f075f097f621f4da949a6d66ba52bc3160ce5be0a
                  • Instruction Fuzzy Hash: 6751C972900318BAEF21DA95CC45FDF777CEF04354F5004BAF644E61A1EA789ACA8B58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E00401AC0(CHAR* _a4, CHAR* _a8, long _a12, intOrPtr _a16) {
                  				void* _v8;
                  				long _v12;
                  				void* __ecx;
                  				void* _t12;
                  				void* _t13;
                  				intOrPtr _t18;
                  				void* _t19;
                  				void* _t22;
                  				void* _t28;
                  				void* _t34;
                  				void* _t39;
                  
                  				_push(_t28);
                  				_push(_t28);
                  				_t12 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                  				_v8 = _t12;
                  				if(_t12 != 0xffffffff) {
                  					_t13 = CreateFileA(_a8, 0xc0000000, 1, 0, 2, 0x80, 0); // executed
                  					_t34 = _t13;
                  					if(_t34 != 0xffffffff) {
                  						lstrcpyA("C:\\Users\\engineer\\Desktop\\fillProxy_for_terminal_20210702_v1.0.0.exe", _a4);
                  						lstrcpyA("C:\\ztg\\fillProxy\\spy++\\spyxxhk.dll", _a8);
                  						_t39 = _v8;
                  						_v12 = 0;
                  						SetFilePointer(_t39, _a12,  &_v12, 0); // executed
                  						_t18 = _a16;
                  						 *0x43aa58 = _t18;
                  						if(_t18 == 0) {
                  							 *0x43aa58 = 0x7fffffff;
                  						}
                  						_push(_t39);
                  						 *0x46ab78 = 0;
                  						 *0x42e1fc = _t39;
                  						 *0x436240 = _t34; // executed
                  						_t19 = E00401BA9(_t28); // executed
                  						if(_t19 >= 0) {
                  							 *0x43aa5c = 0; // executed
                  							_t19 = E00404CF3(_t39, _t34); // executed
                  						}
                  						FindCloseChangeNotification(_t39); // executed
                  						CloseHandle(_t34);
                  						_t22 = _t19;
                  					} else {
                  						CloseHandle(_v8);
                  						_t22 = 0xffff8002;
                  					}
                  				} else {
                  					_t22 = 0xffff8001;
                  				}
                  				return _t22;
                  			}

                  APIs
                  • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,0047E2F0,00000000,000000A8,?,?,0047E6C8,004190BF,00000000,00000000), ref: 00401AE4
                  • CreateFileA.KERNELBASE(00000001,C0000000,00000001,00000000,00000002,00000080,00000000,?,?,0047E6C8,004190BF,00000000,00000000,00000000,000000AC,00000000), ref: 00401B07
                  • CloseHandle.KERNEL32(00000000,?,?,0047E6C8,004190BF,00000000,00000000,00000000,000000AC,00000000,000000A8,000000A8,000000AC,00000000,000000A8,00000090), ref: 00401B13
                  Strings
                  • C:\ztg\fillProxy\spy++\spyxxhk.dll, xrefs: 00401B36
                  • C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe, xrefs: 00401B2C
                  Similarity
                  • API ID: CreateFile$CloseHandle
                  • String ID: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe$C:\ztg\fillProxy\spy++\spyxxhk.dll
                  • API String ID: 1443461169-1909998237
                  • Opcode ID: f2cfa1f3ccd08063f9a4c4fc870ed02d8b161ee20ec0011e9c264b7ae7db8ae6
                  • Instruction ID: 5bf05c727c74ca85f6202fa9bd64455a3e455176caad83a63985d6f1fde3d942
                  • Opcode Fuzzy Hash: f2cfa1f3ccd08063f9a4c4fc870ed02d8b161ee20ec0011e9c264b7ae7db8ae6
                  • Instruction Fuzzy Hash: 1921B071A01218BFDB105F69DC84E9E3B6CEB09364F60423BF910B32E0D7B46D419B69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 98%
                  			E004145F6(intOrPtr __ecx, intOrPtr _a4) {
                  				intOrPtr _v8;
                  				struct HWND__* _v12;
                  				void* _v16;
                  				char _v28;
                  				char _v40;
                  				char _v52;
                  				char _v64;
                  				char _v76;
                  				char _v104;
                  				char _v116;
                  				char _v128;
                  				void* _v132;
                  				void* _t94;
                  				intOrPtr _t107;
                  				intOrPtr _t110;
                  				intOrPtr _t113;
                  				intOrPtr _t114;
                  				void* _t121;
                  				void* _t123;
                  				intOrPtr _t126;
                  				void* _t131;
                  				char* _t135;
                  				char* _t136;
                  				char* _t137;
                  				void* _t144;
                  				int _t156;
                  				void* _t158;
                  				void* _t169;
                  				void* _t175;
                  				char* _t226;
                  				intOrPtr* _t258;
                  				void* _t260;
                  				intOrPtr _t261;
                  				void* _t281;
                  
                  				_t261 =  *0x47e4f0; // 0x4
                  				_v8 = __ecx;
                  				_v12 = 0;
                  				if(_t261 <= 0) {
                  					L56:
                  					_t94 = 1;
                  					return _t94;
                  				} else {
                  					do {
                  						_t258 = E0041E860(0x47e4e4, _v12);
                  						if( *((intOrPtr*)(_t258 + 0x28)) == _a4 && E00412BA7( *((intOrPtr*)(_t258 + 0x34))) != 0 &&  *((intOrPtr*)(_t258 + 0x2c)) != 0) {
                  							_t8 = _t258 + 4; // 0x4
                  							E0041BE99( &_v28, _t8);
                  							_t10 = _t258 + 0x10; // 0x10
                  							E0041BE99( &_v40, _t10);
                  							_t12 = _t258 + 0x1c; // 0x1c
                  							E0041BE99( &_v52, _t12);
                  							_t265 =  *_t258 - 9;
                  							if( *_t258 != 9) {
                  								E004164B1(0x47dfb8, _t265,  &_v28);
                  							}
                  							E004164B1(0x47dfb8, _t265,  &_v40);
                  							_t107 =  *_t258;
                  							if(_t107 != 7) {
                  								_t267 = _t107 - 8;
                  								if(_t107 != 8) {
                  									E004164B1(0x47dfb8, _t267,  &_v52);
                  								}
                  							}
                  							_t268 =  *_t258 - 9;
                  							if( *_t258 != 9) {
                  								E0041A81A(_t268,  &_v28); // executed
                  							}
                  							E0041A81A(_t268,  &_v40);
                  							_t110 =  *_t258;
                  							if(_t110 != 7) {
                  								_t270 = _t110 - 8;
                  								if(_t110 != 8) {
                  									E0041A81A(_t270,  &_v52);
                  								}
                  							}
                  							if( *_t258 != 9) {
                  								E0041B3B9(0x47dfb8,  &_v28, 0x7fffffff);
                  							}
                  							E0041B3B9(0x47dfb8,  &_v40, 0x7fffffff);
                  							_t113 =  *_t258;
                  							if(_t113 != 7 && _t113 != 8) {
                  								E0041B3B9(0x47dfb8,  &_v52, 0x7fffffff);
                  							}
                  							_t114 =  *_t258;
                  							if(_t114 == 4 || _t114 == 7) {
                  								E0041CBF9( &_v28, __eflags, "<\\t>", "\t", 0, 0, 1);
                  								E0041CBF9( &_v28, __eflags, "<\\r>", "\r", 0, 0, 1);
                  								E0041CBF9( &_v28, __eflags, "<\\n>", "\n", 0, 0, 1);
                  								E0041CBF9( &_v40, __eflags, "<\\t>", "\t", 0, 0, 1);
                  								E0041CBF9( &_v40, __eflags, "<\\r>", "\r", 0, 0, 1);
                  								E0041CBF9( &_v40, __eflags, "<\\n>", "\n", 0, 0, 1);
                  								__eflags =  *_t258 - 4;
                  								if( *_t258 != 4) {
                  									_t121 = E0041CD1E( &_v40);
                  									_t123 = E0041B2CC(0x47dfb8, 0, E0041CD1E( &_v28), _t121, 4);
                  									_t123 - 6 = (_t123 != 6) + 1;
                  									E0041D728(E0041CD1E( &_v52), (_t123 != 6) + 1);
                  								} else {
                  									_t131 = E0041CD1E( &_v40);
                  									E0041B2CC(0x47dfb8, 0, E0041CD1E( &_v28), _t131, 0);
                  								}
                  							} else {
                  								if(_t114 != 5) {
                  									__eflags = _t114 - 6;
                  									if(_t114 != 6) {
                  										__eflags = _t114 - 8;
                  										if(_t114 != 8) {
                  											__eflags = _t114 - 9;
                  											if(_t114 != 9) {
                  												__eflags = _t114;
                  												if(_t114 != 0) {
                  													 *(_v8 + 8) = 0;
                  												}
                  												E0041BE35( &_v76, "open");
                  												__eflags =  *_t258 - 3;
                  												if( *_t258 == 3) {
                  													E0041BF12( &_v76, "explore");
                  												}
                  												_t135 = E0041CD1E( &_v52);
                  												_t136 = E0041CD1E( &_v40);
                  												_t137 = E0041CD1E( &_v28);
                  												ShellExecuteA( *(_v8 + 8), E0041CD1E( &_v76), _t137, _t136, _t135, 1);
                  												_t226 =  &_v76;
                  												L36:
                  												E0041BEFB(_t226);
                  												L51:
                  												_t126 =  *((intOrPtr*)(_t258 + 0x2c));
                  												if(_t126 != 0xffffffff) {
                  													 *((intOrPtr*)(_t258 + 0x2c)) = _t126 - 1;
                  												}
                  												E0041BEFB( &_v52);
                  												E0041BEFB( &_v40);
                  												E0041BEFB( &_v28);
                  												goto L54;
                  											}
                  											_t144 = E0041CD1E( &_v40);
                  											E0041D0FD( &_v28, E0041CD1E( &_v28), _t144);
                  											goto L51;
                  										}
                  										E00417B15( &_v132);
                  										E0041BF80( &_v116,  &_v40);
                  										E0041BF80( &_v128,  &_v28);
                  										E0041BF80( &_v104,  &_v52);
                  										_t156 = DialogBoxParamA( *0x47e17c, 0x9a,  *(_v8 + 8), E0040585D,  &_v132);
                  										__eflags = _t156 - 1;
                  										if(_t156 == 1) {
                  											_t158 = E0041CD1E( &_v104);
                  											E0041D0FD( &_v52, E0041CD1E( &_v52), _t158);
                  										}
                  										E00414A20( &_v132);
                  										goto L51;
                  									}
                  									__eflags = _v52;
                  									_v16 = 0;
                  									if(_v52 != 0) {
                  										L31:
                  										_v16 = E0041CD1E( &_v52);
                  										L32:
                  										E0041BDC5( &_v64);
                  										_push(E0041CD1E( &_v40));
                  										_push(E0041CD1E( &_v28));
                  										E0041C467( &_v64, "\"%s\" %s");
                  										_t260 = _t260 + 0x10;
                  										while(1) {
                  											_t169 = E0041BFE3( &_v64, _v64 - 1);
                  											__eflags = _t169 - 0x20;
                  											if(_t169 != 0x20) {
                  												break;
                  											}
                  											E0041C3A9( &_v64, _v64 - 1, 1);
                  										}
                  										E004114E1(E0041CD1E( &_v64), _v16); // executed
                  										_t226 =  &_v64;
                  										goto L36;
                  									}
                  									_t175 = E0041C7DB( &_v28, "\\", 0, 1);
                  									__eflags = _t175 - 0xffffffff;
                  									if(_t175 == 0xffffffff) {
                  										goto L32;
                  									}
                  									E0041BF80( &_v52, E0041CC95( &_v28, 0, _t175));
                  									goto L31;
                  								}
                  								if(( *(_t258 + 0x30) & 0x00000001) != 0 && _a4 != 0xd) {
                  									 *((intOrPtr*)(_t258 + 0x2c)) = 0;
                  									E004145F6(_v8, 0xd);
                  								}
                  								E0041A1B5(1);
                  							}
                  							goto L51;
                  						}
                  						L54:
                  						_v12 = _v12 + 1;
                  						_t281 = _v12 -  *0x47e4f0; // 0x4
                  					} while (_t281 < 0);
                  					goto L56;
                  				}
                  			}

                  APIs
                    • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                    • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                  • DialogBoxParamA.USER32 ref: 00414856
                    • Part of subcall function 0041C7DB: lstrlenA.KERNEL32(0047DFB8,00000000,0047DE94,0042BC5C,0042BC5C,00000000,00000001,0047E6C8,?,0047DFB8), ref: 0041C7E9
                    • Part of subcall function 0041BF80: GlobalUnlock.KERNEL32(?,00000000,00000000,004079C1,00000000), ref: 0041BF87
                    • Part of subcall function 0041BF80: GlobalReAlloc.KERNEL32 ref: 0041BF9B
                    • Part of subcall function 0041BF80: GlobalLock.KERNEL32 ref: 0041BFBC
                  • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,00000000,00000001), ref: 004148FB
                    • Part of subcall function 0041CBF9: lstrlenA.KERNEL32(00000000,00000001,0042DB90,74786980,0042DB90,?,0041C63B,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041CC0B
                    • Part of subcall function 0041CBF9: lstrlenA.KERNEL32(00000001,?,0041C63B,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041CC12
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                    • Part of subcall function 0041B2CC: MessageBoxA.USER32 ref: 0041B36B
                  Strings
                  Similarity
                  • API ID: Global$AllocLocklstrlen$Unlock$DialogExecuteMessageParamShell
                  • String ID: "%s" %s$<\n>$<\r>$<\t>$explore$open$G
                  • API String ID: 1452395284-1601309190
                  • Opcode ID: b32ea6b8dc2e2386d5696beb7c0628860914b136f3fc6d3117ff7bfb37aeea9b
                  • Instruction ID: 1105ea7d2091e7ab335364e9980375d120ac9637aeae49fae9bfff40a707f2e4
                  • Opcode Fuzzy Hash: b32ea6b8dc2e2386d5696beb7c0628860914b136f3fc6d3117ff7bfb37aeea9b
                  • Instruction Fuzzy Hash: 46C15270A40209AACB24EBA1DCD6DEEB7B8EF55748F60052FF112A2191DB385DC5CB58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E00421F81(void* __ecx, CHAR* _a4) {
                  				char _v8;
                  				char _v20;
                  				char _v32;
                  				char _v44;
                  				int _t28;
                  				CHAR* _t31;
                  				CHAR* _t41;
                  				CHAR* _t48;
                  				void* _t58;
                  				CHAR* _t61;
                  				CHAR* _t62;
                  				CHAR* _t86;
                  				intOrPtr _t95;
                  
                  				_t95 =  *0x47e19c; // 0x1
                  				if(_t95 == 0) {
                  					_t86 = E00424DD9(0x104);
                  					__eflags = _t86;
                  					if(_t86 == 0) {
                  						E0041D881(E0041CD1E(0x47e924));
                  					}
                  					E00424500(_t86, 0, 0x104);
                  					GetWindowsDirectoryA(_t86, 0x104);
                  					_t28 = lstrlenA(_t86);
                  					__eflags =  *((char*)(_t28 + _t86 - 1)) - 0x5c;
                  					if( *((char*)(_t28 + _t86 - 1)) != 0x5c) {
                  						_t86[lstrlenA(_t86)] = 0x5c;
                  					}
                  					lstrcatA(_t86, "wininit.ini");
                  					E0041BDC5( &_v20);
                  					_t31 = E0041CAC5( &_v20, _t86, 0, 0);
                  					__eflags = _t31;
                  					if(_t31 <= 0) {
                  						L15:
                  						E00424DCE(_t86);
                  						return E0041BEFB( &_v20);
                  					} else {
                  						E0041BE35( &_v32, "NUL=");
                  						_t61 = E00424DD9(0x104);
                  						__eflags = _t61;
                  						if(_t61 == 0) {
                  							E0041D881(E0041CD1E(0x47e924));
                  						}
                  						E00424500(_t61, 0, 0x104);
                  						GetShortPathNameA(_a4, _t61, 0x104);
                  						E0041C047( &_v32, _t61, 0);
                  						E00424DCE(_t61);
                  						_v8 = 0;
                  						_t62 = 0;
                  						__eflags = 0;
                  						E0041BDC5( &_v44);
                  						_push(_v8);
                  						while(1) {
                  							_t41 = E0041C9D2( &_v20);
                  							__eflags = _t41;
                  							if(_t41 == 0) {
                  								break;
                  							}
                  							_t48 = E0041C176(E0041C92F( &_v20,  &_v8,  &_v44), __eflags,  &_v32, 0);
                  							__eflags = _t48;
                  							if(_t48 != 0) {
                  								__eflags = _v8 - _t62;
                  								E0041C3A9( &_v20, _t62, _v8 - _t62);
                  								E0041CE0E( &_v20, _t86);
                  								break;
                  							}
                  							_t62 = _v8;
                  							_push(_t62);
                  						}
                  						E0041BEFB( &_v44);
                  						E0041BEFB( &_v32);
                  						goto L15;
                  					}
                  				}
                  				_t58 = E00421D4B(_a4, 0); // executed
                  				return _t58;
                  			}

















                  APIs
                  • GetWindowsDirectoryA.KERNEL32(00000000,00000104,00000000,747DFC30,00000000,?,?,?,?,?,?,?,?,00422FC8,?), ref: 00421FD2
                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,00422FC8,?), ref: 00421FDF
                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,00422FC8,?), ref: 00421FE9
                  • lstrcatA.KERNEL32(00000000,wininit.ini,?,?,?,?,?,?,?,?,00422FC8,?), ref: 00421FF5
                  • GetShortPathNameA.KERNEL32 ref: 00422054
                    • Part of subcall function 00421D4B: RegOpenKeyExA.KERNELBASE(80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000000,0002001F,00000000,00000000,747DFC30,00000000), ref: 00421D73
                    • Part of subcall function 00421D4B: RegQueryValueExA.KERNELBASE(00000000,PendingFileRenameOperations,00000000,00000000,00000000,00000000), ref: 00421D97
                    • Part of subcall function 00421D4B: RegQueryValueExA.ADVAPI32(00000000,PendingFileRenameOperations,00000000,00000000,00422FC8,00000000), ref: 00421DD0
                    • Part of subcall function 00421D4B: RegCloseKey.ADVAPI32(00000000), ref: 00421DF3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: QueryValuelstrlen$CloseDirectoryNameOpenPathShortWindowslstrcat
                  • String ID: $G$$G$NUL=$wininit.ini
                  • API String ID: 1977061548-1344308195
                  • Opcode ID: c19b345b2d664a0fb17d6cee8ed464d375989861d1c9d259e1e147767dbda658
                  • Instruction ID: 77597a4c33dad6ede26680724295a841512df21fae1a842a703a7e267151be97
                  • Opcode Fuzzy Hash: c19b345b2d664a0fb17d6cee8ed464d375989861d1c9d259e1e147767dbda658
                  • Instruction Fuzzy Hash: 174192B2A00229AACB14BBB2EDC6DFF7B6CDF55358F50002FB20162092DE3C5945C668
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004158E2(intOrPtr __ecx) {
                  				void* _v8;
                  				char _v268;
                  				void* __esi;
                  				long _t19;
                  				long _t21;
                  				long _t27;
                  				CHAR* _t35;
                  				long _t41;
                  				intOrPtr _t49;
                  				void* _t66;
                  				intOrPtr _t70;
                  				long _t71;
                  
                  				_t70 =  *0x47e58c; // 0x1b
                  				_t49 = __ecx;
                  				if(_t70 != 0) {
                  					L2:
                  					_t72 =  *0x47e18c & 0x00000040;
                  					if(( *0x47e18c & 0x00000040) == 0) {
                  						_t19 = RegOpenKeyExA( *0x47e588, E0041CD1E(0x47e58c), 0, 0x20019,  &_v8); // executed
                  						__eflags = _t19;
                  						if(_t19 == 0) {
                  							__eflags =  *0x47e598; // 0x0
                  							if(__eflags != 0) {
                  								_t21 = RegQueryValueExA(_v8, E0041CD1E(0x47e598), 0, 0, 0, 0);
                  								RegCloseKey(_v8);
                  								__eflags = _t21;
                  								if(_t21 == 0) {
                  									L9:
                  									return E004155D2(_t49, 0, 0);
                  								}
                  								E004229A8( &_v268);
                  								_t27 = E0040DF52( &_v268);
                  								__eflags = _t27;
                  								if(_t27 == 0) {
                  									L15:
                  									return 1;
                  								}
                  								E0041BF12(0x47e688,  &_v268);
                  								E0041C047(0x47e688, ".bak", 0);
                  								CopyFileA( &_v268, E0041CD1E(0x47e688), 0);
                  								_t35 =  &_v268;
                  								L14:
                  								DeleteFileA(_t35);
                  								goto L15;
                  							}
                  							RegCloseKey(_v8);
                  							goto L9;
                  						}
                  						E004229A8( &_v268); // executed
                  						_t41 = E0040DF52( &_v268);
                  						__eflags = _t41;
                  						if(_t41 == 0) {
                  							goto L15;
                  						}
                  						E0041BF12(0x47e688,  &_v268);
                  						E0041C047(0x47e688, ".bak", 0);
                  						CopyFileA( &_v268, E0041CD1E(0x47e688), 0);
                  						_t35 =  &_v268;
                  						goto L14;
                  					}
                  					return E0041B61B(_t49, _t66, _t72);
                  				}
                  				_t71 =  *0x47e598; // 0x0
                  				if(_t71 == 0) {
                  					goto L15;
                  				}
                  				goto L2;
                  			}
















                  APIs
                  • RegOpenKeyExA.KERNELBASE(00000000,00000000,00020019,?,?,0047DFB8,00000000), ref: 00415936
                  • CopyFileA.KERNEL32(?,00000000,00000000), ref: 00415996
                  • RegCloseKey.ADVAPI32(?,?,0047DFB8,00000000), ref: 004159B2
                    • Part of subcall function 004229A8: RegOpenKeyExA.KERNELBASE(00000000,00020019,00000000,0047DFB8,0047E788), ref: 004229DD
                    • Part of subcall function 004229A8: RegQueryValueExA.ADVAPI32(00000000,Uninstaller,00000000,00000000,?,0047E788), ref: 004229FF
                    • Part of subcall function 004229A8: lstrcpyA.KERNEL32(0047E788,?), ref: 00422A24
                    • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0221020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                    • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                    • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                    • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                    • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                    • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                    • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,?,0047DFB8,00000000), ref: 004159D8
                  • RegCloseKey.ADVAPI32(?,?,0047DFB8,00000000), ref: 004159E3
                  • CopyFileA.KERNEL32(?,00000000,00000000), ref: 00415A3F
                  • DeleteFileA.KERNEL32(?,?,0047DFB8,00000000), ref: 00415A4C
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocFileLockUnlock$CloseCopyOpenQueryValue$Deletelstrcpylstrlen
                  • String ID: .bak
                  • API String ID: 1416132717-2357000809
                  • Opcode ID: 08ca60a45c3ec22fe705449950ea663ad066e449a9e26c8904edd6dda386771a
                  • Instruction ID: 1342aa0dab926122372a12ed8d5b88198d96f9849dab4552937482bddcd53820
                  • Opcode Fuzzy Hash: 08ca60a45c3ec22fe705449950ea663ad066e449a9e26c8904edd6dda386771a
                  • Instruction Fuzzy Hash: C431E270600218EBCB20A7A69C85DEF767D9FD4704F4001BFB44AA2141DF3C4EC29A6D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 87%
                  			E00414E57(intOrPtr _a4) {
                  				char _v16;
                  				char _v28;
                  				char _v40;
                  				void* _t35;
                  				long _t71;
                  				void* _t73;
                  
                  				_t71 = GetTickCount();
                  				E0041BE35( &_v28, _a4);
                  				if(E0041BFE3( &_v28, _v28 - 1) != 0x5c) {
                  					E0041BFF8( &_v28, 0x5c);
                  				}
                  				E0041BDC5( &_v16);
                  				do {
                  					E0041BF12( &_v16, 0x42e0c8);
                  					_push(_t71);
                  					_push(E0041CD1E( &_v28));
                  					E0041C467( &_v16, "%s%d.tmp");
                  					_t73 = _t73 + 0x10;
                  					_t71 = _t71 + 1;
                  				} while (E0040DF52(E0041CD1E( &_v16)) != 0);
                  				_t35 = CreateFileA(E0041CD1E( &_v16), 0x40000000, 0, 0, 2, 0x80, 0); // executed
                  				if(_t35 != 0xffffffff) {
                  					CloseHandle(_t35);
                  					DeleteFileA(E0041CD1E( &_v16)); // executed
                  					L8:
                  					E0041BEFB( &_v16);
                  					E0041BEFB( &_v28);
                  					return 1;
                  				}
                  				if(GetLastError() != 5) {
                  					goto L8;
                  				}
                  				E0041BDC5( &_v40);
                  				_push(_a4);
                  				E0041C467( &_v40, "You don\'t have write privilege to directory \'%s\'. Please have your system administrator (or other user with higher privileges) install this software.");
                  				E0041B2A8( *0x47e178, E0041CD1E( &_v40), 0);
                  				E0041BEFB( &_v40);
                  				E0041BEFB( &_v16);
                  				E0041BEFB( &_v28);
                  				return 0;
                  			}










                  APIs
                  • GetTickCount.KERNEL32 ref: 00414E5E
                    • Part of subcall function 0041BE35: lstrlenA.KERNEL32(00000000,0047DFB8,0047F2B8,0041B2F4,Astrum Installer,00000000,0047DFB8,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000), ref: 0041BE49
                    • Part of subcall function 0041BE35: GlobalAlloc.KERNEL32(00000042,00000000,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 0041BE54
                    • Part of subcall function 0041BE35: GlobalLock.KERNEL32 ref: 0041BE75
                  • CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00414EEA
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0042E0C8,?,?), ref: 00414EF5
                    • Part of subcall function 0041BFF8: GlobalUnlock.KERNEL32(8415FF57,0047E788,004221E2,00000000,00000000,00000000,0047E788,00000000), ref: 0041C000
                    • Part of subcall function 0041BFF8: GlobalReAlloc.KERNEL32 ref: 0041C00D
                    • Part of subcall function 0041BFF8: GlobalLock.KERNEL32 ref: 0041C02E
                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0042E0C8,?,?), ref: 00414F53
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • DeleteFileA.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,0042E0C8,?,?), ref: 00414F62
                    • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                    • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                  Strings
                  • You don't have write privilege to directory '%s'. Please have your system administrator (or other user with higher privileges) install this software., xrefs: 00414F0E
                  • %s%d.tmp, xrefs: 00414EAE
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLockUnlock$File$CloseCountCreateDeleteErrorFreeHandleLastTicklstrlen
                  • String ID: %s%d.tmp$You don't have write privilege to directory '%s'. Please have your system administrator (or other user with higher privileges) install this software.
                  • API String ID: 4251651704-4254885240
                  • Opcode ID: 4dd871ea1558a27bb0bc6f9293b9cb6e81303aa579d2dada56ab6fabc6f365c3
                  • Instruction ID: c2928e067eda20b2372ff203eb25b86f2129ffeaec6873f0e91b4a6b5d8251e1
                  • Opcode Fuzzy Hash: 4dd871ea1558a27bb0bc6f9293b9cb6e81303aa579d2dada56ab6fabc6f365c3
                  • Instruction Fuzzy Hash: 11314371940119A6CF14F7B2EC96DEE7738DF14308F90416EF502A2191DF385A86CAAC
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 58%
                  			E0040E110(void* __ecx, signed int _a4, intOrPtr _a8) {
                  				struct _ITEMIDLIST* _v8;
                  				long _t14;
                  				_Unknown_base(*)()* _t17;
                  				void* _t18;
                  				int _t20;
                  				signed int _t23;
                  				signed int _t24;
                  
                  				_t14 = SHGetSpecialFolderLocation(0, _a4,  &_v8); // executed
                  				if(_t14 != 0) {
                  					L5:
                  					return 0;
                  				} else {
                  					_t17 = GetProcAddress(LoadLibraryA("SHELL32.DLL"), "SHGetPathFromIDListW");
                  					if(_t17 == 0) {
                  						goto L5;
                  					} else {
                  						_t18 =  *_t17(_v8, _a8, _t23); // executed
                  						_t24 = _t23 & 0xffffff00 | _t18 != 0x00000000;
                  						_a4 = _a4 & 0x00000000;
                  						__imp__SHGetMalloc( &_a4);
                  						_t20 = _a4;
                  						if(_t20 != 0) {
                  							 *((intOrPtr*)( *_t20 + 0x14))(_t20, _v8);
                  						}
                  						return _t24;
                  					}
                  				}
                  			}











                  APIs
                  • SHGetSpecialFolderLocation.SHELL32(00000000,00000081,?,00000081,?,004118E9,00000002,?), ref: 0040E11D
                  • LoadLibraryA.KERNEL32(SHELL32.DLL,?,004118E9,00000002,?), ref: 0040E12C
                  • GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 0040E138
                  • SHGetPathFromIDListW.SHELL32(?,?,00000104,?,004118E9,00000002,?), ref: 0040E149
                  • SHGetMalloc.SHELL32(?), ref: 0040E158
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: AddressFolderFromLibraryListLoadLocationMallocPathProcSpecial
                  • String ID: SHELL32.DLL$SHGetPathFromIDListW
                  • API String ID: 2352187698-3662343678
                  • Opcode ID: 8fc71861e52f366a85564bc4e681427beed619db2cbf639fb9f84344a72cc2fc
                  • Instruction ID: dfdffaa8b940ae14909e32c2bb16bffc942fafb9d917f1c150c9c4fd006f454b
                  • Opcode Fuzzy Hash: 8fc71861e52f366a85564bc4e681427beed619db2cbf639fb9f84344a72cc2fc
                  • Instruction Fuzzy Hash: 4CF04F35301209FBDF119FA1ED49F9F3BACAF04785F5044AAF805E6190DB35CA11AA68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 92%
                  			E00413399(intOrPtr __ecx, void* _a4, intOrPtr _a8, intOrPtr* _a12, signed int* _a16, char _a20) {
                  				signed char _v8;
                  				signed int _v12;
                  				void* _v16;
                  				intOrPtr _v20;
                  				int _v24;
                  				char _v28;
                  				int _v32;
                  				int _v44;
                  				void* __edi;
                  				void* __ebp;
                  				intOrPtr* _t105;
                  				void* _t108;
                  				long _t117;
                  				signed int _t118;
                  				signed int _t119;
                  				void* _t143;
                  				int _t152;
                  				char* _t153;
                  				long _t155;
                  				signed int* _t156;
                  				signed int _t157;
                  				int _t168;
                  				void* _t173;
                  				signed char _t176;
                  				signed char _t180;
                  				intOrPtr _t187;
                  				signed int* _t189;
                  				int* _t190;
                  				int _t192;
                  				signed int _t202;
                  				signed int _t209;
                  				signed int _t222;
                  				signed int _t230;
                  				signed int _t246;
                  				signed int _t247;
                  				void* _t248;
                  				void* _t249;
                  				void* _t251;
                  				void* _t252;
                  
                  				_t187 = _a8;
                  				_t105 = _t187 + 4;
                  				_t247 = 0;
                  				_v20 = __ecx;
                  				_t253 =  *_t105;
                  				if( *_t105 > 0) {
                  					E0041C0C5( &_a20, _t253, _t105);
                  					E0041BFF8( &_a20, 0x5c);
                  				}
                  				_v16 = _t247;
                  				if( *((intOrPtr*)(_t187 + 0x1c)) <= _t247) {
                  					L39:
                  					_v12 = _t247;
                  					if( *((intOrPtr*)(_t187 + 0x30)) <= _t247) {
                  						L54:
                  						return E0041BEFB( &_a20);
                  					} else {
                  						goto L40;
                  					}
                  					do {
                  						L40:
                  						_t248 = E0041E860(_t187 + 0x24, _v12);
                  						_t108 = E00412BA7( *((intOrPtr*)(_t187 + 0x40)));
                  						_t265 = _t108;
                  						if(_t108 != 0) {
                  							_t65 = _t248 + 4; // 0x4
                  							_t188 = _t65;
                  							E004164B1(0x47dfb8, _t265, _t65);
                  							E0041A81A(_t265, _t65);
                  							E0041B3B9(0x47dfb8, _t65, 0x7fffffff);
                  							_t117 = RegCreateKeyExA(_a4, E0041CD1E(_t188), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v24); // executed
                  							if(_t117 == 0 || RegCreateKeyExA(_a4, E0041CD1E(_t188), 0, 0, 0, 0x20006, 0,  &_v16,  &_v24) == 0 || RegCreateKeyExA(_a4, E0041CD1E(_t188), 0, 0, 0, 0x20019, 0,  &_v16,  &_v24) == 0) {
                  								_t189 = _a16;
                  								 *_t189 =  *_t189 + 1;
                  								_t202 =  *0x47e490; // 0xc
                  								_t118 =  *_t189;
                  								__eflags = _t202;
                  								if(_t202 > 0) {
                  									__eflags = _t118 * 0x64 % _t202;
                  									E00414C1B(_t118 * 0x64 % _t202, _t248, _t251, _t118 * 0x64 / _t202, 0);
                  								}
                  								_t119 = 1;
                  								__eflags = _v24 - _t119;
                  								if(_v24 != _t119) {
                  									_t90 = _t248 + 0x38;
                  									 *_t90 =  *(_t248 + 0x38) & 0x00000000;
                  									__eflags =  *_t90;
                  								} else {
                  									 *(_t248 + 0x38) = _t119;
                  								}
                  								_t92 = _t248 + 0x38;
                  								 *_t92 =  *(_t248 + 0x38) | 0x00000002;
                  								__eflags =  *_t92;
                  								_t252 = _t252 - 0xc;
                  								E0041BE99(_t252,  &_a20);
                  								_push(_t189);
                  								_push(_a12);
                  								_push(_t248);
                  								_push(_v16);
                  								E00413399(_v20); // executed
                  								RegCloseKey(_v16);
                  							} else {
                  								 *_a16 =  *_a16 + 1;
                  								 *_a12 =  *_a12 + 1;
                  								_t209 =  *0x47e490; // 0xc
                  								if(_t209 > 0) {
                  									E00414C1B( *_t137 * 0x64 % _t209, _t248, _t251,  *_t137 * 0x64 / _t209, 0);
                  								}
                  							}
                  							_t187 = _a8;
                  						}
                  						_v12 = _v12 + 1;
                  					} while (_v12 <  *((intOrPtr*)(_t187 + 0x30)));
                  					goto L54;
                  				} else {
                  					goto L3;
                  				}
                  				do {
                  					L3:
                  					_t249 = E0041E860(_t187 + 0x10, _v16);
                  					_t143 = E00412BA7( *((intOrPtr*)(_t249 + 0x24)));
                  					_t255 = _t143;
                  					if(_t143 == 0) {
                  						goto L37;
                  					}
                  					E004164B1(0x47dfb8, _t255, _t249);
                  					_t11 = _t249 + 0xc; // 0xc
                  					_t190 = _t11;
                  					E004164B1(0x47dfb8, _t255, _t190);
                  					E0041A81A(_t255, _t249);
                  					E0041A81A(_t255, _t190); // executed
                  					E0041B3B9(0x47dfb8, _t249, 0x7fffffff);
                  					E0041B3B9(0x47dfb8, _t190, 0x7fffffff);
                  					E0041BDC5( &_v44);
                  					_t152 =  *(_t249 + 0x18);
                  					if(_t152 == 1 || _t152 == 2) {
                  						L30:
                  						_t153 = E0041CD1E(_t190);
                  						_t192 =  *_t190 + 1;
                  						__eflags = _t192;
                  						goto L31;
                  					} else {
                  						if(_t152 != 4) {
                  							__eflags = _t152 - 3;
                  							if(__eflags != 0) {
                  								E0041CBF9(_t190, __eflags, "<\\0>", 0x42c1f0, 0, 0, 1);
                  								E0041CBC9(_t190, __eflags, 1, 0, 0, 0);
                  								_t168 = E0041BFE3(_t190,  *_t190 - 1);
                  								__eflags = _t168;
                  								if(_t168 != 0) {
                  									E0041BFF8(_t190, 0);
                  								}
                  								goto L30;
                  							}
                  							_v12 = _v12 & 0x00000000;
                  							__eflags =  *_t190;
                  							if( *_t190 <= 0) {
                  								L27:
                  								_t153 = E0041CD1E( &_v44);
                  								_t192 = _v44;
                  								goto L31;
                  							} else {
                  								goto L10;
                  							}
                  							do {
                  								L10:
                  								_t230 = 3;
                  								_t246 = _v12 % _t230;
                  								__eflags = _t246 - 2;
                  								_v32 = _t246;
                  								if(_t246 == 2) {
                  									goto L26;
                  								}
                  								_t173 = E0041BFE3(_t190, _v12);
                  								__eflags = _t173 - 0x30;
                  								if(_t173 < 0x30) {
                  									L14:
                  									__eflags = _t173 - 0x41;
                  									if(_t173 < 0x41) {
                  										L17:
                  										__eflags = _t173 - 0x61;
                  										if(_t173 < 0x61) {
                  											L21:
                  											E0041BF12( &_v44, 0x42e0c8);
                  											E0041CD1E( &_v44);
                  											L22:
                  											_t176 = _v8;
                  											L23:
                  											__eflags = _v32;
                  											if(_v32 != 0) {
                  												_t32 =  &_v24;
                  												 *_t32 = _v24 + _t176;
                  												__eflags =  *_t32;
                  												E0041BFF8( &_v44, _v24);
                  											} else {
                  												_v24 = _t176 << 4;
                  											}
                  											goto L26;
                  										}
                  										__eflags = _t173 - 0x66;
                  										if(_t173 > 0x66) {
                  											goto L21;
                  										}
                  										_t180 = _t173 - 0x57;
                  										__eflags = _t180;
                  										L20:
                  										_v8 = _t180;
                  										goto L22;
                  									}
                  									__eflags = _t173 - 0x46;
                  									if(_t173 > 0x46) {
                  										goto L17;
                  									}
                  									_t180 = _t173 - 0x37;
                  									goto L20;
                  								}
                  								__eflags = _t173 - 0x39;
                  								if(_t173 > 0x39) {
                  									goto L14;
                  								}
                  								_t176 = _t173 - 0x30;
                  								_v8 = _t176;
                  								goto L23;
                  								L26:
                  								_v12 = _v12 + 1;
                  								__eflags = _v12 -  *_t190;
                  							} while (_v12 <  *_t190);
                  							goto L27;
                  						} else {
                  							_v28 = E00424FC3(_t190, E0041CD1E(_t190));
                  							_t153 =  &_v28;
                  							_t192 = 4;
                  							L31:
                  							_t155 = RegSetValueExA(_a4, E0041CD1E(_t249), 0,  *(_t249 + 0x18), _t153, _t192); // executed
                  							if(_t155 == 0) {
                  								 *(_t249 + 0x1c) = 1;
                  							} else {
                  								 *_a12 =  *_a12 + 1;
                  								 *(_t249 + 0x1c) = 0;
                  							}
                  							_t156 = _a16;
                  							 *(_t249 + 0x1c) =  *(_t249 + 0x1c) | 0x00000002;
                  							 *_t156 =  *_t156 + 1;
                  							_t222 =  *0x47e490; // 0xc
                  							_t157 =  *_t156;
                  							if(_t222 > 0) {
                  								E00414C1B(_t157 * 0x64 % _t222, _t249, _t251, _t157 * 0x64 / _t222, 0);
                  							}
                  							E0041BEFB( &_v44);
                  							_t187 = _a8;
                  							goto L37;
                  						}
                  					}
                  					L37:
                  					_v16 = _v16 + 1;
                  				} while (_v16 <  *((intOrPtr*)(_t187 + 0x1c)));
                  				_t247 = 0;
                  				goto L39;
                  			}

                  APIs
                  • RegSetValueExA.KERNELBASE(?,00000000,00000000,?,00000000,?,0000000C,7FFFFFFF,00000000,7FFFFFFF,0000000C,00000000,0000000C,00000000,?,770B8BA0), ref: 0041357F
                    • Part of subcall function 0041C0C5: GlobalUnlock.KERNEL32(?,00000000,0047E380,?,00421CA7,00000004,?,00000000,00000000,00000000,0047E490,0047E788,0047E380,0047E788,?,00422453), ref: 0041C0DE
                    • Part of subcall function 0041C0C5: GlobalReAlloc.KERNEL32 ref: 0041C0EB
                    • Part of subcall function 0041C0C5: GlobalLock.KERNEL32 ref: 0041C10C
                    • Part of subcall function 0041BFF8: GlobalUnlock.KERNEL32(8415FF57,0047E788,004221E2,00000000,00000000,00000000,0047E788,00000000), ref: 0041C000
                    • Part of subcall function 0041BFF8: GlobalReAlloc.KERNEL32 ref: 0041C00D
                    • Part of subcall function 0041BFF8: GlobalLock.KERNEL32 ref: 0041C02E
                  • RegCreateKeyExA.KERNELBASE(?,00000000,00000000,00000000,00000000,0002001F,00000000,?,?,00000004,7FFFFFFF,00000004,00000004,?,770B8BA0,0047E880), ref: 00413644
                  • RegCreateKeyExA.ADVAPI32(?,00000000,00000000,00000000,00000000,00020006,00000000,?,?,?,?,?,770B48C0,0041261C,?,?), ref: 0041366C
                  • RegCreateKeyExA.ADVAPI32(?,00000000,00000000,00000000,00000000,00020019,00000000,?,?,?,?,?,770B48C0,0041261C,?,?), ref: 00413694
                  • RegCloseKey.ADVAPI32(?,?,?,?,?,770B48C0,0041261C,?,?,?,?,?,0047DFB8,?,00000000,0041520C), ref: 00413721
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$Create$AllocLockUnlock$CloseValue
                  • String ID: <\0>
                  • API String ID: 1559821772-3761792137
                  • Opcode ID: 1e44c12d3141eaf93ce3f9a38760ec2083d20e5ef8763f70ce3a285e504954af
                  • Instruction ID: 2f0f564a490fdef3454958fd33de17c8413e31ca42576e57c851ba0932c96666
                  • Opcode Fuzzy Hash: 1e44c12d3141eaf93ce3f9a38760ec2083d20e5ef8763f70ce3a285e504954af
                  • Instruction Fuzzy Hash: CDB17070A00109BBDF14EF66CC85AFE7779EB44745F10446FE802E6292CB389A86CA58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E00419EB2(void* __edi, void* __eflags) {
                  				void* _v8;
                  				char _v20;
                  				int _v24;
                  				struct _PROCESS_INFORMATION _v40;
                  				struct _STARTUPINFOA _v108;
                  				void _v419;
                  				char _v420;
                  				int _t26;
                  				long _t31;
                  				CHAR* _t49;
                  				signed int _t51;
                  				long _t64;
                  
                  				_t49 = 0;
                  				_v8 = 0;
                  				_t26 = RegOpenKeyExA( *0x47e588, E0041CD1E(0x47e58c), 0, 0x20019,  &_v8); // executed
                  				if(_t26 != 0) {
                  					L2:
                  					return 0;
                  				}
                  				_t51 = 0x4d;
                  				_v420 = 0;
                  				_v24 = 0x136;
                  				memset( &_v419, _t26, _t51 << 2);
                  				asm("stosb");
                  				_t31 = RegQueryValueExA(_v8, "AutorunCommand", 0, 0,  &_v420,  &_v24);
                  				RegCloseKey(_v8);
                  				if(_t31 == 0) {
                  					E0041BE35( &_v20,  &_v420);
                  					if(E0041BFE3( &_v20, 0) != 0x22) {
                  						E0041CA01(0x22, 0);
                  						E0041BFF8( &_v20, 0x22);
                  					}
                  					_t64 = 0x44;
                  					E00424500( &_v108, _t49, _t64);
                  					_v108.cb = _t64;
                  					E00424500( &_v40, _t49, 0x10);
                  					if(CreateProcessA(_t49, E0041CD1E( &_v20), _t49, _t49, _t49, 0x4000000, _t49, _t49,  &_v108,  &_v40) != 0) {
                  						CloseHandle(_v40);
                  						_t49 = 1;
                  					}
                  					E0041BEFB( &_v20);
                  					return _t49;
                  				}
                  				goto L2;
                  			}

                  APIs
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • RegOpenKeyExA.KERNELBASE(00000000,00000000,00020019,?,0047DFB8), ref: 00419EDD
                  • RegQueryValueExA.ADVAPI32(?,AutorunCommand,00000000,00000000,?,00000136), ref: 00419F16
                  • RegCloseKey.ADVAPI32(?), ref: 00419F21
                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000000,00000000,00000000,?,?,?,?,?,00000000,?), ref: 00419FA0
                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00419FAD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$Close$AllocCreateHandleLockOpenProcessQueryUnlockValue
                  • String ID: AutorunCommand
                  • API String ID: 1534462961-524555554
                  • Opcode ID: 356a647b93b262bc02b6de906de0307610b2515476185d37be7defd4c496741e
                  • Instruction ID: 45c70dd0ee7c2c5c157e3503934c4b3842aff91b93e299f74d0a38b54150a939
                  • Opcode Fuzzy Hash: 356a647b93b262bc02b6de906de0307610b2515476185d37be7defd4c496741e
                  • Instruction Fuzzy Hash: E7317071A4121CBEEB11EBA1DC85EEFB77CEB04348F40046AF105A2191EB355E46CA69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E0041DAE7(void* _a4, int _a8, char* _a12, signed int _a16) {
                  				signed int _t16;
                  				long _t18;
                  				void* _t19;
                  				long _t21;
                  				long _t29;
                  				char* _t36;
                  
                  				_t16 = _a16;
                  				if(_t16 == 0) {
                  					return _t16 | 0xffffffff;
                  				}
                  				 *_t16 = 0;
                  				_t18 = RegOpenKeyExA(_a4, _a8, 0, 1,  &_a4); // executed
                  				if(_t18 != 0) {
                  					_push(0xfffffffc);
                  				} else {
                  					_a8 = 0;
                  					_t21 = RegQueryValueExA(_a4, _a12, 0, 0, 0,  &_a8); // executed
                  					if(_t21 != 0) {
                  						_push(0xfffffffd);
                  					} else {
                  						_t36 = E00424DD9(_a8 + 1);
                  						if(_t36 == 0) {
                  							E0041D881(E0041CD1E(0x47e924));
                  						}
                  						E00424500(_t36, 0,  &(_a8[1]));
                  						_t29 = RegQueryValueExA(_a4, _a12, 0, 0, _t36,  &_a8); // executed
                  						if(_t29 != 0) {
                  							E00424DCE(_t36);
                  							_push(0xfffffffe);
                  						} else {
                  							 *_a16 = _t36; // executed
                  							RegCloseKey(_a4); // executed
                  							_push(1);
                  						}
                  					}
                  				}
                  				_pop(_t19);
                  				return _t19;
                  			}

                  APIs
                  • RegOpenKeyExA.KERNELBASE(00000000,00000000,00000000,00000001,00000000,00000020,00000000,00000000,?,0041AE3A,00000000,00000000,7FFFFFFF,7FFFFFFF,7FFFFFFF,0000000D), ref: 0041DB0D
                  • RegQueryValueExA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,?,0041AE3A,00000000,00000000,7FFFFFFF,7FFFFFFF,7FFFFFFF,0000000D,00000000,00000000), ref: 0041DB31
                  • RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041DB75
                  • RegCloseKey.KERNELBASE(?), ref: 0041DB83
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: QueryValue$CloseOpen
                  • String ID: $G
                  • API String ID: 1586453840-195990108
                  • Opcode ID: 8547bf2eccfc9803a6ea741f39ad0e586afbdc04502b290910525e8f85405c75
                  • Instruction ID: 6feac726a0c399204c17f1fea59bfd65b2e621c23acb991bed09306465f74e76
                  • Opcode Fuzzy Hash: 8547bf2eccfc9803a6ea741f39ad0e586afbdc04502b290910525e8f85405c75
                  • Instruction Fuzzy Hash: 8521D1F2608228BFDF109F55EC44EEB3F1CEF053B4B114226F92AC6191D634D9818BA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004111C2(void* __ecx, long _a4, void* _a8, long _a12, intOrPtr* _a16) {
                  				long _v8;
                  				long _t26;
                  				int _t28;
                  				long _t30;
                  				void* _t31;
                  				intOrPtr _t32;
                  				long _t36;
                  				intOrPtr* _t42;
                  				intOrPtr _t45;
                  				intOrPtr _t47;
                  				long _t48;
                  				intOrPtr _t49;
                  				intOrPtr _t52;
                  				long _t54;
                  				intOrPtr _t58;
                  				intOrPtr _t60;
                  				long _t62;
                  				long _t64;
                  				void** _t66;
                  
                  				_t66 = _a4;
                  				_v8 = 0;
                  				_t26 = SetFilePointer( *_t66, 0,  &_v8, 1);
                  				_t45 =  *0x42bf9c; // 0x1
                  				_t58 =  *0x47f28c; // 0x22d1d10
                  				_t62 = _a12;
                  				_a4 = 0;
                  				_a12 = _t62;
                  				_t47 =  *((intOrPtr*)(_t58 + (_t45 -  *0x47f21c) * 4));
                  				if(_t47 < _t26 + _t62) {
                  					_a12 = _t47 - _t26;
                  				}
                  				_t28 = ReadFile( *_t66, _a8, _a12,  &_a4, 0); // executed
                  				_t42 = _a16;
                  				_t48 = _a4;
                  				 *_t42 = _t48;
                  				if(_t28 != 0 && _t48 < _t62) {
                  					_t32 =  *0x42bf9c; // 0x1
                  					_t49 =  *0x47e290; // 0x1
                  					if(_t32 -  *0x47f21c < _t49 - 1) {
                  						CloseHandle( *_t66);
                  						E00413A88(0x47e880, _t66);
                  						_t52 =  *0x42bf9c; // 0x1
                  						_t60 =  *0x47f28c; // 0x22d1d10
                  						_t36 = _a4;
                  						_t64 = _t62 - _t36;
                  						_t54 =  *(_t60 + (_t52 -  *0x47f21c) * 4);
                  						if(_t54 < _t64) {
                  							_t64 = _t54;
                  						}
                  						ReadFile( *_t66, _t36 + _a8, _t64,  &_a4, 0);
                  						 *_t42 =  *_t42 + _a4;
                  					}
                  				}
                  				_v8 = _v8 & 0x00000000;
                  				_t30 = SetFilePointer( *_t66, 0,  &_v8, 1); // executed
                  				 *0x47f200 = _t30;
                  				_t31 = 1;
                  				return _t31;
                  			}

                  APIs
                  • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001,00000000,00000000,00000000,?,?,00405157,0042E1FC,0042E200,00008000,00000000), ref: 004111DA
                  • ReadFile.KERNELBASE(?,00000001,0047E1B8,?,00000000,?,?,00405157,0042E1FC,0042E200,00008000,00000000,?,?,00401C31,00000000), ref: 00411217
                  • CloseHandle.KERNEL32(?,?,?,00405157,0042E1FC,0042E200,00008000,00000000,?,?,00401C31,00000000,00000000,00000000,00000000), ref: 00411245
                  • ReadFile.KERNEL32(?,?,0047E1B8,?,00000000,?,?,?,00405157,0042E1FC,0042E200,00008000,00000000,?,?,00401C31), ref: 00411285
                  • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001,?,?,00405157,0042E1FC,0042E200,00008000,00000000,?,?,00401C31,00000000,00000000), ref: 0041129E
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: File$PointerRead$CloseHandle
                  • String ID:
                  • API String ID: 3662329253-0
                  • Opcode ID: 9a715f74af9aced97fa2cc7814702e630d9b06d3ec473aa5b857c9868b8616ec
                  • Instruction ID: 87e902479429b15a8da91e8312970394fd3861b8bc12bb4a4602a52f1f62b848
                  • Opcode Fuzzy Hash: 9a715f74af9aced97fa2cc7814702e630d9b06d3ec473aa5b857c9868b8616ec
                  • Instruction Fuzzy Hash: C1316F79201108EFEF14CF58EC80EA97BA9FB48344B5085BEF905D7260DB71A940CB58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E0041455E(CHAR* _a4, intOrPtr _a8) {
                  				void* _t20;
                  				long _t21;
                  				int _t22;
                  				signed char _t29;
                  				signed char _t30;
                  				void* _t37;
                  				intOrPtr _t38;
                  
                  				_t20 = CreateFileA(_a4, 0xc0000000, 1, 0, 3, 0x80, 0); // executed
                  				_t38 = _a8;
                  				_t37 = _t20;
                  				if(_t37 != 0xffffffff) {
                  					_t23 =  *(_t38 + 8);
                  					asm("sbb ecx, ecx");
                  					asm("sbb eax, eax");
                  					SetFileTime(_t37,  ~( *(_t38 + 8) & 0x00000008) & _t38 + 0x00000018, 0,  ~(_t23 & 0x00000010) & _t38 + 0x00000010); // executed
                  					CloseHandle(_t37);
                  				}
                  				_t21 = GetFileAttributesA(_a4); // executed
                  				_t29 =  *(_t38 + 8);
                  				if((_t29 & 0x00000002) == 0 || (_t29 & 0x00000004) == 0) {
                  					_t30 =  *(_t38 + 0xc);
                  					_t21 = _t21 & 0x000000dc;
                  					if((_t30 & 0x00000004) != 0) {
                  						_t21 = _t21 | 0x00000002;
                  					}
                  					if((_t30 & 0x00000008) != 0) {
                  						_t21 = _t21 | 0x00000020;
                  					}
                  					if((_t30 & 0x00000010) != 0) {
                  						_t21 = _t21 | 0x00000001;
                  					}
                  				}
                  				_t22 = SetFileAttributesA(_a4, _t21); // executed
                  				return _t22;
                  			}

                  APIs
                  • CreateFileA.KERNELBASE(?,C0000000,00000001,00000000,00000003,00000080,00000000,00000001,00000000,004123AB,00000000,?,00000000,00000000,00000000,00000000), ref: 00414576
                  • SetFileTime.KERNELBASE(00000000,?,00000000,?), ref: 004145A8
                  • CloseHandle.KERNEL32(00000000), ref: 004145AF
                  • GetFileAttributesA.KERNELBASE(?), ref: 004145B9
                  • SetFileAttributesA.KERNELBASE(?,00000000), ref: 004145EB
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: File$Attributes$CloseCreateHandleTime
                  • String ID:
                  • API String ID: 2679023027-0
                  • Opcode ID: 5e6bf49b0514fb5268a2b7a99824789660fcd7f88bd95708de08d64637c02bd7
                  • Instruction ID: 0ead6d7b38629994b517463a0e507b76f53350e195b9fe46be8a038f77a91ca1
                  • Opcode Fuzzy Hash: 5e6bf49b0514fb5268a2b7a99824789660fcd7f88bd95708de08d64637c02bd7
                  • Instruction Fuzzy Hash: D6118231300B05AFEB354A14CC5AFEB77A6EBD0711F048A1CFA92961E1DB785896D628
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E00415A59(intOrPtr __ecx, void* __eflags, void* _a4, intOrPtr _a8, char _a11, char* _a12, int _a16) {
                  				void* _v8;
                  				long _v12;
                  				char* _v16;
                  				intOrPtr _v20;
                  				char _v32;
                  				char _v44;
                  				char* _t52;
                  				long _t53;
                  				int _t54;
                  				int _t62;
                  				int* _t86;
                  				signed int _t88;
                  				intOrPtr _t109;
                  				void* _t110;
                  				char* _t111;
                  
                  				_t109 = _a8;
                  				_v20 = __ecx;
                  				_t86 = _t109 + 4;
                  				_t52 = E0041CD1E(_t86);
                  				_v16 = _t52;
                  				_t53 = RegOpenKeyExA(_a4, _t52, 0, 0x20006,  &_v8); // executed
                  				_t111 = _a12;
                  				_v12 = _t53;
                  				if( *_t86 > 0) {
                  					E0041E87A(_t111, _v16, 0xffffffff);
                  				}
                  				_a11 = _v12 == 5;
                  				_t54 = 0;
                  				if(_v12 == 0) {
                  					L14:
                  					__eflags = _a11;
                  					if(_a11 == 0) {
                  						L16:
                  						__eflags =  *((intOrPtr*)(_t109 + 0x30)) - _t54;
                  						_a16 = _t54;
                  						if( *((intOrPtr*)(_t109 + 0x30)) <= _t54) {
                  							L20:
                  							RegCloseKey(_v8); // executed
                  							__eflags =  *_t86;
                  							goto L21;
                  						}
                  						__eflags = _a11;
                  						_t39 =  &_a4;
                  						 *_t39 = _a11 == 0;
                  						__eflags =  *_t39;
                  						while(1) {
                  							_t62 = E00415A59(_v20, __eflags, _v8, E0041E860(_t109 + 0x24, _a16), _t111, _a4); // executed
                  							__eflags = _t62;
                  							if(_t62 == 0) {
                  								break;
                  							}
                  							_a16 = _a16 + 1;
                  							__eflags = _a16 -  *((intOrPtr*)(_t109 + 0x30));
                  							if(_a16 <  *((intOrPtr*)(_t109 + 0x30))) {
                  								continue;
                  							}
                  							goto L20;
                  						}
                  						RegCloseKey(_v8);
                  						goto L10;
                  					}
                  					_t54 = RegOpenKeyExA(_a4, _v16, _t54, 0x20019,  &_v8);
                  					__eflags = _t54;
                  					if(_t54 != 0) {
                  						goto L10;
                  					}
                  					goto L16;
                  				} else {
                  					if(_a11 == 0) {
                  						__eflags = _v12 - 2;
                  						if(_v12 != 2) {
                  							L13:
                  							__eflags =  *_t86 - _t54;
                  							L21:
                  							if(__eflags > 0) {
                  								__eflags =  *((intOrPtr*)(_t111 + 0xc)) - 1;
                  								E0041E9EA(_t111, E0041E860(_t111,  *((intOrPtr*)(_t111 + 0xc)) - 1));
                  							}
                  							return 1;
                  						}
                  						__eflags = _a16;
                  						if(_a16 == 0) {
                  							L5:
                  							E0041BDC5( &_v44);
                  							E0041BDC5( &_v32);
                  							_t110 = 0;
                  							_t88 = 0 | _a11 == 0x00000000;
                  							if( *((intOrPtr*)(_t111 + 0xc)) - _t88 <= 0) {
                  								L9:
                  								_push(E0041CD1E( &_v32));
                  								E0041C467( &_v44, E0041CD1E(0x47e890));
                  								E0041B2CC(0x47dfb8, 0, E0041CD1E( &_v44), 0, 0);
                  								E0041BEFB( &_v32);
                  								E0041BEFB( &_v44);
                  								L10:
                  								return 0;
                  							} else {
                  								goto L6;
                  							}
                  							do {
                  								L6:
                  								E0041C047( &_v32, E0041E860(_t111, _t110), 0);
                  								_t110 = _t110 + 1;
                  								if(_t110 !=  *((intOrPtr*)(_t111 + 0xc)) - _t88) {
                  									E0041BFF8( &_v32, 0x5c);
                  								}
                  							} while (_t110 <  *((intOrPtr*)(_t111 + 0xc)) - _t88);
                  							goto L9;
                  						}
                  						goto L13;
                  					}
                  					if( *((intOrPtr*)(_t109 + 0x1c)) == 0) {
                  						goto L14;
                  					}
                  					goto L5;
                  				}
                  			}

                  APIs
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • RegOpenKeyExA.KERNELBASE(?,00000000,00000000,00020006,0047DFB8,0047DFB8,0047E380,00000000,0041BB74,0047E380,0047E380,?,00000000,00000000,000000FF,HKEY_USERS), ref: 00415A84
                    • Part of subcall function 0041E87A: GlobalUnlock.KERNEL32(022100AC,00000000,0047E4D0,00407A66,00000000,000000FF), ref: 0041E899
                    • Part of subcall function 0041E87A: GlobalReAlloc.KERNEL32 ref: 0041E8AE
                    • Part of subcall function 0041E87A: GlobalLock.KERNEL32 ref: 0041E8B8
                  • RegOpenKeyExA.ADVAPI32(00000005,?,00000000,00020019,0047DFB8), ref: 00415B92
                  • RegCloseKey.KERNELBASE(0047DFB8), ref: 00415BD9
                  • RegCloseKey.ADVAPI32(0047DFB8,00000005,00000005), ref: 00415C04
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocCloseLockOpenUnlock
                  • String ID:
                  • API String ID: 881642839-0
                  • Opcode ID: f3c6f8124622fcd55c1765f062e7bfd10f6d675911e2c533d8208ea5bb27512d
                  • Instruction ID: 546902de1e45ab1e86f28b1f82b87d02cc3b91e633f15d591abc38803a8bd178
                  • Opcode Fuzzy Hash: f3c6f8124622fcd55c1765f062e7bfd10f6d675911e2c533d8208ea5bb27512d
                  • Instruction Fuzzy Hash: 8651A431A00609EFCF21EFA5DC85AEEBB75EF44344F10406EF405A6191DB38AE85CB58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 35%
                  			E0040DB2C(void* __eax, intOrPtr _a4, char* _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24, intOrPtr* _a28) {
                  				void* _v8;
                  				void* _v12;
                  				short _v532;
                  				char* _t26;
                  				intOrPtr* _t28;
                  				intOrPtr* _t30;
                  				intOrPtr* _t32;
                  				intOrPtr* _t35;
                  				intOrPtr* _t37;
                  				intOrPtr* _t39;
                  				intOrPtr* _t41;
                  				int _t45;
                  				intOrPtr* _t48;
                  				intOrPtr* _t49;
                  				intOrPtr* _t50;
                  				intOrPtr* _t52;
                  
                  				_t45 = 0;
                  				__imp__CoInitialize(0); // executed
                  				if(__eax < 0) {
                  					return 0;
                  				}
                  				_t26 =  &_v8;
                  				__imp__CoCreateInstance(0x428788, 0, 1, 0x428798, _t26); // executed
                  				if(_t26 == 0) {
                  					_t28 = _v8;
                  					_push( &_v12);
                  					_push(0x4287a8);
                  					_push(_t28);
                  					if( *((intOrPtr*)( *_t28))() == 0) {
                  						_t30 = _v8;
                  						 *((intOrPtr*)( *_t30 + 0x50))(_t30, _a4);
                  						_t32 = _a16;
                  						if( *_t32 != 0) {
                  							_t52 = _v8;
                  							 *((intOrPtr*)( *_t52 + 0x24))(_t52, _t32);
                  						}
                  						_t48 = _a20;
                  						if( *_t48 != _t45) {
                  							_t41 = _v8;
                  							 *((intOrPtr*)( *_t41 + 0x44))(_t41, _t48, _a24);
                  						}
                  						_t49 = _a12;
                  						if( *_t49 != _t45) {
                  							_t39 = _v8;
                  							 *((intOrPtr*)( *_t39 + 0x1c))(_t39, _t49);
                  						}
                  						_t50 = _a28;
                  						if( *_t50 != _t45) {
                  							_t37 = _v8;
                  							 *((intOrPtr*)( *_t37 + 0x2c))(_t37, _t50);
                  						}
                  						MultiByteToWideChar(_t45, _t45, _a8, 0xffffffff,  &_v532, 0x104);
                  						_t35 = _v12;
                  						_push(_t45);
                  						_push( &_v532);
                  						_push(_t35); // executed
                  						if( *((intOrPtr*)( *_t35 + 0x18))() == 0) {
                  							_t45 = 1; // executed
                  						}
                  					}
                  				}
                  				__imp__CoUninitialize(); // executed
                  				return _t45;
                  			}

                  APIs
                  • CoInitialize.OLE32(00000000), ref: 0040DB39
                  • CoCreateInstance.OLE32(00428788,00000000,00000001,00428798,0047E880), ref: 0040DB5B
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0040DBE8
                  • CoUninitialize.OLE32 ref: 0040DC05
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: ByteCharCreateInitializeInstanceMultiUninitializeWide
                  • String ID:
                  • API String ID: 2968213145-0
                  • Opcode ID: 5b9b4fa9f3a0fcc0dea00caa49044db537f486f935e54cf1d83e50821e8d2bff
                  • Instruction ID: d362e5221cfb36fa889861a4efd92f0fc1305b6baf1cca1b60ba2698d4b61a28
                  • Opcode Fuzzy Hash: 5b9b4fa9f3a0fcc0dea00caa49044db537f486f935e54cf1d83e50821e8d2bff
                  • Instruction Fuzzy Hash: A8316FB4A00209BFEB00CFA0CC88DAA7BBDBF45304B200199F401DB291DB75AD45DB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00425BE2() {
                  				signed int _t15;
                  				void* _t17;
                  				void* _t19;
                  				void* _t25;
                  				signed int _t26;
                  				void* _t27;
                  				intOrPtr* _t29;
                  
                  				_t15 =  *0x47f834; // 0x1
                  				_t26 =  *0x47f824; // 0x10
                  				if(_t15 != _t26) {
                  					L3:
                  					_t27 =  *0x47f838; // 0x2490488
                  					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
                  					_t17 = RtlAllocateHeap( *0x47f83c, 8, 0x41c4); // executed
                  					 *(_t29 + 0x10) = _t17;
                  					if(_t17 == 0) {
                  						L6:
                  						return 0;
                  					}
                  					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4); // executed
                  					 *(_t29 + 0xc) = _t19;
                  					if(_t19 != 0) {
                  						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
                  						 *_t29 = 0;
                  						 *((intOrPtr*)(_t29 + 4)) = 0;
                  						 *0x47f834 =  *0x47f834 + 1;
                  						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
                  						return _t29;
                  					}
                  					HeapFree( *0x47f83c, 0,  *(_t29 + 0x10));
                  					goto L6;
                  				}
                  				_t2 = _t26 * 4; // 0x60
                  				_t25 = HeapReAlloc( *0x47f83c, 0,  *0x47f838, _t26 + _t2 + 0x50 << 2);
                  				if(_t25 == 0) {
                  					goto L6;
                  				}
                  				 *0x47f824 =  *0x47f824 + 0x10;
                  				 *0x47f838 = _t25;
                  				_t15 =  *0x47f834; // 0x1
                  				goto L3;
                  			}

                  APIs
                  • HeapReAlloc.KERNEL32(00000000,00000060,?,00000000,004259AA,?,?,?,00000100,?,00000000), ref: 00425C0A
                  • RtlAllocateHeap.NTDLL(00000008,000041C4,?,00000000,004259AA,?,?,?,00000100,?,00000000), ref: 00425C3E
                  • VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004,?,00000000,004259AA,?,?,?,00000100,?,00000000), ref: 00425C58
                  • HeapFree.KERNEL32(00000000,?,?,00000000,004259AA,?,?,?,00000100,?,00000000), ref: 00425C6F
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Heap$Alloc$AllocateFreeVirtual
                  • String ID:
                  • API String ID: 1005975451-0
                  • Opcode ID: 7bfc0fe135117dfce8c54155b27920ee4db732f6a73948ea5b42ad1791b0d3f7
                  • Instruction ID: e85dd14357cfd133c46ce20e6f70fc831c02b401b74bc27b0f8f5883340438cb
                  • Opcode Fuzzy Hash: 7bfc0fe135117dfce8c54155b27920ee4db732f6a73948ea5b42ad1791b0d3f7
                  • Instruction Fuzzy Hash: 8C118F30201700AFD730AF29EC4492A7BF5FF46310795453EE15AC65B4D731A89BCB19
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00422A86() {
                  				CHAR* _v12;
                  				void* _t14;
                  
                  				E0041A81A(_t14, 0x47e5ec); // executed
                  				E004164B1(0x47dfb8, _t14, 0x47e5ec);
                  				E0041B3B9(0x47dfb8, 0x47e5ec, 0x7fffffff);
                  				lstrcpyA(_v12, E0041CD1E(0x47e5ec));
                  				return 1;
                  			}

                  APIs
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • lstrcpyA.KERNEL32(00000000,00000000,0047E5EC,7FFFFFFF,0047E5EC,0047E5EC,?,<UninstallerName>,0041AA6C,?,<UninstallerName>,00000000,00000001,<ShortcutDir>,00000000,00000000), ref: 00422ABE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLockUnlocklstrcpy
                  • String ID: <UninstallerName>$G$G
                  • API String ID: 4161858792-2357334803
                  • Opcode ID: 6ba68a0f358dbcf42ca9cf462f0cd6bf89d2e458b5780ff8d98569d2b6766966
                  • Instruction ID: 9b5c910863a563f3ea1e258623e4cebb4c69ed5078cec323f7359b7f97f4b65a
                  • Opcode Fuzzy Hash: 6ba68a0f358dbcf42ca9cf462f0cd6bf89d2e458b5780ff8d98569d2b6766966
                  • Instruction Fuzzy Hash: DAE0C231300424634A00362B5C048DEE5AE9FF1B24300823FF426972E2CF5C4C4345BD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 84%
                  			E00415089(void* __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4, signed int _a7) {
                  				char _v16;
                  				void* __edi;
                  				void* __esi;
                  				void* _t33;
                  				signed int _t36;
                  				void* _t37;
                  				signed int _t39;
                  				signed int _t42;
                  				signed char _t44;
                  				signed int _t47;
                  				signed char _t48;
                  				signed int _t54;
                  				signed int _t56;
                  				signed int _t68;
                  				signed int _t69;
                  				signed int _t70;
                  				signed int _t71;
                  				signed int _t73;
                  				intOrPtr _t103;
                  				void* _t105;
                  				void* _t106;
                  				signed int _t107;
                  				void* _t113;
                  				void* _t115;
                  
                  				_t113 = __eflags;
                  				_t103 = __edx;
                  				__imp__#17(); // executed
                  				E0040D808(); // executed
                  				E00419146(0x47dfb8, _a4);
                  				E004160A6(0x47dfb8, _t113); // executed
                  				_t33 = E004168FE(0x47dfb8); // executed
                  				if(_t33 >= 0) {
                  					E0041B09C(0x47dfb8); // executed
                  					E0041A04C(0x47dfb8, __eflags);
                  					_t36 = E00419EB2(_t105, __eflags); // executed
                  					__eflags = _t36;
                  					if(_t36 == 0) {
                  						_t73 = 0;
                  						__eflags =  *0x47e610 - _t73; // 0x0
                  						if(__eflags != 0) {
                  							L10:
                  							__eflags =  *0x47e18c & 0x00000040;
                  							if(( *0x47e18c & 0x00000040) != 0) {
                  								__eflags =  *0x47e193 & 0x00000008;
                  								if(( *0x47e193 & 0x00000008) != 0) {
                  									 *0x47e193 =  *0x47e193 & 0x000000f7;
                  									__eflags =  *0x47e193;
                  								}
                  							}
                  							__eflags =  *0x47e610 - _t73; // 0x0
                  							if(__eflags != 0) {
                  								L15:
                  								_t37 = E00418092(0x47dfb8, _t103); // executed
                  								_t106 = _t37;
                  								__eflags = _t106 - _t73;
                  								if(_t106 >= _t73) {
                  									__eflags =  *0x47e160 - _t73; // 0x1
                  									if(__eflags != 0) {
                  										_t56 = E0041E3EF();
                  										__eflags = _t56;
                  										if(_t56 == 0) {
                  											E0041B2A8(_t73, E0041CD1E(0x47f0ec), _t73);
                  											E0041A1B5(1);
                  										}
                  									}
                  									__eflags =  *0x47f27c - _t73; // 0x1
                  									_push(_t73);
                  									if(__eflags == 0) {
                  										E00417EA6(0x47dfb8);
                  										_t39 = E0041A256(0x47dfb8);
                  										__eflags =  *0x47e610 - _t73; // 0x0
                  										_t107 = _t39;
                  										if(__eflags != 0) {
                  											_t44 = E00415DC6(0x47dfb8, __eflags);
                  											asm("sbb eax, eax");
                  											_t107 =  ~( ~_t44);
                  										}
                  										E0041B45D(0x47dfb8, 1);
                  										__eflags =  *0x47f2d5 - _t73; // 0x0
                  										if(__eflags == 0) {
                  											return _t107;
                  										} else {
                  											_t42 = 0;
                  											__eflags = _t107 - _t73;
                  											goto L44;
                  										}
                  									} else {
                  										_t47 = E0041246C(0x47e880, _t103);
                  										__eflags = _t47 - _t73;
                  										_a7 = _t47;
                  										if(_t47 != _t73) {
                  											__eflags =  *0x47e610 - _t73; // 0x0
                  											if(__eflags == 0) {
                  												_t48 =  *0x47e190; // 0x2080c08
                  												__eflags = _t48 & 0x00000002;
                  												if((_t48 & 0x00000002) == 0) {
                  													__eflags = _t48 & 0x00000004;
                  													if((_t48 & 0x00000004) == 0) {
                  														L31:
                  														__eflags = 0;
                  														L32:
                  														__eflags = _t48 & 0x00000008;
                  														if((_t48 & 0x00000008) == 0) {
                  															L35:
                  															__eflags = 0;
                  															L36:
                  															_t50 = _t48 >> 0x0000001b & 0x00000001;
                  															__eflags = _t48 >> 0x0000001b & 0x00000001;
                  															E00412C58(0, 0, _t50);
                  															L37:
                  															__eflags =  *0x47f2d5 - _t73; // 0x0
                  															if(__eflags == 0) {
                  																return _a7 & 0x000000ff;
                  															}
                  															_t42 = 0;
                  															__eflags = _a7 - _t73;
                  															L44:
                  															return _t42 & 0xffffff00 | __eflags == 0x00000000;
                  														}
                  														__eflags = _t48 & 0x00000040;
                  														if((_t48 & 0x00000040) == 0) {
                  															goto L35;
                  														}
                  														_push(1);
                  														_pop(0);
                  														goto L36;
                  													}
                  													__eflags = _t48 & 0x00000080;
                  													if((_t48 & 0x00000080) == 0) {
                  														goto L31;
                  													}
                  													_push(1);
                  													_pop(0);
                  													goto L32;
                  												}
                  												E00411D82();
                  												goto L37;
                  											}
                  											_a7 = E00415DC6(0x47dfb8, __eflags);
                  											goto L37;
                  										}
                  										goto L22;
                  									}
                  								}
                  								E0041BDC5( &_v16);
                  								_push(_t106);
                  								E0041C467( &_v16, "Initialization failed. Aborting. Error code: %d");
                  								E0041B2A8(_t73, E0041CD1E( &_v16), _t73);
                  								__eflags =  *0x47f2d5 - _t73; // 0x0
                  								E0041BEFB( &_v16);
                  								return 0 | __eflags != 0x00000000;
                  							} else {
                  								_t68 = E0041BBAF(0x47dfb8, 0x47dfb8);
                  								__eflags = _t68;
                  								if(_t68 == 0) {
                  									goto L22;
                  								}
                  								goto L15;
                  							}
                  						}
                  						_t69 = E00419D70(__eflags); // executed
                  						__eflags = _t69;
                  						if(_t69 != 0) {
                  							goto L22;
                  						}
                  						__eflags =  *0x47e610 - _t73; // 0x0
                  						if(__eflags != 0) {
                  							goto L10;
                  						}
                  						_t70 = E0041BAEC(0x47dfb8); // executed
                  						__eflags = _t70;
                  						if(_t70 == 0) {
                  							goto L22;
                  						}
                  						__eflags =  *0x47e610 - _t73; // 0x0
                  						if(__eflags != 0) {
                  							goto L10;
                  						}
                  						_t71 = E004158E2(0x47dfb8); // executed
                  						__eflags = _t71;
                  						if(_t71 == 0) {
                  							goto L22;
                  						}
                  						goto L10;
                  					}
                  					_t54 = 0;
                  					__eflags =  *0x47f2d5 - _t54; // 0x0
                  					goto L23;
                  				} else {
                  					_t73 = 0;
                  					E0041B2A8(0, "Couldn\'t read TOC. Aborting.", 0);
                  					L22:
                  					_t54 = 0;
                  					_t115 =  *0x47f2d5 - _t73; // 0x0
                  					L23:
                  					return _t54 & 0xffffff00 | _t115 != 0x00000000;
                  				}
                  			}

                  APIs
                  • #17.COMCTL32(?,00000000), ref: 00415092
                    • Part of subcall function 0040D808: GetTempPathA.KERNEL32(00000104,00000000), ref: 0040D835
                    • Part of subcall function 0040D808: GetFileAttributesA.KERNELBASE(00000000), ref: 0040D842
                    • Part of subcall function 0040D808: CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040D857
                    • Part of subcall function 00419146: GetVersionExA.KERNEL32(0047E1DC,?,0047DFB8), ref: 004191A1
                    • Part of subcall function 00419146: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 00419287
                    • Part of subcall function 00419146: GetCommandLineA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0047DFB8), ref: 004192A3
                    • Part of subcall function 00415DC6: DestroyWindow.USER32(00000000,0047DFB8,00000000), ref: 00415DDA
                    • Part of subcall function 00415DC6: GetModuleFileNameA.KERNEL32(00000000,?,00000104,0047E61C), ref: 00415E11
                    • Part of subcall function 00415DC6: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000000,00000000,00000000,?,?,?,?,?,?,?,0042BC5C), ref: 00415EE9
                  Strings
                  • Initialization failed. Aborting. Error code: %d, xrefs: 00415189
                  • Couldn't read TOC. Aborting., xrefs: 004150C3
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: File$CreateModuleName$AttributesCommandDestroyDirectoryLinePathProcessTempVersionWindow
                  • String ID: Couldn't read TOC. Aborting.$Initialization failed. Aborting. Error code: %d
                  • API String ID: 454116223-1093334040
                  • Opcode ID: 3de539716ba0038346de810c3990d51d0818943ae38c30ddeb02794bc9af9942
                  • Instruction ID: b07b9ce401f6ec812fb25504cbe02601ec4789527652b2dd7e5e6d407422e868
                  • Opcode Fuzzy Hash: 3de539716ba0038346de810c3990d51d0818943ae38c30ddeb02794bc9af9942
                  • Instruction Fuzzy Hash: 10515632B00A50E6CF167B7268526FF16564BD5348B4805BFE906472C2DF7D4EC68B8E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041F9CC(void* __ecx, void* _a4, int _a8) {
                  				int _v8;
                  				void* _t16;
                  				int _t18;
                  				int _t20;
                  				char* _t25;
                  				char* _t35;
                  				void* _t38;
                  
                  				if(_a4 == 0) {
                  					L11:
                  					_t16 = 0x80070057;
                  				} else {
                  					_t35 = _a8;
                  					if(_t35 == 0) {
                  						goto L11;
                  					} else {
                  						_t18 = GetFileVersionInfoSizeA(_a4,  &_v8); // executed
                  						_a8 = _t18;
                  						if(_t18 <= 0) {
                  							L10:
                  							_t16 = 0x80004005;
                  						} else {
                  							_t38 = E00424DD9(_t18);
                  							if(_t38 != 0) {
                  								_t20 = GetFileVersionInfoA(_a4, 0, _a8, _t38); // executed
                  								if(_t20 == 0) {
                  									L9:
                  									E00424DCE(_t38);
                  									goto L10;
                  								} else {
                  									_a4 = _a4 & 0x00000000;
                  									if(VerQueryValueA(_t38, "\\",  &_a4,  &_a8) == 0) {
                  										goto L9;
                  									} else {
                  										_t25 = _a4;
                  										if(_t25 == 0) {
                  											goto L9;
                  										} else {
                  											_t35[4] = _t25[8];
                  											 *_t35 = _t25[0xc];
                  											E00424DCE(_t38);
                  											_t16 = 0;
                  										}
                  									}
                  								}
                  							} else {
                  								_t16 = 0x8007000e;
                  							}
                  						}
                  					}
                  				}
                  				return _t16;
                  			}

                  APIs
                  • GetFileVersionInfoSizeA.VERSION(00000000,?,?,?,?,?,0041FDA3), ref: 0041F9EA
                  • GetFileVersionInfoA.VERSION(00000000,00000000,0041FDA3,00000000,00000000,?,?,?,?,?,0041FDA3), ref: 0041FA13
                  • VerQueryValueA.VERSION(00000000,0042BC5C,00000000,0041FDA3,00000000,00000000,0041FDA3,00000000,00000000,?,?,?,?,?,0041FDA3), ref: 0041FA2E
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: FileInfoVersion$QuerySizeValue
                  • String ID:
                  • API String ID: 2179348866-0
                  • Opcode ID: 1f44381f4f1867ad494ef8ec683769e12b5e869821d9e96c7b395d348cdb3dd9
                  • Instruction ID: 1f93746f0757c1243a97e16a57e9a2b1c48c6ef5f1f15e271ecef6eb9eb84ff0
                  • Opcode Fuzzy Hash: 1f44381f4f1867ad494ef8ec683769e12b5e869821d9e96c7b395d348cdb3dd9
                  • Instruction Fuzzy Hash: FE114276210115BACB109E25D800BDB3B98DF447E4F10812BBD0CDB251EB3CDA86C798
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E0040D808() {
                  				void _v263;
                  				char _v264;
                  				long _t13;
                  				signed int _t16;
                  
                  				_v264 = _v264 & 0x00000000;
                  				_t16 = 0x40;
                  				memset( &_v263, 0, _t16 << 2);
                  				asm("stosw");
                  				asm("stosb");
                  				GetTempPathA(0x104,  &_v264);
                  				_t13 = GetFileAttributesA( &_v264); // executed
                  				if(_t13 == 0xffffffff) {
                  					return CreateDirectoryA( &_v264, 0);
                  				}
                  				return _t13;
                  			}

                  APIs
                  • GetTempPathA.KERNEL32(00000104,00000000), ref: 0040D835
                  • GetFileAttributesA.KERNELBASE(00000000), ref: 0040D842
                  • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040D857
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: AttributesCreateDirectoryFilePathTemp
                  • String ID:
                  • API String ID: 3518157937-0
                  • Opcode ID: 22dbea3a5e86ba2f5d732e63e82f8cecc9fec2e0ebb150cf55f691dcafc1b103
                  • Instruction ID: 26542657461be143d5f360e3921356412d4476b8e76cacc8970c96e366d55aee
                  • Opcode Fuzzy Hash: 22dbea3a5e86ba2f5d732e63e82f8cecc9fec2e0ebb150cf55f691dcafc1b103
                  • Instruction Fuzzy Hash: 4CF065B2A00519ABEB2097B4DD89BCA777CA764314F5005F5E3A4E10D0DAF49AC98A15
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E004220ED(void* __ecx, void* __eflags) {
                  				void _v263;
                  				char _v264;
                  				void* _t14;
                  				signed int _t18;
                  				void* _t24;
                  
                  				_v264 = _v264 & 0x00000000;
                  				_t24 = __ecx;
                  				_t18 = 0x40;
                  				memset( &_v263, 0, _t18 << 2);
                  				asm("stosw");
                  				asm("stosb");
                  				_push( &_v264);
                  				E00422A86();
                  				_t14 = E0040DF52( &_v264);
                  				if(_t14 == 0) {
                  					_t14 = CreateFileA( &_v264, 0x40000000, 1, 0, 1, 0x80, 0); // executed
                  					if(_t14 != 0xffffffff) {
                  						 *((char*)(_t24 + 0x93)) = 1;
                  						return CloseHandle(_t14);
                  					}
                  				}
                  				return _t14;
                  			}








                  APIs
                    • Part of subcall function 00422A86: lstrcpyA.KERNEL32(00000000,00000000,0047E5EC,7FFFFFFF,0047E5EC,0047E5EC,?,<UninstallerName>,0041AA6C,?,<UninstallerName>,00000000,00000001,<ShortcutDir>,00000000,00000000), ref: 00422ABE
                  • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000001,00000080,00000000,00000000,770B8BA0,00000000), ref: 00422149
                  • CloseHandle.KERNEL32(00000000), ref: 0042215C
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: CloseCreateFileHandlelstrcpy
                  • String ID:
                  • API String ID: 3205445448-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 84%
                  			E00416031(CHAR* _a4, long* _a8, long* _a12) {
                  				void _v263;
                  				char _v264;
                  				int _t15;
                  				void* _t16;
                  				signed char* _t23;
                  				signed int _t25;
                  				CHAR* _t32;
                  
                  				_t32 = _a4;
                  				_t15 = lstrlenA(_t32);
                  				if(_t15 > 0) {
                  					_t23 = _t15 + _t32 - 1;
                  					if( *(_t15 + _t32 - 1) == 0x5c) {
                  						 *_t23 =  *_t23 & 0x00000000;
                  					}
                  				}
                  				_t16 = E0041BF12(_a8, _t32);
                  				if(_a12 == 0) {
                  					return _t16;
                  				} else {
                  					_v264 = _v264 & 0x00000000;
                  					_t25 = 0x40;
                  					memset( &_v263, 0, _t25 << 2);
                  					asm("stosw");
                  					asm("stosb");
                  					GetShortPathNameA(_t32,  &_v264, 0x104); // executed
                  					return E0041BF12(_a12,  &_v264);
                  				}
                  			}










                  APIs
                  • lstrlenA.KERNEL32(?,0047DFB8), ref: 0041603F
                  • GetShortPathNameA.KERNEL32 ref: 0041608B
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: NamePathShortlstrlen
                  • String ID:
                  • API String ID: 283637753-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00425509(intOrPtr _a4) {
                  				void* _t6;
                  				void* _t9;
                  
                  				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                  				 *0x47f83c = _t6;
                  				if(_t6 == 0) {
                  					L3:
                  					return 0;
                  				} else {
                  					if(E00425545() != 0) {
                  						_t9 = 1;
                  						return _t9;
                  					} else {
                  						HeapDestroy( *0x47f83c);
                  						goto L3;
                  					}
                  				}
                  			}





                  APIs
                  • HeapCreate.KERNELBASE(00000000,00001000,00000000,00425429,00000000), ref: 0042551A
                    • Part of subcall function 00425545: HeapAlloc.KERNEL32(00000000,00000140,0042552E), ref: 00425552
                  • HeapDestroy.KERNEL32 ref: 00425538
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Heap$AllocCreateDestroy
                  • String ID:
                  • API String ID: 2236781399-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041BDC5(intOrPtr* __ecx) {
                  				void* _t6;
                  				long* _t10;
                  
                  				_t10 = __ecx;
                  				 *((intOrPtr*)(__ecx)) = 0;
                  				 *((intOrPtr*)(__ecx + 4)) = 0;
                  				 *((intOrPtr*)(__ecx + 8)) = 0;
                  				_t6 = GlobalAlloc(0x42, 0); // executed
                  				 *(_t10 + 4) = _t6;
                  				 *((intOrPtr*)(_t10 + 8)) = GlobalLock(_t6);
                  				return _t10;
                  			}





                  APIs
                  • GlobalAlloc.KERNELBASE(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                  • GlobalLock.KERNEL32 ref: 0041BDDF
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Global$AllocLock
                  • String ID:
                  • API String ID: 15508794-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00405213(void* __ecx, void* __edi, void* __esi, void* _a4, void* _a8, long _a12) {
                  				void* __ebp;
                  				int _t8;
                  				intOrPtr _t9;
                  				intOrPtr _t10;
                  				intOrPtr _t13;
                  				intOrPtr _t16;
                  				void* _t21;
                  
                  				_t8 = WriteFile(_a4, _a8, _a12,  &_a12, 0); // executed
                  				_t22 = _t8;
                  				if(_t8 == 0) {
                  					E00405408(__edi, __esi, _t22);
                  				}
                  				_t9 =  *0x47e6f8; // 0x12000
                  				_t16 =  *0x47f204; // 0x10000
                  				_t10 = _t9 + _a12;
                  				 *0x47e6f8 = _t10;
                  				_t6 = _t10 - 0x8400; // 0x3fca9e
                  				_t18 = _t6;
                  				if(_t6 > _t16 &&  *0x47f28a != 0) {
                  					E00414F7F(_t18, _t21, _t10 - _t16);
                  					_t13 =  *0x47e6f8; // 0x12000
                  					 *0x47f204 = _t13;
                  					return _t13;
                  				}
                  				return _t10;
                  			}










                  APIs
                  • WriteFile.KERNELBASE(00000000,00000000,00404E9E,00404E9E,00000000,?,004051FC,0045AA60,00000000,00404E9E,00000000,00000000,00000000,0047E1B8,00000001), ref: 00405225
                    • Part of subcall function 00405408: GetLastError.KERNEL32(0045AA60), ref: 00405412
                    • Part of subcall function 00405408: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000200,00000000,00000000), ref: 00405487
                    • Part of subcall function 00405408: GetActiveWindow.USER32 ref: 004054D3
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: ActiveErrorFileFormatLastMessageWindowWrite
                  • String ID:
                  • API String ID: 3502244913-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E00422166(void* __ecx) {
                  				void _v263;
                  				char _v264;
                  				char* _t8;
                  				int _t14;
                  				signed int _t17;
                  
                  				_t2 = __ecx + 0x93; // 0x47e81b
                  				_t8 = _t2;
                  				if( *((intOrPtr*)(__ecx + 0x93)) != 0) {
                  					 *_t8 = 0;
                  					_v264 = 0;
                  					_t17 = 0x40;
                  					memset( &_v263, 0, _t17 << 2);
                  					asm("stosw");
                  					asm("stosb");
                  					_push( &_v264);
                  					E00422A86();
                  					_t14 = DeleteFileA( &_v264); // executed
                  					return _t14;
                  				}
                  				return _t8;
                  			}








                  APIs
                    • Part of subcall function 00422A86: lstrcpyA.KERNEL32(00000000,00000000,0047E5EC,7FFFFFFF,0047E5EC,0047E5EC,?,<UninstallerName>,0041AA6C,?,<UninstallerName>,00000000,00000001,<ShortcutDir>,00000000,00000000), ref: 00422ABE
                  • DeleteFileA.KERNELBASE(?,?,770B8BA0), ref: 004221AF
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: DeleteFilelstrcpy
                  • String ID:
                  • API String ID: 273707478-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 40%
                  			E00424BDA(intOrPtr _a4) {
                  				void* _t2;
                  				void* _t3;
                  				intOrPtr _t5;
                  				void* _t8;
                  
                  				_t5 = _a4;
                  				_t8 = _t5 -  *0x42dc3c; // 0x3f8
                  				if(_t8 > 0) {
                  					L2:
                  					if(_t5 == 0) {
                  						_t5 = 1;
                  					}
                  					_t2 = RtlAllocateHeap( *0x47f83c, 0, _t5 + 0x0000000f & 0xfffffff0); // executed
                  					return _t2;
                  				}
                  				_push(_t5); // executed
                  				_t3 = E004258D9(); // executed
                  				if(_t3 == 0) {
                  					goto L2;
                  				}
                  				return _t3;
                  			}







                  APIs
                  • RtlAllocateHeap.NTDLL(00000000,?,00000000,00424BBE,000000E0,00424BAB,?,00426882,00000100,?,00000000), ref: 00424C08
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040DF52(CHAR* _a4) {
                  				long _t6;
                  
                  				if(E0040DB19(_a4) == 0) {
                  					_t6 = GetFileAttributesA(_a4); // executed
                  					return 0 | _t6 != 0xffffffff;
                  				} else {
                  					return 0;
                  				}
                  			}




                  APIs
                  • GetFileAttributesA.KERNELBASE(?,00415702,?), ref: 0040DF67
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: AttributesFile
                  • String ID:
                  • API String ID: 3188754299-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00425C93(void* __ecx, intOrPtr _a4) {
                  				intOrPtr _v8;
                  				signed int _t45;
                  				intOrPtr _t48;
                  				signed int _t49;
                  				intOrPtr _t51;
                  				intOrPtr _t52;
                  				intOrPtr _t53;
                  				signed int _t54;
                  				intOrPtr* _t55;
                  				signed int _t57;
                  				intOrPtr _t60;
                  				intOrPtr _t61;
                  				intOrPtr _t62;
                  				void* _t69;
                  				void* _t70;
                  				void* _t77;
                  				signed int _t78;
                  				intOrPtr _t81;
                  
                  				_t60 = _a4;
                  				_t81 =  *((intOrPtr*)(_t60 + 0x10));
                  				_t45 =  *(_t60 + 8);
                  				_t57 = 0;
                  				while(_t45 >= 0) {
                  					_t45 = _t45 << 1;
                  					_t57 = _t57 + 1;
                  				}
                  				_t69 = 0x3f;
                  				_t48 = _t57 * 0x204 + _t81 + 0x144;
                  				_v8 = _t48;
                  				do {
                  					 *((intOrPtr*)(_t48 + 8)) = _t48;
                  					 *((intOrPtr*)(_t48 + 4)) = _t48;
                  					_t48 = _t48 + 8;
                  					_t69 = _t69 - 1;
                  				} while (_t69 != 0);
                  				_t77 = (_t57 << 0xf) +  *((intOrPtr*)(_t60 + 0xc));
                  				_t49 = VirtualAlloc(_t77, 0x8000, 0x1000, 4); // executed
                  				if(_t49 != 0) {
                  					_t70 = _t77 + 0x7000;
                  					if(_t77 <= _t70) {
                  						_t55 = _t77 + 0x10;
                  						do {
                  							 *(_t55 - 8) =  *(_t55 - 8) | 0xffffffff;
                  							 *(_t55 + 0xfec) =  *(_t55 + 0xfec) | 0xffffffff;
                  							 *((intOrPtr*)(_t55 - 4)) = 0xff0;
                  							 *_t55 = _t55 + 0xffc;
                  							 *((intOrPtr*)(_t55 + 4)) = _t55 - 0x1004;
                  							 *((intOrPtr*)(_t55 + 0xfe8)) = 0xff0;
                  							_t55 = _t55 + 0x1000;
                  						} while (_t55 - 0x10 <= _t70);
                  					}
                  					_t61 = _t77 + 0xc;
                  					_t51 = _v8 + 0x1f8;
                  					_t78 = 1;
                  					 *((intOrPtr*)(_t51 + 4)) = _t61;
                  					 *((intOrPtr*)(_t61 + 8)) = _t51;
                  					_t62 = _t70 + 0xc;
                  					 *((intOrPtr*)(_t51 + 8)) = _t62;
                  					 *((intOrPtr*)(_t62 + 4)) = _t51;
                  					 *(_t81 + 0x44 + _t57 * 4) =  *(_t81 + 0x44 + _t57 * 4) & 0x00000000;
                  					 *(_t81 + 0xc4 + _t57 * 4) = _t78;
                  					_t52 =  *((intOrPtr*)(_t81 + 0x43));
                  					_t53 = _a4;
                  					 *((char*)(_t81 + 0x43)) = _t52 + 1;
                  					if(_t52 == 0) {
                  						 *(_t53 + 4) =  *(_t53 + 4) | _t78;
                  					}
                  					 *(_t53 + 8) =  *(_t53 + 8) &  !(0x80000000 >> _t57);
                  					_t54 = _t57;
                  				} else {
                  					_t54 = _t49 | 0xffffffff;
                  				}
                  				return _t54;
                  			}






















                  APIs
                  • VirtualAlloc.KERNELBASE(?,00008000,00001000,00000004,?,00000000,000000E0,?,?,004259B9,000000E0,?,?,?,00000100), ref: 00425CE4
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  C-Code - Quality: 92%
                  			E0040E2EE(CHAR* _a4, CHAR* _a8, intOrPtr _a12, CHAR** _a16) {
                  				void* _v8;
                  				intOrPtr _v12;
                  				struct _WIN32_FIND_DATAA _v332;
                  				signed int _t38;
                  				void* _t56;
                  				int _t65;
                  				CHAR* _t99;
                  				CHAR* _t101;
                  				CHAR* _t103;
                  				void* _t105;
                  
                  				if(_a4 == 0 || _a8 == 0 || _a16 == 0) {
                  					return _t38 | 0xffffffff;
                  				} else {
                  					_t99 = E00424DD9(lstrlenA(_a4) + 4);
                  					if(_t99 == 0) {
                  						E0041D881(E0041CD1E(0x47e924));
                  					}
                  					lstrcpyA(_t99, _a4);
                  					lstrcatA(_t99, "*.*");
                  					_v8 = FindFirstFileA(_t99,  &_v332);
                  					E00424DCE(_t99);
                  					if(_v8 != 0xffffffff) {
                  						L8:
                  						while(1) {
                  							if((_v332.dwFileAttributes & 0x00000010) == 0) {
                  								if(lstrcmpiA( &(_v332.cFileName), _a8) == 0) {
                  									FindClose(_v8);
                  									_t103 = E00424DD9(lstrlenA(_a4) + 1);
                  									if(_t103 == 0) {
                  										E0041D881(E0041CD1E(0x47e924));
                  									}
                  									lstrcpyA(_t103, _a4);
                  									_push(1);
                  									 *_a16 = _t103;
                  									goto L23;
                  								}
                  								L17:
                  								if(FindNextFileA(_v8,  &_v332) == 0) {
                  									FindClose(_v8);
                  									do {
                  									} while (E0041A207() == 1);
                  									return 0;
                  								}
                  								continue;
                  							}
                  							if(_v332.cFileName == 0x2e) {
                  								goto L17;
                  							}
                  							_t65 = lstrlenA( &(_v332.cFileName));
                  							_t16 = E00424970(_a4) + 2; // 0x2
                  							_t101 = E00424DD9(_t65 + _t16);
                  							if(_t101 == 0) {
                  								FindClose(_v8);
                  								E0041D881(E0041CD1E(0x47e924));
                  							}
                  							lstrcpyA(_t101, _a4);
                  							lstrcatA(_t101,  &(_v332.cFileName));
                  							if( *((char*)(lstrlenA(_t101) + _t101 - 1)) != 0x5c) {
                  								E00425090(_t101, "\\");
                  							}
                  							_v12 = E0040E2EE(_t101, _a8, _a12, _a16);
                  							E00424DCE(_t101);
                  							_t105 = _t105 + 0x14;
                  							if(_v12 > 0) {
                  								FindClose(_v8);
                  								return _v12;
                  							} else {
                  								goto L17;
                  							}
                  						}
                  					} else {
                  						_push(0xfffffffd);
                  						L23:
                  						_pop(_t56);
                  						return _t56;
                  					}
                  				}
                  			}














                  APIs
                  • lstrlenA.KERNEL32(00000000,00000000,?,00000000), ref: 0040E320
                  • lstrcpyA.KERNEL32(00000000,00000000), ref: 0040E347
                  • lstrcatA.KERNEL32(00000000,*.*), ref: 0040E353
                  • lstrlenA.KERNEL32(0000002E), ref: 0040E3A5
                  • FindClose.KERNEL32(000000FF), ref: 0040E3C6
                  • lstrcpyA.KERNEL32(00000000,00000000), ref: 0040E3DD
                  • lstrcatA.KERNEL32(00000000,0000002E), ref: 0040E3EB
                  • lstrlenA.KERNEL32(00000000), ref: 0040E3F2
                  • lstrcmpiA.KERNEL32(?,00000000), ref: 0040E435
                  • FindNextFileA.KERNEL32(000000FF,00000010), ref: 0040E449
                  • FindClose.KERNEL32(000000FF), ref: 0040E45B
                  • FindClose.KERNEL32(000000FF), ref: 0040E465
                  • lstrlenA.KERNEL32(00000000), ref: 0040E46A
                  • FindFirstFileA.KERNEL32(00000000,?), ref: 0040E361
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • lstrcpyA.KERNEL32(00000000,00000000), ref: 0040E48F
                  • FindClose.KERNEL32(000000FF), ref: 0040E4A2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: Find$Closelstrlen$Globallstrcpy$Filelstrcat$AllocFirstLockNextUnlocklstrcmpi
                  • String ID: $G$$G$$G$*.*$.
                  • API String ID: 2468804411-3051321286
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 68%
                  			E0040C96B(intOrPtr __ecx, intOrPtr* _a4, char _a7) {
                  				signed int _v8;
                  				intOrPtr _v12;
                  				int _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				void* _v35;
                  				char _v36;
                  				void* _t76;
                  				intOrPtr _t90;
                  				void* _t91;
                  				intOrPtr _t98;
                  				intOrPtr _t101;
                  				signed int _t103;
                  				int _t105;
                  				int _t110;
                  				intOrPtr _t114;
                  				void* _t117;
                  				intOrPtr _t119;
                  				intOrPtr _t121;
                  				CHAR* _t122;
                  				intOrPtr _t126;
                  				intOrPtr _t128;
                  				void* _t129;
                  				signed int _t131;
                  				void* _t132;
                  				signed int _t134;
                  				signed int _t136;
                  				signed int _t137;
                  				signed int _t138;
                  				signed int _t139;
                  				intOrPtr _t145;
                  				intOrPtr _t146;
                  				intOrPtr _t147;
                  				intOrPtr _t157;
                  				intOrPtr* _t158;
                  				void* _t169;
                  
                  				_t158 = _a4;
                  				_t121 = __ecx;
                  				 *_t158 = 0;
                  				 *((intOrPtr*)(_t158 + 4)) = 0;
                  				 *0x47e698 = 0;
                  				 *0x47e69c = 0;
                  				 *0x47e6a0 = 0;
                  				 *0x47e6a4 = 0;
                  				 *0x47e6a8 = 0;
                  				 *0x47e6ac = 0;
                  				_t124 =  *((intOrPtr*)(__ecx + 0xb0));
                  				_v24 = __ecx;
                  				_a4 = 0;
                  				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xb0)) + 4)) > 0) {
                  					do {
                  						_t117 = E00406060(_t124, _a4);
                  						if(_t117 != 0 &&  *((intOrPtr*)(_t117 + 8)) != 0) {
                  							_t119 =  *((intOrPtr*)(_t117 + 4));
                  							 *_t158 =  *_t158 +  *((intOrPtr*)(_t119 + 0xc));
                  							asm("adc [esi+0x4], edi");
                  							 *0x47e698 =  *0x47e698 +  *((intOrPtr*)(_t119 + 0x14));
                  							asm("adc [0x47e69c], edi");
                  							 *0x47e6a0 =  *0x47e6a0 +  *((intOrPtr*)(_t119 + 0x10));
                  							asm("adc [0x47e6a4], edi");
                  							 *0x47e6a8 =  *0x47e6a8 +  *((intOrPtr*)(_t119 + 0x18));
                  							asm("adc [0x47e6ac], edi");
                  						}
                  						_a4 = _a4 + 1;
                  						_t124 =  *((intOrPtr*)(_t121 + 0xb0));
                  					} while (_a4 <  *((intOrPtr*)( *((intOrPtr*)(_t121 + 0xb0)) + 4)));
                  				}
                  				_t122 = E00424DD9(0x32);
                  				if(_t122 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				E00424500(_t122, 0, 0x32);
                  				_t145 =  *_t158;
                  				_t126 =  *0x47e648; // 0xfff01000
                  				_v12 = _t145;
                  				_v20 = _t126 - _t145;
                  				_t128 =  *0x47e64c; // 0x13
                  				_t146 = _t128;
                  				asm("sbb edx, eax");
                  				_t169 =  *((intOrPtr*)(_t158 + 4)) - _t128;
                  				if(_t169 >= 0) {
                  					if(_t169 > 0) {
                  						L10:
                  						_v20 = 0;
                  						_t146 = 0;
                  					} else {
                  						_t114 =  *0x47e648; // 0xfff01000
                  						if(_v12 > _t114) {
                  							goto L10;
                  						}
                  					}
                  				}
                  				_push(_t122);
                  				_t129 = 0xa;
                  				_t76 = E00425060(_v20, _t129, _t146);
                  				_push(_t146);
                  				_push(_t76);
                  				E0041DE38();
                  				_v36 = _v36 & 0x00000000;
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosb");
                  				if(GetLocaleInfoA(0x400, 0x17,  &_v36, 0xa) == 0) {
                  					lstrcpyA( &_v36, " ");
                  				}
                  				_a7 = _v36;
                  				if(lstrlenA( &_v36) > 1) {
                  					_a7 = 0x20;
                  				}
                  				_v16 = lstrlenA(_t122);
                  				_t131 = lstrlenA(_t122) - 1;
                  				_v8 = _t131;
                  				if(_t131 != 0) {
                  					while(1) {
                  						_t138 = 3;
                  						if((_v16 - _t131) % _t138 != 0) {
                  							goto L23;
                  						}
                  						_t110 = lstrlenA(_t122);
                  						_t139 = _v8;
                  						while(_t110 >= _t139) {
                  							_t122[_t110] =  *((intOrPtr*)(_t110 + _t122 - 1));
                  							_t110 = _t110 - 1;
                  						}
                  						 *((char*)(_t139 + _t122)) = _a7;
                  						L23:
                  						_t48 =  &_v8;
                  						 *_t48 = _v8 - 1;
                  						__eflags =  *_t48;
                  						if( *_t48 != 0) {
                  							_t131 = _v8;
                  							continue;
                  						}
                  						goto L24;
                  					}
                  				}
                  				L24:
                  				lstrcatA(_t122, " K");
                  				SetDlgItemTextA( *(_v24 + 4), 0x1a, _t122);
                  				E00424500(_t122, 0, 0x32);
                  				_t90 =  *0x47e648; // 0xfff01000
                  				_t147 =  *0x47e64c; // 0x13
                  				_push(_t122);
                  				_t132 = 0xa;
                  				_t91 = E00425060(_t90, _t132, _t147);
                  				_push(_t147);
                  				_push(_t91);
                  				E0041DE38();
                  				_v16 = lstrlenA(_t122);
                  				_t134 = lstrlenA(_t122) - 1;
                  				__eflags = _t134;
                  				_v8 = _t134;
                  				if(_t134 != 0) {
                  					while(1) {
                  						_t103 = _v16 - _t134;
                  						_t136 = 3;
                  						__eflags = _t103 % _t136;
                  						if(_t103 % _t136 != 0) {
                  							goto L32;
                  						}
                  						_t105 = lstrlenA(_t122);
                  						_t137 = _v8;
                  						while(1) {
                  							__eflags = _t105 - _t137;
                  							if(_t105 < _t137) {
                  								break;
                  							}
                  							_t122[_t105] =  *((intOrPtr*)(_t105 + _t122 - 1));
                  							_t105 = _t105 - 1;
                  						}
                  						 *((char*)(_t137 + _t122)) = _a7;
                  						L32:
                  						_t66 =  &_v8;
                  						 *_t66 = _v8 - 1;
                  						__eflags =  *_t66;
                  						if( *_t66 != 0) {
                  							_t134 = _v8;
                  							continue;
                  						}
                  						goto L33;
                  					}
                  				}
                  				L33:
                  				lstrcatA(_t122, " K");
                  				_t157 = _v24;
                  				SetDlgItemTextA( *(_t157 + 4), 0x19, _t122);
                  				E00424DCE(_t122);
                  				_t98 =  *0x47e64c; // 0x13
                  				__eflags = _t98 -  *((intOrPtr*)(_t158 + 4));
                  				if(__eflags > 0) {
                  					L37:
                  					_push(1);
                  				} else {
                  					if(__eflags < 0) {
                  						L36:
                  						_push(0);
                  					} else {
                  						_t101 =  *0x47e648; // 0xfff01000
                  						__eflags = _t101 -  *_t158;
                  						if(_t101 >=  *_t158) {
                  							goto L37;
                  						} else {
                  							goto L36;
                  						}
                  					}
                  				}
                  				return EnableWindow(GetDlgItem( *(_t157 + 4), 1), ??);
                  			}








































                  APIs
                  • GetLocaleInfoA.KERNEL32(00000400,00000017,00000000,0000000A,?,?,?,770B3BB0,?,00000000), ref: 0040CA9B
                  • lstrcpyA.KERNEL32(00000000,0042BCFC,?,?,?,770B3BB0,?,00000000), ref: 0040CAAE
                  • lstrlenA.KERNEL32(00000000,?,?,?,770B3BB0,?,00000000), ref: 0040CAC4
                  • lstrlenA.KERNEL32(00000000,?,?,?,770B3BB0,?,00000000), ref: 0040CAD0
                  • lstrlenA.KERNEL32(00000000,?,?,?,770B3BB0,?,00000000), ref: 0040CAD6
                  • lstrlenA.KERNEL32(00000000,?,?,?,770B3BB0,?,00000000), ref: 0040CAF6
                  • lstrcatA.KERNEL32(00000000,0042BCF8,?,?,?,770B3BB0,?,00000000), ref: 0040CB1A
                  • SetDlgItemTextA.USER32 ref: 0040CB29
                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,770B3BB0,?,00000000), ref: 0040CB5B
                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,770B3BB0,?,00000000), ref: 0040CB61
                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,770B3BB0,?,00000000), ref: 0040CB81
                  • lstrcatA.KERNEL32(00000000,0042BCF8,?,?,?,?,?,?,?,?,?,770B3BB0,?,00000000), ref: 0040CBA5
                  • SetDlgItemTextA.USER32 ref: 0040CBB4
                  • GetDlgItem.USER32 ref: 0040CBE1
                  • EnableWindow.USER32(00000000), ref: 0040CBE8
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Similarity
                  • API ID: lstrlen$Item$Textlstrcat$EnableInfoLocaleWindowlstrcpy
                  • String ID: $$G
                  • API String ID: 2738947291-56673411
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E0041E3EF() {
                  				int _v8;
                  				intOrPtr _v20;
                  				int _v32;
                  				char _v39;
                  				char _v40;
                  				char _v41;
                  				char _v42;
                  				char _v43;
                  				struct _SID_IDENTIFIER_AUTHORITY _v44;
                  				long _v48;
                  				struct _GENERIC_MAPPING _v64;
                  				long _v68;
                  				void* _v72;
                  				long _v76;
                  				int _v80;
                  				struct _PRIVILEGE_SET _v100;
                  				void* _v104;
                  				int _v112;
                  				long _v116;
                  				void* _v120;
                  				long _v124;
                  				void* __ebx;
                  				void* __ebp;
                  				signed int _t63;
                  				struct _SECURITY_DESCRIPTOR* _t67;
                  				struct _ACL* _t70;
                  				intOrPtr _t94;
                  				long _t96;
                  				long _t99;
                  				long _t100;
                  				intOrPtr _t101;
                  
                  				_push(0xffffffff);
                  				_push(0x4285e8);
                  				_push(E00424EE0);
                  				_push( *[fs:0x0]);
                  				 *[fs:0x0] = _t101;
                  				_v80 = 0;
                  				_t96 = 0x14;
                  				_v48 = _t96;
                  				_v32 = 0;
                  				_v104 = 0;
                  				_v120 = 0;
                  				_v72 = 0;
                  				_v112 = 0;
                  				_v44.Value = 0;
                  				_v43 = 0;
                  				_v42 = 0;
                  				_v41 = 0;
                  				_v40 = 0;
                  				_v39 = 5;
                  				if(GetVersion() < 0x80000000) {
                  					_v8 = 0;
                  					if(OpenThreadToken(GetCurrentThread(), 0xa, 1,  &_v120) != 0 || GetLastError() == 0x3f0 && OpenProcessToken(GetCurrentProcess(), 0xa,  &_v120) != 0) {
                  						if(DuplicateToken(_v120, 2,  &_v72) != 0 && AllocateAndInitializeSid( &_v44, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v104) != 0) {
                  							_t67 = LocalAlloc(0x40, _t96);
                  							_v112 = _t67;
                  							if(_t67 != 0 && InitializeSecurityDescriptor(_t67, 1) != 0) {
                  								_t99 = GetLengthSid(_v104) + 0x10;
                  								_v68 = _t99;
                  								_t70 = LocalAlloc(0x40, _t99);
                  								_v32 = _t70;
                  								if(_t70 != 0 && InitializeAcl(_t70, _t99, 2) != 0) {
                  									_t94 = 3;
                  									_v124 = LocalAlloc;
                  									if(AddAccessAllowedAce(_v32, 2, LocalAlloc, _v104) != 0) {
                  										_push(0);
                  										_push(_v32);
                  										_t100 = 1;
                  										if(SetSecurityDescriptorDacl(_v112, _t100, ??, ??) != 0) {
                  											SetSecurityDescriptorGroup(_v112, _v104, 0);
                  											SetSecurityDescriptorOwner(_v112, _v104, 0);
                  											if(IsValidSecurityDescriptor(_v112) != 0) {
                  												_v116 = _t100;
                  												_v64.GenericRead = _t100;
                  												_v64.GenericWrite = 2;
                  												_v64.GenericExecute = 0;
                  												_v64.GenericAll = _t94;
                  												if(AccessCheck(_v112, _v72, _t100,  &_v64,  &_v100,  &_v48,  &_v76,  &_v80) == 0) {
                  													_v80 = 0;
                  												}
                  											}
                  										}
                  									}
                  								}
                  							}
                  						}
                  					}
                  					_v8 = _v8 | 0xffffffff;
                  					E0041E5E3(0);
                  					_t63 = 0 | _v80 != 0x00000000;
                  					goto L17;
                  				} else {
                  					_t63 = 1;
                  					L17:
                  					 *[fs:0x0] = _v20;
                  					return _t63;
                  				}
                  			}

                  APIs
                  • GetVersion.KERNEL32(0047E4D0,00000000,00000000), ref: 0041E43F
                  • GetCurrentThread.KERNEL32 ref: 0041E45E
                  • OpenThreadToken.ADVAPI32(00000000), ref: 0041E465
                  • GetLastError.KERNEL32 ref: 0041E46F
                  • GetCurrentProcess.KERNEL32(0000000A,?), ref: 0041E486
                  • OpenProcessToken.ADVAPI32(00000000), ref: 0041E48D
                  • DuplicateToken.ADVAPI32(?,00000002,?), ref: 0041E4A4
                  • AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0041E4C9
                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 0041E4E0
                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 0041E4F0
                  • GetLengthSid.ADVAPI32(?), ref: 0041E501
                  • LocalAlloc.KERNEL32(00000040,-00000010), ref: 0041E512
                  • InitializeAcl.ADVAPI32(00000000,-00000010,00000002), ref: 0041E523
                  • AddAccessAllowedAce.ADVAPI32(000000FF,00000002,00000003,?), ref: 0041E540
                  • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,000000FF,00000000), ref: 0041E555
                  • SetSecurityDescriptorGroup.ADVAPI32(00000000,?,00000000), ref: 0041E566
                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 0041E573
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: DescriptorSecurity$InitializeToken$AllocCurrentLocalOpenProcessThread$AccessAllocateAllowedDaclDuplicateErrorGroupLastLengthOwnerVersion
                  • String ID:
                  • API String ID: 391627019-0
                  • Opcode ID: 7b02ce2a8fc91034838d54e4a35e2769ec14eedf515d51013f3af73f8ad06c83
                  • Instruction ID: ee05deb8910de79d19cf895011cf8c6bae4496e441d7c3eb43d7ad16ae5a6ca7
                  • Opcode Fuzzy Hash: 7b02ce2a8fc91034838d54e4a35e2769ec14eedf515d51013f3af73f8ad06c83
                  • Instruction Fuzzy Hash: AE512671E41208ABDF209FE6DD89BDEBBBDFB08750F50402AE605E7190DA748945CB68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E0040EE9C() {
                  				void* _v36;
                  				void* _v80;
                  				void* __ecx;
                  				int _t10;
                  				void* _t14;
                  				signed int _t15;
                  				int _t27;
                  				void* _t34;
                  				void* _t35;
                  				signed int _t36;
                  				void* _t44;
                  				struct HDC__* _t46;
                  				signed int _t47;
                  				struct HDC__* _t48;
                  				void* _t49;
                  
                  				_t49 = _t35;
                  				_t46 = GetDC( *0x47e178);
                  				if(_t46 == 0) {
                  					L6:
                  					return 0;
                  				}
                  				 *0x47e184 = CreateCompatibleDC(_t46);
                  				_t10 = GetDeviceCaps(_t46, 0xa);
                  				_t44 = CreateCompatibleBitmap(_t46, GetDeviceCaps(_t46, 8), _t10);
                  				_v36 = _t44;
                  				ReleaseDC( *0x47e178, _t46);
                  				if(_t44 != 0) {
                  					_t14 = SelectObject( *0x47e184, _t44);
                  					__eflags = _t14;
                  					if(_t14 != 0) {
                  						_t47 =  *0x47e174; // 0x0
                  						_t15 =  *0x47e82c; // 0x32
                  						_t36 = 0x64;
                  						_t45 = _t15 * _t47 / _t36;
                  						E0040F1B2( *0x47e820,  *0x47e824, _t15 * _t47 / _t36, _t15 * _t47 / _t36, 0);
                  						E0040F1B2( *0x47e824,  *0x47e828, _t47, _t47 - _t45 - 1, _t45);
                  						E0040F999(_t49, __eflags);
                  						E0040F47A();
                  						_t48 = GetDC( *0x47e178);
                  						_t27 = BitBlt(_t48, 0, 0,  *0x47e170,  *0x47e174,  *0x47e184, 0, 0, 0xcc0020);
                  						__eflags = _t27;
                  						if(_t27 != 0) {
                  							ReleaseDC( *0x47e178, _t48);
                  							_t34 = 1;
                  							L8:
                  							DeleteObject(_v80);
                  							return _t34;
                  						}
                  						goto L6;
                  					}
                  					DeleteDC( *0x47e184);
                  					 *0x47e184 =  *0x47e184 & 0x00000000;
                  					_t34 = 0;
                  					goto L8;
                  				}
                  				DeleteDC( *0x47e184);
                  				 *0x47e184 =  *0x47e184 & _t44;
                  				goto L6;
                  			}

                  APIs
                  • GetDC.USER32(7712B290), ref: 0040EEAF
                  • CreateCompatibleDC.GDI32(00000000), ref: 0040EEBC
                  • GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040EED0
                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040EED6
                  • CreateCompatibleBitmap.GDI32(00000000,00000000), ref: 0040EEDA
                  • ReleaseDC.USER32 ref: 0040EEED
                  • DeleteDC.GDI32 ref: 0040EEFD
                  • SelectObject.GDI32(00000000), ref: 0040EF15
                  • DeleteDC.GDI32 ref: 0040EF25
                  • ReleaseDC.USER32 ref: 0040EFCD
                  • DeleteObject.GDI32(?), ref: 0040EFD9
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Delete$CapsCompatibleCreateDeviceObjectRelease$BitmapSelect
                  • String ID:
                  • API String ID: 3914743975-0
                  • Opcode ID: f046746491cd2f5c9336f52545cfd5d6fa3729b5f8fa359b5acca7dd697ca9de
                  • Instruction ID: c40cb558d7516ac9f94f8ff682cf68fd21e8b6fec1b385c180aef17db7d780d4
                  • Opcode Fuzzy Hash: f046746491cd2f5c9336f52545cfd5d6fa3729b5f8fa359b5acca7dd697ca9de
                  • Instruction Fuzzy Hash: C7316631202110FFEB215F23ED0AE2B3BAEFB897117850179F50996170CE365C569B6D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E0041EEE8(void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16) {
                  				char _v8;
                  				char _v12;
                  				char _v24;
                  				void* _v35;
                  				char _v36;
                  				struct HINSTANCE__* _v40;
                  				unsigned int _v360;
                  				char _v420;
                  				char _v1484;
                  				_Unknown_base(*)()* _t62;
                  				int _t63;
                  				intOrPtr* _t65;
                  				int _t66;
                  				int _t67;
                  				intOrPtr* _t70;
                  				int _t77;
                  				int _t93;
                  				int _t102;
                  				int _t106;
                  				int _t107;
                  				int _t108;
                  				signed int _t125;
                  				void* _t142;
                  				signed int _t144;
                  				struct HINSTANCE__* _t147;
                  
                  				_t142 = __edi;
                  				 *0x47e2b0 =  *0x47e2b0 + 1;
                  				E0041BE99( &_v24, 0x47eaec);
                  				_push( *0x47e2b0);
                  				E0041C467( &_v24, " %d:\t");
                  				_v12 = 0;
                  				_v8 = 0;
                  				_t147 = LoadLibraryA("DDRAW.DLL");
                  				_v40 = _t147;
                  				if(_t147 == 0) {
                  					L22:
                  					E0041BEFB( &_v24);
                  					return 0;
                  				}
                  				_t62 = GetProcAddress(_t147, "DirectDrawCreate");
                  				if(_t62 != 0) {
                  					_t63 =  *_t62(_a4,  &_v12, 0);
                  					__eflags = _t63;
                  					if(_t63 < 0) {
                  						goto L2;
                  					}
                  					_t65 = _v12;
                  					_t66 =  *((intOrPtr*)( *_t65))(_t65, 0x428808,  &_v8);
                  					__eflags = _t66;
                  					if(_t66 < 0) {
                  						_v8 = 0;
                  					}
                  					_t67 = _v8;
                  					__eflags = _t67;
                  					if(_t67 == 0) {
                  						L12:
                  						E00424500( &_v420, 0, 0x17c);
                  						_t70 = _v12;
                  						_v420 = 0x17c;
                  						 *((intOrPtr*)( *_t70 + 0x2c))(_t70,  &_v420, 0, _t142);
                  						E0041C047( &_v24, _a8, 0);
                  						E0041EEC5(_a16,  &_v24);
                  						_v36 = 0;
                  						asm("stosd");
                  						asm("stosd");
                  						asm("stosb");
                  						_t77 = GetLocaleInfoA(0x400, 0xe,  &_v36, 0xa);
                  						__eflags = _t77;
                  						if(_t77 == 0) {
                  							lstrcpyA( &_v36, ",");
                  						}
                  						E0041BF12( &_v24, 0x42e0c8);
                  						_t125 = 0x64;
                  						_t144 = (_v360 - (_v360 >> 0x14 << 0x14) >> 0xa) / _t125;
                  						__eflags = _t144 - 9;
                  						if(_t144 > 9) {
                  							_t144 = 9;
                  						}
                  						E0041BFF8( &_v24, 9);
                  						E0041C0C5( &_v24, __eflags, 0x47eaf8);
                  						_push(_t144);
                  						_push( &_v36);
                  						_push(_v360 >> 0x14);
                  						E0041C467( &_v24, ": %d%s%d MB");
                  						E0041EEC5(_a16,  &_v24);
                  						E0041BF12( &_v24, 0x42e0c8);
                  						__eflags = _v8;
                  						if(_v8 != 0) {
                  							_push( &_v1484);
                  							_push(E0041CD1E(0x47eb04));
                  							E0041C467( &_v24, "\t%s: %s");
                  							_t102 = _v8;
                  							__eflags = _t102;
                  							if(_t102 != 0) {
                  								 *((intOrPtr*)( *_t102 + 8))(_t102);
                  							}
                  						}
                  						_t93 = _v12;
                  						__eflags = _t93;
                  						if(_t93 != 0) {
                  							 *((intOrPtr*)( *_t93 + 8))(_t93);
                  						}
                  						FreeLibrary(_v40);
                  						E0041EEC5(_a16,  &_v24);
                  						_push(1);
                  						_pop(0);
                  						goto L22;
                  					}
                  					_t106 =  *((intOrPtr*)( *_t67 + 0x6c))(_t67,  &_v1484, 0);
                  					__eflags = _t106;
                  					if(_t106 >= 0) {
                  						goto L12;
                  					}
                  					_t107 = _v8;
                  					__eflags = _t107;
                  					if(_t107 != 0) {
                  						 *((intOrPtr*)( *_t107 + 8))(_t107);
                  					}
                  					_t108 = _v12;
                  					__eflags = _t108;
                  					if(_t108 != 0) {
                  						 *((intOrPtr*)( *_t108 + 8))(_t108);
                  					}
                  				}
                  				L2:
                  				FreeLibrary(_t147);
                  				goto L22;
                  			}

                  APIs
                    • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                    • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                  • LoadLibraryA.KERNEL32(DDRAW.DLL), ref: 0041EF2A
                  • GetProcAddress.KERNEL32(00000000,DirectDrawCreate), ref: 0041EF43
                  • FreeLibrary.KERNEL32(00000000), ref: 0041EF4E
                    • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                    • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                    • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                    • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                  • GetLocaleInfoA.KERNEL32(00000400,0000000E,?,0000000A,?,?,00000000), ref: 0041F012
                  • lstrcpyA.KERNEL32(?,0042C0C8), ref: 0041F025
                  • FreeLibrary.KERNEL32(?,?,?,?,0047EAF8,00000009,0042E0C8), ref: 0041F0EF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$lstrlen$Library$AllocFreeLock$AddressInfoLoadLocaleProcUnlocklstrcpy
                  • String ID: %s: %s$ %d:$: %d%s%d MB$DDRAW.DLL$DirectDrawCreate
                  • API String ID: 3724619349-2030211027
                  • Opcode ID: 846f708f0c6553d162b05b4e78bb1a539fc0c38a84fe2610caf7778b5554cf9b
                  • Instruction ID: 3012dda7d57b04b111c5f8892c497247f7c2b1382b76468a7d00b522a6367528
                  • Opcode Fuzzy Hash: 846f708f0c6553d162b05b4e78bb1a539fc0c38a84fe2610caf7778b5554cf9b
                  • Instruction Fuzzy Hash: 9D617071A00219AFDB00DBE5DC85DEE7779EF48304F50046AF505E7281DB399E86CB69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 65%
                  			E0041D95E(signed int _a4, int _a8, intOrPtr _a12) {
                  				void* _v15;
                  				char _v16;
                  				signed int _t20;
                  				signed int _t22;
                  				int _t25;
                  				signed int _t27;
                  				signed int _t29;
                  				signed int _t30;
                  				void* _t32;
                  				void* _t35;
                  				void* _t41;
                  				void* _t46;
                  				signed int _t53;
                  				int _t54;
                  				void* _t55;
                  				void* _t59;
                  				void* _t61;
                  				void* _t62;
                  				void* _t63;
                  				void* _t65;
                  				void* _t67;
                  				void* _t69;
                  				int _t70;
                  				int _t71;
                  				int _t76;
                  				signed int _t77;
                  				void* _t83;
                  				void* _t84;
                  				int _t88;
                  
                  				E0041BF12(_a12, 0x42e0c8);
                  				_t70 = _a8;
                  				_t20 = _a4 & 0xfffffc00;
                  				_t88 = _t70;
                  				if(_t88 > 0 || _t88 >= 0 && _t20 >= 0x100000) {
                  					_t59 = 0xa;
                  					_t22 = E00425060(_a4, _t59, _t70);
                  					_v16 = _v16 & 0x00000000;
                  					_t53 = _t22;
                  					asm("stosd");
                  					asm("stosd");
                  					asm("stosb");
                  					_a8 = _t70;
                  					_t25 = GetLocaleInfoA(0x400, 0xe,  &_v16, 0xa);
                  					__eflags = _t25;
                  					if(_t25 == 0) {
                  						lstrcpyA( &_v16, ",");
                  					}
                  					_t76 = _a8;
                  					_t27 = _t53 & 0xfffffc00;
                  					__eflags = _t76;
                  					if(__eflags > 0) {
                  						L12:
                  						_t61 = 0xa;
                  						_t71 = _t76;
                  						_t29 = E00425060(_t53, _t61, _t71);
                  						_t77 = _t29;
                  						_t54 = _t71;
                  						_t30 = _t29 & 0xfffffc00;
                  						__eflags = _t54;
                  						if(__eflags > 0) {
                  							L18:
                  							_t62 = 0xa;
                  							_t72 = _t54;
                  							_t32 = E00425060(_t77, _t62, _t54);
                  							_t63 = 0xa;
                  							_t55 = E00425060(_t32, _t63, _t72);
                  							asm("sbb edi, ecx");
                  							_t35 = E00425250(_t32 - (_t33 << 0xa), _t72, 0x64, 0);
                  							__eflags = _t35 - 0xa;
                  							if(_t35 >= 0xa) {
                  								_t35 = 9;
                  							}
                  							_push(_t35);
                  							_push( &_v16);
                  							_push(_t55);
                  							_push("%d%s%d TB");
                  							goto L21;
                  						}
                  						if(__eflags < 0) {
                  							L15:
                  							_t65 = 0xa;
                  							_t83 = E00425060(_t77, _t65, _t54);
                  							asm("sbb ebx, ecx");
                  							_t41 = E00425250(_t77 - (_t39 << 0xa), _t54, 0x64, 0);
                  							__eflags = _t41 - 0xa;
                  							if(_t41 >= 0xa) {
                  								_t41 = 9;
                  							}
                  							_push(_t41);
                  							_push( &_v16);
                  							_push(_t83);
                  							_push("%d%s%d GB");
                  							goto L21;
                  						}
                  						__eflags = _t30 - 0x100000;
                  						if(_t30 >= 0x100000) {
                  							goto L18;
                  						}
                  						goto L15;
                  					} else {
                  						if(__eflags < 0) {
                  							L9:
                  							_t67 = 0xa;
                  							_t84 = E00425060(_t53, _t67, _t76);
                  							asm("sbb edi, ecx");
                  							_t46 = E00425250(_t53 - (_t44 << 0xa), _t76, 0x64, 0);
                  							__eflags = _t46 - 0xa;
                  							if(_t46 >= 0xa) {
                  								_t46 = 9;
                  							}
                  							_push(_t46);
                  							_push( &_v16);
                  							_push(_t84);
                  							_push("%d%s%d MB");
                  							L21:
                  							_push(_a12);
                  							return E0041C467();
                  						}
                  						__eflags = _t27 - 0x100000;
                  						if(_t27 >= 0x100000) {
                  							goto L12;
                  						}
                  						goto L9;
                  					}
                  				} else {
                  					_t69 = 0xa;
                  					_push(E00425060(_a4, _t69, _t70));
                  					return E0041C467(_a12, "%d KB");
                  				}
                  			}

                  APIs
                    • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0221020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                    • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                    • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                  • GetLocaleInfoA.KERNEL32(00000400,0000000E,00000000,0000000A,0042E0C8,00000000,00000000,00000000), ref: 0041D9DA
                  • lstrcpyA.KERNEL32(00000000,0042C0C8), ref: 0041D9ED
                  • __aulldiv.LIBCMT ref: 0041DA25
                  • __aulldiv.LIBCMT ref: 0041DA7D
                  • __aulldiv.LIBCMT ref: 0041DABF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global__aulldiv$AllocInfoLocaleLockUnlocklstrcpy
                  • String ID: %d KB$%d%s%d GB$%d%s%d MB$%d%s%d TB
                  • API String ID: 2912751820-1851159777
                  • Opcode ID: 61237b5f1ee841af03de9891e0d30280989a1bdbeb4c3c3c60aed83f3c037d64
                  • Instruction ID: bfa3e1734765f5e35e2b0a15e4957904babfb08cd35756a16585f01112cbd073
                  • Opcode Fuzzy Hash: 61237b5f1ee841af03de9891e0d30280989a1bdbeb4c3c3c60aed83f3c037d64
                  • Instruction Fuzzy Hash: 384125B2B403147AEB18D564AC92FBF2759DB81B94F54453BFA01EB2C0D9BCC98142AC
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E0041FB81() {
                  				int _v8;
                  				char _v20;
                  				char _v32;
                  				char _v44;
                  				char _v317;
                  				struct _WIN32_FIND_DATAA _v364;
                  				void _v623;
                  				char _v624;
                  				signed int _t92;
                  				void* _t103;
                  				void* _t105;
                  				void* _t106;
                  				int _t108;
                  
                  				E0041BE99( &_v20, 0x47dfbc);
                  				if(E0041BFE3( &_v20, _v20 - 1) != 0x5c) {
                  					E0041BFF8( &_v20, 0x5c);
                  				}
                  				E0041C047( &_v20, "Microsoft.NET\\Framework\\", 0);
                  				_v8 = _v8 | 0xffffffff;
                  				E0041BE99( &_v44,  &_v20);
                  				E0041C047( &_v44, "*.*", 0);
                  				E00424500( &_v364, 0, 0x140);
                  				_t106 = _t105 + 0xc;
                  				_t103 = FindFirstFileA(E0041CD1E( &_v44),  &_v364);
                  				_t108 = _t103 - 0xffffffff;
                  				while(_t108 != 0) {
                  					if((_v364.dwFileAttributes & 0x00000010) == 0 || _v364.cFileName == 0x2e) {
                  						L12:
                  						_t108 = FindNextFileA(_t103,  &_v364);
                  						continue;
                  					} else {
                  						E0041BE99( &_v32,  &_v20);
                  						E0041C047( &_v32,  &(_v364.cFileName), 0);
                  						E0041C047( &_v32, "\\system.dll", 0);
                  						if(GetFileAttributesA(E0041CD1E( &_v32)) == 0xffffffff || lstrlenA( &(_v364.cFileName)) < 4) {
                  							L11:
                  							E0041BEFB( &_v32);
                  							goto L12;
                  						} else {
                  							_t92 = 0x40;
                  							_v624 = 0;
                  							memset( &_v623, 0, _t92 << 2);
                  							_t106 = _t106 + 0xc;
                  							asm("stosw");
                  							asm("stosb");
                  							E00425080( &_v624,  &_v317);
                  							if(_v624 == 0x31) {
                  								_v8 = 1;
                  								E0041BEFB( &_v32);
                  								break;
                  							}
                  							if(_v624 == 0x30) {
                  								_v8 = 0;
                  							}
                  							goto L11;
                  						}
                  					}
                  				}
                  				FindClose(_t103);
                  				E0041BEFB( &_v44);
                  				E0041BEFB( &_v20);
                  				return _v8;
                  			}

                  APIs
                    • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                    • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                  • FindFirstFileA.KERNEL32(00000000,?,00000001,00420E9E,0047DFBC), ref: 0041FC08
                  • GetFileAttributesA.KERNEL32(00000000,\system.dll,00000000,0000002E,00000000,00420E9F), ref: 0041FC66
                  • lstrlenA.KERNEL32(0000002E), ref: 0041FC78
                  • FindNextFileA.KERNEL32(00000000,00000010), ref: 0041FCD3
                  • FindClose.KERNEL32(00000000), ref: 0041FCF0
                    • Part of subcall function 0041BFF8: GlobalUnlock.KERNEL32(8415FF57,0047E788,004221E2,00000000,00000000,00000000,0047E788,00000000), ref: 0041C000
                    • Part of subcall function 0041BFF8: GlobalReAlloc.KERNEL32 ref: 0041C00D
                    • Part of subcall function 0041BFF8: GlobalLock.KERNEL32 ref: 0041C02E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$FileFind$AllocLock$AttributesCloseFirstNextUnlocklstrlen
                  • String ID: *.*$Microsoft.NET\Framework\$\system.dll
                  • API String ID: 1301902778-4236999259
                  • Opcode ID: 23e69a58573cbe043e2e4b7cc6a2ed4d1c5bdbe2034a486dc8d181821954c2ac
                  • Instruction ID: 0c49fdb927465f1edeeb5f710294b29b2c00870386440977898a730bf9e491ee
                  • Opcode Fuzzy Hash: 23e69a58573cbe043e2e4b7cc6a2ed4d1c5bdbe2034a486dc8d181821954c2ac
                  • Instruction Fuzzy Hash: 04419771D0061D9ADF14EBA5DC85EEF7778EF04308F50046BE511A21D1EB385E8ACB98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040B6B3(void* __eflags, struct HWND__* _a4, void* _a8) {
                  				long _v8;
                  				struct _WIN32_FIND_DATAA _v328;
                  				char _v588;
                  				void* _t24;
                  				long _t28;
                  				int _t42;
                  
                  				_t24 = FindFirstFileA(E0041CD1E(_a8),  &_v328);
                  				_a8 = _t24;
                  				if(_t24 != 0xffffffff) {
                  					do {
                  						if((_v328.dwFileAttributes & 0x00000010) != 0 && _v328.cFileName != 0x2e && _v328.cFileName != 0) {
                  							_t28 = SendDlgItemMessageA(_a4, 0xb, 0x18b, 0, 0);
                  							_t42 = 0;
                  							_v8 = _t28;
                  							if(_t28 <= 0) {
                  								L8:
                  								SendDlgItemMessageA(_a4, 0xb, 0x180, 0,  &(_v328.cFileName));
                  							} else {
                  								while(1) {
                  									_v588 = 0;
                  									SendDlgItemMessageA(_a4, 0xb, 0x189, _t42,  &_v588);
                  									if(lstrcmpiA( &_v588,  &(_v328.cFileName)) == 0) {
                  										goto L9;
                  									}
                  									_t42 = _t42 + 1;
                  									if(_t42 < _v8) {
                  										continue;
                  									} else {
                  										goto L8;
                  									}
                  									goto L9;
                  								}
                  							}
                  						}
                  						L9:
                  					} while (FindNextFileA(_a8,  &_v328) != 0);
                  				}
                  				return FindClose(_a8);
                  			}

                  APIs
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • FindFirstFileA.KERNEL32(00000000,?), ref: 0040B6CC
                  • SendDlgItemMessageA.USER32(?,0000000B,0000018B,00000000,00000000), ref: 0040B70F
                  • SendDlgItemMessageA.USER32(?,0000000B,00000189,00000000,?), ref: 0040B732
                  • lstrcmpiA.KERNEL32(?,0000002E), ref: 0040B742
                  • SendDlgItemMessageA.USER32(?,0000000B,00000180,00000000,0000002E), ref: 0040B764
                  • FindNextFileA.KERNEL32(?,00000010), ref: 0040B770
                  • FindClose.KERNEL32(?), ref: 0040B784
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: FindGlobalItemMessageSend$File$AllocCloseFirstLockNextUnlocklstrcmpi
                  • String ID: .
                  • API String ID: 1519698938-248832578
                  • Opcode ID: 73f62b74efa56c8f7f30f9d3253f8eaf9d6e2ae22a43afcaa83a08a3e9caaa7d
                  • Instruction ID: f0f2f29fac367435beece934399d940b04a20419ed95f58ff49edb3295910553
                  • Opcode Fuzzy Hash: 73f62b74efa56c8f7f30f9d3253f8eaf9d6e2ae22a43afcaa83a08a3e9caaa7d
                  • Instruction Fuzzy Hash: 6921627194021CBADB219F64DC85BEE7B6CEB40344F5045B6B508E71E0CB749F868BA8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00411D82() {
                  				void* _v8;
                  				int _v12;
                  				struct _TOKEN_PRIVILEGES _v24;
                  				intOrPtr _t23;
                  
                  				OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8);
                  				LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
                  				_v24.PrivilegeCount = 1;
                  				_v12 = 2;
                  				AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0);
                  				E0041B45D(0x47dfb8, 1);
                  				ExitWindowsEx(2, 0);
                  				_t23 =  *0x47f2d5; // 0x0
                  				ExitProcess(0 | _t23 == 0x00000000);
                  			}

                  APIs
                  • GetCurrentProcess.KERNEL32(00000028,?,00000000,00000000,?,?,00000000), ref: 00411D8F
                  • OpenProcessToken.ADVAPI32(00000000,?,00000000), ref: 00411D96
                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00411DA8
                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000), ref: 00411DC7
                    • Part of subcall function 0041B45D: DeleteDC.GDI32(00000000), ref: 0041B482
                    • Part of subcall function 0041B45D: FreeLibrary.KERNEL32(00000000), ref: 0041B4D7
                    • Part of subcall function 0041B45D: DeleteFileA.KERNEL32(00000000), ref: 0041B509
                    • Part of subcall function 0041B45D: DeleteFileA.KERNEL32(00000000), ref: 0041B541
                  • ExitWindowsEx.USER32(00000002,00000000), ref: 00411DDC
                  • ExitProcess.KERNEL32 ref: 00411DEE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: DeleteProcess$ExitFileToken$AdjustCurrentFreeLibraryLookupOpenPrivilegePrivilegesValueWindows
                  • String ID: SeShutdownPrivilege
                  • API String ID: 734271878-3733053543
                  • Opcode ID: 3fdd3162940341f4b6ce602b71c2e9c46b16e3be0a0e270c8c1905840b76af95
                  • Instruction ID: 27af0f3acf54203deb88264b71c3d0253eb2b99b993e4cc3fa31c3676b6438a9
                  • Opcode Fuzzy Hash: 3fdd3162940341f4b6ce602b71c2e9c46b16e3be0a0e270c8c1905840b76af95
                  • Instruction Fuzzy Hash: D5F012B5601208BFE710ABF09D8EEBF7B7CEF04348F504469B50195191DA755E498B39
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E004068F2(void* __ecx, intOrPtr _a4) {
                  				signed int _v8;
                  				void* _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				signed int _v24;
                  				int _v28;
                  				signed int _v32;
                  				int _v36;
                  				int _v40;
                  				intOrPtr _v44;
                  				union _LARGE_INTEGER _v48;
                  				intOrPtr _v52;
                  				union _LARGE_INTEGER _v56;
                  				union _LARGE_INTEGER _v64;
                  				signed int _v68;
                  				signed int _v72;
                  				signed int _v76;
                  				signed int _v80;
                  				int _t115;
                  				void* _t120;
                  				signed int _t126;
                  				signed int _t141;
                  				int _t157;
                  				int _t160;
                  				signed int _t162;
                  				unsigned int _t168;
                  				signed int _t171;
                  				signed int _t197;
                  				unsigned int _t199;
                  				signed int _t201;
                  				signed int _t203;
                  				signed int _t206;
                  				void* _t208;
                  				signed int _t209;
                  
                  				_t203 = 0;
                  				_t162 = 0;
                  				_v8 = 0;
                  				_v20 = 0;
                  				_v24 = 0;
                  				_v12 = GetCurrentThread();
                  				E00424500( &_v80, 0, 0x10);
                  				if(QueryPerformanceFrequency( &_v64) != 0) {
                  					while(1) {
                  						_v8 = _v8 + 1;
                  						_v32 = _t203;
                  						_v16 = _t162;
                  						QueryPerformanceCounter( &_v56);
                  						_v48.LowPart = _v56.LowPart;
                  						_v44 = _v52;
                  						_t115 = GetThreadPriority(_v12);
                  						_v28 = _t115;
                  						if(_t115 != 0x7fffffff) {
                  							SetThreadPriority(_v12, 0xf);
                  						}
                  						while(_v48.LowPart - _v56.LowPart < 0x32) {
                  							_t160 = QueryPerformanceCounter( &_v48);
                  							asm("rdtsc");
                  							_v40 = _t160;
                  						}
                  						_v56.LowPart = _v48.LowPart;
                  						_v52 = _v44;
                  						_t120 = 0;
                  						while(_t120 < 0x3e8) {
                  							_t157 = QueryPerformanceCounter( &_v48);
                  							asm("rdtsc");
                  							_v36 = _t157;
                  							_t120 = _v48.LowPart - _v56.LowPart;
                  						}
                  						if(_v28 != 0x7fffffff) {
                  							SetThreadPriority(_v12, _v28);
                  						}
                  						_v28 = _v48.LowPart * 0x186a0 - _v56.LowPart * 0x186a0;
                  						_t168 = _v64.LowPart;
                  						_t197 = 0xa;
                  						_t206 = _v36 - _v40;
                  						_v20 = _v20 + _t206;
                  						_t126 = _v28 / _t168 / _t197;
                  						_t199 = _t126;
                  						_v24 = _v24 + _t199;
                  						if(_t126 % _t168 > _t168 >> 1) {
                  							_t199 = _t199 + 1;
                  						}
                  						_t162 = _t206 / _t199;
                  						if(_t206 % _t199 > _t199 >> 1) {
                  							_t162 = _t162 + 1;
                  						}
                  						_t208 = _v32 + _v16 + _t162;
                  						if(_v8 < 3 || _v8 < 0x14 && (E00424FB8(_t162 + _t162 * 2 - _t208) > 3 || E00424FB8(_v16 + _v16 * 2 - _t208) > 3 || E00424FB8(_v32 + _v32 * 2 - _t208) > 3)) {
                  							_t203 = _v16;
                  							continue;
                  						} else {
                  							_t209 = _v20;
                  							_t201 = _v24;
                  							_t171 = (_t209 + _t209 * 4 << 1) / _t201;
                  							if(_t209 * 0x64 / _t201 - (_t171 + _t171 * 4 << 1) >= 6) {
                  								_t171 = _t171 + 1;
                  							}
                  							_t141 = _t209 / _t201;
                  							_v72 = _t141;
                  							_v68 = _t141;
                  							if(_t171 - (_t141 + _t141 * 4 << 1) >= 6) {
                  								_v68 = _t141 + 1;
                  							}
                  							_v76 = _t201;
                  							_v80 = _t209;
                  							L26:
                  							asm("movsd");
                  							asm("movsd");
                  							asm("movsd");
                  							asm("movsd");
                  							return _a4;
                  						}
                  					}
                  				}
                  				goto L26;
                  			}

                  APIs
                  • GetCurrentThread.KERNEL32 ref: 00406908
                  • QueryPerformanceFrequency.KERNEL32(?), ref: 00406924
                  • QueryPerformanceCounter.KERNEL32(?), ref: 00406949
                  • GetThreadPriority.KERNEL32(00000000), ref: 0040695A
                  • SetThreadPriority.KERNEL32(00000000,0000000F), ref: 00406971
                  • QueryPerformanceCounter.KERNEL32(?), ref: 00406986
                  • QueryPerformanceCounter.KERNEL32(?), ref: 004069AA
                  • SetThreadPriority.KERNEL32(00000000,?), ref: 004069C4
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: PerformanceQueryThread$CounterPriority$CurrentFrequency
                  • String ID:
                  • API String ID: 2690025377-0
                  • Opcode ID: 21c5f011b2195c8c9bff15734cc6403b1004b299103327292053f7440adbf331
                  • Instruction ID: 4741820a0f69f9f72e1260d4724c1cc29db21601ea20d2f0773cff9e7e866b8d
                  • Opcode Fuzzy Hash: 21c5f011b2195c8c9bff15734cc6403b1004b299103327292053f7440adbf331
                  • Instruction Fuzzy Hash: B4615C71E002299FCF14DFA9D9849DDBBF6FF88310B25812AE416F7250DB349A528F94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E0040E4C1(void* __ecx, CHAR* _a4, intOrPtr _a8, signed int _a12) {
                  				CHAR* _v8;
                  				signed int _t12;
                  				signed int _t13;
                  				CHAR* _t15;
                  				long _t33;
                  				signed int _t34;
                  				CHAR* _t38;
                  				void* _t39;
                  
                  				_push(__ecx);
                  				if(_a4 == 0) {
                  					L14:
                  					_t13 = _t12 | 0xffffffff;
                  				} else {
                  					_t12 = _a12;
                  					if(_t12 == 0) {
                  						goto L14;
                  					} else {
                  						 *_t12 = 0;
                  						_t33 = GetLogicalDriveStringsA(0, 0);
                  						if(_t33 != 0) {
                  							_t15 = E00424DD9(_t33);
                  							_v8 = _t15;
                  							if(_t15 == 0) {
                  								E0041D881(E0041CD1E(0x47e924));
                  							}
                  							if(GetLogicalDriveStringsA(_t33, _v8) != 0) {
                  								_t38 = _v8;
                  								_t34 = 0;
                  								while( *_t38 != 0) {
                  									if(GetDriveTypeA(_t38) != 3) {
                  										L13:
                  										_t38 =  &(_t38[lstrlenA(_t38) + 1]);
                  										continue;
                  									} else {
                  										_t34 = E0040E2EE(_t38, _a4, _a8, _a12);
                  										_t39 = _t39 + 0x10;
                  										if(_t34 > 0) {
                  											goto L8;
                  										} else {
                  											goto L13;
                  										}
                  									}
                  									L16:
                  								}
                  							} else {
                  								_t34 = 0xfffffffc;
                  							}
                  							L8:
                  							E00424DCE(_v8);
                  							_t13 = _t34;
                  						} else {
                  							_t13 = 0xfffffffe;
                  						}
                  					}
                  				}
                  				return _t13;
                  				goto L16;
                  			}












                  APIs
                  • GetLogicalDriveStringsA.KERNEL32 ref: 0040E4E8
                  • GetLogicalDriveStringsA.KERNEL32 ref: 0040E518
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: DriveLogicalStrings
                  • String ID: $G
                  • API String ID: 2022863570-195990108
                  • Opcode ID: 3d1d540a6a88f082cc1a3ba0afdbfb45200d432d18d79c6dca5e1d0268ba5307
                  • Instruction ID: 8f66edfa5cea6a3be9a48e500a5b831e0e92dd8d919ec7223e24ad8b1a82bd81
                  • Opcode Fuzzy Hash: 3d1d540a6a88f082cc1a3ba0afdbfb45200d432d18d79c6dca5e1d0268ba5307
                  • Instruction Fuzzy Hash: E2110632505415FBCF116FAA9C8086F3A69EA453A83600D7FF111B72C1EA389E629719
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E00405408(void* __edi, void* __esi, void* __eflags) {
                  				char _v16;
                  				char _v28;
                  				void _v539;
                  				char _v540;
                  				void* _t26;
                  				void* _t27;
                  				signed int _t50;
                  				long _t59;
                  				void* _t61;
                  				void* _t62;
                  
                  				_t59 = GetLastError();
                  				E00401A5C();
                  				E0041BDC5( &_v16);
                  				_push(E0041CD1E(0x47f038));
                  				E0041C467( &_v16, E0041CD1E(0x47efd8));
                  				_t62 = _t61 + 0xc;
                  				E0041BDC5( &_v28);
                  				if(_t59 == 0) {
                  					E0041BF80( &_v28,  &_v16);
                  				} else {
                  					_t50 = 0x7f;
                  					_v540 = 0;
                  					memset( &_v539, 0, _t50 << 2);
                  					asm("stosw");
                  					asm("stosb");
                  					FormatMessageA(0x1000, 0, _t59, 0x400,  &_v540, 0x200, 0);
                  					_push( &_v540);
                  					_push(E0041CD1E( &_v16));
                  					E0041C467( &_v28, "%s (%s)");
                  					_t62 = _t62 + 0x1c;
                  				}
                  				_t26 = E0041CD1E(0x47e700);
                  				_t27 = E0041CD1E( &_v28);
                  				if(E0041D0E2(GetActiveWindow(), _t27, _t26, 4) == 7) {
                  					E0041D0D5(_t29);
                  				}
                  				E0041BEFB( &_v28);
                  				return E0041BEFB( &_v16);
                  			}














                  APIs
                  • GetLastError.KERNEL32(0045AA60), ref: 00405412
                    • Part of subcall function 00401A5C: CloseHandle.KERNEL32(00000000,00405328), ref: 00401A72
                    • Part of subcall function 00401A5C: CloseHandle.KERNEL32 ref: 00401A7A
                    • Part of subcall function 00401A5C: DeleteFileA.KERNEL32(C:\ztg\fillProxy\spy++\spyxxhk.dll), ref: 00401A81
                    • Part of subcall function 0041BDC5: GlobalAlloc.KERNELBASE(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                    • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                  • FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000200,00000000,00000000), ref: 00405487
                  • GetActiveWindow.USER32 ref: 004054D3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$lstrlen$AllocCloseHandleLock$ActiveDeleteErrorFileFormatLastMessageUnlockWindow
                  • String ID: %s (%s)
                  • API String ID: 2124624523-1363028141
                  • Opcode ID: 9926dca7a21f68fba4a6149231b11a340a5456c6529c6873e1fe70bef8a37943
                  • Instruction ID: a826c34f9ea8de3a7754797514cf1cef73ed9f77526bf85fb78512e69db77130
                  • Opcode Fuzzy Hash: 9926dca7a21f68fba4a6149231b11a340a5456c6529c6873e1fe70bef8a37943
                  • Instruction Fuzzy Hash: DB21B3B1D4010966CB14F7B2DC8AEEE772C9F54308F5041BFF205A21C2EF3856868AA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 84%
                  			E0042037B(void* __ecx) {
                  				char _v16;
                  				struct _SYSTEM_INFO _v52;
                  				void* _t21;
                  
                  				_t21 = __ecx;
                  				E00424500( &_v52, 0, 0x24);
                  				GetSystemInfo( &_v52);
                  				E0041BE99( &_v16, 0x47eae0);
                  				_push(_v52.dwNumberOfProcessors);
                  				E0041C467( &_v16, "\t%d");
                  				E0041EEC5(_t21,  &_v16);
                  				return E0041BEFB( &_v16);
                  			}







                  APIs
                  • GetSystemInfo.KERNEL32(?,?,?,00000000,?,?,?,?,?,0041F2E6,0047EAA4,00000000,0042E0C8,00000000,00000001,00000001), ref: 00420398
                    • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                    • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                    • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                    • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$lstrlen$AllocFreeInfoLockSystemUnlock
                  • String ID: %d
                  • API String ID: 1419721734-1388091195
                  • Opcode ID: def3bb214524da11732d8fb86412fc1ad98892293c4584f52fc3f0f417dcfd7a
                  • Instruction ID: 9e698bb6c94f990cdf2613955bba22d743c49f97e2d58bdffb568d269f19e01b
                  • Opcode Fuzzy Hash: def3bb214524da11732d8fb86412fc1ad98892293c4584f52fc3f0f417dcfd7a
                  • Instruction Fuzzy Hash: 73F0FEB5D0021977CF00F6E2EC4AEEEB76CAB04748F44446ABA15A2181FB78964986D4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 84%
                  			E0041DF41(signed int _a4) {
                  				struct _SYSTEMTIME _v20;
                  				void* _t55;
                  				void* _t69;
                  				void* _t77;
                  				signed short _t79;
                  				void* _t80;
                  				signed int _t83;
                  				signed int _t85;
                  				signed int _t86;
                  				signed short _t95;
                  				signed int _t96;
                  				signed int _t97;
                  				signed int _t98;
                  
                  				GetSystemTime( &_v20);
                  				_t79 = _a4;
                  				_a4 = _a4 & 0x00000000;
                  				_t95 = _t79;
                  				if(_t79 < _v20.wYear) {
                  					_t98 = _t79 & 0x0000ffff;
                  					_t69 = (_v20.wYear & 0x0000ffff) - _t98;
                  					_t77 = _t69;
                  					_t95 = _t69 + _t79;
                  					do {
                  						asm("cdq");
                  						_t85 = 4;
                  						if(_t98 % _t85 != 0) {
                  							L6:
                  							_a4 = _a4 + 0x16d;
                  						} else {
                  							asm("cdq");
                  							_t86 = 0x64;
                  							if(_t98 % _t86 != 0) {
                  								L5:
                  								_a4 = _a4 + 0x16e;
                  							} else {
                  								asm("cdq");
                  								if(_t98 % 0x190 != 0) {
                  									goto L6;
                  								} else {
                  									goto L5;
                  								}
                  							}
                  						}
                  						_t98 = _t98 + 1;
                  						_t77 = _t77 - 1;
                  					} while (_t77 != 0);
                  				}
                  				_t80 = 0;
                  				_t55 = (_v20.wMonth & 0x0000ffff) - 1;
                  				if(_t55 > 0) {
                  					do {
                  						_t25 = _t80 + 0x42d538; // 0x1e1f1c1f
                  						_a4 = _a4 + ( *_t25 & 0x000000ff);
                  						_t80 = _t80 + 1;
                  					} while (_t80 < _t55);
                  				}
                  				if(_v20.wMonth > 2) {
                  					_t83 = _t95 & 0x0000ffff;
                  					asm("cdq");
                  					_t96 = 4;
                  					if(_t83 % _t96 == 0) {
                  						asm("cdq");
                  						_t97 = 0x64;
                  						if(_t83 % _t97 != 0) {
                  							L15:
                  							_a4 = _a4 + 1;
                  						} else {
                  							asm("cdq");
                  							if(_t83 % 0x190 == 0) {
                  								goto L15;
                  							}
                  						}
                  					}
                  				}
                  				return ((_v20.wHour & 0x0000ffff) + ((_v20.wDay & 0x0000ffff) + _a4 + ((_v20.wDay & 0x0000ffff) + _a4) * 2) * 8) * 0x3c + (_v20.wMinute & 0x0000ffff) - 0x5a0;
                  			}

















                  APIs
                  • GetSystemTime.KERNEL32(004163AA,74787410,00000000,004163AA,000007D0,<DS2000>,?,?,?,?,00000000,0047E0A0,0047E0AC,?,C:\Progra~1\Common~1,C:\Program Files\Common Files), ref: 0041DF4D
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: SystemTime
                  • String ID:
                  • API String ID: 2656138-0
                  • Opcode ID: 04075d0329c4232b47023c1f67a198e412aec773a428f5dab92961e47bb612c5
                  • Instruction ID: 393f1518c483c4a74f0349017b4f4b7990fdcbe3f63e43843c9d5bb9b10d14ad
                  • Opcode Fuzzy Hash: 04075d0329c4232b47023c1f67a198e412aec773a428f5dab92961e47bb612c5
                  • Instruction Fuzzy Hash: 84213AB6F0032A57DB185B0AD8456FF77B6EB90718F10401FF906CA184E675CAC2C298
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 98%
                  			E004054FF(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                  				char _v8;
                  				char _v12;
                  				void* __ebx;
                  				void* __esi;
                  				void* __ebp;
                  				char _t25;
                  				unsigned int _t26;
                  				unsigned int _t27;
                  				intOrPtr _t34;
                  				intOrPtr _t35;
                  				intOrPtr _t36;
                  				intOrPtr _t37;
                  				intOrPtr _t38;
                  				intOrPtr _t40;
                  				intOrPtr _t41;
                  				intOrPtr _t42;
                  				intOrPtr _t43;
                  				intOrPtr _t44;
                  				intOrPtr _t45;
                  				intOrPtr _t46;
                  				intOrPtr _t47;
                  				intOrPtr _t48;
                  				void* _t53;
                  				void* _t59;
                  				intOrPtr _t63;
                  				intOrPtr _t64;
                  				intOrPtr _t65;
                  				intOrPtr* _t72;
                  				char _t76;
                  				char _t77;
                  				unsigned int _t83;
                  				unsigned int _t85;
                  				unsigned int _t87;
                  				unsigned int _t88;
                  				intOrPtr _t115;
                  				void* _t118;
                  				intOrPtr _t121;
                  				intOrPtr _t125;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				 *0x42e1fc = _a4;
                  				 *0x436240 = _a8;
                  				_t76 =  *0x42b160; // 0x1f
                  				 *0x436258 = _t76;
                  				_t77 =  *0x42b161; // -117
                  				_t25 = 0;
                  				_t121 =  *0x42e0f0; // 0x0
                  				_t115 = 8;
                  				_v12 = 0;
                  				_v8 = 0;
                  				 *0x42b0f4 = _t115;
                  				 *0x436259 = _t77;
                  				 *0x43625a = 8;
                  				if(_t121 != 0) {
                  					_t25 = 8;
                  				}
                  				 *0x43625b = _t25;
                  				_t26 =  *0x42e0ec; // 0x0
                  				 *0x43625c = _t26;
                  				 *0x43625d = _t26;
                  				_t27 = _t26 >> 0x10;
                  				 *0x43625e = _t27;
                  				 *0x43625f = _t27;
                  				 *0x436254 = _t115;
                  				 *0x47df40 = E004050EA(_t27, 0, 0);
                  				E00401000(_t28);
                  				E00403050( &_v12, 0x42b0f4);
                  				E004012BC(_t27,  *0x42b0f8,  &_v8);
                  				_t34 =  *0x436254; // 0x0
                  				_t82 = _v8;
                  				 *((char*)(_t34 + 0x436258)) = _v8;
                  				_t35 = _t34 + 1;
                  				 *0x436254 = _t35;
                  				if(_t35 == 0x4000) {
                  					E00405199();
                  				}
                  				_t36 =  *0x436254; // 0x0
                  				 *((char*)(_t36 + 0x436258)) = 0xb;
                  				_t37 = _t36 + 1;
                  				 *0x436254 = _t37;
                  				if(_t37 == 0x4000) {
                  					E00405199();
                  				}
                  				_t125 =  *0x42e0f0; // 0x0
                  				if(_t125 == 0) {
                  					L11:
                  					_t38 =  *0x436254; // 0x0
                  					 *0x47df44 = _t38;
                  					E004015E9(0, 0x4000, _t118);
                  					_t40 =  *0x436254; // 0x0
                  					_t83 =  *0x47df40;
                  					 *(_t40 + 0x436258) = _t83;
                  					_t41 = _t40 + 1;
                  					if(_t41 >= 0) {
                  						 *0x436254 = _t41;
                  						if(_t41 == 0x4000) {
                  							E00405199();
                  							_t41 =  *0x436254; // 0x0
                  							_t83 =  *0x47df40;
                  						}
                  						_t42 = _t41 + 1;
                  						 *(_t42 + 0x436257) = _t83;
                  						 *0x436254 = _t42;
                  						if(_t42 == 0x4000) {
                  							E00405199();
                  							_t42 =  *0x436254; // 0x0
                  							_t83 =  *0x47df40;
                  						}
                  					} else {
                  						_t42 = _t41 + 1;
                  						 *(_t42 + 0x436257) = _t83;
                  					}
                  					if(_t42 >= 0x3ffe) {
                  						 *(_t42 + 0x436258) = _t83 >> 0x10;
                  						_t43 = _t42 + 1;
                  						 *0x436254 = _t43;
                  						if(_t43 == 0x4000) {
                  							E00405199();
                  							_t43 =  *0x436254; // 0x0
                  							_t83 =  *0x47df40;
                  						}
                  						_t44 = _t43 + 1;
                  						 *((char*)(_t44 + 0x436257)) = _t83 >> 0x10;
                  						 *0x436254 = _t44;
                  						if(_t44 == 0x4000) {
                  							E00405199();
                  							_t44 =  *0x436254; // 0x0
                  						}
                  					} else {
                  						_t88 = _t83 >> 0x10;
                  						 *(_t42 + 0x436258) = _t88;
                  						_t59 = _t42 + 1;
                  						 *(_t59 + 0x436258) = _t88;
                  						_t44 = _t59 + 1;
                  					}
                  					_t85 =  *0x46ab68; // 0x165e367
                  					 *(_t44 + 0x436258) = _t85;
                  					_t45 = _t44 + 1;
                  					if(_t45 >= 0) {
                  						 *0x436254 = _t45;
                  						if(_t45 == 0x4000) {
                  							E00405199();
                  							_t45 =  *0x436254; // 0x0
                  							_t85 =  *0x46ab68; // 0x165e367
                  						}
                  						_t46 = _t45 + 1;
                  						 *(_t46 + 0x436257) = _t85;
                  						 *0x436254 = _t46;
                  						if(_t46 == 0x4000) {
                  							E00405199();
                  							_t46 =  *0x436254; // 0x0
                  							_t85 =  *0x46ab68; // 0x165e367
                  						}
                  					} else {
                  						_t46 = _t45 + 1;
                  						 *(_t46 + 0x436257) = _t85;
                  					}
                  					if(_t46 >= 0x3ffe) {
                  						 *(_t46 + 0x436258) = _t85 >> 0x10;
                  						_t47 = _t46 + 1;
                  						 *0x436254 = _t47;
                  						if(_t47 == 0x4000) {
                  							E00405199();
                  							_t47 =  *0x436254; // 0x0
                  							_t85 =  *0x46ab68; // 0x165e367
                  						}
                  						_t48 = _t47 + 1;
                  						 *((char*)(_t48 + 0x436257)) = _t85 >> 0x10;
                  						 *0x436254 = _t48;
                  						if(_t48 == 0x4000) {
                  							E00405199();
                  						}
                  					} else {
                  						_t87 = _t85 >> 0x10;
                  						 *(_t46 + 0x436258) = _t87;
                  						_t53 = _t46 + 1;
                  						 *(_t53 + 0x436258) = _t87;
                  						 *0x436254 = _t53 + 1;
                  					}
                  					 *0x47df44 =  *0x47df44 + 8;
                  					E00405199();
                  					return 0;
                  				}
                  				_t72 = E0040526F(_t82, "C:\Users\engineer\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe");
                  				do {
                  					_t63 =  *0x436254; // 0x0
                  					 *((char*)(_t63 + 0x436258)) =  *_t72;
                  					_t64 = _t63 + 1;
                  					 *0x436254 = _t64;
                  					if(_t64 == 0x4000) {
                  						E00405199();
                  					}
                  					_t65 =  *_t72;
                  					_t72 = _t72 + 1;
                  				} while (_t65 != 0);
                  				goto L11;
                  			}


                  Strings
                  • C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe, xrefs: 004055FC
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID:
                  • String ID: C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                  • API String ID: 0-3047028675
                  • Opcode ID: 89c60029d23e2c111f0756f3e622102273aa2a2f9fffd08b3253f037f41585e2
                  • Instruction ID: 31e7195787edc1ead20c002d7c0b1effab7620ffafd4d63cf561ab72b5c9ba81
                  • Opcode Fuzzy Hash: 89c60029d23e2c111f0756f3e622102273aa2a2f9fffd08b3253f037f41585e2
                  • Instruction Fuzzy Hash: CE81D130A045C3AFD320EB6AA88552BBBE6E7A9304317A4FFD149D7362D5780409CF6D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00425D8E(signed int* _a4, intOrPtr* _a8, char _a11, signed int _a12, char _a15) {
                  				signed int _v8;
                  				signed char _v12;
                  				intOrPtr _v16;
                  				intOrPtr _t186;
                  				void* _t187;
                  				signed int _t188;
                  				signed int* _t189;
                  				intOrPtr _t191;
                  				signed int* _t192;
                  				signed int* _t193;
                  				signed char _t194;
                  				intOrPtr _t195;
                  				intOrPtr* _t196;
                  				signed int _t199;
                  				signed int _t202;
                  				signed int _t207;
                  				signed int _t209;
                  				signed int _t218;
                  				signed int _t221;
                  				signed int* _t222;
                  				signed int _t227;
                  				intOrPtr _t228;
                  				intOrPtr _t229;
                  				intOrPtr _t230;
                  				char _t233;
                  				signed int _t234;
                  				signed char _t235;
                  				signed int* _t237;
                  				signed int* _t239;
                  				signed int* _t244;
                  				signed int* _t245;
                  				signed char _t250;
                  				intOrPtr _t256;
                  				signed int _t257;
                  				char _t258;
                  				char _t259;
                  				signed char _t260;
                  				signed int* _t262;
                  				signed int* _t267;
                  				signed int* _t268;
                  				char* _t270;
                  				signed int _t274;
                  				unsigned int _t275;
                  				intOrPtr _t277;
                  				unsigned int _t278;
                  				intOrPtr* _t280;
                  				void* _t281;
                  				signed char _t290;
                  				signed int _t292;
                  				signed char _t295;
                  				signed int _t298;
                  				signed int _t302;
                  				signed int* _t304;
                  
                  				_t222 = _a4;
                  				_t280 = _a8;
                  				_t5 = _t222 + 0xc; // 0x80084689
                  				_t6 = _t222 + 0x10; // 0x8b000124
                  				_t186 =  *_t6;
                  				_t292 = _a12 + 0x00000017 & 0xfffffff0;
                  				_t274 = _t280 -  *_t5 >> 0xf;
                  				_v16 = _t274 * 0x204 + _t186 + 0x144;
                  				_t227 =  *((intOrPtr*)(_t280 - 4)) - 1;
                  				_a12 = _t227;
                  				_t194 =  *(_t227 + _t280 - 4);
                  				_t281 = _t227 + _t280 - 4;
                  				_v8 = _t194;
                  				if(_t292 <= _t227) {
                  					if(__eflags < 0) {
                  						_t195 = _a8;
                  						_a12 = _a12 - _t292;
                  						_t228 = _t292 + 1;
                  						 *((intOrPtr*)(_t195 - 4)) = _t228;
                  						_t196 = _t195 + _t292 - 4;
                  						_a8 = _t196;
                  						_t295 = (_a12 >> 4) - 1;
                  						 *((intOrPtr*)(_t196 - 4)) = _t228;
                  						__eflags = _t295 - 0x3f;
                  						if(_t295 > 0x3f) {
                  							_t295 = 0x3f;
                  						}
                  						__eflags = _v8 & 0x00000001;
                  						if((_v8 & 0x00000001) == 0) {
                  							_t298 = (_v8 >> 4) - 1;
                  							__eflags = _t298 - 0x3f;
                  							if(_t298 > 0x3f) {
                  								_t298 = 0x3f;
                  							}
                  							__eflags =  *((intOrPtr*)(_t281 + 4)) -  *((intOrPtr*)(_t281 + 8));
                  							if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
                  								__eflags = _t298 - 0x20;
                  								if(_t298 >= 0x20) {
                  									_t128 = _t298 - 0x20; // -32
                  									_t130 = _t186 + 4; // 0x4
                  									_t244 = _t298 + _t130;
                  									_t199 =  !(0x80000000 >> _t128);
                  									 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
                  									 *_t244 =  *_t244 - 1;
                  									__eflags =  *_t244;
                  									if( *_t244 == 0) {
                  										_t245 = _a4;
                  										_t138 = _t245 + 4;
                  										 *_t138 =  *(_t245 + 4) & _t199;
                  										__eflags =  *_t138;
                  									}
                  								} else {
                  									_t304 = _t298 + _t186 + 4;
                  									_t202 =  !(0x80000000 >> _t298);
                  									 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
                  									 *_t304 =  *_t304 - 1;
                  									__eflags =  *_t304;
                  									if( *_t304 == 0) {
                  										 *_a4 =  *_a4 & _t202;
                  									}
                  								}
                  								_t196 = _a8;
                  							}
                  							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
                  							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
                  							_t302 = _a12 + _v8;
                  							_a12 = _t302;
                  							_t295 = (_t302 >> 4) - 1;
                  							__eflags = _t295 - 0x3f;
                  							if(_t295 > 0x3f) {
                  								_t295 = 0x3f;
                  							}
                  						}
                  						_t229 = _v16;
                  						_t230 = _t229 + _t295 * 8;
                  						 *((intOrPtr*)(_t196 + 4)) =  *((intOrPtr*)(_t229 + 4 + _t295 * 8));
                  						 *((intOrPtr*)(_t196 + 8)) = _t230;
                  						 *((intOrPtr*)(_t230 + 4)) = _t196;
                  						 *((intOrPtr*)( *((intOrPtr*)(_t196 + 4)) + 8)) = _t196;
                  						__eflags =  *((intOrPtr*)(_t196 + 4)) -  *((intOrPtr*)(_t196 + 8));
                  						if( *((intOrPtr*)(_t196 + 4)) ==  *((intOrPtr*)(_t196 + 8))) {
                  							_t164 = _t186 + 4; // 0x6415ff04
                  							_t233 =  *((intOrPtr*)(_t295 + _t164));
                  							__eflags = _t295 - 0x20;
                  							_a11 = _t233;
                  							_t234 = _t233 + 1;
                  							__eflags = _t234;
                  							 *(_t295 + _t186 + 4) = _t234;
                  							if(_t234 >= 0) {
                  								__eflags = _a11;
                  								if(_a11 == 0) {
                  									_t174 = _t295 - 0x20; // 0x41cd2f
                  									_t237 = _a4;
                  									_t176 = _t237 + 4;
                  									 *_t176 =  *(_t237 + 4) | 0x80000000 >> _t174;
                  									__eflags =  *_t176;
                  								}
                  								_t189 = _t186 + 0xc4 + _t274 * 4;
                  								_t181 = _t295 - 0x20; // 0x41cd2f
                  								_t235 = _t181;
                  								_t275 = 0x80000000;
                  							} else {
                  								__eflags = _a11;
                  								if(_a11 == 0) {
                  									_t239 = _a4;
                  									 *_t239 =  *_t239 | 0x80000000 >> _t295;
                  									__eflags =  *_t239;
                  								}
                  								_t189 = _t186 + 0x44 + _t274 * 4;
                  								_t275 = 0x80000000;
                  								_t235 = _t295;
                  							}
                  							 *_t189 =  *_t189 | _t275 >> _t235;
                  							__eflags =  *_t189;
                  						}
                  						_t188 = _a12;
                  						 *_t196 = _t188;
                  						_t184 = _t196 - 4; // 0x476ff59
                  						 *((intOrPtr*)(_t188 + _t184)) = _t188;
                  					}
                  					L52:
                  					_t187 = 1;
                  					return _t187;
                  				}
                  				if((_t194 & 0x00000001) != 0 || _t292 > _t194 + _t227) {
                  					return 0;
                  				} else {
                  					_t250 = (_v8 >> 4) - 1;
                  					_v12 = _t250;
                  					if(_t250 > 0x3f) {
                  						_t250 = 0x3f;
                  						_v12 = _t250;
                  					}
                  					if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
                  						if(_t250 >= 0x20) {
                  							_t36 = _t186 + 4; // 0x826415ff
                  							_t267 = _v12 + _t36;
                  							_t218 =  !(0x80000000 >> _t250 + 0xffffffe0);
                  							 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
                  							 *_t267 =  *_t267 - 1;
                  							__eflags =  *_t267;
                  							if( *_t267 == 0) {
                  								_t268 = _a4;
                  								_t44 = _t268 + 4;
                  								 *_t44 =  *(_t268 + 4) & _t218;
                  								__eflags =  *_t44;
                  							}
                  						} else {
                  							_t26 = _t186 + 4; // 0x826415ff
                  							_t270 = _v12 + _t26;
                  							_t221 =  !(0x80000000 >> _t250);
                  							 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
                  							 *_t270 =  *_t270 - 1;
                  							if( *_t270 == 0) {
                  								 *_a4 =  *_a4 & _t221;
                  							}
                  						}
                  					}
                  					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
                  					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
                  					_v8 = _v8 + _a12 - _t292;
                  					if(_v8 <= 0) {
                  						_t277 = _a8;
                  					} else {
                  						_t290 = (_v8 >> 4) - 1;
                  						_t256 = _a8 + _t292 - 4;
                  						if(_t290 > 0x3f) {
                  							_t290 = 0x3f;
                  						}
                  						_t207 = _v16 + _t290 * 8;
                  						_a12 = _t207;
                  						 *((intOrPtr*)(_t256 + 4)) =  *((intOrPtr*)(_t207 + 4));
                  						_t209 = _a12;
                  						 *(_t256 + 8) = _t209;
                  						 *((intOrPtr*)(_t209 + 4)) = _t256;
                  						 *((intOrPtr*)( *((intOrPtr*)(_t256 + 4)) + 8)) = _t256;
                  						if( *((intOrPtr*)(_t256 + 4)) ==  *(_t256 + 8)) {
                  							_t258 =  *((intOrPtr*)(_t290 + _t186 + 4));
                  							_a15 = _t258;
                  							_t259 = _t258 + 1;
                  							 *((char*)(_t290 + _t186 + 4)) = _t259;
                  							if(_t259 >= 0) {
                  								__eflags = _a15;
                  								if(_a15 == 0) {
                  									_t84 = _t290 - 0x20; // -33
                  									_t262 = _a4;
                  									_t86 = _t262 + 4;
                  									 *_t86 =  *(_t262 + 4) | 0x80000000 >> _t84;
                  									__eflags =  *_t86;
                  								}
                  								_t193 = _t186 + 0xc4 + _t274 * 4;
                  								_t91 = _t290 - 0x20; // -33
                  								_t260 = _t91;
                  								_t278 = 0x80000000;
                  							} else {
                  								if(_a15 == 0) {
                  									 *_a4 =  *_a4 | 0x80000000 >> _t290;
                  								}
                  								_t193 = _t186 + 0x44 + _t274 * 4;
                  								_t278 = 0x80000000;
                  								_t260 = _t290;
                  							}
                  							 *_t193 =  *_t193 | _t278 >> _t260;
                  						}
                  						_t277 = _a8;
                  						_t257 = _v8;
                  						_t95 = _t292 - 4; // -4
                  						_t192 = _t277 + _t95;
                  						 *_t192 = _t257;
                  						 *(_t257 + _t192 - 4) = _t257;
                  					}
                  					_t191 = _t292 + 1;
                  					 *((intOrPtr*)(_t277 - 4)) = _t191;
                  					 *((intOrPtr*)(_t277 + _t292 - 8)) = _t191;
                  					goto L52;
                  				}
                  			}


                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                  • Instruction ID: c4621f83079c2b295144d07c399f912a9076ad7fb258d784a0cfb602abd1e52e
                  • Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                  • Instruction Fuzzy Hash: BAB19F31A0061ADFDB15CF04D5D0AA9FBA1BF48314F55C19ED81A5B382C735EE42CB94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 43%
                  			E00406575(void* __ecx) {
                  				signed int _v8;
                  				intOrPtr _v20;
                  				intOrPtr _v28;
                  				intOrPtr _t21;
                  
                  				_push(0xffffffff);
                  				_push(0x4285a0);
                  				_push(E00424EE0);
                  				_push( *[fs:0x0]);
                  				 *[fs:0x0] = _t21;
                  				_v28 = _t21;
                  				_v8 = _v8 & 0x00000000;
                  				asm("cpuid");
                  				_v8 = _v8 | 0xffffffff;
                  				 *[fs:0x0] = _v20;
                  				return 0;
                  			}


                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • Opcode ID: c6ad53483d4e9a70b08509dec6a19da61fc9bce7f9b9a50697fa689c3e07880a
                  • Instruction ID: 88203458e02d4d55aa16c308c74dcae1cd9d43e1f7f29c91fe00b44d5d76ba1c
                  • Opcode Fuzzy Hash: c6ad53483d4e9a70b08509dec6a19da61fc9bce7f9b9a50697fa689c3e07880a
                  • Instruction Fuzzy Hash: FFF0E572708654FFD714CF99DC46B6BF769E741A70F20833EE022926C0D7B9650086A4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E0040A8C4(void* __ebx, char __ecx, struct HWND__* _a4) {
                  				char _v12;
                  				char _v24;
                  				char _v28;
                  				char _v36;
                  				char _v40;
                  				char _v44;
                  				char _v48;
                  				char _v56;
                  				char _v60;
                  				char _v76;
                  				char _v80;
                  				char _v100;
                  				intOrPtr _v112;
                  				signed char _t135;
                  				signed char _t141;
                  				intOrPtr _t146;
                  				signed char _t150;
                  				signed char _t191;
                  				int _t194;
                  				int _t195;
                  				int _t199;
                  				int _t204;
                  				int _t214;
                  				void* _t228;
                  				CHAR* _t229;
                  				void* _t235;
                  				int _t260;
                  				int _t267;
                  				intOrPtr _t281;
                  				struct HWND__* _t286;
                  				void* _t304;
                  
                  				_t228 = __ebx;
                  				 *((char*)(__ecx + 0xb0)) = 1;
                  				_t286 = _a4;
                  				_v40 = __ecx;
                  				if( *0x42bf98 <= 0) {
                  					EnableWindow(GetDlgItem(_t286, 3), 0);
                  				}
                  				_t235 = 0x47e850;
                  				if(( *0x47e193 & 0x00000002) == 0) {
                  					_t235 = 0x47eb94;
                  				}
                  				SetWindowTextA(_t286, E0041CD1E(_t235));
                  				SetDlgItemTextA(_t286, 0x2d, E0041CD1E(0x47eba0));
                  				SetDlgItemTextA(_t286, 3, E0041CD1E(0x47e8a0));
                  				SetDlgItemTextA(_t286, 1, E0041CD1E(0x47e8d0));
                  				SetDlgItemTextA(_t286, 2, E0041CD1E(0x47e8b8));
                  				if(E00419E8A() != 0) {
                  					SetDlgItemTextA(_t286, 1, E0041CD1E(0x47e8c4));
                  				}
                  				_push(_t228);
                  				E0041BE99( &_v12, 0x47ebb8);
                  				E0041BE99( &_v28, 0x47ebc4);
                  				E0041BE99( &_v44, 0x47ebd0);
                  				E0041BFF8( &_v24, 0x3a);
                  				E0041BFF8( &_v40, 0x3a);
                  				E0041BFF8( &_v56, 0x3a);
                  				SetDlgItemTextA(_t286, 0xa, E0041CD1E( &_v36));
                  				SetDlgItemTextA(_t286, 0xb, E0041CD1E( &_v48));
                  				SetDlgItemTextA(_t286, 0xc, E0041CD1E( &_v60));
                  				_t229 = "-";
                  				SetDlgItemTextA(_t286, 0x1f, _t229);
                  				SetDlgItemTextA(_t286, 0x20, _t229);
                  				SendDlgItemMessageA(_t286, 0x14, 0xc5, 0x103, 0);
                  				SendDlgItemMessageA(_t286, 0x15, 0xc5, 0x103, 0);
                  				SendDlgItemMessageA(_t286, 0x16, 0xc5, 0x103, 0);
                  				E0041C3A9( &_v36, _v36 - 1, 1);
                  				E0041C3A9( &_v56, _v56 - 1, 1);
                  				E0041C3A9( &_v76, _v76 - 1, 1);
                  				E0041C047( &_v60, " *:", 0);
                  				E0041C047( &_v80, " *:", 0);
                  				E0041C047( &_v100, " *:", 0);
                  				 *((char*)(_v112 + 0xb1)) = 1;
                  				_t135 =  *0x47e194; // 0x0
                  				if((_t135 & 0x00000001) == 0) {
                  					ShowWindow(GetDlgItem(_t286, 0xa), 0);
                  					ShowWindow(GetDlgItem(_t286, 0x14), 0);
                  				} else {
                  					if((_t135 & 0x00000002) != 0) {
                  						SetDlgItemTextA(_t286, 0xa, E0041CD1E( &_v12));
                  					}
                  					SetDlgItemTextA(_t286, 0x14, E0041CD1E(0x47e1b8));
                  					if(( *0x47e194 & 0x00000002) != 0) {
                  						 *((char*)(_v40 + 0xb1)) = GetWindowTextLengthA(GetDlgItem(_t286, 0x14)) & 0xffffff00 | _t220 != 0x00000000;
                  					}
                  				}
                  				 *((char*)(_v40 + 0xb2)) = 1;
                  				_t141 =  *0x47e194; // 0x0
                  				if((_t141 & 0x00000004) == 0) {
                  					ShowWindow(GetDlgItem(_t286, 0xb), 0);
                  					ShowWindow(GetDlgItem(_t286, 0x15), 0);
                  					goto L18;
                  				} else {
                  					if((_t141 & 0x00000008) != 0) {
                  						SetDlgItemTextA(_t286, 0xb, E0041CD1E( &_v24));
                  					}
                  					SetDlgItemTextA(_t286, 0x15, E0041CD1E(0x47e1c4));
                  					if(( *0x47e194 & 0x00000008) == 0) {
                  						L18:
                  						_t146 = _v40;
                  						goto L19;
                  					} else {
                  						_t214 = GetWindowTextLengthA(GetDlgItem(_t286, 0x15));
                  						_t146 = _v40;
                  						 *((char*)(_t146 + 0xb2)) = 0x47e100 | _t214 != 0x00000000;
                  						L19:
                  						 *((char*)(_t146 + 0xb3)) = 1;
                  						 *((char*)(_t146 + 0xb4)) = 1;
                  						 *((char*)(_t146 + 0xb5)) = 1;
                  						 *((char*)(_t146 + 0xb6)) = 1;
                  						SendDlgItemMessageA(_t286, 0x17, 0xc5,  *0x47e664, 0);
                  						SendDlgItemMessageA(_t286, 0x18, 0xc5,  *0x47e668, 0);
                  						SendDlgItemMessageA(_t286, 0x19, 0xc5,  *0x47e66c, 0);
                  						_t150 =  *0x47e194; // 0x0
                  						if((_t150 & 0x00000010) == 0) {
                  							ShowWindow(GetDlgItem(_t286, 0xc), 0);
                  							ShowWindow(GetDlgItem(_t286, 0x16), 0);
                  							ShowWindow(GetDlgItem(_t286, 0x17), 0);
                  							ShowWindow(GetDlgItem(_t286, 0x18), 0);
                  							ShowWindow(GetDlgItem(_t286, 0x19), 0);
                  							ShowWindow(GetDlgItem(_t286, 0x1f), 0);
                  							ShowWindow(GetDlgItem(_t286, 0x20), 0);
                  							L40:
                  							_t281 = _v40;
                  							L41:
                  							if( *((char*)(_t281 + 0xb1)) == 0 ||  *((char*)(_t281 + 0xb2)) == 0 ||  *(_t281 + 0xb3) == 0 ||  *((char*)(_t281 + 0xb4)) == 0 ||  *((char*)(_t281 + 0xb5)) == 0 ||  *((char*)(_t281 + 0xb6)) == 0) {
                  								_push(0);
                  							} else {
                  								_push(1);
                  							}
                  							EnableWindow(GetDlgItem(_t286, 1), ??);
                  							 *(_t281 + 0xb0) =  *(_t281 + 0xb0) & 0x00000000;
                  							E0041BEFB( &_v36);
                  							E0041BEFB( &_v24);
                  							E0041BEFB( &_v12);
                  							return 1;
                  						}
                  						if((_t150 & 0x00000020) != 0) {
                  							SetDlgItemTextA(_t286, 0xc, E0041CD1E( &_v36));
                  						}
                  						if(( *0x47e190 & 0x00000080) == 0) {
                  							if( *0x47e1d0 > 0) {
                  								SetDlgItemTextA(_t286, 0x16, E0041CD1E(0x47e1d0));
                  							}
                  							ShowWindow(GetDlgItem(_t286, 0x17), 0);
                  							ShowWindow(GetDlgItem(_t286, 0x18), 0);
                  							ShowWindow(GetDlgItem(_t286, 0x19), 0);
                  							ShowWindow(GetDlgItem(_t286, 0x1f), 0);
                  							_push(0);
                  							_push(0x20);
                  						} else {
                  							_t194 =  *0x47e66c; // 0x4
                  							_t260 =  *0x47e668; // 0x4
                  							_t195 =  *0x47e664; // 0x4
                  							_t304 =  *0x47e1d0 - _t260 + _t194 + _t195 + 2; // 0x0
                  							if(_t304 == 0) {
                  								SetDlgItemTextA(_t286, 0x17, E0041CD1E(E0041CC95(0x47e1d0, 0, _t195)));
                  								_t199 =  *0x47e664; // 0x4
                  								SetDlgItemTextA(_t286, 0x18, E0041CD1E(E0041CC95(0x47e1d0, _t199 + 1,  *0x47e668)));
                  								_t204 =  *0x47e668; // 0x4
                  								_t267 =  *0x47e664; // 0x4
                  								SetDlgItemTextA(_t286, 0x19, E0041CD1E(E0041CC95(0x47e1d0, _t204 + _t267 + 2,  *0x47e66c)));
                  							}
                  							_push(0);
                  							_push(0x16);
                  						}
                  						ShowWindow(GetDlgItem(), _t286);
                  						if(( *0x47e194 & 0x00000020) == 0) {
                  							goto L40;
                  						} else {
                  							if(( *0x47e190 & 0x00000080) != 0) {
                  								if(GetWindowTextLengthA(GetDlgItem(_t286, 0x17)) !=  *0x47e664) {
                  									 *(_v40 + 0xb4) =  *(_v40 + 0xb4) & 0x00000000;
                  								}
                  								if(GetWindowTextLengthA(GetDlgItem(_t286, 0x18)) !=  *0x47e668) {
                  									 *(_v40 + 0xb5) =  *(_v40 + 0xb5) & 0x00000000;
                  								}
                  								if(GetWindowTextLengthA(GetDlgItem(_t286, 0x19)) !=  *0x47e66c) {
                  									 *(_v40 + 0xb6) =  *(_v40 + 0xb6) & 0x00000000;
                  								}
                  								goto L40;
                  							}
                  							_t191 = GetWindowTextLengthA(GetDlgItem(_t286, 0x16));
                  							if(_t191 != 0) {
                  								goto L40;
                  							}
                  							_t281 = _v40;
                  							 *(_t281 + 0xb3) =  *(_t281 + 0xb3) & _t191;
                  							goto L41;
                  						}
                  					}
                  				}
                  			}

                  APIs
                  • GetDlgItem.USER32 ref: 0040A8ED
                  • EnableWindow.USER32(00000000), ref: 0040A8F0
                  • SetWindowTextA.USER32(?,00000000), ref: 0040A910
                  • SetDlgItemTextA.USER32 ref: 0040A92A
                  • SetDlgItemTextA.USER32 ref: 0040A93A
                  • SetDlgItemTextA.USER32 ref: 0040A94A
                  • SetDlgItemTextA.USER32 ref: 0040A95A
                  • SetDlgItemTextA.USER32 ref: 0040A978
                  • SetDlgItemTextA.USER32 ref: 0040A9D3
                  • SetDlgItemTextA.USER32 ref: 0040A9E2
                  • SetDlgItemTextA.USER32 ref: 0040A9F1
                  • SetDlgItemTextA.USER32 ref: 0040A9FC
                  • SetDlgItemTextA.USER32 ref: 0040AA02
                  • SendDlgItemMessageA.USER32(?,00000014,000000C5,00000103,00000000), ref: 0040AA14
                  • SendDlgItemMessageA.USER32(?,00000015,000000C5,00000103,00000000), ref: 0040AA25
                  • SendDlgItemMessageA.USER32(?,00000016,000000C5,00000103,00000000), ref: 0040AA36
                    • Part of subcall function 0041C3A9: GlobalUnlock.KERNEL32(?,00000000,00000000,00421A09,00000000,00000001,0000005C,00000000,00000000,00000000,0000005C,00000000,00000000,0047E490,0047E788,00000000), ref: 0041C3D8
                    • Part of subcall function 0041C3A9: GlobalReAlloc.KERNEL32 ref: 0041C3E5
                    • Part of subcall function 0041C3A9: GlobalLock.KERNEL32 ref: 0041C406
                    • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                    • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                    • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                    • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                  • SetDlgItemTextA.USER32 ref: 0040AAC3
                  • SetDlgItemTextA.USER32 ref: 0040AAD3
                  • GetDlgItem.USER32 ref: 0040AAE1
                  • GetWindowTextLengthA.USER32(00000000), ref: 0040AAE4
                  • GetDlgItem.USER32 ref: 0040AB00
                  • ShowWindow.USER32(00000000), ref: 0040AB03
                  • GetDlgItem.USER32 ref: 0040AB0A
                  • ShowWindow.USER32(00000000), ref: 0040AB0D
                  • SetDlgItemTextA.USER32 ref: 0040AB34
                  • SetDlgItemTextA.USER32 ref: 0040AB44
                  • GetDlgItem.USER32 ref: 0040AB52
                  • GetWindowTextLengthA.USER32(00000000), ref: 0040AB55
                  • GetDlgItem.USER32 ref: 0040AB71
                  • ShowWindow.USER32(00000000), ref: 0040AB74
                  • GetDlgItem.USER32 ref: 0040AB7B
                  • ShowWindow.USER32(00000000), ref: 0040AB7E
                  • SendDlgItemMessageA.USER32(?,00000017,000000C5,00000000), ref: 0040ABB0
                  • SendDlgItemMessageA.USER32(?,00000018,000000C5,00000000), ref: 0040ABC6
                  • SendDlgItemMessageA.USER32(?,00000019,000000C5,00000000), ref: 0040ABDC
                  • SetDlgItemTextA.USER32 ref: 0040AC00
                  • SetDlgItemTextA.USER32 ref: 0040AC45
                  • SetDlgItemTextA.USER32 ref: 0040AC69
                  • SetDlgItemTextA.USER32 ref: 0040AC96
                  • SetDlgItemTextA.USER32 ref: 0040ACB5
                  • GetDlgItem.USER32 ref: 0040ACBC
                  • ShowWindow.USER32(00000000), ref: 0040ACBF
                  • GetDlgItem.USER32 ref: 0040ACC7
                  • ShowWindow.USER32(00000000), ref: 0040ACCA
                  • GetDlgItem.USER32 ref: 0040ACD0
                  • ShowWindow.USER32(00000000), ref: 0040ACD3
                  • GetDlgItem.USER32 ref: 0040ACD9
                  • ShowWindow.USER32(00000000), ref: 0040ACDC
                  • GetDlgItem.USER32 ref: 0040ACE2
                  • ShowWindow.USER32(00000000), ref: 0040ACE5
                  • GetDlgItem.USER32 ref: 0040AD00
                  • GetWindowTextLengthA.USER32(00000000), ref: 0040AD03
                  • GetDlgItem.USER32 ref: 0040AD23
                  • GetWindowTextLengthA.USER32(00000000), ref: 0040AD2C
                  • GetDlgItem.USER32 ref: 0040AD44
                  • GetWindowTextLengthA.USER32(00000000), ref: 0040AD47
                  • GetDlgItem.USER32 ref: 0040AD5F
                  • GetWindowTextLengthA.USER32(00000000), ref: 0040AD62
                  • GetDlgItem.USER32 ref: 0040AD7F
                  • ShowWindow.USER32(00000000), ref: 0040AD82
                  • GetDlgItem.USER32 ref: 0040AD88
                  • ShowWindow.USER32(00000000), ref: 0040AD8B
                  • GetDlgItem.USER32 ref: 0040AD91
                  • ShowWindow.USER32(00000000), ref: 0040AD94
                  • GetDlgItem.USER32 ref: 0040AD9A
                  • ShowWindow.USER32(00000000), ref: 0040AD9D
                  • GetDlgItem.USER32 ref: 0040ADA3
                  • ShowWindow.USER32(00000000), ref: 0040ADA6
                  • GetDlgItem.USER32 ref: 0040ADAC
                  • ShowWindow.USER32(00000000), ref: 0040ADAF
                  • GetDlgItem.USER32 ref: 0040ADB5
                  • ShowWindow.USER32(00000000), ref: 0040ADB8
                  • GetDlgItem.USER32 ref: 0040ADFE
                  • EnableWindow.USER32(00000000), ref: 0040AE01
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Item$Text$Window$Show$Global$LengthMessageSend$AllocLockUnlock$Enable$lstrlen
                  • String ID: *:$PG
                  • API String ID: 4025793253-1572763361
                  • Opcode ID: c2233555d261a09f4db66d793c1b20fb3d5c75a06fb9833033005f03d8b724d8
                  • Instruction ID: 4ebb24ae434b6306264965b08b50a1bab40d74009ba8edf4197c7e526d008c02
                  • Opcode Fuzzy Hash: c2233555d261a09f4db66d793c1b20fb3d5c75a06fb9833033005f03d8b724d8
                  • Instruction Fuzzy Hash: 58E1F430244344BAE221E7328C5AFEF3A5DDF49748F00056DF6446A1D2CBBD9986C66F
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 33%
                  			E0040906D(void* __edi, struct HWND__* _a4) {
                  				signed int _v8;
                  				int _v12;
                  				char _v24;
                  				signed int _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				void _v135;
                  				signed char _v136;
                  				_Unknown_base(*)()* _t64;
                  				long _t68;
                  				signed int _t71;
                  				void* _t83;
                  				signed int _t90;
                  				long _t99;
                  				CHAR* _t102;
                  				void* _t110;
                  				signed int _t115;
                  				void* _t133;
                  				intOrPtr _t137;
                  				struct HWND__* _t139;
                  				void* _t143;
                  
                  				_t133 = __edi;
                  				if( *0x42bf98 <= 0) {
                  					EnableWindow(GetDlgItem(_a4, 3), 0);
                  				}
                  				if(E00419E8A() == 0) {
                  					_t139 = _a4;
                  				} else {
                  					_t102 = E0041CD1E(0x47e8c4);
                  					_t139 = _a4;
                  					SetDlgItemTextA(_t139, 1, _t102);
                  				}
                  				_t110 = 0x47e850;
                  				if(( *0x47e193 & 0x00000002) == 0) {
                  					_t110 = 0x47e5d4;
                  				}
                  				SetWindowTextA(_t139, E0041CD1E(_t110));
                  				_push(_t133);
                  				SetDlgItemTextA(_t139, 0x1e, E0041CD1E(0x47e5e0));
                  				SetDlgItemTextA(_t139, 1, "&Next >>");
                  				SetDlgItemTextA(_t139, 3, "<< &Back");
                  				SetDlgItemTextA(_t139, 2, "&Cancel");
                  				_v36 = E0041C8FD(0x47e2f0, 0x9c);
                  				_v12 = E0041C8FD(0x47e2f0, 0xa0);
                  				_v32 = E0041C8FD(0x47e2f0, 0xa4);
                  				_t64 = GetProcAddress(LoadLibraryA("KERNEL32.DLL"), "GetUserDefaultUILanguage");
                  				if(_t64 == 0) {
                  					_v136 = _v136 & 0x00000000;
                  					_t115 = 0x18;
                  					memset( &_v135, 0, _t115 << 2);
                  					asm("stosw");
                  					__eflags =  *0x47e19c; // 0x1
                  					_v28 = 0x64;
                  					asm("stosb");
                  					_v8 = 0;
                  					_push( &_v8);
                  					_push(0x20019);
                  					_push(0);
                  					if(__eflags == 0) {
                  						_t68 = RegOpenKeyExA(0x80000001, "Control Panel\\desktop\\ResourceLocale", ??, ??, ??);
                  						__eflags = _t68;
                  						if(_t68 != 0) {
                  							L15:
                  							RegCloseKey(_v8);
                  							_t71 = E0041D911( &_v136);
                  							goto L16;
                  						}
                  						_push( &_v28);
                  						_push( &_v136);
                  						_push(0);
                  						_push(0);
                  						_push(0x42e0c8);
                  						L14:
                  						RegQueryValueExA(_v8, ??, ??, ??, ??, ??);
                  						goto L15;
                  					}
                  					_t99 = RegOpenKeyExA(0x80000003, ".DEFAULT\\Control Panel\\International", ??, ??, ??);
                  					__eflags = _t99;
                  					if(_t99 != 0) {
                  						goto L15;
                  					}
                  					_push( &_v28);
                  					_push( &_v136);
                  					_push(0);
                  					_push(0);
                  					_push("Locale");
                  					goto L14;
                  				} else {
                  					_t71 =  *_t64();
                  					L16:
                  					_v28 = _t71 & 0x000003ff;
                  					E0041BDC5( &_v24);
                  					_v8 = _v8 & 0x00000000;
                  					if(_v36 <= 0) {
                  						L56:
                  						SendDlgItemMessageA(_a4, 0xa, 0x186, _v12, 0);
                  						if( *0x47e114 != 0) {
                  							SetDlgItemTextA(_a4, 0x41f, E0041CD1E(0x47df68));
                  							E0040EFE7();
                  						}
                  						E0041BEFB( &_v24);
                  						return 1;
                  					} else {
                  						goto L17;
                  					}
                  					do {
                  						L17:
                  						if(E0041CAC5( &_v24, E0041CD1E(0x47e6c8), _v32, 8) < 0) {
                  							E0041D881("Unknown error");
                  						}
                  						_t143 = E0041C8FD( &_v24, 0);
                  						_t83 = E0041C8FD( &_v24, 4);
                  						_t137 = _v32;
                  						if(E0041CAC5( &_v24, E0041CD1E(0x47e6c8), _t137 + 8, _t83) < 0) {
                  							E0041D881("Unknown error");
                  						}
                  						SendDlgItemMessageA(_a4, 0xa, 0x180, 0, E0041CD1E( &_v24));
                  						_v32 = _t137 + _t143 + 4;
                  						_t90 = _v28;
                  						if(_t90 != 0xb) {
                  							__eflags = _t90 - 9;
                  							if(_t90 != 9) {
                  								__eflags = _t90 - 0xa;
                  								if(_t90 != 0xa) {
                  									__eflags = _t90 - 0x13;
                  									if(_t90 != 0x13) {
                  										__eflags = _t90 - 0xc;
                  										if(_t90 != 0xc) {
                  											__eflags = _t90 - 7;
                  											if(_t90 != 7) {
                  												__eflags = _t90 - 8;
                  												if(_t90 != 8) {
                  													__eflags = _t90 - 0xe;
                  													if(_t90 != 0xe) {
                  														__eflags = _t90 - 0x10;
                  														if(_t90 != 0x10) {
                  															__eflags = _t90 - 0x15;
                  															if(_t90 != 0x15) {
                  																__eflags = _t90 - 0x16;
                  																if(_t90 != 0x16) {
                  																	__eflags = _t90 - 0x19;
                  																	if(_t90 != 0x19) {
                  																		__eflags = _t90 - 0x1a;
                  																		if(_t90 != 0x1a) {
                  																			__eflags = _t90 - 0x1d;
                  																			if(_t90 != 0x1d) {
                  																				__eflags = _t90 - 0x1f;
                  																				if(_t90 != 0x1f) {
                  																					__eflags = _t90 - 0x22;
                  																					if(_t90 != 0x22) {
                  																						goto L55;
                  																					}
                  																					_push(0);
                  																					_push(0);
                  																					_push("Ukrainian");
                  																					goto L53;
                  																				}
                  																				_push(0);
                  																				_push(0);
                  																				_push("Turkish");
                  																				goto L53;
                  																			}
                  																			_push(0);
                  																			_push(0);
                  																			_push("Swedish");
                  																			goto L53;
                  																		}
                  																		_push(0);
                  																		_push(0);
                  																		_push("Serbian");
                  																		goto L53;
                  																	}
                  																	_push(0);
                  																	_push(0);
                  																	_push("Russian");
                  																	goto L53;
                  																}
                  																_push(0);
                  																_push(0);
                  																_push("Portuguese");
                  																goto L53;
                  															}
                  															_push(0);
                  															_push(0);
                  															_push("Polish");
                  															goto L53;
                  														}
                  														_push(0);
                  														_push(0);
                  														_push("Italian");
                  														goto L53;
                  													}
                  													_push(0);
                  													_push(0);
                  													_push("Hungarian");
                  													goto L53;
                  												}
                  												_push(0);
                  												_push(0);
                  												_push("Greek");
                  												goto L53;
                  											}
                  											_push(0);
                  											_push(0);
                  											_push("German");
                  											goto L53;
                  										}
                  										_push(0);
                  										_push(0);
                  										_push("French");
                  										goto L53;
                  									}
                  									_push(0);
                  									_push(0);
                  									_push("Dutch");
                  									goto L53;
                  								}
                  								_push(0);
                  								_push(0);
                  								_push("Spanish");
                  								goto L53;
                  							}
                  							_push(0);
                  							_push(0);
                  							_push("English");
                  							goto L53;
                  						} else {
                  							_push(0);
                  							_push(0);
                  							_push("Finnish");
                  							L53:
                  							if(E0041C6D0( &_v24) != 0xffffffff) {
                  								_v12 = _v8;
                  							}
                  						}
                  						L55:
                  						_v8 = _v8 + 1;
                  					} while (_v8 < _v36);
                  					goto L56;
                  				}
                  			}
























                  APIs
                  • GetDlgItem.USER32 ref: 00409086
                  • EnableWindow.USER32(00000000), ref: 0040908D
                  • SetDlgItemTextA.USER32 ref: 004090BA
                  • SetWindowTextA.USER32(?,00000000), ref: 004090DB
                  • SetDlgItemTextA.USER32 ref: 004090F0
                  • SetDlgItemTextA.USER32 ref: 004090FA
                  • SetDlgItemTextA.USER32 ref: 00409104
                  • SetDlgItemTextA.USER32 ref: 0040910E
                  • LoadLibraryA.KERNEL32(KERNEL32.DLL,000000A4,000000A0,0000009C), ref: 00409147
                  • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00409153
                  • RegOpenKeyExA.ADVAPI32(80000003,.DEFAULT\Control Panel\International,00000000,00020019,?), ref: 004091A3
                  • RegOpenKeyExA.ADVAPI32(80000001,Control Panel\desktop\ResourceLocale,00000000,00020019,?), ref: 004091CB
                  • RegQueryValueExA.ADVAPI32(?,0042E0C8,00000000,00000000,00000000,00000064), ref: 004091EA
                  • RegCloseKey.ADVAPI32(?), ref: 004091F3
                  • SendDlgItemMessageA.USER32(?,0000000A,00000180,00000000,00000000), ref: 004092A0
                  • SendDlgItemMessageA.USER32(?,0000000A,00000186,?,00000000), ref: 00409407
                  • SetDlgItemTextA.USER32 ref: 0040942A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Item$Text$MessageOpenSendWindow$AddressCloseEnableLibraryLoadProcQueryValue
                  • String ID: &Cancel$&Next >>$.DEFAULT\Control Panel\International$<< &Back$Control Panel\desktop\ResourceLocale$Dutch$English$Finnish$French$German$GetUserDefaultUILanguage$Greek$Hungarian$Italian$KERNEL32.DLL$Locale$Polish$Portuguese$PG$Russian$Serbian$Spanish$Swedish$Turkish$Ukrainian$Unknown error$d$G
                  • API String ID: 197437431-3923757053
                  • Opcode ID: 932b0a1320e2d8e500f9c6d51e8da7430af6cd8b5ecf0549b4374da9cdf5794b
                  • Instruction ID: bb1e0e259d96a11ac7e4365f6f5e7a16268a53fcd0579c9adc81d8e9e1168d7a
                  • Opcode Fuzzy Hash: 932b0a1320e2d8e500f9c6d51e8da7430af6cd8b5ecf0549b4374da9cdf5794b
                  • Instruction Fuzzy Hash: ACA18830B81319B6EB20A651DC57FEE7764EB04B04FA0407BBA01B51D2DBBC6D429B5E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E0040D42A(void* __ebx, char __ecx, void* __ebp, struct HWND__* _a4) {
                  				char _v12;
                  				char _v16;
                  				signed int _t35;
                  				CHAR* _t36;
                  				signed char _t65;
                  				signed char _t66;
                  				signed int _t68;
                  				void* _t74;
                  				void* _t97;
                  				struct HWND__* _t99;
                  				void* _t102;
                  				void* _t105;
                  				struct HWND__* _t126;
                  				void* _t128;
                  
                  				_t128 = __ebp;
                  				_t97 = __ebx;
                  				_t35 =  *0x47e190; // 0x2080c08
                  				_v16 = __ecx;
                  				if( *0x47e6b0 > 0) {
                  					_t35 = _t35 & 0xf7fffff3 | 0x00000002;
                  					 *0x47e190 = _t35;
                  				}
                  				_t102 = 0x47e850;
                  				if((_t35 & 0x02000000) == 0) {
                  					_t102 = 0x47ef60;
                  				}
                  				_t36 = E0041CD1E(_t102);
                  				_t126 = _a4;
                  				SetWindowTextA(_t126, _t36);
                  				E0041BDC5( &_v12);
                  				if(( *0x47e18c & 0x00000040) == 0) {
                  					_push(E0041CD1E(0x47e350));
                  					_t105 = 0x47ef78;
                  				} else {
                  					_push(E0041CD1E(0x47e350));
                  					_t105 = 0x47ef84;
                  				}
                  				E0041C467( &_v12, E0041CD1E(_t105));
                  				SetDlgItemTextA(_t126, 0xa, E0041CD1E( &_v12));
                  				SetDlgItemTextA(_t126, 3, E0041CD1E(0x47e8a0));
                  				SetDlgItemTextA(_t126, 1, E0041CD1E(0x47e8d0));
                  				SetDlgItemTextA(_t126, 2, E0041CD1E(0x47e8b8));
                  				if(E00419E6A() != 0) {
                  					SetDlgItemTextA(_t126, 1, E0041CD1E(0x47ef6c));
                  				}
                  				_push(_t97);
                  				_push(_t128);
                  				SetDlgItemTextA(_t126, 0xb, E0041CD1E(0x47ef90));
                  				SetDlgItemTextA(_t126, 0x14, E0041CD1E(0x47ef9c));
                  				SetDlgItemTextA(_t126, 0x15, E0041CD1E(0x47efa8));
                  				SetDlgItemTextA(_t126, 0x16, E0041CD1E(0x47efb4));
                  				SetDlgItemTextA(_t126, 0x17, E0041CD1E(0x47efc0));
                  				SetDlgItemTextA(_t126, 0xc, E0041CD1E(0x47efcc));
                  				_push(0);
                  				if(( *0x47e190 & 0x00000002) != 0) {
                  					SendDlgItemMessageA(_t126, 0x14, 0xf1, 1, ??);
                  					if(( *0x47e192 & 0x00000010) != 0) {
                  						EnableWindow(GetDlgItem(_t126, 0x15), 0);
                  					}
                  				} else {
                  					ShowWindow(GetDlgItem(_t126, 0xb), ??);
                  					ShowWindow(GetDlgItem(_t126, 0x14), 0);
                  					ShowWindow(GetDlgItem(_t126, 0x15), 0);
                  				}
                  				_t65 =  *0x47e190; // 0x2080c08
                  				if((_t65 & 0x00000008) != 0) {
                  					if((_t65 & 0x00000040) != 0) {
                  						SendDlgItemMessageA(_t126, 0x16, 0xf1, 1, 0);
                  					}
                  				} else {
                  					ShowWindow(GetDlgItem(_t126, 0x16), 0);
                  				}
                  				_t66 =  *0x47e190; // 0x2080c08
                  				if((_t66 & 0x00000004) != 0) {
                  					if((_t66 & 0x00000080) != 0) {
                  						SendDlgItemMessageA(_t126, 0x17, 0xf1, 1, 0);
                  					}
                  				} else {
                  					ShowWindow(GetDlgItem(_t126, 0x17), 0);
                  				}
                  				if(( *0x47e193 & 0x00000008) != 0) {
                  					_t99 = 0;
                  					SendDlgItemMessageA(_t126, 0x46, 0xf1, 1, 0);
                  				} else {
                  					ShowWindow(GetDlgItem(_t126, 0x46), 0);
                  					_t99 = 0;
                  				}
                  				_t68 =  *0x47e190; // 0x2080c08
                  				if((_t68 & 0x00000008) != 0 || (_t68 & 0x08000000) == 0) {
                  					if((_t68 & 0x00000004) != 0 || (_t68 & 0x08000000) == 0) {
                  						goto L32;
                  					} else {
                  						_push(0x17);
                  						goto L30;
                  					}
                  				} else {
                  					_push(0x16);
                  					L30:
                  					_t74 = E0040710F(_v16);
                  					if(_t74 != _t99) {
                  						SetWindowPos(GetDlgItem(_t126, 0x46), _t99,  *(_t74 + 0x14),  *(_t74 + 0x18), _t99, _t99, 0x215);
                  					}
                  					L32:
                  					if( *0x47e114 != 0) {
                  						SetDlgItemTextA(_t126, 0x41f, E0041CD1E(0x47df68));
                  						E0040EFE7();
                  					}
                  					E0041BEFB( &_v12);
                  					return 1;
                  				}
                  			}

















                  APIs
                  • SetWindowTextA.USER32(?,00000000), ref: 0040D469
                  • SetDlgItemTextA.USER32 ref: 0040D4C4
                  • SetDlgItemTextA.USER32 ref: 0040D4D4
                  • SetDlgItemTextA.USER32 ref: 0040D4E4
                  • SetDlgItemTextA.USER32 ref: 0040D4F4
                  • SetDlgItemTextA.USER32 ref: 0040D512
                  • SetDlgItemTextA.USER32 ref: 0040D524
                  • SetDlgItemTextA.USER32 ref: 0040D534
                  • SetDlgItemTextA.USER32 ref: 0040D544
                  • SetDlgItemTextA.USER32 ref: 0040D554
                  • SetDlgItemTextA.USER32 ref: 0040D564
                  • SetDlgItemTextA.USER32 ref: 0040D574
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • GetDlgItem.USER32 ref: 0040D590
                  • ShowWindow.USER32(00000000), ref: 0040D593
                  • GetDlgItem.USER32 ref: 0040D59A
                  • ShowWindow.USER32(00000000), ref: 0040D59D
                  • GetDlgItem.USER32 ref: 0040D5A4
                  • ShowWindow.USER32(00000000), ref: 0040D5A7
                  • SendDlgItemMessageA.USER32(?,00000014,000000F1,00000001,00000000), ref: 0040D5B5
                  • GetDlgItem.USER32 ref: 0040D5C9
                  • EnableWindow.USER32(00000000), ref: 0040D5CC
                  • GetDlgItem.USER32 ref: 0040D5E0
                  • ShowWindow.USER32(00000000), ref: 0040D5E3
                  • SendDlgItemMessageA.USER32(?,00000016,000000F1,00000001,00000000), ref: 0040D5F8
                  • GetDlgItem.USER32 ref: 0040D60C
                  • ShowWindow.USER32(00000000), ref: 0040D60F
                  • SendDlgItemMessageA.USER32(?,00000017,000000F1,00000001,00000000), ref: 0040D624
                  • GetDlgItem.USER32 ref: 0040D638
                  • ShowWindow.USER32(00000000), ref: 0040D63B
                  • SendDlgItemMessageA.USER32(?,00000046,000000F1,00000001,00000000), ref: 0040D64E
                  • GetDlgItem.USER32 ref: 0040D693
                  • SetWindowPos.USER32(00000000), ref: 0040D696
                  • SetDlgItemTextA.USER32 ref: 0040D6B8
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Item$Text$Window$Show$MessageSend$Global$AllocEnableLockUnlock
                  • String ID: PG$PG$`G$lG$xG
                  • API String ID: 3032138065-1923768288
                  • Opcode ID: 05dfcc1085d6eedecaa10e0d44eb7dceb23ed1d2773465519599df6e1f284045
                  • Instruction ID: 49fdebd98fac3304353a2dd6f13cbc95544f1438b6f99baf14de67e434ed9392
                  • Opcode Fuzzy Hash: 05dfcc1085d6eedecaa10e0d44eb7dceb23ed1d2773465519599df6e1f284045
                  • Instruction Fuzzy Hash: 2C61D2706802087AE63077625C47FFF264D9F45B48F10457AF7097A1D2CFBE4846956E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 87%
                  			E0040F6CB(int _a4, int _a8, int _a12, int _a16, struct HDC__* _a20, struct HDC__* _a24, struct HDC__* _a28) {
                  				struct HDC__* _v8;
                  				struct HBITMAP__* _v12;
                  				struct HBITMAP__* _v16;
                  				void* _v20;
                  				void* _v24;
                  				int _v28;
                  				void* _t96;
                  				void* _t101;
                  				struct HBITMAP__* _t113;
                  				struct HDC__* _t149;
                  				void* _t156;
                  
                  				_t149 = CreateCompatibleDC( *0x47e184);
                  				_v8 = _t149;
                  				_t96 = CreateCompatibleBitmap( *0x47e184, _a12, _a16);
                  				_v24 = _t96;
                  				if(_t149 == 0 || _t96 == 0) {
                  					E00424DCE(_a28->i);
                  					DeleteDC(_t149);
                  					DeleteObject(_v24);
                  					_push(0xfffffff0);
                  					goto L19;
                  				} else {
                  					if(SelectObject(_t149, _t96) != 0) {
                  						_v28 = StretchDIBits(_v8, 0, 0, _a12, _a16, 0, 0,  *(_a20 + 4),  *(_a20 + 8), _a24, _a20, 0, 0xcc0020);
                  						E00424DCE(_a28->i);
                  						_a28->i = 0;
                  						_a20 = CreateCompatibleDC( *0x47e184);
                  						_v12 = CreateBitmap(_a12, _a16, 1, 1, 0);
                  						_a24 = CreateCompatibleDC(_v8);
                  						_v16 = CreateCompatibleBitmap(_v8, _a12, _a16);
                  						_a28 = CreateCompatibleDC( *0x47e184);
                  						_t113 = CreateCompatibleBitmap( *0x47e184, _a12, _a16);
                  						_v20 = _t113;
                  						if(_a20 == 0 || _a24 == 0 || _v12 == 0 || _v16 == 0 || _a28 == 0 || _t113 == 0 || _v28 == 0xffffffff) {
                  							DeleteDC(_v8);
                  							DeleteDC(_a20);
                  							DeleteDC(_a24);
                  							DeleteDC(_a28);
                  							DeleteObject(_v24);
                  							DeleteObject(_v12);
                  							DeleteObject(_v16);
                  							DeleteObject(_v20);
                  							return (0 | _v28 != 0xffffffff) + 0xffffffed;
                  						} else {
                  							if(SelectObject(_a20, _v12) == 0 || SelectObject(_a24, _v16) == 0 || SelectObject(_a28, _v20) == 0) {
                  								_push(0xffffffec);
                  							} else {
                  								SetBkColor(_v8, 0);
                  								BitBlt(_a20, 0, 0, _a12, _a16, _v8, 0, 0, 0xcc0020);
                  								BitBlt(_a24, 0, 0, _a12, _a16, _v8, 0, 0, 0xcc0020);
                  								BitBlt(_a24, 0, 0, _a12, _a16, _a20, 0, 0, 0x220326);
                  								BitBlt(_a28, 0, 0, _a12, _a16,  *0x47e184, _a4, _a8, 0xcc0020);
                  								BitBlt(_a28, 0, 0, _a12, _a16, _a20, 0, 0, 0x8800c6);
                  								BitBlt(_a28, 0, 0, _a12, _a16, _a24, 0, 0, 0xee0086);
                  								BitBlt( *0x47e184, _a4, _a8, _a12, _a16, _a28, 0, 0, 0xcc0020);
                  								_push(1);
                  							}
                  							_pop(_t156);
                  							DeleteDC(_v8);
                  							DeleteDC(_a20);
                  							DeleteDC(_a24);
                  							DeleteDC(_a28);
                  							DeleteObject(_v24);
                  							DeleteObject(_v12);
                  							DeleteObject(_v16);
                  							DeleteObject(_v20);
                  							return _t156;
                  						}
                  					}
                  					E00424DCE( *_a28);
                  					DeleteDC(_t149);
                  					DeleteObject(_v24);
                  					_push(0xffffffef);
                  					L19:
                  					_pop(_t101);
                  					return _t101;
                  				}
                  			}














                  APIs
                  • CreateCompatibleDC.GDI32(00CC0020), ref: 0040F6E0
                  • CreateCompatibleBitmap.GDI32(?,?), ref: 0040F6F3
                  • SelectObject.GDI32(00000000,00000000), ref: 0040F710
                  • DeleteDC.GDI32(00000000), ref: 0040F726
                  • DeleteObject.GDI32(?), ref: 0040F72F
                  • StretchDIBits.GDI32(00CC0020,00000000,00000000,?,?,00000000,00000000,?,?,?,?,00000000,00CC0020), ref: 0040F75D
                  • CreateCompatibleDC.GDI32 ref: 0040F77C
                  • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0040F78C
                  • CreateCompatibleDC.GDI32(?), ref: 0040F798
                  • CreateCompatibleBitmap.GDI32(?,?,?), ref: 0040F7A6
                  • CreateCompatibleDC.GDI32 ref: 0040F7B5
                  • CreateCompatibleBitmap.GDI32(?,?), ref: 0040F7C6
                  • SelectObject.GDI32(000000FF,?), ref: 0040F81A
                  • SelectObject.GDI32(?,?), ref: 0040F82A
                  • SelectObject.GDI32(?,?), ref: 0040F83A
                  • SetBkColor.GDI32(?,00000000), ref: 0040F848
                  • BitBlt.GDI32(000000FF,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0040F865
                  • DeleteDC.GDI32(00000000), ref: 0040F980
                  • DeleteObject.GDI32(?), ref: 0040F989
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Create$Compatible$Object$BitmapDeleteSelect$BitsColorStretch
                  • String ID:
                  • API String ID: 2205707287-0
                  • Opcode ID: c67d60daae90353adcdfeae3e4c12f8c60b2230a5a186e30fd6dfb6ac8044501
                  • Instruction ID: 4482fd01da12e19a8ba615bb7988d16a4b5e2bf5455e3b8baba2561fa1554ba7
                  • Opcode Fuzzy Hash: c67d60daae90353adcdfeae3e4c12f8c60b2230a5a186e30fd6dfb6ac8044501
                  • Instruction Fuzzy Hash: B991E272901129FFCF229FA2DC08D9F7F76FF08360B154125BA1861170CA368961EFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E0040A208(void* __ecx) {
                  				void* __edi;
                  				void* __esi;
                  				unsigned int _t77;
                  				unsigned int _t78;
                  				signed int _t79;
                  				signed int _t83;
                  				int _t89;
                  				signed int _t90;
                  				signed int _t97;
                  				int _t100;
                  				signed int _t101;
                  				signed int _t104;
                  				signed int _t110;
                  				signed int _t113;
                  				signed int _t114;
                  				int _t117;
                  				signed int _t119;
                  				signed int _t122;
                  				signed int _t127;
                  				unsigned int _t132;
                  				void* _t136;
                  				void* _t138;
                  				signed int _t157;
                  				int _t160;
                  				signed int _t163;
                  				void* _t199;
                  				signed int _t201;
                  				signed int _t202;
                  				signed int _t203;
                  				signed int _t204;
                  				signed int _t208;
                  				signed int _t211;
                  				signed int _t212;
                  				void* _t214;
                  
                  				_t199 = __ecx;
                  				if( *((intOrPtr*)(__ecx + 0xb0)) != 0) {
                  					L3:
                  					return 0;
                  				}
                  				_t77 =  *(_t214 + 0x20);
                  				_t201 = _t77 & 0x0000ffff;
                  				_t78 = _t77 >> 0x10;
                  				if(_t78 == 0 || _t78 == 0x300) {
                  					__eflags = _t201 - 2;
                  					if(_t201 != 2) {
                  						L6:
                  						__eflags = _t201 - 0x15;
                  						if(__eflags > 0) {
                  							_t202 = _t201 - 0x16;
                  							__eflags = _t202;
                  							if(_t202 == 0) {
                  								_t79 =  *0x47e194; // 0x0
                  								__eflags = (_t79 & 0x00000030) - 0x30;
                  								if((_t79 & 0x00000030) != 0x30) {
                  									L91:
                  									return 1;
                  								}
                  								 *(_t199 + 0xb3) = 1;
                  								_t83 = GetWindowTextLengthA(GetDlgItem( *(_t199 + 4), 0x16));
                  								__eflags = _t83;
                  								if(_t83 != 0) {
                  									__eflags =  *(_t199 + 0xb2);
                  									if( *(_t199 + 0xb2) == 0) {
                  										goto L91;
                  									}
                  									__eflags =  *(_t199 + 0xb1);
                  									L88:
                  									if(__eflags == 0) {
                  										goto L91;
                  									}
                  									_push(1);
                  									L90:
                  									EnableWindow(GetDlgItem( *(_t199 + 4), 1), ??);
                  									goto L91;
                  								}
                  								EnableWindow(GetDlgItem( *(_t199 + 4), 1), 0);
                  								 *(_t199 + 0xb3) = 0;
                  								goto L91;
                  							}
                  							_t203 = _t202 - 1;
                  							__eflags = _t203;
                  							if(_t203 == 0) {
                  								 *(_t199 + 0xb4) = 0;
                  								_t89 = GetWindowTextLengthA(GetDlgItem( *(_t199 + 4), 0x17));
                  								__eflags = _t89 -  *0x47e664;
                  								_t90 =  *0x47e194; // 0x0
                  								if(_t89 !=  *0x47e664) {
                  									__eflags = (_t90 & 0x00000030) - 0x30;
                  									if((_t90 & 0x00000030) != 0x30) {
                  										goto L91;
                  									}
                  									L82:
                  									_push(0);
                  									goto L90;
                  								}
                  								__eflags = (_t90 & 0x00000030) - 0x30;
                  								if((_t90 & 0x00000030) != 0x30) {
                  									L79:
                  									_push(0x18);
                  									L80:
                  									SetFocus(GetDlgItem( *(_t199 + 4), ??));
                  									goto L91;
                  								}
                  								__eflags =  *(_t199 + 0xb2);
                  								 *(_t199 + 0xb4) = 1;
                  								if( *(_t199 + 0xb2) == 0) {
                  									goto L79;
                  								}
                  								__eflags =  *(_t199 + 0xb1);
                  								if( *(_t199 + 0xb1) == 0) {
                  									goto L79;
                  								}
                  								__eflags =  *(_t199 + 0xb5);
                  								if( *(_t199 + 0xb5) == 0) {
                  									goto L79;
                  								}
                  								__eflags =  *(_t199 + 0xb6);
                  								if( *(_t199 + 0xb6) == 0) {
                  									goto L79;
                  								}
                  								__eflags =  *(_t199 + 0xb3);
                  								if( *(_t199 + 0xb3) == 0) {
                  									goto L79;
                  								}
                  								_push(1);
                  								L78:
                  								EnableWindow(GetDlgItem( *(_t199 + 4), 1), ??);
                  								goto L79;
                  							}
                  							_t204 = _t203 - 1;
                  							__eflags = _t204;
                  							if(_t204 == 0) {
                  								_t97 =  *0x47e194; // 0x0
                  								__eflags = (_t97 & 0x00000030) - 0x30;
                  								if((_t97 & 0x00000030) == 0x30) {
                  									 *(_t199 + 0xb5) = 0;
                  								}
                  								_t100 = GetWindowTextLengthA(GetDlgItem( *(_t199 + 4), 0x18));
                  								__eflags = _t100 -  *0x47e668;
                  								_t101 =  *0x47e194; // 0x0
                  								if(_t100 !=  *0x47e668) {
                  									__eflags = (_t101 & 0x00000030) - 0x30;
                  									if((_t101 & 0x00000030) == 0x30) {
                  										EnableWindow(GetDlgItem( *(_t199 + 4), 1), 0);
                  									}
                  									_t104 = GetWindowTextLengthA(GetDlgItem( *(_t199 + 4), 0x18));
                  									__eflags = _t104;
                  									if(_t104 != 0) {
                  										goto L91;
                  									} else {
                  										_push(0x17);
                  										goto L80;
                  									}
                  								} else {
                  									__eflags = (_t101 & 0x00000030) - 0x30;
                  									if((_t101 & 0x00000030) == 0x30) {
                  										__eflags =  *(_t199 + 0xb2);
                  										 *(_t199 + 0xb5) = 1;
                  										if( *(_t199 + 0xb2) != 0) {
                  											__eflags =  *(_t199 + 0xb1);
                  											if( *(_t199 + 0xb1) != 0) {
                  												__eflags =  *(_t199 + 0xb4);
                  												if( *(_t199 + 0xb4) != 0) {
                  													__eflags =  *(_t199 + 0xb6);
                  													if( *(_t199 + 0xb6) != 0) {
                  														__eflags =  *(_t199 + 0xb3);
                  														if( *(_t199 + 0xb3) != 0) {
                  															EnableWindow(GetDlgItem( *(_t199 + 4), 1), 1);
                  														}
                  													}
                  												}
                  											}
                  										}
                  									}
                  									_push(0x19);
                  									goto L80;
                  								}
                  							}
                  							__eflags = _t204 != 1;
                  							if(_t204 != 1) {
                  								goto L91;
                  							}
                  							_t110 =  *0x47e194; // 0x0
                  							__eflags = (_t110 & 0x00000030) - 0x30;
                  							if((_t110 & 0x00000030) == 0x30) {
                  								 *(_t199 + 0xb6) = 0;
                  							}
                  							_t113 = GetWindowTextLengthA(GetDlgItem( *(_t199 + 4), 0x19));
                  							__eflags = _t113;
                  							_t114 =  *0x47e194; // 0x0
                  							if(_t113 != 0) {
                  								__eflags = (_t114 & 0x00000030) - 0x30;
                  								if((_t114 & 0x00000030) != 0x30) {
                  									goto L91;
                  								}
                  								_t117 = GetWindowTextLengthA(GetDlgItem( *(_t199 + 4), 0x19));
                  								__eflags = _t117 -  *0x47e66c;
                  								if(_t117 !=  *0x47e66c) {
                  									goto L82;
                  								}
                  								__eflags =  *(_t199 + 0xb2);
                  								 *(_t199 + 0xb6) = 1;
                  								if( *(_t199 + 0xb2) == 0) {
                  									goto L91;
                  								}
                  								__eflags =  *(_t199 + 0xb1);
                  								if( *(_t199 + 0xb1) == 0) {
                  									goto L91;
                  								}
                  								__eflags =  *(_t199 + 0xb5);
                  								if( *(_t199 + 0xb5) == 0) {
                  									goto L91;
                  								}
                  								__eflags =  *(_t199 + 0xb4);
                  								if( *(_t199 + 0xb4) == 0) {
                  									goto L91;
                  								}
                  								__eflags =  *(_t199 + 0xb3);
                  								goto L88;
                  							} else {
                  								__eflags = (_t114 & 0x00000030) - 0x30;
                  								if((_t114 & 0x00000030) != 0x30) {
                  									goto L79;
                  								}
                  								_push(0);
                  								goto L78;
                  							}
                  						}
                  						if(__eflags == 0) {
                  							_t119 =  *0x47e194; // 0x0
                  							__eflags = (_t119 & 0x0000000c) - 0xc;
                  							if((_t119 & 0x0000000c) != 0xc) {
                  								goto L91;
                  							}
                  							 *(_t199 + 0xb2) = 1;
                  							_t122 = GetWindowTextLengthA(GetDlgItem( *(_t199 + 4), 0x15));
                  							__eflags = _t122;
                  							if(_t122 != 0) {
                  								__eflags =  *(_t199 + 0xb1);
                  								L34:
                  								if(__eflags == 0) {
                  									goto L91;
                  								}
                  								__eflags =  *(_t199 + 0xb3);
                  								if( *(_t199 + 0xb3) == 0) {
                  									goto L91;
                  								}
                  								__eflags =  *(_t199 + 0xb4);
                  								if( *(_t199 + 0xb4) == 0) {
                  									goto L91;
                  								}
                  								__eflags =  *(_t199 + 0xb5);
                  								if( *(_t199 + 0xb5) == 0) {
                  									goto L91;
                  								}
                  								__eflags =  *(_t199 + 0xb6);
                  								goto L88;
                  							}
                  							EnableWindow(GetDlgItem( *(_t199 + 4), 1), 0);
                  							 *(_t199 + 0xb2) = 0;
                  							goto L91;
                  						}
                  						_t208 = _t201 - 1;
                  						__eflags = _t208;
                  						if(_t208 == 0) {
                  							 *(_t214 + 0x20) = 0;
                  							E0040A736(_t199);
                  							_t127 = E0040AE34(_t199, _t214 + 0x20);
                  							__eflags = _t127;
                  							if(_t127 != 0) {
                  								_t11 = _t214 + 0x14; // 0x47ebe8
                  								E0041BE99(_t11, 0x47ebe8);
                  								E0041C047(_t214 + 0x18, "\r\n", 0);
                  								__eflags =  *0x47e194 & 0x00000001;
                  								_t209 = "\r\n%s: %s";
                  								if(( *0x47e194 & 0x00000001) != 0) {
                  									_push(E0041CD1E(0x47e1b8));
                  									_push(E0041CD1E(0x47ebb8));
                  									E0041C467(_t214 + 0x18, "\r\n%s: %s");
                  									_t214 = _t214 + 0x10;
                  								}
                  								__eflags =  *0x47e194 & 0x00000004;
                  								if(( *0x47e194 & 0x00000004) != 0) {
                  									_push(E0041CD1E(0x47e1c4));
                  									_push(E0041CD1E(0x47ebc4));
                  									E0041C467(_t214 + 0x18, _t209);
                  									_t214 = _t214 + 0x10;
                  								}
                  								__eflags =  *0x47e194 & 0x00000010;
                  								if(( *0x47e194 & 0x00000010) != 0) {
                  									_push(E0041CD1E(0x47e1d0));
                  									_push(E0041CD1E(0x47ebd0));
                  									E0041C467(_t214 + 0x18, _t209);
                  									_t214 = _t214 + 0x10;
                  								}
                  								E0041C047(_t214 + 0x18, "\r\n\r\n", 0);
                  								_t23 = _t214 + 0x14; // 0x47ebe8
                  								E0041C0C5(_t23, __eflags, 0x47ebf4);
                  								__eflags =  *0x47e190 & 0x00000001;
                  								if(( *0x47e190 & 0x00000001) == 0) {
                  									L28:
                  									_t132 =  *(_t214 + 0x20);
                  									_push(0);
                  									 *_t132 =  *_t132 + 0x57;
                  									__eflags =  *_t132;
                  									E00407827(_t199, 0x47dfb8, _t199);
                  									E00417EA6(0x47dfb8, 0);
                  									goto L29;
                  								} else {
                  									_t136 = E0041CD1E(0x47e700);
                  									_t138 = E0041B2CC(0x47dfb8,  *(_t199 + 4), E0041CD1E(_t214 + 0x18), _t136, 4);
                  									__eflags = _t138 - 7;
                  									if(_t138 == 7) {
                  										L29:
                  										E0041BEFB(_t214 + 0x10);
                  										goto L91;
                  									}
                  									goto L28;
                  								}
                  							}
                  							E0041B2CC(0x47dfb8,  *(_t199 + 4), E0041CD1E(0x47ebdc), 0, 0);
                  							goto L91;
                  						}
                  						_t211 = _t208 - 1;
                  						__eflags = _t211;
                  						if(_t211 == 0) {
                  							_push(0);
                  							E00407827(_t199, 0x47dfb8, _t199);
                  							E0041A1B5(1);
                  							goto L91;
                  						}
                  						_t212 = _t211 - 1;
                  						__eflags = _t212;
                  						if(_t212 == 0) {
                  							E0040A736(_t199);
                  							_push(0);
                  							E00407827(_t199, 0x47dfb8, _t199);
                  							E00417D26(0x47dfb8, 0);
                  							goto L91;
                  						}
                  						__eflags = _t212 != 0x11;
                  						if(_t212 != 0x11) {
                  							goto L91;
                  						}
                  						_t157 =  *0x47e194; // 0x0
                  						__eflags = (_t157 & 0x00000003) - 3;
                  						if((_t157 & 0x00000003) != 3) {
                  							goto L91;
                  						}
                  						 *(_t199 + 0xb1) = 1;
                  						_t160 = GetWindowTextLengthA(GetDlgItem( *(_t199 + 4), 0x14));
                  						__eflags = _t160;
                  						if(_t160 != 0) {
                  							__eflags =  *(_t199 + 0xb2);
                  							goto L34;
                  						} else {
                  							EnableWindow(GetDlgItem( *(_t199 + 4), 1), 0);
                  							 *(_t199 + 0xb1) = 0;
                  							goto L91;
                  						}
                  					}
                  					_t163 = E0041BC79(0x47dfb8);
                  					__eflags = _t163;
                  					if(_t163 == 0) {
                  						goto L91;
                  					}
                  					goto L6;
                  				} else {
                  					goto L3;
                  				}
                  			}

                  APIs
                  • GetDlgItem.USER32 ref: 0040A295
                  • GetWindowTextLengthA.USER32(00000000), ref: 0040A298
                  • GetDlgItem.USER32 ref: 0040A2A8
                  • EnableWindow.USER32(00000000), ref: 0040A2AB
                  • GetDlgItem.USER32 ref: 0040A721
                  • EnableWindow.USER32(00000000), ref: 0040A724
                    • Part of subcall function 0040A736: GetDlgItemTextA.USER32 ref: 0040A7D8
                    • Part of subcall function 0040A736: lstrlenA.KERNEL32(?), ref: 0040A7E7
                    • Part of subcall function 0040A736: GetDlgItemTextA.USER32 ref: 0040A825
                    • Part of subcall function 0040A736: lstrlenA.KERNEL32(?), ref: 0040A82E
                    • Part of subcall function 0040A736: GetDlgItemTextA.USER32 ref: 0040A865
                    • Part of subcall function 0040A736: lstrlenA.KERNEL32(?), ref: 0040A86E
                    • Part of subcall function 00407827: GetWindowTextLengthA.USER32(?), ref: 004078A0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Item$Text$Window$lstrlen$EnableLength
                  • String ID: $%s: %s$G
                  • API String ID: 3337122462-2356399927
                  • Opcode ID: 7ee84b8dd8312172b3a059aeb61dd93444f64e87a211af6e345f0ab10acbdc47
                  • Instruction ID: 221bc5c8d733b3f505849e16dbfb439457003c1b78ab7289a70c632a7fb1e998
                  • Opcode Fuzzy Hash: 7ee84b8dd8312172b3a059aeb61dd93444f64e87a211af6e345f0ab10acbdc47
                  • Instruction Fuzzy Hash: 47D17C31548784AAE730E3318C56BAB7BA69B50344F08487FE186633D2DB3E9895D71F
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041E6A9(intOrPtr* __ecx, intOrPtr _a4) {
                  				CHAR* _v0;
                  				struct HINSTANCE__* _t54;
                  				_Unknown_base(*)()* _t72;
                  				intOrPtr* _t79;
                  
                  				_t79 = __ecx;
                  				if( *((intOrPtr*)(__ecx + 0x60)) != 0) {
                  					L18:
                  					return 1;
                  				}
                  				_t3 = _t79 + 0x64; // 0x47e774
                  				E0041BF12(_t3, _a4);
                  				_t54 = LoadLibraryA(_v0);
                  				 *(_t79 + 0x60) = _t54;
                  				if(_t54 == 0) {
                  					L19:
                  					return 0;
                  				}
                  				 *_t79 = GetProcAddress(_t54, "MP3Close");
                  				_t6 = _t79 + 0x60; // 0x0
                  				 *((intOrPtr*)(_t79 + 4)) = GetProcAddress( *_t6, "MP3DeInit");
                  				_t8 = _t79 + 0x60; // 0x0
                  				 *((intOrPtr*)(_t79 + 8)) = GetProcAddress( *_t8, "MP3GetCurrentPos");
                  				_t10 = _t79 + 0x60; // 0x0
                  				 *((intOrPtr*)(_t79 + 0xc)) = GetProcAddress( *_t10, "MP3GetLength");
                  				_t12 = _t79 + 0x60; // 0x0
                  				 *((intOrPtr*)(_t79 + 0x10)) = GetProcAddress( *_t12, "MP3GetMPEG_Args");
                  				_t14 = _t79 + 0x60; // 0x0
                  				 *((intOrPtr*)(_t79 + 0x14)) = GetProcAddress( *_t14, "MP3GetPlayer");
                  				_t16 = _t79 + 0x60; // 0x0
                  				 *((intOrPtr*)(_t79 + 0x18)) = GetProcAddress( *_t16, "MP3GetPlayerMode");
                  				_t18 = _t79 + 0x60; // 0x0
                  				 *((intOrPtr*)(_t79 + 0x1c)) = GetProcAddress( *_t18, "MP3Init");
                  				_t20 = _t79 + 0x60; // 0x0
                  				 *((intOrPtr*)(_t79 + 0x20)) = GetProcAddress( *_t20, "MP3Open");
                  				_t22 = _t79 + 0x60; // 0x0
                  				 *((intOrPtr*)(_t79 + 0x24)) = GetProcAddress( *_t22, "MP3Pause");
                  				_t24 = _t79 + 0x60; // 0x0
                  				 *((intOrPtr*)(_t79 + 0x28)) = GetProcAddress( *_t24, "MP3Play");
                  				_t26 = _t79 + 0x60; // 0x0
                  				 *((intOrPtr*)(_t79 + 0x2c)) = GetProcAddress( *_t26, "MP3SetDevice");
                  				_t28 = _t79 + 0x60; // 0x0
                  				 *((intOrPtr*)(_t79 + 0x30)) = GetProcAddress( *_t28, "MP3SetExternalValues");
                  				_t30 = _t79 + 0x60; // 0x0
                  				 *((intOrPtr*)(_t79 + 0x34)) = GetProcAddress( *_t30, "MP3SetPriority");
                  				_t32 = _t79 + 0x60; // 0x0
                  				 *((intOrPtr*)(_t79 + 0x38)) = GetProcAddress( *_t32, "MP3Stop");
                  				_t34 = _t79 + 0x60; // 0x0
                  				 *((intOrPtr*)(_t79 + 0x40)) = GetProcAddress( *_t34, "MP3Resume");
                  				_t36 = _t79 + 0x60; // 0x0
                  				_t72 = GetProcAddress( *_t36, "MP3Suspend");
                  				 *(_t79 + 0x3c) = _t72;
                  				if( *((intOrPtr*)(_t79 + 0x2c)) == 0 ||  *((intOrPtr*)(_t79 + 0x20)) == 0 ||  *((intOrPtr*)(_t79 + 0x34)) == 0 ||  *((intOrPtr*)(_t79 + 0x28)) == 0 ||  *_t79 == 0 ||  *((intOrPtr*)(_t79 + 0x10)) == 0 ||  *((intOrPtr*)(_t79 + 0x14)) == 0 ||  *((intOrPtr*)(_t79 + 8)) == 0 ||  *((intOrPtr*)(_t79 + 0xc)) == 0 ||  *((intOrPtr*)(_t79 + 0x18)) == 0 ||  *((intOrPtr*)(_t79 + 4)) == 0 ||  *((intOrPtr*)(_t79 + 0x1c)) == 0 ||  *((intOrPtr*)(_t79 + 0x30)) == 0 ||  *((intOrPtr*)(_t79 + 0x24)) == 0 || _t72 == 0 ||  *((intOrPtr*)(_t79 + 0x40)) == 0) {
                  					goto L19;
                  				} else {
                  					goto L18;
                  				}
                  			}








                  APIs
                    • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0221020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                    • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                    • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                  • LoadLibraryA.KERNEL32(00000001,00000001,00000000,0047E880,00418994,00000000,00000000,00000000,00000060,0000005C,0047E1B8,00000001,?,00000000), ref: 0041E6C8
                  • GetProcAddress.KERNEL32(00000000,MP3Close), ref: 0041E6E6
                  • GetProcAddress.KERNEL32(00000000,MP3DeInit), ref: 0041E6F2
                  • GetProcAddress.KERNEL32(00000000,MP3GetCurrentPos), ref: 0041E6FF
                  • GetProcAddress.KERNEL32(00000000,MP3GetLength), ref: 0041E70C
                  • GetProcAddress.KERNEL32(00000000,MP3GetMPEG_Args), ref: 0041E719
                  • GetProcAddress.KERNEL32(00000000,MP3GetPlayer), ref: 0041E726
                  • GetProcAddress.KERNEL32(00000000,MP3GetPlayerMode), ref: 0041E733
                  • GetProcAddress.KERNEL32(00000000,MP3Init), ref: 0041E740
                  • GetProcAddress.KERNEL32(00000000,MP3Open), ref: 0041E74D
                  • GetProcAddress.KERNEL32(00000000,MP3Pause), ref: 0041E75A
                  • GetProcAddress.KERNEL32(00000000,MP3Play), ref: 0041E767
                  • GetProcAddress.KERNEL32(00000000,MP3SetDevice), ref: 0041E774
                  • GetProcAddress.KERNEL32(00000000,MP3SetExternalValues), ref: 0041E781
                  • GetProcAddress.KERNEL32(00000000,MP3SetPriority), ref: 0041E78E
                  • GetProcAddress.KERNEL32(00000000,MP3Stop), ref: 0041E79B
                  • GetProcAddress.KERNEL32(00000000,MP3Resume), ref: 0041E7A8
                  • GetProcAddress.KERNEL32(00000000,MP3Suspend), ref: 0041E7B5
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: AddressProc$Global$AllocLibraryLoadLockUnlock
                  • String ID: MP3Close$MP3DeInit$MP3GetCurrentPos$MP3GetLength$MP3GetMPEG_Args$MP3GetPlayer$MP3GetPlayerMode$MP3Init$MP3Open$MP3Pause$MP3Play$MP3Resume$MP3SetDevice$MP3SetExternalValues$MP3SetPriority$MP3Stop$MP3Suspend
                  • API String ID: 965071145-3235912515
                  • Opcode ID: 20784e80a0a34f3acdc7371813bb123dc37661cd575c96a1689c7c4cf3d30629
                  • Instruction ID: 1619fba8f7bcf3451f2e6772190591f9765ac1e1d8174a758dadbc188b95dfea
                  • Opcode Fuzzy Hash: 20784e80a0a34f3acdc7371813bb123dc37661cd575c96a1689c7c4cf3d30629
                  • Instruction Fuzzy Hash: 9941C875900B55AFCB306F62DC448ABFAE2FE80B01751493FE5C642A60D775A880DF59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040F47A() {
                  				struct tagSIZE _v80;
                  				struct tagSIZE _v88;
                  				intOrPtr _v92;
                  				intOrPtr _v108;
                  				intOrPtr _v112;
                  				void* _v124;
                  				void* _v140;
                  				int _t11;
                  				CHAR* _t18;
                  				intOrPtr _t19;
                  				intOrPtr _t22;
                  				void* _t27;
                  				void* _t39;
                  				void* _t51;
                  				int _t63;
                  				int _t65;
                  				int _t69;
                  
                  				_t11 = SetBkMode( *0x47e184, 1);
                  				_t63 =  *0x47e85c; // 0xe
                  				if(_t63 > 0) {
                  					_t39 = CreateFontA(0x1c, 0x12, 0, 0, 0x258, 0, 0, 0, 1, 0, 0, 2, 0, "Times New Roman");
                  					_v80.cx = _t39;
                  					SelectObject( *0x47e184, _t39);
                  					GetTextExtentPoint32A( *0x47e184, E0041CD1E(0x47e85c),  *0x47e85c,  &_v80);
                  					SetTextColor( *0x47e184,  *0x47e834);
                  					if( *0x47e834 != 0xffffff) {
                  						TextOutA( *0x47e184, 0xc, 0xb, E0041CD1E(0x47e85c),  *0x47e85c);
                  					}
                  					SetTextColor( *0x47e184,  *0x47e830);
                  					TextOutA( *0x47e184, 0xa, 0xa, E0041CD1E(0x47e85c),  *0x47e85c);
                  					_t11 = DeleteObject(_v140);
                  				}
                  				_t65 =  *0x47e868; // 0xc
                  				if(_t65 > 0) {
                  					_t27 = CreateFontA(0x10, 9, 0, 0, 0x2bc, 0, 0, 0, 1, 0, 0, 2, 0, "Times New Roman");
                  					_v80.cx = _t27;
                  					SelectObject( *0x47e184, _t27);
                  					SetTextColor( *0x47e184,  *0x47e83c);
                  					if( *0x47e83c != 0xffffff) {
                  						TextOutA( *0x47e184, 0xc, _v88.cy + 0x10, E0041CD1E(0x47e868),  *0x47e868);
                  					}
                  					SetTextColor( *0x47e184,  *0x47e838);
                  					TextOutA( *0x47e184, 0xa, _v92 + 0xf, E0041CD1E(0x47e868),  *0x47e868);
                  					_t11 = DeleteObject(_v124);
                  				}
                  				_t69 =  *0x47e874; // 0x16
                  				if(_t69 > 0) {
                  					_t51 = CreateFontA(0xe, 8, 0, 0, 0x2bc, 0, 0, 0, 1, 0, 0, 2, 0, "Times New Roman");
                  					SelectObject( *0x47e184, _t51);
                  					GetTextExtentPoint32A( *0x47e184, E0041CD1E(0x47e874),  *0x47e874,  &_v88);
                  					SetTextColor( *0x47e184,  *0x47e840);
                  					_t18 = E0041CD1E(0x47e874);
                  					_t19 =  *0x47e174; // 0x0
                  					_t22 =  *0x47e170; // 0x0
                  					TextOutA( *0x47e184, _t22 - _v112 - 0xa, _t19 - _v108 - 8, _t18,  *0x47e874);
                  					return DeleteObject(_t51);
                  				}
                  				return _t11;
                  			}





















                  APIs
                  • SetBkMode.GDI32(00000001,00000032), ref: 0040F489
                  • CreateFontA.GDI32(0000001C,00000012,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000000,00000000,00000002,00000000,Times New Roman), ref: 0040F4C9
                  • GetTextExtentPoint32A.GDI32(00000000,?,?,0047E850), ref: 0040F4F4
                  • SetTextColor.GDI32(?,0047E850), ref: 0040F506
                  • TextOutA.GDI32(0000000C,0000000B,00000000,?,0047E850), ref: 0040F52F
                  • SetTextColor.GDI32(?,0047E850), ref: 0040F541
                  • TextOutA.GDI32(0000000A,0000000A,00000000,?,0047E850), ref: 0040F55E
                  • DeleteObject.GDI32(?), ref: 0040F568
                  • SelectObject.GDI32(00000000), ref: 0040F4D6
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • CreateFontA.GDI32(00000010,00000009,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000002,00000000,Times New Roman), ref: 0040F594
                  • SelectObject.GDI32(00000000), ref: 0040F5A1
                  • SetTextColor.GDI32(?,0047E850), ref: 0040F5AF
                  • TextOutA.GDI32(0000000C,?,00000000,?,0047E850), ref: 0040F5DE
                  • SetTextColor.GDI32(?,0047E850), ref: 0040F5F0
                  • TextOutA.GDI32(0000000A,?,00000000,?,0047E850), ref: 0040F613
                  • DeleteObject.GDI32(?), ref: 0040F61D
                  • CreateFontA.GDI32(0000000E,00000008,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000002,00000000,Times New Roman), ref: 0040F649
                  • SelectObject.GDI32(00000000), ref: 0040F654
                  • GetTextExtentPoint32A.GDI32(00000000,?,?,0047E850), ref: 0040F674
                  • SetTextColor.GDI32(?,0047E850), ref: 0040F686
                  • TextOutA.GDI32(?,?,00000000,?,0047E850), ref: 0040F6B6
                  • DeleteObject.GDI32(00000000), ref: 0040F6BD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Text$Object$Color$CreateDeleteFontGlobalSelect$ExtentPoint32$AllocLockModeUnlock
                  • String ID: Times New Roman$\G$\G$\G$hG$hG$tG
                  • API String ID: 3925784853-825372909
                  • Opcode ID: e40a0036ea07f2b8a7558271e1f6f941f65df4797eaf26ba6e08b467d0ced6cc
                  • Instruction ID: 99419c99bfa201b0603410c1c4a6b0ae38e5c226678128a219e58409f66074ab
                  • Opcode Fuzzy Hash: e40a0036ea07f2b8a7558271e1f6f941f65df4797eaf26ba6e08b467d0ced6cc
                  • Instruction Fuzzy Hash: CE519030241214BFE7216B63ED4AE5B3F69FB49760F410279F60C621B1CB314895DB6E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E0040C0A9(void* __ecx, struct HWND__* _a4) {
                  				char _v8;
                  				char _v12;
                  				char _v20;
                  				char _v32;
                  				struct HWND__* _t38;
                  				struct HWND__* _t41;
                  				struct HBITMAP__* _t42;
                  				signed char _t63;
                  				long _t64;
                  				void* _t68;
                  				void* _t69;
                  				char _t73;
                  				struct HWND__* _t85;
                  				void* _t100;
                  				void* _t129;
                  
                  				_t38 = _a4;
                  				_t129 = __ecx;
                  				 *(__ecx + 4) = _t38;
                  				if( *0x42bf98 <= 0) {
                  					EnableWindow(GetDlgItem(_t38, 3), 0);
                  				}
                  				if(GetDlgItem( *(_t129 + 4), 0xa) == 0) {
                  					E0041D881("Invalid dialog template or tree-view creation failed.");
                  				}
                  				if(E00424DD9(0x14) == 0) {
                  					_t41 = 0;
                  					__eflags = 0;
                  				} else {
                  					_t41 = E00405EC8(_t40);
                  				}
                  				 *((intOrPtr*)(_t129 + 0xb0)) = _t41;
                  				if(_t41 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				_t42 = LoadBitmapA( *0x47e17c, 0x7f);
                  				E004060B6( *((intOrPtr*)(_t129 + 0xb0)), GetDlgItem( *(_t129 + 4), 0xa), _t42);
                  				_t100 = 0x47e850;
                  				if(( *0x47e193 & 0x00000002) == 0) {
                  					_t100 = 0x47ed2c;
                  				}
                  				SetWindowTextA( *(_t129 + 4), E0041CD1E(_t100));
                  				SetDlgItemTextA( *(_t129 + 4), 3, E0041CD1E(0x47e8a0));
                  				SetDlgItemTextA( *(_t129 + 4), 1, E0041CD1E(0x47e8d0));
                  				SetDlgItemTextA( *(_t129 + 4), 2, E0041CD1E(0x47e8b8));
                  				SetDlgItemTextA( *(_t129 + 4), 0x1e, E0041CD1E(0x47ed38));
                  				SetDlgItemTextA( *(_t129 + 4), 0x21, E0041CD1E(0x47ed44));
                  				SetDlgItemTextA( *(_t129 + 4), 0x1f, E0041CD1E(0x47ed50));
                  				SetDlgItemTextA( *(_t129 + 4), 0x20, E0041CD1E(0x47ed5c));
                  				if(E00419E8A() != 0) {
                  					SetDlgItemTextA( *(_t129 + 4), 1, E0041CD1E(0x47e8c4));
                  				}
                  				_t63 = GetWindowLongA(GetDlgItem( *(_t129 + 4), 0xa), 0xfffffff0);
                  				if(( *0x47e190 & 0x00000020) != 0) {
                  					_t64 = _t63 | 0x00000004;
                  					__eflags = _t64;
                  				} else {
                  					_t64 = _t63 & 0x000000fb;
                  				}
                  				SetWindowLongA(GetDlgItem( *(_t129 + 4), 0xa), 0xfffffff0, _t64);
                  				 *0x47e65c = 4;
                  				E0041BDC5( &_v32);
                  				_t68 = E0041C8FD(0x47e2f0, 0xb8);
                  				_t69 = E0041C8FD(0x47e2f0, 0xb4);
                  				if(E0041CAC5( &_v32, E0041CD1E(0x47e6c8), _t69, _t68) < 0) {
                  					E0041D881("Unknown error");
                  				}
                  				 *0x47e698 = 0;
                  				 *0x47e69c = 0;
                  				 *0x47e6a0 = 0;
                  				 *0x47e6a4 = 0;
                  				 *0x47e6a8 = 0;
                  				 *0x47e6ac = 0;
                  				_a4 = 0;
                  				_t73 = E0041C8FD(0x47e2f0, 0xb0);
                  				_t138 = _t73;
                  				_v12 = 0;
                  				if(_t73 > 0) {
                  					_v8 = _t73;
                  					do {
                  						_t85 = E0040C3A0(_t129, _t138,  &_v32, _a4,  &_v12, 0);
                  						_t30 =  &_v8;
                  						 *_t30 = _v8 - 1;
                  						_a4 = _t85;
                  					} while ( *_t30 != 0);
                  				}
                  				E00406506( *((intOrPtr*)(_t129 + 0xb0)));
                  				E0040629C( *((intOrPtr*)(_t129 + 0xb0)), 0);
                  				_push( &_v20);
                  				E0040C96B(_t129);
                  				if( *0x47e114 != 0) {
                  					SetDlgItemTextA( *(_t129 + 4), 0x41f, E0041CD1E(0x47df68));
                  					E0040EFE7();
                  				}
                  				E0041BEFB( &_v32);
                  				return 1;
                  			}



















                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Item$Text$Window$Long$BitmapEnableLoad
                  • String ID: $G$,G$8G$DG$Invalid dialog template or tree-view creation failed.$PG$PG$Unknown error$\G
                  • API String ID: 3899850823-1744149094
                  • Opcode ID: f1ed27bd11f40985a3ae38480d279baaa47c525fd336369dc1ca43c4ce602c06
                  • Instruction ID: e9724913dde6e49aaf8b8cc420de5cb2d47973a8f667f7f0ac012c5886f2ab73
                  • Opcode Fuzzy Hash: f1ed27bd11f40985a3ae38480d279baaa47c525fd336369dc1ca43c4ce602c06
                  • Instruction Fuzzy Hash: B0610970640305AED720BB76DC86BAA7A99EF44704F00857FF61AA61E2CF7858409A1D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040EFE7() {
                  				void* _v8;
                  				int _v20;
                  				char _v22;
                  				char _v23;
                  				char _v24;
                  				char _v25;
                  				char _v26;
                  				char _v27;
                  				char _v28;
                  				char _v29;
                  				char _v30;
                  				char _v31;
                  				char _v32;
                  				char _v33;
                  				char _v34;
                  				char _v35;
                  				char _v36;
                  				char _v37;
                  				char _v38;
                  				char _v39;
                  				char _v40;
                  				char _v41;
                  				char _v42;
                  				char _v43;
                  				char _v44;
                  				char _v45;
                  				char _v46;
                  				char _v47;
                  				char _v48;
                  				char _v49;
                  				char _v50;
                  				char _v51;
                  				char _v52;
                  				char _v53;
                  				char _v54;
                  				char _v55;
                  				char _v56;
                  				char _v57;
                  				char _v58;
                  				char _v59;
                  				char _v60;
                  				void* _t53;
                  				intOrPtr _t92;
                  
                  				_t92 =  *0x47e114; // 0x0
                  				if(_t92 != 0) {
                  					_t53 = CreateFontA(0x1e, 0, 0x5a, 0x5a, 0x2bc, 0, 0, 0, 0, 0, 0, 0, 0, "Times New Roman");
                  					_v8 = _t53;
                  					SelectObject( *0x47e184, _t53);
                  					SetTextColor( *0x47e184, 0xa0a0a);
                  					TextOutA( *0x47e184, 0xc, 0x6f, E0041CD1E(0x47df68),  *0x47df68);
                  					SetTextColor( *0x47e184, 0xff);
                  					TextOutA( *0x47e184, 0xa, 0x6e, E0041CD1E(0x47df68),  *0x47df68);
                  					_v60 = 0x61;
                  					_v59 = 0x84;
                  					_v58 = 0x6a;
                  					_v57 = 0xb7;
                  					_v56 = 0x15;
                  					_v55 = 0x42;
                  					_v54 = 0x6c;
                  					_v53 = 0x9b;
                  					_v52 = 0xbf;
                  					_v51 = 0x9e;
                  					_v50 = 0xf3;
                  					_v49 = 0x44;
                  					_v48 = 0x75;
                  					_v47 = 0xa2;
                  					_v46 = 0xbb;
                  					_v45 = 0xf2;
                  					_v44 = 0x1e;
                  					_v43 = 0x43;
                  					_v42 = 0x7c;
                  					_v41 = 0x31;
                  					_v40 = 0x94;
                  					_v39 = 0xa;
                  					_v38 = 5;
                  					_v37 = 0x4d;
                  					_v36 = 0x74;
                  					_v35 = 0x3a;
                  					_v34 = 0x1b;
                  					_v33 = 0x48;
                  					_v32 = 0x98;
                  					_v31 = 0x16;
                  					_v30 = 0x63;
                  					_v29 = 0xb2;
                  					_v28 = 0x9f;
                  					_v27 = 0xf4;
                  					_v26 = 0x74;
                  					_v25 = 0xb6;
                  					_v24 = 4;
                  					_v23 = 0x8f;
                  					_v22 = 0xda;
                  					E0041BDC5( &_v20);
                  					E0041C047( &_v20,  &_v60, 0x27);
                  					E0041C2E0( &_v20);
                  					E0041C2E0( &_v20);
                  					SetTextColor( *0x47e184, 0xa0a0a);
                  					TextOutA( *0x47e184, 0x13, 0x8d, E0041CD1E( &_v20), _v20);
                  					SetTextColor( *0x47e184, 0xff);
                  					TextOutA( *0x47e184, 0x11, 0x8c, E0041CD1E( &_v20), _v20);
                  					DeleteObject(_v8);
                  					return E0041BEFB( &_v20);
                  				}
                  				return 0;
                  			}

                  APIs
                  • CreateFontA.GDI32(0000001E,00000000,0000005A,0000005A,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,Times New Roman), ref: 0040F017
                  • SelectObject.GDI32(00000000), ref: 0040F027
                  • SetTextColor.GDI32(000A0A0A), ref: 0040F03E
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • TextOutA.GDI32(0000000C,0000006F,00000000), ref: 0040F061
                  • SetTextColor.GDI32(000000FF), ref: 0040F06F
                  • TextOutA.GDI32(0000000A,0000006E,00000000), ref: 0040F08C
                    • Part of subcall function 0041BDC5: GlobalAlloc.KERNELBASE(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                    • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                    • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                    • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                    • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                    • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                  • SetTextColor.GDI32(000A0A0A,00000061), ref: 0040F15B
                  • TextOutA.GDI32(00000013,0000008D,00000000,?), ref: 0040F176
                  • SetTextColor.GDI32(000000FF), ref: 0040F17F
                  • TextOutA.GDI32(00000011,0000008C,00000000,?), ref: 0040F19A
                  • DeleteObject.GDI32(00000000), ref: 0040F19F
                    • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                    • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$Text$Color$AllocLockUnlock$Object$CreateDeleteFontFreeSelectlstrlen
                  • String ID: 1$:$B$C$D$H$M$Times New Roman$a$c$j$l$t$t$u$|
                  • API String ID: 1504305052-3776954210
                  • Opcode ID: 0898f61e26a57f1fa401cbf66ffe2bfefa2e0da7bd6eb85c7d141dea550474d7
                  • Instruction ID: b96e83faf94bd855eac5d28af4e6b08fe524ba3b2a2faf81bbdc3322f893e8cf
                  • Opcode Fuzzy Hash: 0898f61e26a57f1fa401cbf66ffe2bfefa2e0da7bd6eb85c7d141dea550474d7
                  • Instruction Fuzzy Hash: 295173309043CAEDDB2297B9DC49BDEBF719F26324F4402A9F190361E2C7A50545D77A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 57%
                  			E004203D5(void* __ebx, intOrPtr __ecx) {
                  				char _v16;
                  				signed int _v20;
                  				char _v24;
                  				void* _v28;
                  				int _v32;
                  				intOrPtr _v36;
                  				struct _OSVERSIONINFOA _v184;
                  				int _t77;
                  				signed char _t81;
                  				signed char _t86;
                  				intOrPtr _t92;
                  				intOrPtr _t93;
                  				intOrPtr _t99;
                  				signed int _t105;
                  				signed int _t108;
                  				signed char _t113;
                  				void* _t122;
                  				int _t123;
                  				intOrPtr _t134;
                  				intOrPtr _t135;
                  				intOrPtr _t137;
                  				signed int _t148;
                  				signed int _t149;
                  				signed int _t150;
                  				int* _t151;
                  				char _t153;
                  				void* _t156;
                  				void* _t157;
                  
                  				_t122 = __ebx;
                  				_t151 = 0;
                  				_v36 = __ecx;
                  				E00424500( &_v184, 0, 0x94);
                  				_t157 = _t156 + 0xc;
                  				_v184.dwOSVersionInfoSize = 0x94;
                  				_t77 = GetVersionExA( &_v184);
                  				if(_t77 == 0) {
                  					 *0x47e2c8 =  *0x47e2c8 + 1;
                  					return _t77;
                  				}
                  				_v20 = 0;
                  				E0041BE99( &_v16, 0x47ea14);
                  				E0041BFF8( &_v16, 9);
                  				__eflags = _v184.dwPlatformId;
                  				_t153 = " SP%d";
                  				if(_v184.dwPlatformId != 0) {
                  					__eflags = _v184.dwPlatformId - 1;
                  					if(_v184.dwPlatformId != 1) {
                  						__eflags = _v184.dwPlatformId - 2;
                  						if(_v184.dwPlatformId == 2) {
                  							__eflags = _v184.dwMajorVersion - 5;
                  							if(_v184.dwMajorVersion != 5) {
                  								_push(_v184.dwMinorVersion);
                  								_push(_v184.dwMajorVersion);
                  								E0041C467( &_v16, "Windows NT %d.%d");
                  								_t157 = _t157 + 0x10;
                  							} else {
                  								__eflags = _v184.dwMinorVersion;
                  								if(_v184.dwMinorVersion != 0) {
                  									__eflags = _v184.dwMinorVersion - 1;
                  									_push(0);
                  									if(_v184.dwMinorVersion != 1) {
                  										_push("Windows 2003");
                  									} else {
                  										_push("Windows XP");
                  									}
                  								} else {
                  									_push(0);
                  									_push("Windows 2000");
                  								}
                  								E0041C047( &_v16);
                  							}
                  							_v24 = _t151;
                  							_v32 = 4;
                  							_t105 = RegOpenKeyExA(0x80000002, "System\\CurrentControlSet\\Control\\Windows", _t151, 1,  &_v28);
                  							__eflags = _t105;
                  							if(_t105 == 0) {
                  								_t108 = RegQueryValueExA(_v28, "CSDVersion", _t151, _t151,  &_v24,  &_v32);
                  								__eflags = _t108;
                  								if(_t108 == 0) {
                  									_t113 = _v24;
                  									__eflags = _t113 - 0xff;
                  									_v20 = _t113;
                  									if(_t113 > 0xff) {
                  										__eflags = 0;
                  										_v20 = _t113 & 0x000000ff;
                  									}
                  								}
                  								RegCloseKey(_v28);
                  								__eflags = _v20 - _t151;
                  								if(_v20 > _t151) {
                  									_push(_v20 & 0x0000ffff);
                  									E0041C467( &_v16, _t153);
                  									_t157 = _t157 + 0xc;
                  								}
                  							}
                  						}
                  						goto L27;
                  					}
                  					__eflags = _v184.dwMinorVersion - 0x5a;
                  					if(_v184.dwMinorVersion == 0x5a) {
                  						L10:
                  						_push(_t151);
                  						_push("Windows ME");
                  						L11:
                  						E0041C047( &_v16);
                  						_push(_v184.dwBuildNumber & 0x0000ffff);
                  						_push(_v184.dwMinorVersion);
                  						_push(_v184.dwMajorVersion);
                  						E0041C467( &_v16, " (%d.%d.%d)");
                  						_t157 = _t157 + 0x14;
                  						goto L27;
                  					}
                  					__eflags = _v184.dwMajorVersion - 4;
                  					if(_v184.dwMajorVersion != 4) {
                  						goto L10;
                  					} else {
                  						__eflags = _v184.dwMinorVersion;
                  						_push(0);
                  						if(_v184.dwMinorVersion != 0) {
                  							_push("Windows 98 ");
                  						} else {
                  							_push("Windows 95 ");
                  						}
                  						goto L11;
                  					}
                  				} else {
                  					E0041C047( &_v16, "Windows 32s ", 0);
                  					L27:
                  					__eflags =  *0x47e118 - _t151; // 0x5
                  					_push(_t151);
                  					if(__eflags != 0) {
                  						_push("\tWin ");
                  					} else {
                  						_push("\t-/");
                  					}
                  					E0041C047( &_v16);
                  					_t81 =  *0x47e118; // 0x5
                  					__eflags = _t81 & 0x00000001;
                  					if((_t81 & 0x00000001) == 0) {
                  						__eflags = _t81 & 0x00000002;
                  						if((_t81 & 0x00000002) == 0) {
                  							__eflags = _t81 & 0x00000008;
                  							if((_t81 & 0x00000008) == 0) {
                  								goto L41;
                  							}
                  							_push(_t151);
                  							_push("ME/");
                  							goto L40;
                  						}
                  						__eflags =  *0x47e11c - 0x8ad;
                  						_push(_t151);
                  						if( *0x47e11c <= 0x8ad) {
                  							_push("98/");
                  						} else {
                  							_push("98 SE/");
                  						}
                  						goto L40;
                  					} else {
                  						__eflags =  *0x47e11c - 0x3e8;
                  						_push(_t151);
                  						if( *0x47e11c <= 0x3e8) {
                  							_push("95/");
                  						} else {
                  							_push("95 (OSR2)/");
                  						}
                  						L40:
                  						E0041C047( &_v16);
                  						L41:
                  						__eflags =  *0x47e118 & 0x00000004;
                  						if(( *0x47e118 & 0x00000004) == 0) {
                  							L53:
                  							_push(_t122);
                  							E0041C3A9( &_v16, _v16 - 1, 1);
                  							E0041BFF8( &_v16, 9);
                  							_t86 =  *0x47e118; // 0x5
                  							_t123 = 0;
                  							__eflags = _v184.dwPlatformId - 1;
                  							if(_v184.dwPlatformId != 1) {
                  								L62:
                  								__eflags = _v184.dwPlatformId - 2;
                  								if(_v184.dwPlatformId != 2) {
                  									L71:
                  									__eflags = _t86 - _t151;
                  									if(_t86 == _t151) {
                  										_t123 = 1;
                  									}
                  									__eflags = _t123;
                  									if(__eflags == 0) {
                  										 *0x47e2c0 =  *0x47e2c0 + 1;
                  										__eflags =  *0x47e2c0;
                  										_push(0x47e8dc);
                  									} else {
                  										_push(0x47e8f4);
                  									}
                  									E0041C0C5( &_v16, __eflags);
                  									E0041EEC5(_v36,  &_v16);
                  									return E0041BEFB( &_v16);
                  								}
                  								_t134 =  *0x47e120; // 0x5
                  								_t148 = _t86 & 0x00000004;
                  								__eflags = _t148;
                  								if(_t148 == 0) {
                  									L65:
                  									__eflags = _t148 - _t151;
                  									if(_t148 == _t151) {
                  										goto L71;
                  									}
                  									__eflags = _v184.dwMajorVersion - _t134;
                  									if(_v184.dwMajorVersion != _t134) {
                  										goto L71;
                  									}
                  									_t135 =  *0x47e124; // 0x2
                  									__eflags = _v184.dwMinorVersion - _t135;
                  									if(__eflags > 0) {
                  										L70:
                  										_t123 = 1;
                  										goto L71;
                  									}
                  									if(__eflags != 0) {
                  										goto L71;
                  									}
                  									__eflags = (_v20 & 0x0000ffff) -  *0x47e128; // 0x0
                  									if(__eflags < 0) {
                  										goto L71;
                  									}
                  									goto L70;
                  								}
                  								__eflags = _v184.dwMajorVersion - _t134;
                  								if(_v184.dwMajorVersion > _t134) {
                  									goto L70;
                  								}
                  								goto L65;
                  							}
                  							_t149 = _v184.dwBuildNumber;
                  							_t137 =  *0x47e11c; // 0x0
                  							__eflags = _t86 & 0x00000001;
                  							if((_t86 & 0x00000001) != 0) {
                  								__eflags = (_t149 & 0x0000ffff) - _t137;
                  								if((_t149 & 0x0000ffff) >= _t137) {
                  									_t123 = 1;
                  									_t151 = 0;
                  									__eflags = 0;
                  								}
                  							}
                  							__eflags = _t86 & 0x00000002;
                  							if((_t86 & 0x00000002) == 0) {
                  								goto L71;
                  							} else {
                  								_t150 = _t149 & 0x0000ffff;
                  								__eflags = _t150 - 0x7ce;
                  								if(_t150 < 0x7ce) {
                  									goto L71;
                  								}
                  								__eflags = _t150 - _t137;
                  								if(_t150 < _t137) {
                  									goto L71;
                  								}
                  								__eflags = _v184.dwMinorVersion - 1;
                  								if(_v184.dwMinorVersion < 1) {
                  									goto L71;
                  								}
                  								_t123 = 1;
                  								goto L62;
                  							}
                  						}
                  						__eflags =  *0x47e120 - 5;
                  						if( *0x47e120 != 5) {
                  							E0041C047( &_v16, "NT", _t151);
                  							_t92 =  *0x47e120; // 0x5
                  							__eflags = _t92 - _t151;
                  							if(_t92 != _t151) {
                  								_push( *0x47e124);
                  								_push(_t92);
                  								E0041C467( &_v16, " %d.%d");
                  								_t157 = _t157 + 0x10;
                  							}
                  							L50:
                  							_t93 =  *0x47e128; // 0x0
                  							__eflags = _t93 - _t151;
                  							if(_t93 > _t151) {
                  								_push(_t93);
                  								E0041C467( &_v16, _t153);
                  							}
                  							E0041C047( &_v16, "/", _t151);
                  							goto L53;
                  						}
                  						_t99 =  *0x47e124; // 0x2
                  						__eflags = _t99 - _t151;
                  						if(_t99 != _t151) {
                  							__eflags = _t99 - 1;
                  							if(_t99 != 1) {
                  								goto L50;
                  							}
                  							_push(_t151);
                  							_push("XP");
                  							L45:
                  							E0041C047( &_v16);
                  							goto L50;
                  						}
                  						_push(_t151);
                  						_push("2000");
                  						goto L45;
                  					}
                  				}
                  			}

                  APIs
                  • GetVersionExA.KERNEL32(?,?,00000000,00000001), ref: 00420408
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Version
                  • String ID: -/$Win $ %d.%d$ (%d.%d.%d)$ SP%d$2000$95 (OSR2)/$95/$98 SE/$98/$CSDVersion$ME/$System\CurrentControlSet\Control\Windows$Windows 2000$Windows 2003$Windows 32s $Windows 95 $Windows 98 $Windows ME$Windows NT %d.%d$Windows XP
                  • API String ID: 1889659487-740960729
                  • Opcode ID: 6a0f525bd7985fdb30faff8a1c78a6b5a2a9e847dc414c89a137130ad6e84491
                  • Instruction ID: 2417f0839384a8edb32b0f15c93a5ee3403d1f3a49fea074af27b245caaf526f
                  • Opcode Fuzzy Hash: 6a0f525bd7985fdb30faff8a1c78a6b5a2a9e847dc414c89a137130ad6e84491
                  • Instruction Fuzzy Hash: 55A1BC70F40224AACB20DB42EC46FEF77B9EB95704FA041ABE44562252D7785AC4CE5E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E0041E01C(void* __eflags, struct HWND__* _a4, int _a8, signed char _a11, intOrPtr* _a12) {
                  				int _v8;
                  				long _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				signed int _v24;
                  				void* _v40;
                  				void* _v56;
                  				struct HDC__* _v60;
                  				void* _v64;
                  				int _v68;
                  				int _v72;
                  				int _v76;
                  				signed int _v80;
                  				signed int _v84;
                  				struct _DOCINFOA _v104;
                  				struct tagRECT _v120;
                  				signed int _v124;
                  				signed int _v128;
                  				intOrPtr _v132;
                  				intOrPtr _v136;
                  				signed int _v140;
                  				signed int _v144;
                  				long _v152;
                  				char _v164;
                  				char _v180;
                  				char _v196;
                  				int _t137;
                  				int _t138;
                  				struct HDC__* _t143;
                  				signed int _t151;
                  				long _t157;
                  				struct HDC__* _t166;
                  				intOrPtr* _t171;
                  				int _t195;
                  				int _t196;
                  				struct tagPOINT* _t211;
                  				int _t217;
                  				int _t221;
                  				signed int* _t224;
                  				long _t225;
                  				void* _t226;
                  				void* _t227;
                  
                  				_t195 = _a8;
                  				_v8 = GetDeviceCaps( *(_t195 + 0x10), 0x6e);
                  				_v12 = GetDeviceCaps( *(_t195 + 0x10), 0x6f);
                  				_a8 = GetDeviceCaps( *(_t195 + 0x10), 0x58);
                  				_v16 = GetDeviceCaps( *(_t195 + 0x10), 0x5a);
                  				_t137 = MulDiv(_v8, 0x5a0, _a8);
                  				_v80 = _v80 & 0x00000000;
                  				_v84 = _v84 & 0x00000000;
                  				_v8 = _t137;
                  				_v76 = _t137;
                  				_t138 = MulDiv(_v12, 0x5a0, _v16);
                  				_v140 = _v140 & 0x00000000;
                  				_v144 = _v144 & 0x00000000;
                  				_v72 = _t138;
                  				_v136 = _v8 + 0xfffff4c0;
                  				_v132 = _t138 + 0xfffff4c0;
                  				E0041E814( &_v164);
                  				_v128 = _v128 & 0x00000000;
                  				E00424500( &_v64, 0, 0x30);
                  				_t143 =  *(_t195 + 0x10);
                  				_t227 = _t226 + 0xc;
                  				_v20 = _v20 | 0xffffffff;
                  				_v64 = _t143;
                  				_v60 = _t143;
                  				_v24 = _v128;
                  				_v12 = SendMessageA(_a4, 0xe, 0, 0);
                  				SendMessageA(_a4, 0x439, 0, 0);
                  				SaveDC(_v64);
                  				SetMapMode(_v64, 1);
                  				_v8 =  ~(GetDeviceCaps( *(_t195 + 0x10), 0x70));
                  				_t151 = GetDeviceCaps( *(_t195 + 0x10), 0x71);
                  				_v8 = _v8 + MulDiv(0x5a0, _a8, 0x5a0);
                  				_t217 =  ~_t151 + MulDiv(0x5a0, _v16, 0x5a0);
                  				_v68 = _t217;
                  				SetViewportOrgEx(_v64, _v8, _t217, 0);
                  				_v16 = _v16 | 0xffffffff;
                  				_a11 = 1;
                  				L1:
                  				L1:
                  				if(_a11 == 0) {
                  					_v16 = _v24;
                  				}
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				_a11 = _a11 & 0x00000000;
                  				_v128 = _v24;
                  				_t157 = SendMessageA(_a4, 0x439, 0,  &_v64);
                  				_t70 = _t157 - 1; // -1
                  				_v24 = _t157;
                  				_v124 = _t70;
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				if(_v16 >= _t157) {
                  					goto L6;
                  				}
                  				_t224 = E00424DD9(0x18);
                  				 *_t224 = _v128;
                  				_t224[1] = _v124;
                  				_t80 =  &(_t224[2]); // 0x8
                  				CopyRect(_t80,  &_v120);
                  				E0041E87A( &_v164, _t224, 0xffffffff);
                  				E00427836(_v24,  &_v196, 0xa);
                  				_t225 = _v12;
                  				E00427836(_t225,  &_v180, 0xa);
                  				_t227 = _t227 + 0x18;
                  				if(_v24 != 0xffffffff && _v24 < _t225) {
                  					goto L1;
                  				}
                  				L6:
                  				_t211 = 0;
                  				_v12 = _v152;
                  				SendMessageA(_a4, 0x439, 0, 0);
                  				RestoreDC(_v64, 0xffffffff);
                  				_t221 = 0x14;
                  				E00424500( &_v104, 0, _t221);
                  				_v104.lpszDocName = _a12;
                  				_v104.cbSize = _t221;
                  				_v104.lpszOutput = 0;
                  				_v104.lpszDatatype = 0;
                  				_v104.fwType = 0;
                  				if(StartDocA( *(_t195 + 0x10),  &_v104) != 0xffffffff) {
                  					_t166 =  *(_t195 + 0x10);
                  					_v64 = _t166;
                  					_v60 = _t166;
                  					SaveDC(_t166);
                  					_a8 = 0;
                  					while(1) {
                  						StartPage( *(_t195 + 0x10));
                  						SetMapMode( *(_t195 + 0x10), 1);
                  						SetViewportOrgEx(_v64, _v8, _v68, _t211);
                  						_t171 = E0041E860( &_v164, _a8);
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						_a12 = _t171;
                  						_v24 =  *_t171;
                  						_v20 =  *(_t171 + 4);
                  						_v24 = SendMessageA(_a4, 0x439, 1,  &_v64);
                  						EndPage( *(_t195 + 0x10));
                  						E00424DCE(_a12);
                  						_a8 = _a8 + 1;
                  						if(_a8 >= _v12) {
                  							break;
                  						}
                  						_t211 = 0;
                  					}
                  					RestoreDC(_v64, 0xffffffff);
                  					EndDoc( *(_t195 + 0x10));
                  					SendMessageA(_a4, 0x439, 0, 0);
                  					_t196 = 1;
                  				} else {
                  					_t196 = 0;
                  				}
                  				E0041E841( &_v164);
                  				return _t196;
                  			}


                  APIs
                  • GetDeviceCaps.GDI32(?,0000006E), ref: 0041E036
                  • GetDeviceCaps.GDI32(?,0000006F), ref: 0041E040
                  • GetDeviceCaps.GDI32(?,00000058), ref: 0041E04A
                  • GetDeviceCaps.GDI32(?,0000005A), ref: 0041E054
                  • MulDiv.KERNEL32(?,000005A0,?), ref: 0041E065
                  • MulDiv.KERNEL32(?,000005A0,?), ref: 0041E080
                    • Part of subcall function 0041E814: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0040E8F7,00000000,0042290E,00000000,00000001,00000000,00000000,00000000,0000005C,00000000,00000000,00000000,00000001), ref: 0041E82A
                    • Part of subcall function 0041E814: GlobalLock.KERNEL32 ref: 0041E834
                  • SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 0041E0E9
                  • SendMessageA.USER32(?,00000439,00000000,00000000), ref: 0041E0FE
                  • SaveDC.GDI32(?), ref: 0041E107
                  • SetMapMode.GDI32(?,00000001), ref: 0041E112
                  • GetDeviceCaps.GDI32(000000FF,00000070), ref: 0041E11D
                  • GetDeviceCaps.GDI32(000000FF,00000071), ref: 0041E129
                  • MulDiv.KERNEL32(000005A0,?,000005A0), ref: 0041E134
                  • MulDiv.KERNEL32(000005A0,?,000005A0), ref: 0041E142
                  • SetViewportOrgEx.GDI32(?,?,00000000,00000000), ref: 0041E156
                  • SendMessageA.USER32(?,00000439,00000000,?), ref: 0041E19F
                  • CopyRect.USER32 ref: 0041E1DA
                  • SendMessageA.USER32(?,00000439,00000000,00000000), ref: 0041E238
                  • RestoreDC.GDI32(?,000000FF), ref: 0041E243
                  • StartDocA.GDI32(000000FF,?), ref: 0041E273
                  • SaveDC.GDI32(000000FF), ref: 0041E28F
                  • StartPage.GDI32(000000FF), ref: 0041E29F
                  • SetMapMode.GDI32(000000FF,00000001), ref: 0041E2AA
                  • SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 0041E2BA
                  • SendMessageA.USER32(?,00000439,00000001,?), ref: 0041E2FE
                  • EndPage.GDI32(000000FF), ref: 0041E30A
                  • RestoreDC.GDI32(?,000000FF), ref: 0041E32D
                  • EndDoc.GDI32(000000FF), ref: 0041E336
                  • SendMessageA.USER32(?,00000439,00000000,00000000), ref: 0041E348
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: CapsDeviceMessageSend$GlobalModePageRestoreSaveStartViewport$AllocCopyLockRect
                  • String ID:
                  • API String ID: 54228542-0
                  • Opcode ID: 29e6c191569b3bbdfa7c37b12c6a74977c0f2874edb9c76f228611af02002a36
                  • Instruction ID: 8899b8a3c47762d5e30adf8522a6582b7fb057d6e4100d733f1496dcfd388cca
                  • Opcode Fuzzy Hash: 29e6c191569b3bbdfa7c37b12c6a74977c0f2874edb9c76f228611af02002a36
                  • Instruction Fuzzy Hash: E8B10F71E01218EFDF219FA5DC48B9EBBB5EF05310F10816AF924AA2A0CB719A55CF54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 85%
                  			E00413CFF(void* __edi, void* __eflags, intOrPtr _a4) {
                  				char _v8;
                  				CHAR* _v12;
                  				CHAR* _v16;
                  				struct HINSTANCE__* _v28;
                  				char _v40;
                  				char _v52;
                  				char _v64;
                  				char _v76;
                  				struct _PROCESS_INFORMATION _v92;
                  				struct _STARTUPINFOA _v160;
                  				void _v678;
                  				short _v680;
                  				char _v940;
                  				void* _t90;
                  				void* _t99;
                  				void* _t113;
                  				struct HINSTANCE__* _t121;
                  				struct HINSTANCE__* _t132;
                  				struct HINSTANCE__* _t133;
                  				void* _t135;
                  				void* _t136;
                  				_Unknown_base(*)()* _t139;
                  				struct HINSTANCE__* _t144;
                  				void* _t212;
                  				struct HINSTANCE__* _t221;
                  				long _t222;
                  				void* _t223;
                  
                  				_v8 = 0;
                  				E0041BDC5( &_v28);
                  				_v16 = 0;
                  				if( *((intOrPtr*)(_a4 + 0xc)) > 0) {
                  					do {
                  						_t99 = E0041E860(_a4, _v16);
                  						_t9 = _t99 + 4; // 0x4
                  						_t218 = _t9;
                  						E0041BE99( &_v52, _t9);
                  						if(_t99 != 0) {
                  							E0041BEFB(_t218);
                  							E00424DCE(_t211);
                  						}
                  						GetCurrentDirectoryA(0x104,  &_v940);
                  						E0041BE99( &_v76,  &_v52);
                  						_t212 = E0041C7DB( &_v76, "\\", 0, 1);
                  						_t227 = _t212 - 0xffffffff;
                  						if(_t212 != 0xffffffff) {
                  							(E0041CD1E( &_v76))[_t212] = 0;
                  						}
                  						SetCurrentDirectoryA(E0041CD1E( &_v76));
                  						E0041BE99( &_v40, E0041CC95( &_v52, _v52 + 0xfffffffc, 4));
                  						E0041CD68( &_v40);
                  						_t113 = E0041C1FA( &_v40, _t227, ".TLB", 1);
                  						_t228 = _t113;
                  						if(_t113 != 0) {
                  							L21:
                  							_v680 = 0;
                  							memset( &_v678, 0, 0x81 << 2);
                  							_t223 = _t223 + 0xc;
                  							asm("stosw");
                  							MultiByteToWideChar(0, 0, E0041CD1E( &_v52), 0xffffffff,  &_v680, 0x104);
                  							SetErrorMode(1);
                  							__imp__CoInitialize(0);
                  							_v12 = 0;
                  							_t121 =  &_v680;
                  							__imp__#161(_t121,  &_v12);
                  							__eflags = _t121;
                  							if(_t121 != 0) {
                  								L24:
                  								_v8 = _v8 + 1;
                  								__eflags = _v28;
                  								if(__eflags > 0) {
                  									E0041BFF8( &_v28, 0xa);
                  								}
                  								E0041C0C5( &_v28, __eflags,  &_v52);
                  							} else {
                  								__eflags = _v12;
                  								if(_v12 != 0) {
                  									_t132 =  &_v680;
                  									__imp__#163(_v12, _t132, 0);
                  									_t133 = _v12;
                  									 *((intOrPtr*)(_t133->i + 8))(_t133);
                  									__eflags = _t132;
                  									if(_t132 != 0) {
                  										goto L24;
                  									}
                  								}
                  							}
                  							__imp__CoUninitialize();
                  							SetErrorMode(0);
                  						} else {
                  							_t135 = E0041C1FA( &_v40, _t228, ".OLB", 1);
                  							_t229 = _t135;
                  							if(_t135 != 0) {
                  								goto L21;
                  							} else {
                  								_t136 = E0041C1FA( &_v40, _t229, ".EXE", 1);
                  								_t230 = _t136;
                  								if(_t136 == 0) {
                  									__imp__OleInitialize(0);
                  									_t221 = LoadLibraryA(E0041CD1E( &_v52));
                  									__eflags = _t221;
                  									if(_t221 != 0) {
                  										_t139 = GetProcAddress(_t221, "DllRegisterServer");
                  										__eflags = _t139;
                  										if(_t139 == 0) {
                  											L16:
                  											__eflags = _v28;
                  											if(__eflags > 0) {
                  												E0041C047( &_v28, "\n", 0);
                  											}
                  											E0041C0C5( &_v28, __eflags,  &_v52);
                  											_t46 =  &_v8;
                  											 *_t46 = _v8 + 1;
                  											__eflags =  *_t46;
                  										} else {
                  											_t144 =  *_t139();
                  											__eflags = _t144;
                  											if(_t144 != 0) {
                  												goto L16;
                  											}
                  										}
                  										FreeLibrary(_t221);
                  									} else {
                  										__eflags = _v28;
                  										if(__eflags > 0) {
                  											E0041C047( &_v28, "\n", 0);
                  										}
                  										E0041C0C5( &_v28, __eflags,  &_v52);
                  										_v8 = _v8 + 1;
                  									}
                  									__imp__OleUninitialize();
                  								} else {
                  									E0041BE35( &_v64, "\"");
                  									E0041C0C5( &_v64, _t230,  &_v52);
                  									E0041C047( &_v64, "\" /RegServer", 0);
                  									_t222 = 0x44;
                  									E00424500( &_v160, 0, _t222);
                  									_v160.cb = _t222;
                  									E00424500( &_v92, 0, 0x10);
                  									_t223 = _t223 + 0x18;
                  									CreateProcessA(0, E0041CD1E( &_v64), 0, 0, 0, 0, 0, 0,  &_v160,  &_v92);
                  									Sleep(0x32);
                  									E0041BEFB( &_v64);
                  								}
                  							}
                  						}
                  						SetCurrentDirectoryA( &_v940);
                  						E0041BEFB( &_v40);
                  						E0041BEFB( &_v76);
                  						E0041BEFB( &_v52);
                  						_v16 = _v16 + 1;
                  					} while (_v16 <  *((intOrPtr*)(_a4 + 0xc)));
                  				}
                  				E0041E921(_a4);
                  				if(_v8 > 0) {
                  					_t90 = E0041D46F("<__Internal_RegistrationFailed__>");
                  					_t233 = _t90;
                  					if(_t90 == 0) {
                  						_t90 = E0041CD1E(0x47f0e0);
                  					}
                  					E0041BE35( &_v40, _t90);
                  					E0041CBF9( &_v40, _t233, "<\\n>", "\n", 0, 0, 1);
                  					E0041C047( &_v40, "\n", 0);
                  					E0041C0C5( &_v40, _t233,  &_v28);
                  					E0041B2A8( *0x47e178, E0041CD1E( &_v40), 0);
                  					E0041BEFB( &_v40);
                  				}
                  				return E0041BEFB( &_v28);
                  			}


                  APIs
                    • Part of subcall function 0041BDC5: GlobalAlloc.KERNELBASE(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                    • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                    • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                    • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                  • GetCurrentDirectoryA.KERNEL32(00000104,?,00000004,?,770B8BA0,0047E880,00000000), ref: 00413D5F
                  • SetCurrentDirectoryA.KERNEL32(00000000,0042BC5C,00000000,00000001,?), ref: 00413D9C
                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000001,.TLB,00000001,00000000,?,00000004), ref: 00413E71
                  • LoadLibraryA.KERNEL32(00000000), ref: 00413E9C
                  • GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 00413ED2
                  • FreeLibrary.KERNEL32(00000000,?), ref: 00413F05
                  • OleUninitialize.OLE32 ref: 00413F0B
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104,.TLB,00000001,00000000,?,00000004), ref: 00413F43
                  • SetErrorMode.KERNEL32(00000001), ref: 00413F51
                  • CoInitialize.OLE32(00000000), ref: 00413F54
                  • LoadTypeLib.OLEAUT32(?,?), ref: 00413F68
                  • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00413F82
                  • CoUninitialize.OLE32(?), ref: 00413FB5
                  • SetErrorMode.KERNEL32(00000000), ref: 00413FBC
                    • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                    • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                    • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                    • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                  • SetCurrentDirectoryA.KERNEL32(?), ref: 00413FC5
                  • OleInitialize.OLE32(00000000), ref: 00413E8D
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • Sleep.KERNEL32(00000032), ref: 00413E79
                    • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                    • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLock$CurrentDirectoryUnlock$ErrorFreeInitializeLibraryLoadModeTypeUninitialize$AddressByteCharCreateMultiProcProcessRegisterSleepWidelstrlen
                  • String ID: " /RegServer$.EXE$.OLB$.TLB$<\n>$<__Internal_RegistrationFailed__>$DllRegisterServer
                  • API String ID: 4104066615-2501933237
                  • Opcode ID: 75c37d0b52bb14feb4aa97639a786b202e0c3cf3cc6146b2f471712ea1ac7ff9
                  • Instruction ID: 4537c82b285972284a216b033d865e15a8dd3af8c18363ac8b515f199ec2a324
                  • Opcode Fuzzy Hash: 75c37d0b52bb14feb4aa97639a786b202e0c3cf3cc6146b2f471712ea1ac7ff9
                  • Instruction Fuzzy Hash: DBA11E71940219ABCB14EFA1DC96DEEB778EF14309F50006EF506A3192DF385E86CA69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 69%
                  			E00407300(intOrPtr __ecx, void* __eflags, struct HINSTANCE__* _a4, long* _a8, signed int _a11) {
                  				signed int _v5;
                  				signed int _v6;
                  				signed int _v7;
                  				signed int _v12;
                  				signed int _v16;
                  				intOrPtr _v20;
                  				CHAR* _v24;
                  				char _v36;
                  				char _v48;
                  				char _v60;
                  				char _v72;
                  				char _v84;
                  				unsigned int _t149;
                  				signed int _t151;
                  				long _t162;
                  				struct HWND__* _t169;
                  				long _t171;
                  				long _t173;
                  				long _t175;
                  				void* _t180;
                  				signed int _t185;
                  				intOrPtr _t187;
                  				struct HINSTANCE__* _t188;
                  				signed int _t189;
                  				signed int _t191;
                  				long _t196;
                  				CHAR* _t207;
                  				signed int _t208;
                  				void* _t214;
                  				CHAR* _t220;
                  				void* _t226;
                  				void* _t229;
                  				signed int _t238;
                  				long _t239;
                  				long _t241;
                  				signed int _t256;
                  				intOrPtr _t259;
                  				signed int* _t260;
                  				CHAR* _t261;
                  				CHAR* _t262;
                  				long _t276;
                  				CHAR* _t282;
                  				long _t317;
                  				intOrPtr _t318;
                  				long* _t321;
                  
                  				_t318 = __ecx;
                  				_v20 = __ecx;
                  				if(E00407D82(__ecx) == 0) {
                  					_v16 =  *((intOrPtr*)(__ecx + 0x1c));
                  				} else {
                  					_v16 = _v16 & 0x00000000;
                  				}
                  				if(E00407D82(_t318) == 0) {
                  					_v12 =  *((intOrPtr*)(_t318 + 0x20));
                  				} else {
                  					_v12 = _v12 & 0x00000000;
                  				}
                  				_t321 = _a8;
                  				_v5 = _v5 & 0x00000000;
                  				if(_t321[2] == 6) {
                  					_t261 = "RichEd20.dll";
                  					if(GetModuleHandleA(_t261) != 0 || LoadLibraryA(_t261) != 0) {
                  						_v5 = 1;
                  					} else {
                  						_t262 = "RichEd32.dll";
                  						_t256 = GetModuleHandleA(_t262);
                  						__eflags = _t256;
                  						if(_t256 == 0) {
                  							LoadLibraryA(_t262);
                  						}
                  					}
                  				}
                  				_t317 = _t321[2];
                  				if(_t317 != 0xc) {
                  					_a11 = _a11 & 0x00000000;
                  					_v6 = _v6 & 0x00000000;
                  					_v7 = _v7 & 0x00000000;
                  					__eflags = _t317 - 3;
                  					if(_t317 == 3) {
                  						L25:
                  						_t149 = _t321[1];
                  						_t321[1] = _t149 & 0x7fffffff;
                  						__eflags = _t149 >> 0x0000001f & 0x00000001;
                  						if((_t149 >> 0x0000001f & 0x00000001) != 0) {
                  							__eflags = _t317 - 2;
                  							if(_t317 != 2) {
                  								__eflags = _t317 - 9;
                  								if(_t317 != 9) {
                  									__eflags = _t317 - 6;
                  									if(_t317 != 6) {
                  										_v7 = 1;
                  									}
                  								}
                  							}
                  						}
                  						L30:
                  						__eflags = _t317 - 1;
                  						if(_t317 == 1) {
                  							_t238 = _t321[1];
                  							__eflags = _t238 & 0x80000000;
                  							if((_t238 & 0x80000000) != 0) {
                  								_t239 = _t238 & 0x7fffffff;
                  								__eflags = _t239;
                  								_a11 = _t317;
                  								_t321[1] = _t239;
                  							}
                  						}
                  						__eflags = _t317 - 1;
                  						if(_t317 == 1) {
                  							_push(0);
                  							_push(0);
                  							_t42 =  &(_t321[0xe]); // 0x38
                  							_push("hyperlink:");
                  							_t208 = E0041C6D0(_t42);
                  							__eflags = _t208;
                  							if(_t208 == 0) {
                  								E0041BDC5( &_v84);
                  								E0041BDC5( &_v72);
                  								_t45 =  &(_t321[0xe]); // 0x38
                  								E0041BE99( &_v36, _t45);
                  								E0041C3A9( &_v36, 0, 0xa);
                  								_push(0);
                  								_push(0);
                  								_push("text=\"");
                  								_t214 = E0041C6D0( &_v36);
                  								__eflags = _t214 - 0xffffffff;
                  								if(_t214 != 0xffffffff) {
                  									E0041C3A9( &_v36, 0, _t214 + 6);
                  									_t220 = E0041C6AD( &_v36, 0x22, 0);
                  									__eflags = _t220 - 0xffffffff;
                  									_v24 = _t220;
                  									if(_t220 != 0xffffffff) {
                  										E0041BF80( &_v84, E0041CC95( &_v36, 0, _t220));
                  										E0041C3A9( &_v36, 0,  &(_v24[1]));
                  										_push(0);
                  										_push(0);
                  										_push("link=\"");
                  										_t226 = E0041C6D0( &_v36);
                  										__eflags = _t226 - 0xffffffff;
                  										if(_t226 != 0xffffffff) {
                  											E0041C3A9( &_v36, 0, _t226 + 6);
                  											_t229 = E0041C6AD( &_v36, 0x22, 0);
                  											__eflags = _t229 - 0xffffffff;
                  											if(_t229 != 0xffffffff) {
                  												E0041BF80( &_v72, E0041CC95( &_v36, 0, _t229));
                  												_t62 =  &(_t321[0x11]); // 0x44
                  												_v6 = 1;
                  												E0041BF80(_t62,  &_v72);
                  												_t64 =  &(_t321[0x11]); // 0x44
                  												E0041B3B9(0x47dfb8, _t64, 0x7fffffff);
                  												_t66 =  &(_t321[0xe]); // 0x38
                  												E0041BF80(_t66,  &_v84);
                  											}
                  										}
                  									}
                  								}
                  								E0041BEFB( &_v36);
                  								E0041BEFB( &_v72);
                  								E0041BEFB( &_v84);
                  							}
                  						}
                  						_t151 = _t321[2];
                  						__eflags = _t151 - 6;
                  						_v24 =  *((intOrPtr*)(0x42b920 + _t151 * 4));
                  						if(_t151 == 6) {
                  							__eflags = _v5;
                  							if(_v5 != 0) {
                  								_t207 =  *0x42b954; // 0x42b958
                  								_v24 = _t207;
                  							}
                  						}
                  						_t76 =  &(_t321[0xe]); // 0x38
                  						E0041BE99( &_v48, _t76);
                  						E0041B3B9(0x47dfb8,  &_v48, 0x7fffffff);
                  						E0041A81A(__eflags,  &_v48);
                  						E004164B1(0x47dfb8, __eflags,  &_v48);
                  						E0041BE99( &_v60,  &_v48);
                  						_t162 = _t321[2];
                  						__eflags = _t162 - 7;
                  						if(_t162 == 7) {
                  							L46:
                  							E0041BF12( &_v60, 0x42e0c8);
                  							goto L47;
                  						} else {
                  							__eflags = _t162 - 8;
                  							if(_t162 != 8) {
                  								L47:
                  								_t259 = _v20;
                  								_t91 = _t259 + 4; // 0x7d808b7c
                  								_t169 = CreateWindowExA(_t321[1], _v24, E0041CD1E( &_v60),  *_t321, _t321[5] + _v16, _t321[6] + _v12, _t321[7], _t321[8],  *_t91, _t321[4], _a4, 0);
                  								__eflags = _t169;
                  								_t321[0x14] = _t169;
                  								if(_t169 != 0) {
                  									_t276 = _t321[2];
                  									__eflags = _t276 - 6;
                  									if(_t276 == 6) {
                  										L52:
                  										SendMessageA(_t169, 0xc5, 0x2ffffffe, 0);
                  										L53:
                  										_t171 = _t321[2];
                  										__eflags = _t171 - 7;
                  										if(_t171 == 7) {
                  											L55:
                  											__eflags = _t321[0xe];
                  											if(_t321[0xe] <= 0) {
                  												L59:
                  												_t173 = _t321[2];
                  												__eflags = _t173 - 4;
                  												if(_t173 == 4) {
                  													L61:
                  													__eflags =  *0x47e19c;
                  													if( *0x47e19c == 0) {
                  														L68:
                  														__eflags = _v6;
                  														if(_v6 == 0) {
                  															__eflags = _a11;
                  															_push(0);
                  															if(_a11 == 0) {
                  																_t136 = _t259 + 0x48; // 0x774c085
                  																_push( *_t136);
                  															} else {
                  																_t135 = _t259 + 0x4c; // 0x8244c8b
                  																_push( *_t135);
                  															}
                  															SendMessageA(_t321[0x14], 0x30, ??, ??);
                  														} else {
                  															SetWindowLongA(_t321[0x14], 0xffffffeb, 1);
                  															__eflags = _a11;
                  															_push(0);
                  															if(_a11 == 0) {
                  																_t125 = _t259 + 0x50; // 0xc2244889
                  																_push( *_t125);
                  															} else {
                  																_t124 = _t259 + 0x54; // 0x56530008
                  																_push( *_t124);
                  															}
                  															SendMessageA(_t321[0x14], 0x30, ??, ??);
                  															__eflags =  *(_t259 + 0x9c) & 0x00000001;
                  															if(( *(_t259 + 0x9c) & 0x00000001) == 0) {
                  																_t185 = LoadCursorA(0, 0x7f89);
                  																_t260 = _t259 + 0xa0;
                  																__eflags = _t185;
                  																 *_t260 = _t185;
                  																if(_t185 == 0) {
                  																	 *_t260 = LoadCursorA(_a4, 0x98);
                  																}
                  																_t259 = _v20;
                  															}
                  															 *(_t259 + 0x9c) =  *(_t259 + 0x9c) | 0x00000001;
                  														}
                  														_t175 = _t321[2];
                  														__eflags = _t175 - 6;
                  														if(_t175 != 6) {
                  															__eflags = _t175 - 0xb;
                  															if(_t175 != 0xb) {
                  																goto L86;
                  															}
                  															_push(_t321[0xb]);
                  															_push(0);
                  															_push(0x111d);
                  															goto L85;
                  														} else {
                  															_push(_t321[0xb]);
                  															_push(0);
                  															_push(0x443);
                  															L85:
                  															SendMessageA(_t321[0x14], ??, ??, ??);
                  															L86:
                  															__eflags = _v7;
                  															if(_v7 != 0) {
                  																E00406E4B(_t259, _t321);
                  															}
                  															_push(_t321);
                  															E00406F81();
                  															E00408006(_t321);
                  															E0041BEFB( &_v60);
                  															E0041BEFB( &_v48);
                  															goto L89;
                  														}
                  													}
                  													_t187 =  *0x47e1e0; // 0x6
                  													__eflags = _t187 - 5;
                  													if(__eflags > 0) {
                  														L65:
                  														_t188 = LoadLibraryA("UxTheme.dll");
                  														__eflags = _t188;
                  														if(_t188 != 0) {
                  															_t189 = GetProcAddress(_t188, "SetWindowTheme");
                  															__eflags = _t189;
                  															if(_t189 != 0) {
                  																_t282 = " ";
                  																 *_t189(_t321[0x14], _t282, _t282);
                  															}
                  														}
                  														goto L68;
                  													}
                  													if(__eflags != 0) {
                  														goto L68;
                  													}
                  													__eflags =  *0x47e1e4 - 1;
                  													if( *0x47e1e4 < 1) {
                  														goto L68;
                  													}
                  													goto L65;
                  												}
                  												__eflags = _t173 - 3;
                  												if(_t173 != 3) {
                  													goto L68;
                  												}
                  												goto L61;
                  											}
                  											_v24 = 0;
                  											_push(0);
                  											while(1) {
                  												_t191 = E0041C9D2( &_v48);
                  												__eflags = _t191;
                  												if(_t191 == 0) {
                  													goto L59;
                  												}
                  												E0041BDC5( &_v84);
                  												E0041C92F( &_v48,  &_v24,  &_v84);
                  												_t196 = E0041CD1E( &_v84);
                  												__eflags = _t321[2] - 7;
                  												SendMessageA(_t321[0x14], ((0 | _t321[2] != 0x00000007) - 0x00000001 & 0x0000003d) + 0x143, 0, _t196);
                  												E0041BEFB( &_v84);
                  												_push(_v24);
                  											}
                  											goto L59;
                  										}
                  										__eflags = _t171 - 8;
                  										if(_t171 != 8) {
                  											goto L59;
                  										}
                  										goto L55;
                  									}
                  									__eflags = _t276 - 5;
                  									if(_t276 != 5) {
                  										goto L53;
                  									}
                  									__eflags =  *_t321 & 0x00000004;
                  									if(( *_t321 & 0x00000004) == 0) {
                  										goto L53;
                  									}
                  									goto L52;
                  								}
                  								E0041BEFB( &_v60);
                  								return E0041BEFB( &_v48) | 0xffffffff;
                  							}
                  							goto L46;
                  						}
                  					}
                  					__eflags = _t317 - 4;
                  					if(_t317 == 4) {
                  						goto L25;
                  					}
                  					__eflags = _t317 - 5;
                  					if(_t317 == 5) {
                  						goto L25;
                  					}
                  					__eflags = _t317 - 6;
                  					if(_t317 == 6) {
                  						goto L25;
                  					}
                  					__eflags = _t317 - 2;
                  					if(_t317 == 2) {
                  						goto L25;
                  					}
                  					__eflags = _t317 - 9;
                  					if(_t317 != 9) {
                  						goto L30;
                  					}
                  					goto L25;
                  				} else {
                  					if(E00424DD9(0x2c) == 0) {
                  						_t241 = 0;
                  						__eflags = 0;
                  					} else {
                  						_t241 = E0041EA76(_t240);
                  					}
                  					_t321[0x14] = _t241;
                  					if(_t241 == 0) {
                  						E0041D881(E0041CD1E(0x47e924));
                  					}
                  					asm("sbb eax, eax");
                  					E0041EBAF(_t321[0x14],  *((intOrPtr*)(_t318 + 4)), _t321[5] + _v16, _t321[6] + _v12, _t321[7], _t321[8], _t321[9],  ~( *_t321 & 0x00000001) + 2);
                  					 *(_t318 + 0x13) =  *(_t318 + 0x13) | 0x00000080;
                  					L89:
                  					_t180 = 1;
                  					return _t180;
                  				}
                  			}

                  APIs
                  • GetModuleHandleA.KERNEL32(RichEd20.dll,?,00000000,00000000), ref: 0040734D
                  • LoadLibraryA.KERNEL32(RichEd20.dll), ref: 00407358
                  • GetModuleHandleA.KERNEL32(RichEd32.dll), ref: 0040736E
                  • LoadLibraryA.KERNEL32(RichEd32.dll), ref: 00407379
                  • CreateWindowExA.USER32 ref: 0040763B
                    • Part of subcall function 0041C3A9: GlobalUnlock.KERNEL32(?,00000000,00000000,00421A09,00000000,00000001,0000005C,00000000,00000000,00000000,0000005C,00000000,00000000,0047E490,0047E788,00000000), ref: 0041C3D8
                    • Part of subcall function 0041C3A9: GlobalReAlloc.KERNEL32 ref: 0041C3E5
                    • Part of subcall function 0041C3A9: GlobalLock.KERNEL32 ref: 0041C406
                  • SendMessageA.USER32(00000000,000000C5,2FFFFFFE,00000000), ref: 00407685
                  • SendMessageA.USER32(?,-00000144,00000000,00000000), ref: 004076E4
                  • LoadLibraryA.KERNEL32(UxTheme.dll), ref: 00407723
                  • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 00407733
                  • SetWindowLongA.USER32 ref: 00407756
                  • SendMessageA.USER32(?,00000030,C2244889,00000000), ref: 00407771
                  • LoadCursorA.USER32 ref: 00407783
                    • Part of subcall function 0041BF80: GlobalUnlock.KERNEL32(?,00000000,00000000,004079C1,00000000), ref: 0041BF87
                    • Part of subcall function 0041BF80: GlobalReAlloc.KERNEL32 ref: 0041BF9B
                    • Part of subcall function 0041BF80: GlobalLock.KERNEL32 ref: 0041BFBC
                  • LoadCursorA.USER32 ref: 0040779D
                  • SendMessageA.USER32(?,00000030,0774C085,00000000), ref: 004077C6
                  • SendMessageA.USER32(?,0000111D,00000000,?), ref: 004077EE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$LoadMessageSend$Library$AllocCursorHandleLockModuleUnlockWindow$AddressCreateLongProc
                  • String ID: $G$RichEd20.dll$RichEd32.dll$SetWindowTheme$UxTheme.dll$hyperlink:$link="$text="
                  • API String ID: 177784201-3124033326
                  • Opcode ID: 4ee4922ab18f7ac4cef60481175f6aba00ff1f9fe77b4889e2f26e4254a1ce61
                  • Instruction ID: a4660ac1969131d1af0a58f9a131e4f7bdd23c77902d1825a1c3448cfc6067af
                  • Opcode Fuzzy Hash: 4ee4922ab18f7ac4cef60481175f6aba00ff1f9fe77b4889e2f26e4254a1ce61
                  • Instruction Fuzzy Hash: FFF1D070E04205ABDB24EBA5CC81BEEB7B5EF04304F10442EF542B66E1DB78B945CB5A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E00415DC6(void* __ecx, void* __eflags) {
                  				long _v8;
                  				char _v20;
                  				char _v32;
                  				char _v44;
                  				char _v56;
                  				char _v68;
                  				struct _PROCESS_INFORMATION _v84;
                  				struct _STARTUPINFOA _v152;
                  				void _v411;
                  				char _v412;
                  				CHAR* _t64;
                  				signed int _t84;
                  				CHAR* _t85;
                  				CHAR* _t100;
                  				signed int _t103;
                  				long _t139;
                  				void* _t140;
                  				void* _t146;
                  				void* _t149;
                  				void* _t150;
                  				void* _t152;
                  
                  				_t146 = __eflags;
                  				DestroyWindow( *0x47e178);
                  				E0041A81A(_t146, 0x47e61c);
                  				_t100 = 0;
                  				_t103 = 0x40;
                  				_v412 = 0;
                  				memset( &_v411, 0, _t103 << 2);
                  				asm("stosw");
                  				asm("stosb");
                  				GetModuleFileNameA(0,  &_v412, 0x104);
                  				E0041BE35( &_v32,  &_v412);
                  				if(E0041C7DB( &_v32, "\\", 0, 1) != 0xffffffff) {
                  					E0041C3A9( &_v32, _t53 + 1, _v32 - _t53 - 1);
                  				}
                  				_t139 = 0x44;
                  				E00424500( &_v152, _t100, _t139);
                  				_v152.cb = _t139;
                  				E00424500( &_v84, _t100, 0x10);
                  				E0041BDC5( &_v20);
                  				_push(E0041CD1E(0x47e61c));
                  				E0041C467( &_v20, "\"%s\"");
                  				_t149 =  *0x47f27c - _t100; // 0x1
                  				if(_t149 != 0) {
                  					E0041C047( &_v20, " /silent", _t100);
                  				}
                  				_t150 =  *0x47f2d5 - _t100; // 0x0
                  				if(_t150 != 0) {
                  					E0041C047( &_v20, " /revert", _t100);
                  				}
                  				_t64 = E0041CD1E( &_v32);
                  				if(CreateProcessA(_t100, E0041CD1E( &_v20), _t100, _t100, _t100, 0x4000000, _t100, _t64,  &_v152,  &_v84) != 0) {
                  					WaitForSingleObject(_v84.hProcess, 0xffffffff);
                  					Sleep(0x32);
                  					_t140 = 0;
                  					__eflags =  *0x47e640 - _t100; // 0x0
                  					if(__eflags <= 0) {
                  						L11:
                  						E0041BE99( &_v68, 0x47e628);
                  						E0041C047( &_v68, "\\installer", _t100);
                  						RemoveDirectoryA(E0041CD1E( &_v68));
                  						E0041BE99( &_v44, 0x47e628);
                  						E0041C047( &_v44, "\\slideshow", _t100);
                  						RemoveDirectoryA(E0041CD1E( &_v44));
                  						E0041BE99( &_v56, 0x47e628);
                  						E0041C047( &_v56, "\\3rd-party", _t100);
                  						RemoveDirectoryA(E0041CD1E( &_v56));
                  						RemoveDirectoryA(E0041CD1E(0x47e628));
                  						_v8 = _t100;
                  						GetExitCodeProcess(_v84.hProcess,  &_v8);
                  						_t84 = CloseHandle(_v84);
                  						__eflags = _v8 - _t100;
                  						_t85 = _t84 & 0xffffff00 | _v8 != _t100;
                  						__eflags =  *0x47f2d5 - _t100; // 0x0
                  						if(__eflags == 0) {
                  							_t100 = _t85;
                  						} else {
                  							__eflags = _t85 - _t100;
                  							_t100 = _t100 & 0xffffff00 | _t85 == _t100;
                  						}
                  						E0041BEFB( &_v56);
                  						E0041BEFB( &_v44);
                  						E0041BEFB( &_v68);
                  						goto L15;
                  					} else {
                  						goto L10;
                  					}
                  					do {
                  						L10:
                  						DeleteFileA(E0041CD1E(E0041E860(0x47e634, _t140)));
                  						_t140 = _t140 + 1;
                  						__eflags = _t140 -  *0x47e640; // 0x0
                  					} while (__eflags < 0);
                  					goto L11;
                  				} else {
                  					_t152 =  *0x47f27c - _t100; // 0x1
                  					if(_t152 == 0) {
                  						E0041B2A8(_t100, "Failed to launch installer. (CreateProcess failed)", _t100);
                  					}
                  					L15:
                  					E0041BEFB( &_v20);
                  					E0041BEFB( &_v32);
                  					return _t100;
                  				}
                  			}

                  APIs
                  • DestroyWindow.USER32(00000000,0047DFB8,00000000), ref: 00415DDA
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,0047E61C), ref: 00415E11
                    • Part of subcall function 0041BE35: lstrlenA.KERNEL32(00000000,0047DFB8,0047F2B8,0041B2F4,Astrum Installer,00000000,0047DFB8,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000), ref: 0041BE49
                    • Part of subcall function 0041BE35: GlobalAlloc.KERNEL32(00000042,00000000,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 0041BE54
                    • Part of subcall function 0041BE35: GlobalLock.KERNEL32 ref: 0041BE75
                    • Part of subcall function 0041C7DB: lstrlenA.KERNEL32(0047DFB8,00000000,0047DE94,0042BC5C,0042BC5C,00000000,00000001,0047E6C8,?,0047DFB8), ref: 0041C7E9
                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000000,00000000,00000000,?,?,?,?,?,?,?,0042BC5C), ref: 00415EE9
                    • Part of subcall function 0041C3A9: GlobalUnlock.KERNEL32(?,00000000,00000000,00421A09,00000000,00000001,0000005C,00000000,00000000,00000000,0000005C,00000000,00000000,0047E490,0047E788,00000000), ref: 0041C3D8
                    • Part of subcall function 0041C3A9: GlobalReAlloc.KERNEL32 ref: 0041C3E5
                    • Part of subcall function 0041C3A9: GlobalLock.KERNEL32 ref: 0041C406
                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,0042BC5C,00000000,00000001,?), ref: 00415F1A
                  • Sleep.KERNEL32(00000032,?,?,?,?,?,0042BC5C,00000000,00000001,?), ref: 00415F22
                  • DeleteFileA.KERNEL32(00000000,00000000,?,?,?,?,?,0042BC5C,00000000,00000001,?), ref: 00415F45
                  • RemoveDirectoryA.KERNEL32(00000000,\installer,00000000,0047E628,?,?,?,?,?,0042BC5C,00000000,00000001,?), ref: 00415F7F
                  • RemoveDirectoryA.KERNEL32(00000000,\slideshow,00000000,0047E628,?,?,?,?,?,0042BC5C,00000000,00000001,?), ref: 00415FA1
                  • RemoveDirectoryA.KERNEL32(00000000,\3rd-party,00000000,0047E628,?,?,?,?,?,0042BC5C,00000000,00000001,?), ref: 00415FC3
                  • RemoveDirectoryA.KERNEL32(00000000,?,?,?,?,?,0042BC5C,00000000,00000001,?), ref: 00415FD0
                  • GetExitCodeProcess.KERNEL32 ref: 00415FDC
                  • CloseHandle.KERNEL32(?,?,?,?,?,?,0042BC5C,00000000,00000001,?), ref: 00415FE5
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$DirectoryRemove$AllocLock$FileProcessUnlocklstrlen$CloseCodeCreateDeleteDestroyExitHandleModuleNameObjectSingleSleepWaitWindow
                  • String ID: /revert$ /silent$"%s"$(G$(G$4G$Failed to launch installer. (CreateProcess failed)$\3rd-party$\installer$\slideshow
                  • API String ID: 2727010560-1226287940
                  • Opcode ID: 5398187f917318cc6776e3c3fdb12b5de82adc2cc83cb376463ad335155050c8
                  • Instruction ID: c84c90120c8cb0b02637a7889d897b933ea34145bef4a6e03f7a32fae6314024
                  • Opcode Fuzzy Hash: 5398187f917318cc6776e3c3fdb12b5de82adc2cc83cb376463ad335155050c8
                  • Instruction Fuzzy Hash: EC518171940219AADB14FBA5EC96DFF7B3CEF14748F50406FB105A2092DF781D86CA68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E00408768(struct HWND__* _a4, intOrPtr _a8, struct HDC__* _a12, signed int _a16) {
                  				signed int _v5;
                  				RECT* _v12;
                  				struct tagRECT _v28;
                  				intOrPtr _t163;
                  				void* _t167;
                  				void* _t169;
                  				void* _t170;
                  				void* _t172;
                  				void* _t174;
                  				void* _t176;
                  				intOrPtr _t180;
                  				void* _t183;
                  				signed int* _t184;
                  				void* _t185;
                  				long _t192;
                  				intOrPtr _t198;
                  				char* _t210;
                  				intOrPtr _t213;
                  				intOrPtr _t218;
                  				intOrPtr _t226;
                  				void* _t227;
                  				intOrPtr _t233;
                  				void* _t234;
                  				void* _t235;
                  				unsigned int _t237;
                  				void* _t238;
                  				void* _t239;
                  				struct HWND__* _t240;
                  				void* _t241;
                  				intOrPtr _t251;
                  				intOrPtr _t253;
                  				RECT* _t268;
                  				RECT* _t269;
                  				void* _t270;
                  				void* _t271;
                  				intOrPtr* _t272;
                  				void* _t273;
                  
                  				_t233 = _a8;
                  				if(_t233 == 0x112 && _a12 == 1) {
                  					_t240 = _a4;
                  					EnableWindow(_t240, 0);
                  					DialogBoxParamA( *0x47e17c, 0x72, _t240, E00405955, 0);
                  					EnableWindow(_t240, 1);
                  					SetForegroundWindow(_t240);
                  					return 0;
                  				}
                  				_t272 = E00407E63(_a4);
                  				_pop(_t241);
                  				if(_t272 == 0) {
                  					_t272 =  *0x47df64;
                  				}
                  				if(( *0x47e18c & 0x80000000) == 0) {
                  					L9:
                  					if(_t272 != 0) {
                  						if(_t233 != 0x14) {
                  							if(_t233 != 0x402) {
                  								L23:
                  								if(_a8 != 0xf) {
                  									L30:
                  									_t163 = _a8;
                  									_t234 = 0x133;
                  									if(_t163 != 0x133) {
                  										_t234 = 0x134;
                  										if(_t163 != 0x134) {
                  											if(_t163 != 0x138) {
                  												if(_t163 != 0x135) {
                  													if(_t163 != 0x201) {
                  														_t268 = 0;
                  														L58:
                  														if(_a8 != 0x200) {
                  															L73:
                  															if(_a8 != 0x20) {
                  																if(_a8 != 6) {
                  																	L83:
                  																	if(_a8 != 0x111) {
                  																		if(_a8 == 0x10) {
                  																			return SendMessageA(_a4, 0x111, 2, _t268);
                  																		}
                  																		if(_a8 == 0x110 || _a8 == 0x4e || _a8 == 0xf || _a8 == 0x113) {
                  																			L93:
                  																			_t167 = _a8 - 0xf;
                  																			if(_t167 == 0) {
                  																				_t169 =  *((intOrPtr*)( *_t272 + 0x14))(_a12, _a16);
                  																			} else {
                  																				_t172 = _t167 - 0x3f;
                  																				if(_t172 == 0) {
                  																					_t169 =  *((intOrPtr*)( *_t272 + 0x10))(_a12, _a16);
                  																				} else {
                  																					_t174 = _t172 - 0xc2;
                  																					if(_t174 == 0) {
                  																						_t169 =  *((intOrPtr*)( *_t272 + 8))(_a4, _a12, _a16);
                  																					} else {
                  																						_t176 = _t174 - 1;
                  																						if(_t176 == 0) {
                  																							_t169 =  *((intOrPtr*)( *_t272 + 4))(_a12, _a16);
                  																						} else {
                  																							_push(_a16);
                  																							_t180 =  *_t272;
                  																							_push(_a12);
                  																							if(_t176 == 0) {
                  																								_t169 =  *((intOrPtr*)(_t180 + 0x18))();
                  																							} else {
                  																								_t169 =  *((intOrPtr*)(_t180 + 0xc))(_a8);
                  																							}
                  																						}
                  																					}
                  																				}
                  																			}
                  																			if(_t169 != 0) {
                  																				L14:
                  																				_t170 = 1;
                  																				return _t170;
                  																			} else {
                  																				goto L105;
                  																			}
                  																		} else {
                  																			L105:
                  																			_push(_a16);
                  																			_push(_a12);
                  																			_push(_a8);
                  																			L11:
                  																			return DefWindowProcA(_a4, ??, ??, ??);
                  																		}
                  																	}
                  																	E00408E91(_t272);
                  																	_v5 = _v5 & 0x00000000;
                  																	_t183 = E00408658(_t272, _a12, _a16,  &_v5);
                  																	if(_v5 == 0) {
                  																		goto L93;
                  																	}
                  																	return _t183;
                  																}
                  																if(_a12 != _t268) {
                  																	goto L105;
                  																}
                  																_t118 = _t272 + 0x9c; // 0x9c
                  																_t184 = _t118;
                  																if(( *(_t272 + 0x9c) & 0x00000002) == 0) {
                  																	goto L105;
                  																}
                  																 *_t184 =  *_t184 & 0xfffffffd;
                  																 *(_t272 + 0x98) = _t268;
                  																_t235 = 0;
                  																if( *((intOrPtr*)(_t272 + 0x7c)) <= _t268) {
                  																	goto L105;
                  																} else {
                  																	goto L80;
                  																}
                  																do {
                  																	L80:
                  																	_t121 = _t272 + 0x70; // 0x70
                  																	_t185 = E0041E860(_t121, _t235);
                  																	_t251 =  *((intOrPtr*)(_t185 + 0x28));
                  																	if( *((intOrPtr*)(_t185 + 0x24)) != _t251) {
                  																		 *((intOrPtr*)(_t185 + 0x24)) = _t251;
                  																		InvalidateRect( *(_t185 + 0x50), _t268, _t268);
                  																	}
                  																	_t235 = _t235 + 1;
                  																} while (_t235 <  *((intOrPtr*)(_t272 + 0x7c)));
                  																goto L83;
                  															}
                  															if(( *(_t272 + 0x9c) & 0x00000002) == 0) {
                  																goto L105;
                  															}
                  															SetCursor( *(_t272 + 0xa0));
                  															goto L14;
                  														}
                  														if(( *(_t272 + 0x9c) & 0x00000001) == 0) {
                  															goto L105;
                  														}
                  														_v12 = _t268;
                  														_t237 = _a16 >> 0x10;
                  														 *(_t272 + 0x98) = _t268;
                  														_v5 =  *(_t272 + 0x98) != _t268;
                  														 *(_t272 + 0x9c) =  *(_t272 + 0x9c) & 0xfffffffd;
                  														if( *((intOrPtr*)(_t272 + 0x7c)) <= _t268) {
                  															L70:
                  															if( *(_t272 + 0x98) != 0 || _v5 == 0) {
                  																goto L105;
                  															} else {
                  																SetCursor( *(_t272 + 0xa4));
                  																_t268 = 0;
                  																goto L73;
                  															}
                  														} else {
                  															goto L61;
                  														}
                  														do {
                  															L61:
                  															_t75 = _t272 + 0x70; // 0x70
                  															_t269 = E0041E860(_t75, _v12);
                  															if( *((intOrPtr*)(_t269 + 0x44)) > 0 && IsWindowVisible( *(_t269 + 0x50)) != 0) {
                  																_t192 =  *(_t269 + 0x14);
                  																_t253 =  *((intOrPtr*)(_t269 + 0x18));
                  																_v28.left = _t192;
                  																_push(_t237);
                  																_v28.bottom =  *((intOrPtr*)(_t269 + 0x20)) + _t253;
                  																_v28.top = _t253;
                  																_v28.right =  *((intOrPtr*)(_t269 + 0x1c)) + _t192;
                  																if(PtInRect( &_v28, _a16 & 0x0000ffff) == 0) {
                  																	_t198 =  *((intOrPtr*)(_t269 + 0x28));
                  																	if( *((intOrPtr*)(_t269 + 0x24)) == _t198) {
                  																		goto L69;
                  																	}
                  																	 *((intOrPtr*)(_t269 + 0x24)) = _t198;
                  																	L68:
                  																	InvalidateRect( *(_t269 + 0x50), 0, 0);
                  																	goto L69;
                  																}
                  																 *(_t272 + 0x9c) =  *(_t272 + 0x9c) | 0x00000002;
                  																 *(_t272 + 0x98) = _t269;
                  																if( *((intOrPtr*)(_t269 + 0x24)) !=  *((intOrPtr*)(_t269 + 0x28))) {
                  																	goto L69;
                  																}
                  																SetCursor( *(_t272 + 0xa0));
                  																 *((intOrPtr*)(_t269 + 0x24)) = 0xff;
                  																 *((intOrPtr*)(_t269 + 0x28)) =  *((intOrPtr*)(_t269 + 0x24));
                  																goto L68;
                  															}
                  															L69:
                  															_v12 =  &(_v12->left);
                  														} while (_v12 <  *((intOrPtr*)(_t272 + 0x7c)));
                  														goto L70;
                  													}
                  													if(( *(_t272 + 0x9c) & 0x00000002) == 0) {
                  														goto L105;
                  													}
                  													_t203 =  *(_t272 + 0x98);
                  													_t268 = 0;
                  													if( *(_t272 + 0x98) == 0) {
                  														goto L105;
                  													}
                  													ShellExecuteA(0, "open", E0041CD1E(_t203 + 0x44), 0, 0, 3);
                  													goto L58;
                  												}
                  												_t273 = E004070D7(_t272, _a16);
                  												if(_t273 == 0) {
                  													goto L105;
                  												}
                  												SetTextColor(_a12,  *(_t273 + 0x24));
                  												L52:
                  												SetBkMode(_a12, 1);
                  												L36:
                  												return  *((intOrPtr*)(_t273 + 0x54));
                  											}
                  											_t48 = _t272 + 0xac; // 0xac
                  											_t210 = _t48;
                  											if( *((char*)(_t272 + 0xac)) == 0) {
                  												 *_t210 = 1;
                  											}
                  											_t273 = E004070D7(_t272, _a16);
                  											if(_t273 == 0) {
                  												goto L105;
                  											} else {
                  												SetTextColor(_a12,  *(_t273 + 0x24));
                  												_t213 =  *((intOrPtr*)(_t273 + 8));
                  												if(_t213 == 5 || _t213 == 6) {
                  													L35:
                  													SetBkColor(_a12,  *(_t273 + 0x2c));
                  													goto L36;
                  												} else {
                  													goto L52;
                  												}
                  											}
                  										}
                  										_t273 = E004070D7(_t272, _a16);
                  										if(_t273 == 0) {
                  											goto L105;
                  										}
                  										if( *((intOrPtr*)(_t273 + 8)) != 7 ||  *((intOrPtr*)(_t273 + 0x54)) == 0) {
                  											goto L10;
                  										} else {
                  											L34:
                  											SetTextColor(_a12,  *(_t273 + 0x24));
                  											goto L35;
                  										}
                  									}
                  									_t273 = E004070D7(_t272, _a16);
                  									if(_t273 == 0) {
                  										goto L105;
                  									}
                  									_t218 =  *((intOrPtr*)(_t273 + 8));
                  									if(_t218 == 5 || _t218 == 6) {
                  										goto L34;
                  									} else {
                  										goto L10;
                  									}
                  								}
                  								if(( *(_t272 + 0x13) & 0x00000080) == 0) {
                  									goto L93;
                  								}
                  								_t238 = 0;
                  								if( *((intOrPtr*)(_t272 + 0x7c)) <= 0) {
                  									goto L93;
                  								}
                  								_t32 = _t272 + 0x70; // 0x70
                  								_t270 = _t32;
                  								do {
                  									if( *((intOrPtr*)(E0041E860(_t270, _t238) + 8)) == 0xc) {
                  										E0041ED05( *((intOrPtr*)(E0041E860(_t270, _t238) + 0x50)));
                  									}
                  									_t238 = _t238 + 1;
                  								} while (_t238 <  *((intOrPtr*)(_t272 + 0x7c)));
                  								goto L30;
                  							}
                  							if(( *(_t272 + 0x10) & 0x80000000) == 0) {
                  								goto L105;
                  							}
                  							_t271 = 0;
                  							if( *((intOrPtr*)(_t272 + 0x7c)) <= 0) {
                  								goto L105;
                  							} else {
                  								goto L19;
                  							}
                  							do {
                  								L19:
                  								_t19 = _t272 + 0x70; // 0x70
                  								_t239 = E0041E860(_t19, _t271);
                  								if( *((intOrPtr*)(_t239 + 8)) == 0xc &&  *((intOrPtr*)(_t239 + 0x10)) == _a16) {
                  									E0041EE7E( *((intOrPtr*)(_t239 + 0x50)), _a12);
                  									E0041ED05( *((intOrPtr*)(_t239 + 0x50)));
                  								}
                  								_t271 = _t271 + 1;
                  							} while (_t271 <  *((intOrPtr*)(_t272 + 0x7c)));
                  							goto L23;
                  						}
                  						if( *((char*)(_t272 + 0xac)) != 0) {
                  							goto L105;
                  						}
                  						goto L14;
                  					}
                  					L10:
                  					_push(_a16);
                  					_push(_a12);
                  					_push(_t234);
                  					goto L11;
                  				}
                  				_t226 = 0;
                  				if(_t272 != 0) {
                  					_t226 =  *((intOrPtr*)(_t272 + 0x14));
                  				}
                  				_t227 = E004241D8(_t241, _a4, _t233, _a12, _a16, _t226);
                  				if(_t227 != 0) {
                  					return _t227;
                  				} else {
                  					goto L9;
                  				}
                  			}
                  0x00408a9d
                  0x00408aa4
                  0x00408ab0
                  0x00000000
                  0x00000000
                  0x00408ab8
                  0x00408ac1
                  0x00408ac8
                  0x00000000
                  0x00408ac8
                  0x00408ae5
                  0x00408ae5
                  0x00408aeb
                  0x00000000
                  0x00408a49
                  0x004089d3
                  0x00000000
                  0x00000000
                  0x004089d9
                  0x004089df
                  0x004089e3
                  0x00000000
                  0x00000000
                  0x004089fc
                  0x00000000
                  0x004089fc
                  0x0040899f
                  0x004089a3
                  0x00000000
                  0x00000000
                  0x004089af
                  0x004089b5
                  0x004089ba
                  0x00408903
                  0x00000000
                  0x00408903
                  0x0040894c
                  0x0040894c
                  0x00408952
                  0x00408954
                  0x00408954
                  0x00408961
                  0x00408965
                  0x00000000
                  0x0040896b
                  0x00408971
                  0x00408977
                  0x0040897d
                  0x004088f7
                  0x004088fd
                  0x00000000
                  0x0040898c
                  0x00000000
                  0x0040898c
                  0x0040897d
                  0x00408965
                  0x0040891e
                  0x00408922
                  0x00000000
                  0x00000000
                  0x0040892c
                  0x00000000
                  0x0040893c
                  0x004088eb
                  0x004088f1
                  0x00000000
                  0x004088f1
                  0x0040892c
                  0x004088d0
                  0x004088d4
                  0x00000000
                  0x00000000
                  0x004088da
                  0x004088e0
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x004088e0
                  0x00408882
                  0x00000000
                  0x00000000
                  0x00408888
                  0x0040888d
                  0x00000000
                  0x00000000
                  0x00408893
                  0x00408893
                  0x00408896
                  0x004088a2
                  0x004088af
                  0x004088af
                  0x004088b4
                  0x004088b5
                  0x00000000
                  0x00408896
                  0x00408835
                  0x00000000
                  0x00000000
                  0x0040883b
                  0x00408840
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00408846
                  0x00408846
                  0x00408847
                  0x0040884f
                  0x00408855
                  0x00408865
                  0x0040886d
                  0x0040886d
                  0x00408872
                  0x00408873
                  0x00000000
                  0x00408846
                  0x0040881a
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0040881a
                  0x004087fc
                  0x004087fc
                  0x004087ff
                  0x00408802
                  0x00000000
                  0x00408802
                  0x004087d8
                  0x004087dc
                  0x004087de
                  0x004087de
                  0x004087ec
                  0x004087f6
                  0x00408827
                  0x00000000
                  0x00000000
                  0x00000000

                  APIs
                  • EnableWindow.USER32(?,00000000), ref: 0040878E
                  • DialogBoxParamA.USER32 ref: 004087A0
                  • EnableWindow.USER32(?,00000001), ref: 004087A9
                  • SetForegroundWindow.USER32(?), ref: 004087AC
                  • DefWindowProcA.USER32(00000007,00000134,?,?,?,00000400,00000112,00000000), ref: 00408806
                  • SetTextColor.GDI32(?,?), ref: 004088F1
                  • SetBkColor.GDI32(?,?), ref: 004088FD
                  • SetTextColor.GDI32(?,?), ref: 00408971
                  • SetTextColor.GDI32(?,?), ref: 004089AF
                  • SetBkMode.GDI32(?,00000001), ref: 004089BA
                  • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000003), ref: 004089FC
                  • IsWindowVisible.USER32(?), ref: 00408A63
                  • PtInRect.USER32(?,?,?), ref: 00408A93
                  • SetCursor.USER32(?), ref: 00408AB8
                  • InvalidateRect.USER32(?,00000000,00000000), ref: 00408ADF
                  • SetCursor.USER32(?,?), ref: 00408B11
                  • SetCursor.USER32(?), ref: 00408B32
                  • InvalidateRect.USER32(?,00000000,00000000,00000000), ref: 00408B8D
                  • SendMessageA.USER32(?,00000111,00000002,00000000), ref: 00408BFA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Window$Color$CursorRectText$EnableInvalidate$DialogExecuteForegroundMessageModeParamProcSendShellVisible
                  • String ID: N$open
                  • API String ID: 3906583626-904208323
                  • Opcode ID: 793b6bc99f52ec241c5777074f5b58d0a80f154596fac2008537b918d8063120
                  • Instruction ID: ff61c556d1a4f47141abc3fa5068174e258a9013b54a303101cef0423bcc2c65
                  • Opcode Fuzzy Hash: 793b6bc99f52ec241c5777074f5b58d0a80f154596fac2008537b918d8063120
                  • Instruction Fuzzy Hash: 32E1AF31500605EFDB319F25CA48AAB7BB1FF08710F00843EE996666A1CB39EC51DF69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 92%
                  			E00413748(struct HWND__* _a4, intOrPtr _a8, char _a12, char _a13, char _a14, char _a15, CHAR* _a16) {
                  				char _v16;
                  				char _v28;
                  				char _v44;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v88;
                  				CHAR* _v92;
                  				int _v96;
                  				intOrPtr _v108;
                  				struct HWND__* _v116;
                  				struct tagOFNA _v120;
                  				void* _t65;
                  				CHAR* _t66;
                  				int _t83;
                  				signed int _t89;
                  				void* _t93;
                  				void* _t95;
                  				signed int _t99;
                  				void* _t101;
                  				int _t118;
                  				intOrPtr _t127;
                  				int _t130;
                  				int _t140;
                  				CHAR* _t146;
                  				intOrPtr _t152;
                  				intOrPtr _t155;
                  				char* _t160;
                  				intOrPtr _t161;
                  				intOrPtr _t166;
                  				void* _t171;
                  				intOrPtr _t180;
                  				void* _t187;
                  				struct HWND__* _t191;
                  				int _t192;
                  				CHAR* _t193;
                  				struct tagOFNA _t194;
                  
                  				_t65 = _a8 - 0x110;
                  				if(_t65 == 0) {
                  					_t66 = E0041CD1E(0x47e8e8);
                  					_t191 = _a4;
                  					SetDlgItemTextA(_t191, 1, _t66);
                  					SetDlgItemTextA(_t191, 4, E0041CD1E(0x47e8ac));
                  					SetDlgItemTextA(_t191, 2, E0041CD1E(0x47e8b8));
                  					 *0x47f2a4 = _a16;
                  					SetWindowTextA(_t191, E0041CD1E(0x47e700));
                  					E0041BDC5( &_v16);
                  					_t152 =  *0x47f2a4; // 0x0
                  					_push(E0041CD1E(_t152));
                  					E0041C467( &_v16, E0041CD1E(0x47ee4c));
                  					E0041BFF8( &_v16, 0x20);
                  					_t155 =  *0x47f2a4; // 0x0
                  					_a12 = E0041BFE3(_t155, 0);
                  					_a13 = 0x3a;
                  					_a14 = 0x5c;
                  					_a15 = 0;
                  					_t83 = GetDriveTypeA( &_a12);
                  					__eflags = _t83 - 3;
                  					if(__eflags == 0) {
                  						L20:
                  						_push(0x47ee64);
                  						L21:
                  						E0041C0C5( &_v16, __eflags);
                  						E0041BFF8( &_v16, 0x20);
                  						E0041C0C5( &_v16, __eflags, 0x47ee70);
                  						SetDlgItemTextA(_t191, 0x42a, E0041CD1E( &_v16));
                  						_t160 =  &_v16;
                  						L22:
                  						_t89 = E0041BEFB(_t160);
                  						L23:
                  						return (_t89 & 0xffffff00 | _a8 == 0x00000110) & 0x000000ff;
                  					}
                  					__eflags = _t83 - 4;
                  					if(__eflags == 0) {
                  						goto L20;
                  					}
                  					_push(0x47ee58);
                  					goto L21;
                  				}
                  				_t89 = _t65 - 1;
                  				if(_t89 != 0) {
                  					goto L23;
                  				}
                  				_t93 = (_a12 & 0x0000ffff) - 1;
                  				if(_t93 == 0) {
                  					_t161 =  *0x47f2a4; // 0x0
                  					_t95 = E0040DF52(E0041CD1E(_t161));
                  					__eflags = _t95;
                  					if(_t95 != 0) {
                  						_t192 = 1;
                  						EndDialog(_a4, _t192);
                  						L12:
                  						return _t192;
                  					}
                  					_t89 = E0041B2CC(0x47dfb8, _a4, E0041CD1E(0x47ee7c), 0, 0);
                  					goto L23;
                  				}
                  				_t99 = _t93 - 1;
                  				if(_t99 == 0) {
                  					EndDialog(_a4, 0);
                  					_t101 = 1;
                  					return _t101;
                  				}
                  				_t89 = _t99;
                  				if(_t89 != 0) {
                  					goto L23;
                  				}
                  				_t193 = E00424DD9(0x104);
                  				_a16 = _t193;
                  				if(_t193 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				E00424500(_t193, 0, 0x104);
                  				_t166 =  *0x47f2a4; // 0x0
                  				lstrcatA(_t193, E0041CD1E(_t166));
                  				_t194 = 0x4c;
                  				E00424500( &_v120, 0, _t194);
                  				_v120 = _t194;
                  				_v116 = _a4;
                  				E0041BE35( &_v16, "Astrum Installer package #");
                  				E00427836( *0x42bf9c,  &_v44, 0xa);
                  				E0041C047( &_v16,  &_v44, 0);
                  				E0041C047( &_v16, " (*.", 0);
                  				E0041BDC5( &_v28);
                  				_a12 = 0;
                  				_t118 = lstrlenA( &_v44);
                  				_t171 = 3;
                  				if(_t171 == _t118) {
                  					L9:
                  					E0041C047( &_v28,  &_v44, 0);
                  					E0041C0C5( &_v16, _t210,  &_v28);
                  					E0041C047( &_v16, 0x42c1f4, 4);
                  					E0041C0C5( &_v16, _t210,  &_v28);
                  					E0041C047( &_v16, 0x47f2b0, 2);
                  					_t127 = E0041CD1E( &_v16);
                  					_t146 = _a16;
                  					_t192 = 1;
                  					_v108 = _t127;
                  					_v96 = _t192;
                  					_v92 = _t146;
                  					_v88 = 0x104;
                  					_v68 = 0x1804;
                  					_v72 = E0041CD1E(0x47ee88);
                  					_t130 = GetOpenFileNameA( &_v120);
                  					_push(_t146);
                  					if(_t130 != 0) {
                  						_t180 =  *0x47f2a4; // 0x0
                  						E0041BF12(_t180);
                  						E00424DCE(_t146);
                  						EndDialog(_a4, _t192);
                  						E0041BEFB( &_v28);
                  						E0041BEFB( &_v16);
                  						goto L12;
                  					}
                  					E00424DCE();
                  					E0041BEFB( &_v28);
                  					_t160 =  &_v16;
                  					goto L22;
                  				} else {
                  					do {
                  						E0041BFF8( &_v28, 0x30);
                  						_a12 = _a12 + 1;
                  						_t140 = lstrlenA( &_v44);
                  						_t187 = 3;
                  						_t210 = _a12 - _t187 - _t140;
                  					} while (_a12 < _t187 - _t140);
                  					goto L9;
                  				}
                  			}

                  APIs
                  • lstrcatA.KERNEL32(00000000,00000000), ref: 004137C0
                  • lstrlenA.KERNEL32(?, (*.,00000000,?,00000000), ref: 00413831
                  • lstrlenA.KERNEL32(?,00000030), ref: 0041384B
                  • EndDialog.USER32(?,00000001), ref: 00413902
                    • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                    • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                  • GetOpenFileNameA.COMDLG32(?,0047F2B0,00000002,?,0042C1F4,00000004,?,?,00000000), ref: 004138CC
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • EndDialog.USER32(?,00000000), ref: 00413924
                  • SetDlgItemTextA.USER32 ref: 0041398F
                  • SetDlgItemTextA.USER32 ref: 0041399F
                  • SetDlgItemTextA.USER32 ref: 004139AF
                  • SetWindowTextA.USER32(?,00000000), ref: 004139C5
                  • GetDriveTypeA.KERNEL32(?,00000000,00000020), ref: 00413A20
                  • SetDlgItemTextA.USER32 ref: 00413A6A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: GlobalText$Item$DialogUnlocklstrlen$AllocDriveFileFreeLockNameOpenTypeWindowlstrcat
                  • String ID: (*.$$G$:$Astrum Installer package #$LG$\$|G$G
                  • API String ID: 1704251759-1853225045
                  • Opcode ID: 26e77d59309514d4294a95995032ecbbd080c6fb48c5b310bc7d7efad43cac87
                  • Instruction ID: fc77d3e9e13320066b9983e77b152ba6fdb0cba62896dbaa18d01fc9fa2dd16e
                  • Opcode Fuzzy Hash: 26e77d59309514d4294a95995032ecbbd080c6fb48c5b310bc7d7efad43cac87
                  • Instruction Fuzzy Hash: 4E91D571940209AADB14EFA2EC86EEE7B78EF44344F50402FF501A7192DF785A85CB59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 99%
                  			E0041425E(void* __edx, char _a4) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				struct _MEMORYSTATUS _v48;
                  				signed int _t38;
                  				signed int _t45;
                  				intOrPtr _t47;
                  				intOrPtr _t51;
                  				intOrPtr _t55;
                  				signed int _t59;
                  				intOrPtr _t61;
                  				intOrPtr _t62;
                  				intOrPtr _t70;
                  				intOrPtr _t76;
                  				intOrPtr _t77;
                  				signed int _t79;
                  				void* _t86;
                  				signed short _t98;
                  				signed int _t101;
                  				void* _t109;
                  				void* _t111;
                  				intOrPtr* _t112;
                  				signed int _t113;
                  				struct HDC__* _t114;
                  				struct HDC__* _t115;
                  				struct HDC__* _t116;
                  
                  				_t109 = __edx;
                  				_t112 = _a4;
                  				if( *_t112 == 0) {
                  					L44:
                  					__eflags = 0;
                  					return 0;
                  				}
                  				if(E0041BFE3(_t112, 0) == 0x3c) {
                  					__eflags =  *0x47e4dc; // 0x8
                  					_a4 = 0;
                  					_t111 = 1;
                  					if(__eflags <= 0) {
                  						L6:
                  						_t88 = _t112;
                  						__eflags = E0041C1FA(_t112, __eflags, "<CPUSpeed>", _t111);
                  						if(__eflags == 0) {
                  							_t89 = _t112;
                  							__eflags = E0041C1FA(_t112, __eflags, "<CPUType>", _t111);
                  							if(__eflags == 0) {
                  								_t90 = _t112;
                  								__eflags = E0041C1FA(_t112, __eflags, "<CPUFlags>", _t111);
                  								if(__eflags == 0) {
                  									__eflags = E0041C1FA(_t112, __eflags, "<LanguageID>", _t111);
                  									if(__eflags == 0) {
                  										__eflags = E0041C1FA(_t112, __eflags, "<OSBuild>", _t111);
                  										if(__eflags == 0) {
                  											__eflags = E0041C1FA(_t112, __eflags, "<CurXRes>", _t111);
                  											if(__eflags == 0) {
                  												__eflags = E0041C1FA(_t112, __eflags, "<CurYRes>", _t111);
                  												if(__eflags == 0) {
                  													__eflags = E0041C1FA(_t112, __eflags, "<CurBPP>", _t111);
                  													if(__eflags == 0) {
                  														__eflags = E0041C1FA(_t112, __eflags, "<RAM>", _t111);
                  														if(__eflags == 0) {
                  															_t38 = E0041C1FA(_t112, __eflags, "<DirectXVer>", _t111);
                  															__eflags = _t38;
                  															if(_t38 == 0) {
                  																goto L44;
                  															}
                  															_t98 =  *0x47e6f4; // 0x9
                  															__eflags = _t98 - 0xffffffff;
                  															if(_t98 == 0xffffffff) {
                  																_t98 = E0041FEF9();
                  																 *0x47e6f4 = _t98;
                  															}
                  															return _t98 >> 0x00000010 | (_t98 & 0x0000ffff) << 0x00000010;
                  														}
                  														_t101 =  *0x47e6f0; // 0xffffffff
                  														__eflags = _t101 - 0xffffffff;
                  														if(_t101 == 0xffffffff) {
                  															_v48.dwLength = 0x20;
                  															GlobalMemoryStatus( &_v48);
                  															_t101 = _v48.dwTotalPhys >> 0x14;
                  															_t45 = _t101;
                  															_t113 = 2;
                  															asm("cdq");
                  															 *0x47e6f0 = _t101;
                  															__eflags = _t45 % _t113;
                  															if(_t45 % _t113 != 0) {
                  																_t101 = _t101 + 1;
                  																__eflags = _t101;
                  																 *0x47e6f0 = _t101;
                  															}
                  														}
                  														return _t101;
                  													}
                  													__eflags =  *0x47e6ec - 0xffffffff;
                  													if( *0x47e6ec == 0xffffffff) {
                  														_t114 = GetDC( *0x47e178);
                  														 *0x47e6ec = GetDeviceCaps(_t114, 0xc);
                  														ReleaseDC( *0x47e178, _t114);
                  													}
                  													_t47 =  *0x47e6ec; // 0xffffffff
                  													return _t47;
                  												}
                  												__eflags =  *0x47e6e8 - 0xffffffff;
                  												if( *0x47e6e8 == 0xffffffff) {
                  													_t115 = GetDC( *0x47e178);
                  													 *0x47e6e8 = GetDeviceCaps(_t115, 0xa);
                  													ReleaseDC( *0x47e178, _t115);
                  												}
                  												_t51 =  *0x47e6e8; // 0xffffffff
                  												return _t51;
                  											}
                  											__eflags =  *0x47e6e4 - 0xffffffff;
                  											if( *0x47e6e4 == 0xffffffff) {
                  												_t116 = GetDC( *0x47e178);
                  												 *0x47e6e4 = GetDeviceCaps(_t116, 8);
                  												ReleaseDC( *0x47e178, _t116);
                  											}
                  											_t55 =  *0x47e6e4; // 0xffffffff
                  											return _t55;
                  										}
                  										_t59 =  *0x47e1e8; // 0x23f0
                  										return _t59 & 0x0000ffff;
                  									}
                  									_t61 =  *0x47e60c; // 0x0
                  									return _t61;
                  								}
                  								__eflags =  *0x47e6dc - 0xffffffff;
                  								if( *0x47e6dc == 0xffffffff) {
                  									E004066E0(_t90, _t109,  &_v12,  &_a4,  &_v8,  &_v16);
                  									 *0x47e6dc = _a4;
                  									 *0x47e6e0 = _v8;
                  								}
                  								_t62 =  *0x47e6e0; // 0xffffffff
                  								return _t62;
                  							}
                  							_t70 =  *0x47e6dc; // 0xffffffff
                  							__eflags = _t70 - 0xffffffff;
                  							if(_t70 != 0xffffffff) {
                  								L45:
                  								return _t70;
                  							}
                  							E004066E0(_t89, _t109,  &_v16,  &_a4,  &_v8,  &_v12);
                  							_t76 = _a4;
                  							 *0x47e6dc = _t76;
                  							 *0x47e6e0 = _v8;
                  							return _t76;
                  						}
                  						_t70 =  *0x47e6d8; // 0xffffffff
                  						__eflags = _t70 - 0xffffffff;
                  						if(__eflags != 0) {
                  							goto L45;
                  						}
                  						_t77 = E00406C98(_t88, __eflags);
                  						 *0x47e6d8 = _t77;
                  						return _t77;
                  					} else {
                  						goto L4;
                  					}
                  					while(1) {
                  						L4:
                  						_t86 = E0041E860(0x47e4d0, _a4);
                  						_t79 = E0041C176(_t86, __eflags, _t112, _t111);
                  						__eflags = _t79;
                  						if(_t79 != 0) {
                  							break;
                  						}
                  						_a4 = _a4 + 1;
                  						__eflags = _a4 -  *0x47e4dc; // 0x8
                  						if(__eflags < 0) {
                  							continue;
                  						}
                  						goto L6;
                  					}
                  					__eflags =  *((intOrPtr*)(_t86 + 0x10)) - 0xffffffff;
                  					if(__eflags != 0) {
                  						E0041AACD(0x47dfb8, __eflags, _a4);
                  					}
                  					return  *((intOrPtr*)(_t86 + 0x54));
                  				}
                  				return E00424FC3(_t112, E0041CD1E(_t112));
                  			}

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLockUnlock
                  • String ID: $<CPUFlags>$<CPUSpeed>$<CPUType>$<CurBPP>$<CurXRes>$<CurYRes>$<DirectXVer>$<LanguageID>$<OSBuild>$<RAM>
                  • API String ID: 3972497268-815162245
                  • Opcode ID: bcd4e52eb266c46fd5636fc65d7aca031b21fa9503f878899f2192197056ed69
                  • Instruction ID: 3105dd021db19612d1c9d2ca186850fd31b29f9c8cd7eefb7947060dc7c6eec1
                  • Opcode Fuzzy Hash: bcd4e52eb266c46fd5636fc65d7aca031b21fa9503f878899f2192197056ed69
                  • Instruction Fuzzy Hash: 1F81D730600214ABDB14DF2AEC459EE3775EB99714B90437BF916AB2D1C73C89C28B8D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E00409446(struct HWND__* _a4) {
                  				char _v16;
                  				void* _t42;
                  				struct HWND__* _t60;
                  
                  				_t60 = _a4;
                  				if( *0x42bf98 <= 0) {
                  					EnableWindow(GetDlgItem(_t60, 3), 0);
                  				}
                  				_t42 = 0x47e850;
                  				if(( *0x47e193 & 0x00000002) == 0) {
                  					_t42 = 0x47e930;
                  				}
                  				SetWindowTextA(_t60, E0041CD1E(_t42));
                  				E0041BDC5( &_v16);
                  				_push(E0041CD1E(0x47e350));
                  				_push(E0041CD1E(0x47e350));
                  				E0041C467( &_v16, E0041CD1E(0x47e93c));
                  				SetDlgItemTextA(_t60, 0xa, E0041CD1E( &_v16));
                  				SetDlgItemTextA(_t60, 0xb, E0041CD1E(0x47e948));
                  				SetDlgItemTextA(_t60, 0xc, E0041CD1E(0x47e954));
                  				SetDlgItemTextA(_t60, 0xd, E0041CD1E(0x47e960));
                  				SetDlgItemTextA(_t60, 0xe, E0041CD1E(0x47e96c));
                  				SetDlgItemTextA(_t60, 3, E0041CD1E(0x47e8a0));
                  				SetDlgItemTextA(_t60, 1, E0041CD1E(0x47e8d0));
                  				SetDlgItemTextA(_t60, 2, E0041CD1E(0x47e8b8));
                  				if(E00419E8A() != 0) {
                  					SetDlgItemTextA(_t60, 1, E0041CD1E(0x47e8c4));
                  				}
                  				if( *0x47e114 != 0) {
                  					SetDlgItemTextA(_t60, 0x41f, E0041CD1E(0x47df68));
                  					E0040EFE7();
                  				}
                  				E0041BEFB( &_v16);
                  				return 1;
                  			}

                  APIs
                  Strings
                  Similarity
                  • API ID: ItemText$Window$Enable
                  • String ID: 0G$<G$HG$PG$PG$TG$`G$lG
                  • API String ID: 43940206-1470656634
                  • Opcode ID: 9e0cf94691ae7aae7209686407adddb972dc44465b93ee7827a8b19faa09c670
                  • Instruction ID: 6f7eff01a6f98409c8fd215d112adea29b7d19b614916cbc6a3e109e305d1433
                  • Opcode Fuzzy Hash: 9e0cf94691ae7aae7209686407adddb972dc44465b93ee7827a8b19faa09c670
                  • Instruction Fuzzy Hash: 8E3194B1A4010976E61573665C96FFE1A5E8B85B48F10817FB606B61C3CF6C0882967E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E00409637(intOrPtr __ecx, struct HWND__* _a4) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				signed char _v23;
                  				long _v24;
                  				intOrPtr _v28;
                  				char _v40;
                  				char _v52;
                  				CHAR* _t54;
                  				void* _t73;
                  				CHAR* _t74;
                  				intOrPtr _t86;
                  				void* _t99;
                  				intOrPtr _t105;
                  				struct HWND__* _t115;
                  				void* _t119;
                  				void* _t123;
                  				intOrPtr _t156;
                  				void* _t157;
                  				void* _t158;
                  				intOrPtr _t165;
                  				void* _t169;
                  
                  				_v28 = __ecx;
                  				if( *0x42bf98 <= 0) {
                  					EnableWindow(GetDlgItem(_a4, 3), 0);
                  				}
                  				_t119 = 0x47e850;
                  				if(( *0x47e193 & 0x00000002) == 0) {
                  					_t119 = 0x47e978;
                  				}
                  				_t54 = E0041CD1E(_t119);
                  				_t115 = _a4;
                  				SetWindowTextA(_t115, _t54);
                  				SetDlgItemTextA(_t115, 0xa, E0041CD1E(0x47e984));
                  				SetDlgItemTextA(_t115, 0xb, E0041CD1E(0x47e990));
                  				SetDlgItemTextA(_t115, 3, E0041CD1E(0x47e8a0));
                  				_t123 = 0x47e8f4;
                  				if( *0x47e6c0 == 0) {
                  					_t123 = 0x47e8d0;
                  				}
                  				SetDlgItemTextA(_t115, 1, E0041CD1E(_t123));
                  				SetDlgItemTextA(_t115, 2, E0041CD1E(0x47e8b8));
                  				E0041BDC5( &_v52);
                  				if(E0041C8FD(0x47e2f0, 0x30) == 0) {
                  					L22:
                  					_v24 = GetWindowLongA(GetDlgItem(_a4, 0xc), 0xfffffff0);
                  					SendMessageA(GetDlgItem(_a4, 0xc), 0xcf, 0, 0);
                  					_t73 = E004070D7(_v28, GetDlgItem(_a4, 0xc));
                  					if(_t73 == 0 ||  *((intOrPtr*)(_t73 + 8)) != 6 || ( *0x47e191 & 0x00000001) != 0) {
                  						_t74 = E0041CD1E( &_v52);
                  						SetWindowTextA(GetDlgItem(_a4, 0xc), _t74);
                  					} else {
                  						E0041D8DA( *((intOrPtr*)(_t73 + 0x50)),  &_v52);
                  					}
                  					if((_v23 & 0x00000008) != 0) {
                  						SendMessageA(GetDlgItem(_a4, 0xc), 0xcf, 1, 0);
                  					}
                  					if( *0x47e114 != 0) {
                  						SetDlgItemTextA(_a4, 0x41f, E0041CD1E(0x47df68));
                  						E0040EFE7();
                  					}
                  					goto L31;
                  				} else {
                  					_v8 = E0041C8FD(0x47e2f0, 0x34);
                  					_t86 = E0041C8FD(0x47e2f0, 0x38);
                  					_t156 = 0;
                  					_v24 = _t86;
                  					if(_v8 == 0) {
                  						L31:
                  						E0041BEFB( &_v52);
                  						return 1;
                  					}
                  					_t165 = _t86;
                  					if(_t165 == 0) {
                  						goto L31;
                  					}
                  					_v12 = 0;
                  					if(_t165 <= 0) {
                  						goto L22;
                  					}
                  					while(1) {
                  						E0041BDC5( &_v40);
                  						if(E0041CAC5( &_v40, E0041CD1E(0x47e6c8), _v8 + _t156, 4) < 0) {
                  							break;
                  						}
                  						_t157 = _t156 + 4;
                  						_v20 = E0041C8FD( &_v40, 0);
                  						_t99 = E0041CAC5( &_v40, E0041CD1E(0x47e6c8), _v8 + _t157, 4);
                  						_push(0);
                  						if(_t99 < 0) {
                  							L20:
                  							_push(E0041CD1E(0x47e99c));
                  							_push(_a4);
                  							E0041B2A8();
                  							E0041BEFB( &_v40);
                  							goto L31;
                  						}
                  						_v16 = E0041C8FD( &_v40);
                  						_t158 = _t157 + 4;
                  						if(E0041CAC5( &_v40, E0041CD1E(0x47e6c8), _v8 + _t158, _t100) < 0) {
                  							break;
                  						}
                  						_t105 = _v20;
                  						_t156 = _t158 + _v16;
                  						_t169 = _t105 -  *0x47e60c; // 0x0
                  						if(_t169 == 0) {
                  							E0041BF80( &_v52,  &_v40);
                  							E0041BEFB( &_v40);
                  							goto L22;
                  						}
                  						if(_t105 == 0) {
                  							E0041BF80( &_v52,  &_v40);
                  						}
                  						E0041BEFB( &_v40);
                  						_v12 = _v12 + 1;
                  						if(_v12 < _v24) {
                  							continue;
                  						} else {
                  							goto L22;
                  						}
                  					}
                  					_push(0);
                  					goto L20;
                  				}
                  			}

                  APIs
                  • GetDlgItem.USER32 ref: 00409659
                  • EnableWindow.USER32(00000000), ref: 0040965C
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                    • Part of subcall function 0041CAC5: CreateFileA.KERNELBASE(0047DFB8,80000000,00000001,00000000,00000003,00000080,00000000,747DFBD0,0047E2F0,00000000,?,0047DFB8), ref: 0041CAE5
                  • SetWindowTextA.USER32(?,00000000), ref: 0040967F
                  • SetDlgItemTextA.USER32 ref: 00409699
                  • SetDlgItemTextA.USER32 ref: 004096A9
                  • SetDlgItemTextA.USER32 ref: 004096B9
                  • SetDlgItemTextA.USER32 ref: 004096D7
                  • SetDlgItemTextA.USER32 ref: 004096E7
                  • GetDlgItem.USER32 ref: 00409838
                  • GetWindowLongA.USER32 ref: 0040983B
                  • GetDlgItem.USER32 ref: 00409853
                  • SendMessageA.USER32(00000000), ref: 0040985C
                  • GetDlgItem.USER32 ref: 00409863
                  • GetDlgItem.USER32 ref: 0040989F
                  • SetWindowTextA.USER32(00000000), ref: 004098A2
                    • Part of subcall function 0041BF80: GlobalUnlock.KERNEL32(?,00000000,00000000,004079C1,00000000), ref: 0041BF87
                    • Part of subcall function 0041BF80: GlobalReAlloc.KERNEL32 ref: 0041BF9B
                    • Part of subcall function 0041BF80: GlobalLock.KERNEL32 ref: 0041BFBC
                  • GetDlgItem.USER32 ref: 004098B8
                  • SendMessageA.USER32(00000000), ref: 004098BB
                  • SetDlgItemTextA.USER32 ref: 004098D9
                  Strings
                  Similarity
                  • API ID: Item$Text$Global$Window$AllocLockMessageSendUnlock$CreateEnableFileLong
                  • String ID: PG$xG
                  • API String ID: 3181886133-570473810
                  • Opcode ID: c42083a09af4f97d8826f838adace99b710d5d26bb73f142417c0969db62e7a4
                  • Instruction ID: deb672f3dba8153a638bbbe562cc6a0016075999e4d0a6927899504e7a5f6053
                  • Opcode Fuzzy Hash: c42083a09af4f97d8826f838adace99b710d5d26bb73f142417c0969db62e7a4
                  • Instruction Fuzzy Hash: E971A271A40208AAEB10FB62CD96FEE7B69AF44344F10447FF605B62D2CF795D41CA68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E0040B314(struct HWND__* _a4) {
                  				char _v16;
                  				CHAR* _t22;
                  				void* _t52;
                  				struct HWND__* _t72;
                  
                  				_t72 = _a4;
                  				if( *0x42bf98 <= 0) {
                  					EnableWindow(GetDlgItem(_t72, 3), 0);
                  				}
                  				_t52 = 0x47e850;
                  				if(( *0x47e193 & 0x00000002) == 0) {
                  					_t52 = 0x47ec00;
                  				}
                  				SetWindowTextA(_t72, E0041CD1E(_t52));
                  				SetDlgItemTextA(_t72, 3, E0041CD1E(0x47e8a0));
                  				SetDlgItemTextA(_t72, 1, E0041CD1E(0x47e8d0));
                  				SetDlgItemTextA(_t72, 2, E0041CD1E(0x47e8b8));
                  				SetDlgItemTextA(_t72, 4, E0041CD1E(0x47e8ac));
                  				if(E00419E8A() != 0) {
                  					SetDlgItemTextA(_t72, 1, E0041CD1E(0x47e8c4));
                  				}
                  				_t22 = E0041CD1E(0x47e338);
                  				SetWindowTextA(GetDlgItem(_t72, 0xa), _t22);
                  				E0041BDC5( &_v16);
                  				_push(E0041CD1E(0x47e350));
                  				E0041C467( &_v16, E0041CD1E(0x47ec0c));
                  				SetDlgItemTextA(_t72, 0x1e, E0041CD1E( &_v16));
                  				E0041BF12( &_v16, 0x42e0c8);
                  				_push(E0041CD1E(0x47e35c));
                  				E0041C467( &_v16, E0041CD1E(0x47ec18));
                  				SetDlgItemTextA(_t72, 0x1f, E0041CD1E( &_v16));
                  				SetDlgItemTextA(_t72, 0x20, E0041CD1E(0x47ec24));
                  				SendDlgItemMessageA(_t72, 0xa, 0xc5, 0x103, 0);
                  				if( *0x47e114 != 0) {
                  					SetDlgItemTextA(_t72, 0x41f, E0041CD1E(0x47df68));
                  					E0040EFE7();
                  				}
                  				E0041BEFB( &_v16);
                  				return 1;
                  			}

                  APIs
                  • GetDlgItem.USER32 ref: 0040B334
                  • EnableWindow.USER32(00000000), ref: 0040B337
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • SetWindowTextA.USER32(?,00000000), ref: 0040B357
                  • SetDlgItemTextA.USER32 ref: 0040B371
                  • SetDlgItemTextA.USER32 ref: 0040B381
                  • SetDlgItemTextA.USER32 ref: 0040B391
                  • SetDlgItemTextA.USER32 ref: 0040B3A1
                  • SetDlgItemTextA.USER32 ref: 0040B3BF
                  • GetDlgItem.USER32 ref: 0040B3CF
                  • SetWindowTextA.USER32(00000000), ref: 0040B3D2
                  • SetDlgItemTextA.USER32 ref: 0040B40E
                  • SetDlgItemTextA.USER32 ref: 0040B44B
                  • SetDlgItemTextA.USER32 ref: 0040B45B
                  • SendDlgItemMessageA.USER32(?,0000000A,000000C5,00000103,00000000), ref: 0040B46C
                  • SetDlgItemTextA.USER32 ref: 0040B48C
                    • Part of subcall function 0040EFE7: CreateFontA.GDI32(0000001E,00000000,0000005A,0000005A,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,Times New Roman), ref: 0040F017
                    • Part of subcall function 0040EFE7: SelectObject.GDI32(00000000), ref: 0040F027
                    • Part of subcall function 0040EFE7: SetTextColor.GDI32(000A0A0A), ref: 0040F03E
                    • Part of subcall function 0040EFE7: TextOutA.GDI32(0000000C,0000006F,00000000), ref: 0040F061
                    • Part of subcall function 0040EFE7: SetTextColor.GDI32(000000FF), ref: 0040F06F
                    • Part of subcall function 0040EFE7: TextOutA.GDI32(0000000A,0000006E,00000000), ref: 0040F08C
                  Strings
                  Similarity
                  • API ID: Text$Item$GlobalWindow$Color$AllocCreateEnableFontLockMessageObjectSelectSendUnlock
                  • String ID: $G$8G$PG$PG$\G
                  • API String ID: 1413699155-721960894
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00415C0F(struct HMENU__* __ecx) {
                  				struct HMENU__* _v8;
                  				struct _WNDCLASSA _v48;
                  				struct HINSTANCE__* _t27;
                  				signed char _t33;
                  				int _t35;
                  				struct HWND__* _t37;
                  				struct HMENU__* _t38;
                  				int _t40;
                  				long _t48;
                  				intOrPtr _t52;
                  				int _t54;
                  				intOrPtr _t60;
                  				CHAR* _t62;
                  				intOrPtr _t69;
                  				intOrPtr _t72;
                  
                  				_t27 =  *0x47e17c; // 0x400000
                  				_v8 = __ecx;
                  				_v48.style = 3;
                  				_v48.lpfnWndProc = E00405A9B;
                  				_v48.cbClsExtra = 0;
                  				_v48.cbWndExtra = 0;
                  				_v48.hInstance = _t27;
                  				_v48.hIcon = LoadIconA(_t27, 0x65);
                  				_v48.hCursor = LoadCursorA(0, 0x7f00);
                  				_t62 = "AstrumInstaller";
                  				_v48.hbrBackground = 0;
                  				_v48.lpszMenuName = 0;
                  				_v48.lpszClassName = _t62;
                  				RegisterClassA( &_v48);
                  				if(SystemParametersInfoA(0x30, 0, 0x47e168, 0) == 0) {
                  					GetWindowRect(GetDesktopWindow(), 0x47e168);
                  				}
                  				_t33 =  *0x47e84c; // 0x10
                  				if((_t33 & 0x00000010) == 0) {
                  					if((_t33 & 0x00000001) != 0) {
                  						0x47e168->left = 0;
                  						 *0x47e16c = 0;
                  						 *0x47e170 = GetSystemMetrics(0);
                  						 *0x47e174 = GetSystemMetrics(1);
                  						_t33 =  *0x47e84c; // 0x10
                  					}
                  					_t48 = 0x80000000;
                  				} else {
                  					_t48 = 0x1cf0000;
                  					if((_t33 & 0x00000001) != 0) {
                  						_t48 = 0x81ca0000;
                  					}
                  				}
                  				if((_t33 & 0x00000002) == 0) {
                  					L10:
                  					_t48 = 0x80000000;
                  					SetRectEmpty(0x47e168);
                  					goto L11;
                  				} else {
                  					_t69 =  *0x47e610; // 0x0
                  					if(_t69 == 0) {
                  						L11:
                  						_t35 =  *0x47e16c; // 0x0
                  						_t52 =  *0x47e174; // 0x0
                  						_t60 =  *0x47e170; // 0x0
                  						_t54 = 0x47e168->left; // 0x0
                  						_t37 = CreateWindowExA(0, _t62, E0041CD1E(0x47e850), _t48, _t54, _t35, _t60 - _t54, _t52 - _t35, 0, 0,  *0x47e17c, 0);
                  						 *0x47e178 = _t37;
                  						_v8->i = _t37;
                  						_t38 = GetSystemMenu( *0x47e178, 0);
                  						_v8 = _t38;
                  						AppendMenuA(_t38, 0x800, 2, "-");
                  						_t40 = AppendMenuA(_v8, 0, 1, "About...");
                  						if(( *0x47e84c & 0x00000010) != 0) {
                  							_t40 = GetClientRect( *0x47e178, 0x47e168);
                  						}
                  						if(( *0x47e84c & 0x00000002) == 0) {
                  							L17:
                  							return _t40;
                  						} else {
                  							_t72 =  *0x47e610; // 0x0
                  							if(_t72 != 0) {
                  								goto L17;
                  							}
                  							_t40 = E0040EE9C();
                  							if(_t40 != 0) {
                  								goto L17;
                  							}
                  							return E0041B2CC(0x47dfb8, 0, "Graphics initialization failed", E0041CD1E(0x47e850), 0x30);
                  						}
                  					}
                  					goto L10;
                  				}
                  			}

                  APIs
                  • LoadIconA.USER32(00400000,00000065), ref: 00415C3C
                  • LoadCursorA.USER32 ref: 00415C4B
                  • RegisterClassA.USER32 ref: 00415C66
                  • SystemParametersInfoA.USER32(00000030,00000000,0047E168,00000000), ref: 00415C76
                  • GetDesktopWindow.USER32 ref: 00415C81
                  • GetWindowRect.USER32 ref: 00415C88
                  • GetSystemMetrics.USER32 ref: 00415CBE
                  • GetSystemMetrics.USER32 ref: 00415CC7
                  • SetRectEmpty.USER32(0047E168), ref: 00415CEE
                  • CreateWindowExA.USER32 ref: 00415D2C
                  • GetSystemMenu.USER32(00000000), ref: 00415D43
                  • AppendMenuA.USER32 ref: 00415D5F
                  • AppendMenuA.USER32 ref: 00415D6C
                  • GetClientRect.USER32 ref: 00415D82
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: System$MenuRectWindow$AppendLoadMetrics$ClassClientCreateCursorDesktopEmptyIconInfoParametersRegister
                  • String ID: About...$AstrumInstaller$Graphics initialization failed$PG$hG
                  • API String ID: 465687589-1226465133
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E004155D2(intOrPtr __ecx, char _a4, CHAR* _a8) {
                  				long _v8;
                  				char _v20;
                  				char _v32;
                  				char _v44;
                  				intOrPtr _v48;
                  				void* _v52;
                  				struct _PROCESS_INFORMATION _v68;
                  				struct _STARTUPINFOA _v136;
                  				char _v396;
                  				char _v656;
                  				int _t59;
                  				void* _t61;
                  				int _t78;
                  				long _t81;
                  				void* _t92;
                  				void* _t101;
                  				void* _t108;
                  				void* _t110;
                  				void* _t114;
                  				void* _t115;
                  				CHAR* _t123;
                  				void* _t125;
                  				void* _t128;
                  				char* _t139;
                  				void* _t161;
                  				long _t163;
                  				long _t164;
                  				char* _t165;
                  				void* _t166;
                  				void* _t167;
                  				void* _t171;
                  
                  				_t123 = 0;
                  				_t171 =  *0x47f27c - _t123; // 0x1
                  				_v48 = __ecx;
                  				if(_t171 != 0) {
                  					_a4 = 1;
                  				}
                  				if(_a4 != _t123) {
                  					_t161 = 0x47dfb8;
                  					L14:
                  					__eflags = _a8 - _t123;
                  					if(_a8 != _t123) {
                  						lstrcpyA( &_v396, _a8);
                  					} else {
                  						E004229A8( &_v396);
                  					}
                  					_t59 = E0040DF52( &_v396);
                  					__eflags = _t59;
                  					_pop(_t125);
                  					if(_t59 != 0) {
                  						_t61 = E00424D20(_t125,  &_v396, 0x5c);
                  						_t128 = 1;
                  						lstrcpynA( &_v656,  &_v396, _t61 + _t128 -  &_v396);
                  						_t163 = 0x44;
                  						E00424500( &_v136, _t123, _t163);
                  						_v136.cb = _t163;
                  						E00424500( &_v68, _t123, 0x10);
                  						E0041BDC5( &_v32);
                  						_push( &_v396);
                  						E0041C467( &_v32, "\"%s\" ");
                  						__eflags = _a4 - _t123;
                  						if(_a4 != _t123) {
                  							E0041C047( &_v32, "/SILENT /NOREMOVE", _t123);
                  						}
                  						_t78 = CreateProcessA(_t123, E0041CD1E( &_v32), _t123, _t123, _t123, 0x4000000, _t123,  &_v656,  &_v136,  &_v68);
                  						__eflags = _t78;
                  						if(_t78 != 0) {
                  							_v52 = _v68.hProcess;
                  							while(1) {
                  								_push(0xff);
                  								_push(0xffffffff);
                  								_push(_t123);
                  								_push( &_v52);
                  								_t164 = 1;
                  								_t81 = MsgWaitForMultipleObjects(_t164, ??, ??, ??, ??);
                  								__eflags = _t81 - _t123;
                  								if(_t81 == _t123) {
                  									break;
                  								}
                  								__eflags = _t81 - _t164;
                  								if(_t81 != _t164) {
                  									break;
                  								}
                  								_t101 = E0041A207();
                  								__eflags = _t101 - 0xffffffff;
                  								if(_t101 != 0xffffffff) {
                  									continue;
                  								}
                  								goto L34;
                  							}
                  							Sleep(0x32);
                  							_v8 = _t164;
                  							GetExitCodeProcess(_v68,  &_v8);
                  							__eflags = _v8 - _t164;
                  							if(_v8 == _t164) {
                  								DeleteFileA( &_v396);
                  							}
                  							__eflags = _a4 - _t123;
                  							if(_a4 == _t123) {
                  								__eflags = _v8 - _t123;
                  								if(_v8 != _t123) {
                  									L42:
                  									E0041BEFB( &_v32);
                  									goto L43;
                  								}
                  								_t165 = E0041D46F("<__Internal_InstallationNotRemoved__>");
                  								__eflags = _t165 - _t123;
                  								if(_t165 == _t123) {
                  									_t165 = "The installation was not removed. Do you still want to re-install?";
                  								}
                  								E0041BDC5( &_v20);
                  								_push(E0041CD1E(0x47e350));
                  								E0041C467( &_v20, _t165);
                  								_t92 = E0041B2CC(_t161, _t123, E0041CD1E( &_v20), _t123, 0x104);
                  								__eflags = _t92 - 7;
                  								if(_t92 != 7) {
                  									E0041BEFB( &_v20);
                  									goto L42;
                  								} else {
                  									E0041BEFB( &_v20);
                  									E0041BEFB( &_v32);
                  									return 0;
                  								}
                  							} else {
                  								goto L33;
                  							}
                  						} else {
                  							__eflags = _a4 - _t123;
                  							if(_a4 == _t123) {
                  								E0041B2A8(_t123, "Couldn\'t launch uninstaller. Previous installation was not removed!", _t123);
                  							}
                  							L33:
                  							_t123 = 1;
                  							L34:
                  							_t139 =  &_v32;
                  							L35:
                  							E0041BEFB(_t139);
                  							return _t123;
                  						}
                  					} else {
                  						__eflags = _a4 - _t123;
                  						if(_a4 == _t123) {
                  							E0041B2A8(_t123, "Couldn\'t find uninstaller. Previous installation was not removed!", _t123);
                  						}
                  						L43:
                  						return 1;
                  					}
                  				}
                  				E0041BE35( &_v44, "%s is already installed on your system. It is highly recommended to uninstall the application before re-installing. Do you want to uninstall %s before re-installing?");
                  				_t108 = E0041D46F("<__Internal_AlreadyInstalled__>");
                  				_t162 = _t108;
                  				if(_t108 == _t123) {
                  					L8:
                  					E0041BDC5( &_v20);
                  					_t110 = E0041CD1E(0x47e350);
                  					_push(_t110);
                  					_push(_t110);
                  					E0041C467( &_v20, E0041CD1E( &_v44));
                  					_t167 = _t167 + 0x10;
                  					_t114 = E0041CD1E( &_v20);
                  					_t161 = 0x47dfb8;
                  					_t115 = E0041B2CC(0x47dfb8, _t123, _t114, _t123, 3);
                  					if(_t115 == 2) {
                  						L11:
                  						E0041BEFB( &_v20);
                  						_t139 =  &_v44;
                  						goto L35;
                  					}
                  					if(_t115 != 7) {
                  						E0041BEFB( &_v20);
                  						E0041BEFB( &_v44);
                  						goto L14;
                  					}
                  					_t123 = 1;
                  					goto L11;
                  				}
                  				_t166 = 0;
                  				if(E004248B0(_t162, 0x25) == _t123) {
                  					L7:
                  					E0041BF12( &_v44, _t162);
                  					E0041CBF9( &_v44, _t176, "<\\n>", "\n", _t123, _t123, 1);
                  					goto L8;
                  				} else {
                  					goto L5;
                  				}
                  				do {
                  					L5:
                  					_t166 = _t166 + 1;
                  				} while (_t119 != _t123);
                  				_t176 = _t166 - 3;
                  				if(_t166 >= 3) {
                  					goto L8;
                  				}
                  				goto L7;
                  			}

                  APIs
                    • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                    • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                  • lstrcpyA.KERNEL32(?,00422DD8,747DFC30,0047E788,00000000), ref: 004156F0
                    • Part of subcall function 004229A8: RegOpenKeyExA.KERNELBASE(00000000,00020019,00000000,0047DFB8,0047E788), ref: 004229DD
                    • Part of subcall function 004229A8: RegQueryValueExA.ADVAPI32(00000000,Uninstaller,00000000,00000000,?,0047E788), ref: 004229FF
                    • Part of subcall function 004229A8: lstrcpyA.KERNEL32(0047E788,?), ref: 00422A24
                  • lstrcpynA.KERNEL32(?,?,00000000), ref: 0041574F
                    • Part of subcall function 0041BDC5: GlobalAlloc.KERNELBASE(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                    • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000000,00000000,?,?,?), ref: 004157D3
                    • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                    • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                    • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                    • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                  • MsgWaitForMultipleObjects.USER32 ref: 00415808
                  • Sleep.KERNEL32(00000032), ref: 00415827
                  • GetExitCodeProcess.KERNEL32 ref: 00415837
                  • DeleteFileA.KERNEL32(?), ref: 00415849
                    • Part of subcall function 0041A207: PeekMessageA.USER32 ref: 0041A218
                    • Part of subcall function 0041A207: GetMessageA.USER32 ref: 0041A229
                  Strings
                  • Couldn't launch uninstaller. Previous installation was not removed!, xrefs: 004157E3
                  • Couldn't find uninstaller. Previous installation was not removed!, xrefs: 00415711
                  • PG, xrefs: 00415884
                  • /SILENT /NOREMOVE, xrefs: 004157A1
                  • The installation was not removed. Do you still want to re-install?, xrefs: 00415877, 00415892
                  • PG, xrefs: 00415661
                  • "%s" , xrefs: 0041578D
                  • <__Internal_InstallationNotRemoved__>, xrefs: 00415867
                  • <__Internal_AlreadyInstalled__>, xrefs: 00415605
                  • %s is already installed on your system. It is highly recommended to uninstall the application before re-installing. Do you want to uninstall %s before re-installing?, xrefs: 004155F8
                  • <\n>, xrefs: 0041564C
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$lstrlen$AllocLockMessageProcessUnlocklstrcpy$CodeCreateDeleteExitFileFreeMultipleObjectsOpenPeekQuerySleepValueWaitlstrcpyn
                  • String ID: "%s" $%s is already installed on your system. It is highly recommended to uninstall the application before re-installing. Do you want to uninstall %s before re-installing?$/SILENT /NOREMOVE$<\n>$<__Internal_AlreadyInstalled__>$<__Internal_InstallationNotRemoved__>$Couldn't find uninstaller. Previous installation was not removed!$Couldn't launch uninstaller. Previous installation was not removed!$PG$PG$The installation was not removed. Do you still want to re-install?
                  • API String ID: 5953620-3108517879
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 84%
                  			E00409999(intOrPtr __ecx, struct HWND__* _a4) {
                  				intOrPtr _v8;
                  				int _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				signed char _v23;
                  				long _v24;
                  				intOrPtr _v28;
                  				char _v40;
                  				char _v52;
                  				void* _t74;
                  				CHAR* _t75;
                  				intOrPtr _t87;
                  				void* _t92;
                  				void* _t100;
                  				intOrPtr _t106;
                  				void* _t122;
                  				void* _t159;
                  				void* _t160;
                  				void* _t161;
                  				intOrPtr _t163;
                  				void* _t173;
                  
                  				_t163 =  *0x42bf98; // 0xffffffff
                  				_v28 = __ecx;
                  				if(_t163 <= 0) {
                  					EnableWindow(GetDlgItem(_a4, 3), 0);
                  				}
                  				_t122 = 0x47e850;
                  				if(( *0x47e193 & 0x00000002) == 0) {
                  					_t122 = 0x47e9a8;
                  				}
                  				SetWindowTextA(_a4, E0041CD1E(_t122));
                  				SetDlgItemTextA(_a4, 3, E0041CD1E(0x47e8a0));
                  				SetDlgItemTextA(_a4, 1, E0041CD1E(0x47e8d0));
                  				SetDlgItemTextA(_a4, 2, E0041CD1E(0x47e8b8));
                  				if(E00419E8A() != 0) {
                  					SetDlgItemTextA(_a4, 1, E0041CD1E(0x47e8c4));
                  				}
                  				E0041BDC5( &_v52);
                  				if(E0041C8FD(0x47e2f0, 0x3c) == 0) {
                  					L22:
                  					_v24 = GetWindowLongA(GetDlgItem(_a4, 0xa), 0xfffffff0);
                  					SendMessageA(GetDlgItem(_a4, 0xa), 0xcf, 0, 0);
                  					_t74 = E004070D7(_v28, GetDlgItem(_a4, 0xa));
                  					if(_t74 == 0 ||  *((intOrPtr*)(_t74 + 8)) != 6 || ( *0x47e191 & 0x00000002) != 0) {
                  						_t75 = E0041CD1E( &_v52);
                  						SetWindowTextA(GetDlgItem(_a4, 0xa), _t75);
                  					} else {
                  						E0041D8DA( *((intOrPtr*)(_t74 + 0x50)),  &_v52);
                  					}
                  					if((_v23 & 0x00000008) != 0) {
                  						SendMessageA(GetDlgItem(_a4, 0xa), 0xcf, 1, 0);
                  					}
                  					if( *0x47e114 != 0) {
                  						SetDlgItemTextA(_a4, 0x41f, E0041CD1E(0x47df68));
                  						E0040EFE7();
                  					}
                  					goto L31;
                  				} else {
                  					_v8 = E0041C8FD(0x47e2f0, 0x40);
                  					_t87 = E0041C8FD(0x47e2f0, 0x44);
                  					_v24 = _t87;
                  					if(_v8 == 0 || _t87 == 0) {
                  						L31:
                  						E0041BEFB( &_v52);
                  						return 1;
                  					} else {
                  						_t159 = 0;
                  						_v12 = 0;
                  						if(_t87 <= 0) {
                  							goto L22;
                  						}
                  						while(1) {
                  							E0041BDC5( &_v40);
                  							_t92 = E0041CAC5( &_v40, E0041CD1E(0x47e6c8), _v8 + _t159, 4);
                  							_push(0);
                  							if(_t92 < 0) {
                  								break;
                  							}
                  							_v20 = E0041C8FD( &_v40);
                  							_t160 = _t159 + 4;
                  							_t100 = E0041CAC5( &_v40, E0041CD1E(0x47e6c8), _v8 + _t160, 4);
                  							_push(0);
                  							if(_t100 < 0) {
                  								break;
                  							}
                  							_v16 = E0041C8FD( &_v40);
                  							_t161 = _t160 + 4;
                  							if(E0041CAC5( &_v40, E0041CD1E(0x47e6c8), _v8 + _t161, _t101) < 0) {
                  								_push(0);
                  								break;
                  							}
                  							_t106 = _v20;
                  							_t159 = _t161 + _v16;
                  							_t173 = _t106 -  *0x47e60c; // 0x0
                  							if(_t173 == 0) {
                  								E0041BF80( &_v52,  &_v40);
                  								E0041BEFB( &_v40);
                  								goto L22;
                  							}
                  							if(_t106 == 0) {
                  								E0041BF80( &_v52,  &_v40);
                  							}
                  							E0041BEFB( &_v40);
                  							_v12 = _v12 + 1;
                  							if(_v12 < _v24) {
                  								continue;
                  							} else {
                  								goto L22;
                  							}
                  						}
                  						_push(E0041CD1E(0x47e9b4));
                  						_push(_a4);
                  						E0041B2A8();
                  						E0041BEFB( &_v40);
                  						goto L31;
                  					}
                  				}
                  			}

                  APIs
                  • GetDlgItem.USER32 ref: 004099BB
                  • EnableWindow.USER32(00000000), ref: 004099BE
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                    • Part of subcall function 0041CAC5: CreateFileA.KERNELBASE(0047DFB8,80000000,00000001,00000000,00000003,00000080,00000000,747DFBD0,0047E2F0,00000000,?,0047DFB8), ref: 0041CAE5
                  • SetWindowTextA.USER32(?,00000000), ref: 004099E0
                  • SetDlgItemTextA.USER32 ref: 004099FC
                  • SetDlgItemTextA.USER32 ref: 00409A0E
                  • SetDlgItemTextA.USER32 ref: 00409A20
                  • SetDlgItemTextA.USER32 ref: 00409A40
                  • GetDlgItem.USER32 ref: 00409B93
                  • GetWindowLongA.USER32 ref: 00409B96
                  • GetDlgItem.USER32 ref: 00409BAE
                  • SendMessageA.USER32(00000000), ref: 00409BB7
                  • GetDlgItem.USER32 ref: 00409BBE
                  • GetDlgItem.USER32 ref: 00409BFA
                  • SetWindowTextA.USER32(00000000), ref: 00409BFD
                    • Part of subcall function 0041BF80: GlobalUnlock.KERNEL32(?,00000000,00000000,004079C1,00000000), ref: 0041BF87
                    • Part of subcall function 0041BF80: GlobalReAlloc.KERNEL32 ref: 0041BF9B
                    • Part of subcall function 0041BF80: GlobalLock.KERNEL32 ref: 0041BFBC
                  • GetDlgItem.USER32 ref: 00409C13
                  • SendMessageA.USER32(00000000), ref: 00409C16
                  • SetDlgItemTextA.USER32 ref: 00409C34
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Item$Text$Global$Window$AllocLockMessageSendUnlock$CreateEnableFileLong
                  • String ID: PG
                  • API String ID: 3181886133-134009939
                  • Opcode ID: 50855ed6c324d4a01632b148dba64e7988e052d9a48d98e0a6eab7eb2b3b6176
                  • Instruction ID: d1ef8cf44ac91c91fcabe9bb5089d668b09125659dcb00a9096ae25bfe5b6d19
                  • Opcode Fuzzy Hash: 50855ed6c324d4a01632b148dba64e7988e052d9a48d98e0a6eab7eb2b3b6176
                  • Instruction Fuzzy Hash: 56719471A402086ADB14EB62DD86FEE7AB9EF44344F10407FF605B61E2CB785D41CA59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 62%
                  			E0040BE43(struct HWND__* _a4) {
                  				intOrPtr _t26;
                  				void* _t27;
                  				void* _t39;
                  				struct HWND__* _t54;
                  				intOrPtr _t56;
                  
                  				_t56 =  *0x42bf98; // 0xffffffff
                  				_t54 = _a4;
                  				if(_t56 <= 0) {
                  					EnableWindow(GetDlgItem(_t54, 3), 0);
                  				}
                  				_t39 = 0x47e850;
                  				if(( *0x47e193 & 0x00000002) == 0) {
                  					_t39 = 0x47ecc0;
                  				}
                  				SetWindowTextA(_t54, E0041CD1E(_t39));
                  				SetDlgItemTextA(_t54, 3, E0041CD1E(0x47e8a0));
                  				SetDlgItemTextA(_t54, 1, E0041CD1E(0x47e8d0));
                  				SetDlgItemTextA(_t54, 2, E0041CD1E(0x47e8b8));
                  				if(E00419E8A() != 0) {
                  					SetDlgItemTextA(_t54, 1, E0041CD1E(0x47e8c4));
                  				}
                  				SetDlgItemTextA(_t54, 0x1e, E0041CD1E(0x47eccc));
                  				SetDlgItemTextA(_t54, 0x19, E0041CD1E(0x47ece4));
                  				SetDlgItemTextA(_t54, 0x1b, E0041CD1E(0x47ecfc));
                  				SetDlgItemTextA(_t54, 0x1a, E0041CD1E(0x47ed14));
                  				SetDlgItemTextA(_t54, 0xa, E0041CD1E(0x47ecd8));
                  				SetDlgItemTextA(_t54, 0xb, E0041CD1E(0x47ecf0));
                  				SetDlgItemTextA(_t54, 0xc, E0041CD1E(0x47ed08));
                  				_t26 =  *0x47e65c; // 0x2
                  				_t27 = _t26 - 1;
                  				if(_t27 == 0) {
                  					_push(0);
                  					_push(1);
                  					_push(0xf1);
                  					_push(0xb);
                  				} else {
                  					_push(0);
                  					_push(1);
                  					_push(0xf1);
                  					if(_t27 == 3) {
                  						_push(0xc);
                  					} else {
                  						_push(0xa);
                  					}
                  				}
                  				SendDlgItemMessageA(_t54, ??, ??, ??, ??);
                  				if( *0x47e114 != 0) {
                  					SetDlgItemTextA(_t54, 0x41f, E0041CD1E(0x47df68));
                  					E0040EFE7();
                  				}
                  				return 1;
                  			}

                  APIs
                  • GetDlgItem.USER32 ref: 0040BE58
                  • EnableWindow.USER32(00000000), ref: 0040BE5F
                    • Part of subcall function 0040EFE7: CreateFontA.GDI32(0000001E,00000000,0000005A,0000005A,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,Times New Roman), ref: 0040F017
                    • Part of subcall function 0040EFE7: SelectObject.GDI32(00000000), ref: 0040F027
                    • Part of subcall function 0040EFE7: SetTextColor.GDI32(000A0A0A), ref: 0040F03E
                    • Part of subcall function 0040EFE7: TextOutA.GDI32(0000000C,0000006F,00000000), ref: 0040F061
                    • Part of subcall function 0040EFE7: SetTextColor.GDI32(000000FF), ref: 0040F06F
                    • Part of subcall function 0040EFE7: TextOutA.GDI32(0000000A,0000006E,00000000), ref: 0040F08C
                  • SetWindowTextA.USER32(?,00000000), ref: 0040BE7F
                  • SetDlgItemTextA.USER32 ref: 0040BE99
                  • SetDlgItemTextA.USER32 ref: 0040BEA9
                  • SetDlgItemTextA.USER32 ref: 0040BEB9
                  • SetDlgItemTextA.USER32 ref: 0040BED7
                  • SetDlgItemTextA.USER32 ref: 0040BEE7
                  • SetDlgItemTextA.USER32 ref: 0040BEF7
                  • SetDlgItemTextA.USER32 ref: 0040BF07
                  • SetDlgItemTextA.USER32 ref: 0040BF17
                  • SetDlgItemTextA.USER32 ref: 0040BF27
                  • SetDlgItemTextA.USER32 ref: 0040BF37
                  • SetDlgItemTextA.USER32 ref: 0040BF47
                  • SendDlgItemMessageA.USER32(?,0000000B,000000F1,00000001,00000000), ref: 0040BF71
                  • SetDlgItemTextA.USER32 ref: 0040BF91
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Text$Item$ColorWindow$CreateEnableFontMessageObjectSelectSend
                  • String ID: PG$G
                  • API String ID: 2240931465-1134899898
                  • Opcode ID: fbf63a2e6e865f56f20177791816b4740162252679370649d026e09afa41e30c
                  • Instruction ID: 4de78865ab571ced7cf8cf875867d43830bb34964b65dd31c01aee71d4a6cb9e
                  • Opcode Fuzzy Hash: fbf63a2e6e865f56f20177791816b4740162252679370649d026e09afa41e30c
                  • Instruction Fuzzy Hash: 663183707901097AF12133665C9AFFF195ECB89B44F10857FBA05B61D28FAC0881A67F
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 59%
                  			E00420AA9(intOrPtr _a4) {
                  				void* _v8;
                  				void* _v12;
                  				int _v16;
                  				void* _v20;
                  				char _v24;
                  				int* _v28;
                  				int _v32;
                  				int _v36;
                  				char _v44;
                  				char _v56;
                  				void _v107;
                  				char _v108;
                  				void _v159;
                  				char _v160;
                  				void _v259;
                  				char _v260;
                  				void _v519;
                  				char _v520;
                  				void _v779;
                  				char _v780;
                  				int _t85;
                  				int _t99;
                  				int _t109;
                  				signed int _t150;
                  				signed int _t155;
                  				signed int _t158;
                  				signed int _t160;
                  				signed int _t162;
                  				signed int _t173;
                  				void* _t198;
                  				void* _t199;
                  				void* _t200;
                  				void* _t201;
                  				intOrPtr _t209;
                  
                  				_v8 = 0;
                  				_t85 = RegOpenKeyExA(0x80000002, "Software\\JavaSoft\\Java Runtime Environment", 0, 0x20019,  &_v8);
                  				if(_t85 == 0) {
                  					_t150 = 0xc;
                  					_v160 = 0;
                  					memset( &_v159, _t85, _t150 << 2);
                  					_t199 = _t198 + 0xc;
                  					asm("stosb");
                  					_v16 = 0x32;
                  					if(RegQueryValueExA(_v8, "CurrentVersion", 0, 0,  &_v160,  &_v16) != 0) {
                  						L20:
                  						return RegCloseKey(_v8);
                  					}
                  					_t182 = _a4;
                  					E0041BF12(_a4,  &_v160);
                  					if(E0041C6AD(_a4, 0x2e, 0) == 0xffffffff || E0041C6AD(_t182, 0x2e, _t93 + 1) == 0xffffffff) {
                  						E0041BE99( &_v56, _t182);
                  						_t155 = 0x40;
                  						_v520 = 0;
                  						_v20 = 0;
                  						memset( &_v519, 0, _t155 << 2);
                  						_t200 = _t199 + 0xc;
                  						asm("stosw");
                  						asm("stosb");
                  						_t99 = RegOpenKeyExA(_v8,  &_v160, 0, 0x20019,  &_v20);
                  						if(_t99 == 0) {
                  							_t173 = 0xc;
                  							_v108 = 0;
                  							memset( &_v107, _t99, _t173 << 2);
                  							_t200 = _t200 + 0xc;
                  							asm("stosb");
                  							_v16 = 0x32;
                  							if(RegQueryValueExA(_v20, "MicroVersion", 0, 0,  &_v108,  &_v16) == 0) {
                  								E0041BFF8(_a4, 0x2e);
                  								E0041C047(_a4,  &_v108, 0);
                  							}
                  							_v16 = 0x104;
                  							RegQueryValueExA(_v20, "JavaHome", 0, 0,  &_v520,  &_v16);
                  							RegCloseKey(_v20);
                  						}
                  						_t209 =  *0x47e19c; // 0x1
                  						if(_t209 != 0) {
                  							L19:
                  							E0041BEFB( &_v56);
                  							goto L20;
                  						} else {
                  							_t158 = 0x18;
                  							_v260 = 0;
                  							_v28 = 0;
                  							memset( &_v259, 0, _t158 << 2);
                  							_t201 = _t200 + 0xc;
                  							asm("stosw");
                  							asm("stosb");
                  							_v24 = 0x64;
                  							_push( &_v44);
                  							_push(0);
                  							_push(0);
                  							_push(0);
                  							_push( &_v24);
                  							_push( &_v260);
                  							_push(0);
                  							while(RegEnumKeyExA(_v8, ??, ??, ??, ??, ??, ??, ??) == 0) {
                  								_v12 = 0;
                  								_t109 = RegOpenKeyExA(_v8,  &_v260, 0, 0x20019,  &_v12);
                  								if(_t109 != 0) {
                  									L17:
                  									_v28 = _v28 + 1;
                  									_t160 = 0x18;
                  									_v260 = 0;
                  									memset( &_v259, 0, _t160 << 2);
                  									_t201 = _t201 + 0xc;
                  									asm("stosw");
                  									asm("stosb");
                  									_v24 = 0x64;
                  									_push( &_v44);
                  									_push(0);
                  									_push(0);
                  									_push(0);
                  									_push( &_v24);
                  									_push( &_v260);
                  									_push(_v28);
                  									continue;
                  								}
                  								_t162 = 0xc;
                  								_v108 = 0;
                  								memset( &_v107, _t109, _t162 << 2);
                  								asm("stosb");
                  								_push(0x40);
                  								_v780 = 0;
                  								_v36 = 0x104;
                  								memset( &_v779, 0, 0 << 2);
                  								_t201 = _t201 + 0x18;
                  								asm("stosw");
                  								asm("stosb");
                  								_v32 = 0x32;
                  								if(RegQueryValueExA(_v12, "JavaHome", 0, 0,  &_v780,  &_v36) != 0 || RegQueryValueExA(_v12, "MicroVersion", 0, 0,  &_v108,  &_v32) != 0 || E00427910(0,  &_v780,  &_v520) != 0 || E00424A30( &_v108, "0") <= 0) {
                  									RegCloseKey(_v12);
                  									goto L17;
                  								} else {
                  									E0041BF80(_a4,  &_v56);
                  									E0041C047(_a4, ".", 0);
                  									E0041C047(_a4,  &_v108, 0);
                  									RegCloseKey(_v12);
                  									goto L19;
                  								}
                  							}
                  							goto L19;
                  						}
                  					} else {
                  						goto L20;
                  					}
                  				}
                  				return _t85;
                  			}

                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000002,Software\JavaSoft\Java Runtime Environment,00000000,00020019,00000001,00000000), ref: 00420ACC
                  • RegQueryValueExA.ADVAPI32(00000001,CurrentVersion,00000000,00000000,?,00000000,00000000,00000001), ref: 00420B10
                  • RegCloseKey.ADVAPI32(00000001), ref: 00420D7A
                    • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0221020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                    • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                    • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                  • RegOpenKeyExA.ADVAPI32(00000001,?,00000000,00020019,00420DA0,00000000,0000002E,00000000,?), ref: 00420B84
                  • RegQueryValueExA.ADVAPI32(00420DA0,MicroVersion,00000000,00000000,?,00000032), ref: 00420BB3
                  • RegQueryValueExA.ADVAPI32(00420DA0,JavaHome,00000000,00000000,?,00000032), ref: 00420BEC
                  • RegCloseKey.ADVAPI32(00420DA0), ref: 00420BF1
                  • RegEnumKeyExA.ADVAPI32(00000001,00000000,?,00000064,00000000,00000000,00000000,?), ref: 00420C39
                  • RegOpenKeyExA.ADVAPI32(00000001,?,00000000,00020019,00000000), ref: 00420C5E
                  • RegQueryValueExA.ADVAPI32(00000000,JavaHome,00000000,00000000,?,00000104), ref: 00420CB1
                  • RegQueryValueExA.ADVAPI32(00000000,MicroVersion,00000000,00000000,?,00000032), ref: 00420CC9
                  • RegCloseKey.ADVAPI32(00000000), ref: 00420CFF
                  • RegCloseKey.ADVAPI32(00000000,?,00000000,0042DA60,00000000,?), ref: 00420D69
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: QueryValue$Close$GlobalOpen$AllocEnumLockUnlock
                  • String ID: CurrentVersion$JavaHome$MicroVersion$Software\JavaSoft\Java Runtime Environment
                  • API String ID: 70163249-2505188448
                  • Opcode ID: dbd1b0d162f727fcd93d84ea524a9d01fcdd93a7bbf0c53bbf031b63f6c95dd6
                  • Instruction ID: f064f4b1a39d29ecacb366c45173f128611cdb4614f83e65575f7f39dd4475f1
                  • Opcode Fuzzy Hash: dbd1b0d162f727fcd93d84ea524a9d01fcdd93a7bbf0c53bbf031b63f6c95dd6
                  • Instruction Fuzzy Hash: 97815EB1A4021DBEEF11CBA4DC85EEEBBBCEB08348F50006AF605A6151DB745E49CF64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 87%
                  			E00407147(intOrPtr __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                  				char _v16;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t25;
                  				void* _t29;
                  				void* _t35;
                  				void* _t58;
                  				void* _t59;
                  				struct HMENU__* _t60;
                  				void* _t75;
                  				intOrPtr _t79;
                  
                  				_t75 = __edx;
                  				_t79 = __ecx;
                  				 *0x47df64 = __ecx;
                  				_t58 = E00408121(__ecx, _a4);
                  				if(_t58 < 0) {
                  					E0041BDC5( &_v16);
                  					_push(_t58);
                  					E0041C467( &_v16, "Load template failed (%d)");
                  					E0041D881(E0041CD1E( &_v16));
                  					E0041BEFB( &_v16);
                  				}
                  				_push(_a8);
                  				_push(_a12);
                  				E00408C8C(_t79, _t75);
                  				_t25 = _a16;
                  				 *0x47df64 = 0;
                  				if(_t25 != 0) {
                  					 *_t25 = _t79;
                  				}
                  				 *(_t79 + 0x6c) = _t25;
                  				if( *(_t79 + 4) != 0) {
                  					 *0x47df54 =  *0x47df54 + 1;
                  					GlobalUnlock( *0x47df5c);
                  					_t29 = GlobalReAlloc( *0x47df5c,  *0x47df54 << 2, 0x42);
                  					 *0x47df5c = _t29;
                  					 *0x47df58 = GlobalLock(_t29);
                  					if( *0x47df5c == 0) {
                  						E0041D881(E0041CD1E(0x47e924));
                  					}
                  					 *((intOrPtr*)( *0x47df58 +  *0x47df54 * 4 - 4)) = _t79;
                  					E00408E91(_t79);
                  					SendMessageA( *(_t79 + 4), 0x110, 0, 0);
                  					_t59 = 0;
                  					if( *((intOrPtr*)(_t79 + 0x7c)) <= 0) {
                  						L13:
                  						if(E00407D82(_t79) != 0) {
                  							_t60 = GetSystemMenu( *(_t79 + 4), 0);
                  							DeleteMenu(_t60, 0xf120, 0);
                  							DeleteMenu(_t60, 0xf020, 0);
                  							DeleteMenu(_t60, 0xf030, 0);
                  							DeleteMenu(_t60, 0xf000, 0);
                  							DeleteMenu(_t60, 1, 0x400);
                  							AppendMenuA(_t60, 0x800, 2, "-");
                  							AppendMenuA(_t60, 0, 1, "About...");
                  							ShowWindow( *(_t79 + 4), 1);
                  							E00407B45(_t60, AppendMenuA, _t79, 1);
                  							 *0x47e110 = _t79;
                  						}
                  						_t35 = 1;
                  						return _t35;
                  					} else {
                  						while(1) {
                  							_t16 = _t79 + 0x70; // 0x70
                  							if( *((intOrPtr*)(E0041E860(_t16, _t59) + 0x10)) == 1) {
                  								break;
                  							}
                  							_t59 = _t59 + 1;
                  							if(_t59 <  *((intOrPtr*)(_t79 + 0x7c))) {
                  								continue;
                  							}
                  							goto L13;
                  						}
                  						_t19 = _t79 + 0x70; // 0x70
                  						SetFocus( *(E0041E860(_t19, _t59) + 0x50));
                  						goto L13;
                  					}
                  				} else {
                  					return _t25 | 0xffffffff;
                  				}
                  			}

                  APIs
                    • Part of subcall function 0041BDC5: GlobalAlloc.KERNELBASE(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                    • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                    • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                    • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                  • GlobalUnlock.KERNEL32(00000000,?,?,00000400,00000000,00000000), ref: 004071D1
                  • GlobalReAlloc.KERNEL32 ref: 004071E8
                  • GlobalLock.KERNEL32 ref: 004071F4
                  • SendMessageA.USER32(?,00000110,00000000,00000000), ref: 00407238
                  • SetFocus.USER32(?,00000000), ref: 00407268
                  • GetSystemMenu.USER32(?,00000000), ref: 0040727D
                  • DeleteMenu.USER32(00000000,0000F120,00000000), ref: 00407292
                  • DeleteMenu.USER32(00000000,0000F020,00000000), ref: 0040729C
                  • DeleteMenu.USER32(00000000,0000F030,00000000), ref: 004072A6
                  • DeleteMenu.USER32(00000000,0000F000,00000000), ref: 004072B0
                  • DeleteMenu.USER32(00000000,00000001,00000400), ref: 004072BA
                  • AppendMenuA.USER32 ref: 004072CF
                  • AppendMenuA.USER32 ref: 004072DB
                  • ShowWindow.USER32(?,00000001), ref: 004072E2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$Menu$Delete$AllocLockUnlocklstrlen$Append$FocusFreeMessageSendShowSystemWindow
                  • String ID: $G$About...$Load template failed (%d)
                  • API String ID: 4201493354-4259950461
                  • Opcode ID: 13d18569783887c689b1cedd7764c6d1cc9bc3f1867207fa8ad77af0ad2be610
                  • Instruction ID: 866d9aeac3c835f741d54545ca8fe705d8432e42f4f522c6dab8da38ea409ca8
                  • Opcode Fuzzy Hash: 13d18569783887c689b1cedd7764c6d1cc9bc3f1867207fa8ad77af0ad2be610
                  • Instruction Fuzzy Hash: EA419670A40704ABD721AF62DC86F5A7779EF84704F10443FF517661E2CBB96481CA5C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E00409CDD(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, struct HWND__* _a4) {
                  				intOrPtr _v8;
                  				CHAR* _t8;
                  				void* _t39;
                  				intOrPtr _t50;
                  				struct HWND__* _t54;
                  				void* _t57;
                  
                  				_push(__ecx);
                  				_t54 = _a4;
                  				_v8 = __ecx;
                  				if( *0x42bf98 <= 0) {
                  					EnableWindow(GetDlgItem(_t54, 3), 0);
                  				}
                  				_t39 = 0x47e850;
                  				if(( *0x47e193 & 0x00000002) == 0) {
                  					_t39 = 0x47e9d8;
                  				}
                  				SetWindowTextA(_t54, E0041CD1E(_t39));
                  				_t8 = E0041CD1E(0x47e9e4);
                  				_t57 = SetDlgItemTextA;
                  				SetDlgItemTextA(_t54, 0xa, _t8);
                  				SetDlgItemTextA(_t54, 0xb, E0041CD1E(0x47e9f0));
                  				SetDlgItemTextA(_t54, 0xc, E0041CD1E(0x47e9fc));
                  				SetDlgItemTextA(_t54, 0xd, E0041CD1E(0x47ea08));
                  				SetDlgItemTextA(_t54, 3, E0041CD1E(0x47e8a0));
                  				SetDlgItemTextA(_t54, 1, E0041CD1E(0x47e8d0));
                  				SetDlgItemTextA(_t54, 2, E0041CD1E(0x47e8b8));
                  				SetDlgItemTextA(_t54, 4, E0041CD1E(0x47eb70));
                  				if(E00419E8A() != 0) {
                  					SetDlgItemTextA(_t54, 1, E0041CD1E(0x47e8c4));
                  				}
                  				_push(GetDlgItem(_t54, 0xf));
                  				E00409E0C(_t54, _t57);
                  				_t50 =  *0x47e274; // 0x0
                  				if(_t50 != 0) {
                  					E0042138A(_t50, _v8);
                  				}
                  				SetForegroundWindow(_t54);
                  				if( *0x47e114 != 0) {
                  					E0040EFE7();
                  				}
                  				return 1;
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Item$Text$Window$EnableForeground
                  • String ID: PG$pG$G
                  • API String ID: 588041497-2689831273
                  • Opcode ID: f3daa2747dbba6a4ebaccdfe6f895ee9e141ce91d27a0abc31df0bababac09f6
                  • Instruction ID: 423ab95a91abf6a2929d521cd3dd1b830fa26b07c3f81d625dc7f3cfa57831cc
                  • Opcode Fuzzy Hash: f3daa2747dbba6a4ebaccdfe6f895ee9e141ce91d27a0abc31df0bababac09f6
                  • Instruction Fuzzy Hash: BD21C37064010536E22473666C96FBF2A5ECFC9B48F10817FF605A62C38FAC0C41A67E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E0042138A(intOrPtr __ecx, signed int _a4) {
                  				intOrPtr _v8;
                  				struct HWND__* _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				void* _v24;
                  				char _v36;
                  				char _v48;
                  				struct HWND__* _t40;
                  				signed int _t80;
                  				char* _t89;
                  				struct HWND__* _t107;
                  
                  				_t80 = _a4;
                  				_v8 = __ecx;
                  				_t40 = GetDlgItem( *(_t80 + 4), 0xf);
                  				_v12 = _t40;
                  				_v24 = 0x40;
                  				_v20 = 0xa0;
                  				_v16 = 0x100;
                  				SendMessageA(_t40, 0x192, 3,  &_v24);
                  				_a4 = _a4 & 0x00000000;
                  				E0041BDC5( &_v48);
                  				L1:
                  				_push(_a4);
                  				if(E0041C9D2(_v8) != 0) {
                  					E0041C92F(_v8,  &_a4,  &_v48);
                  					SendMessageA(_v12, 0x180, 0, E0041CD1E( &_v48));
                  					goto L1;
                  				}
                  				_t107 = GetDlgItem( *(_t80 + 4), 0xe);
                  				__eflags =  *0x47e2c0; // 0x0
                  				if(__eflags != 0) {
                  					__eflags =  *0x47e2c8; // 0x0
                  					if(__eflags == 0) {
                  						E0041BDC5( &_v36);
                  						_push(E0041CD1E(0x47e350));
                  						E0041C467( &_v36, E0041CD1E(0x47eb4c));
                  						SetWindowTextA(_t107, E0041CD1E( &_v36));
                  						__eflags =  *0x47e192 & 0x00000008;
                  						if(( *0x47e192 & 0x00000008) != 0) {
                  							E00408E7A(_t80, _t107, 0xff);
                  						}
                  						_t89 =  &_v36;
                  					} else {
                  						E0041BDC5( &_v36);
                  						_push(E0041CD1E(0x47e350));
                  						E0041C467( &_v36, E0041CD1E(0x47eb64));
                  						SetWindowTextA(_t107, E0041CD1E( &_v36));
                  						__eflags =  *0x47e192 & 0x00000008;
                  						if(( *0x47e192 & 0x00000008) != 0) {
                  							E00408E7A(_t80, _t107, 0xff);
                  						}
                  						_t89 =  &_v36;
                  					}
                  					L10:
                  					E0041BEFB(_t89);
                  					L11:
                  					return E0041BEFB( &_v48);
                  				}
                  				__eflags =  *0x47e2c8; // 0x0
                  				if(__eflags != 0) {
                  					SetWindowTextA(_t107, E0041CD1E(0x47eb58));
                  					__eflags =  *0x47e192 & 0x00000008;
                  					if(( *0x47e192 & 0x00000008) != 0) {
                  						E00408E7A(_t80, _t107, 0xffff);
                  					}
                  					goto L11;
                  				}
                  				E0041BDC5( &_v36);
                  				_push(E0041CD1E(0x47e350));
                  				E0041C467( &_v36, E0041CD1E(0x47eb40));
                  				SetWindowTextA(_t107, E0041CD1E( &_v36));
                  				_t89 =  &_v36;
                  				goto L10;
                  			}

                  APIs
                  • GetDlgItem.USER32 ref: 004213A5
                  • SendMessageA.USER32(00000000,00000192,00000003,?), ref: 004213D1
                    • Part of subcall function 0041BDC5: GlobalAlloc.KERNELBASE(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                    • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                  • SendMessageA.USER32(00000000,00000180,00000000,00000000), ref: 00421411
                  • GetDlgItem.USER32 ref: 0042141B
                  • SetWindowTextA.USER32(00000000,00000000), ref: 004214B4
                  • SetWindowTextA.USER32(00000000,00000000), ref: 004214F3
                  • SetWindowTextA.USER32(00000000,00000000), ref: 00421469
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • SetWindowTextA.USER32(00000000,00000000), ref: 00421545
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$TextWindow$lstrlen$AllocItemLockMessageSend$Unlock
                  • String ID: @$@G$LG$PG$PG$PG$XG$dG
                  • API String ID: 435120884-2778522185
                  • Opcode ID: 996a918e6309023e079e4b7f1d51968db3e82d47320e26d52fae00e1e8fb2819
                  • Instruction ID: 16a7887dbd8dfa4a05515dd7873a9adc68804f2da8967db5dfc7659aed23bba8
                  • Opcode Fuzzy Hash: 996a918e6309023e079e4b7f1d51968db3e82d47320e26d52fae00e1e8fb2819
                  • Instruction Fuzzy Hash: 1341A571900119AADF04EBA2EC96EEE7779AF18308F40807EF505B6192DF7C5945CBA8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040B9F9(intOrPtr __ecx, struct HWND__* _a4) {
                  				intOrPtr _v8;
                  				char _v20;
                  				void* _t24;
                  				CHAR* _t29;
                  				void* _t53;
                  				struct HWND__* _t71;
                  
                  				_t71 = _a4;
                  				_v8 = __ecx;
                  				if( *0x42bf98 <= 0) {
                  					EnableWindow(GetDlgItem(_t71, 3), 0);
                  				}
                  				_t53 = 0x47e850;
                  				if(( *0x47e193 & 0x00000002) == 0) {
                  					_t53 = 0x47ec84;
                  				}
                  				SetWindowTextA(_t71, E0041CD1E(_t53));
                  				SetDlgItemTextA(_t71, 3, E0041CD1E(0x47e8a0));
                  				SetDlgItemTextA(_t71, 1, E0041CD1E(0x47e8d0));
                  				SetDlgItemTextA(_t71, 2, E0041CD1E(0x47e8b8));
                  				_t24 = E00419E8A();
                  				_t75 = _t24;
                  				if(_t24 != 0) {
                  					SetDlgItemTextA(_t71, 1, E0041CD1E(0x47e8c4));
                  				}
                  				SetDlgItemTextA(_t71, 0x1e, E0041CD1E(0x47ec90));
                  				SetDlgItemTextA(_t71, 0x1f, E0041CD1E(0x47ec9c));
                  				_t29 = E0041CD1E(0x47e344);
                  				SetWindowTextA(GetDlgItem(_t71, 0xa), _t29);
                  				E0041BE99( &_v20, 0x47e064);
                  				_t51 = "\\*.*";
                  				E0041C047( &_v20, "\\*.*", 0);
                  				E0040B6B3(_t75, _t71,  &_v20);
                  				if(( *0x47e192 & 0x00000080) == 0) {
                  					_t77 =  *0x47e19c;
                  					if( *0x47e19c != 0) {
                  						E0041BF80( &_v20, 0x47e004);
                  						E0041C047( &_v20, _t51, 0);
                  						E0040B6B3(_t77, _t71,  &_v20);
                  					}
                  				}
                  				SendDlgItemMessageA(_t71, 0xa, 0xc5, 0xd2, 0);
                  				if( *0x47e114 != 0) {
                  					SetDlgItemTextA(_t71, 0x41f, E0041CD1E(0x47df68));
                  					E0040EFE7();
                  				}
                  				E0041BEFB( &_v20);
                  				return 1;
                  			}

                  APIs
                  • GetDlgItem.USER32 ref: 0040BA1C
                  • EnableWindow.USER32(00000000), ref: 0040BA1F
                    • Part of subcall function 0040EFE7: CreateFontA.GDI32(0000001E,00000000,0000005A,0000005A,000002BC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,Times New Roman), ref: 0040F017
                    • Part of subcall function 0040EFE7: SelectObject.GDI32(00000000), ref: 0040F027
                    • Part of subcall function 0040EFE7: SetTextColor.GDI32(000A0A0A), ref: 0040F03E
                    • Part of subcall function 0040EFE7: TextOutA.GDI32(0000000C,0000006F,00000000), ref: 0040F061
                    • Part of subcall function 0040EFE7: SetTextColor.GDI32(000000FF), ref: 0040F06F
                    • Part of subcall function 0040EFE7: TextOutA.GDI32(0000000A,0000006E,00000000), ref: 0040F08C
                    • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                    • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                  • SetWindowTextA.USER32(?,00000000), ref: 0040BA3F
                  • SetDlgItemTextA.USER32 ref: 0040BA59
                  • SetDlgItemTextA.USER32 ref: 0040BA69
                  • SetDlgItemTextA.USER32 ref: 0040BA79
                  • SetDlgItemTextA.USER32 ref: 0040BA97
                  • SetDlgItemTextA.USER32 ref: 0040BAA7
                  • SetDlgItemTextA.USER32 ref: 0040BAB7
                  • GetDlgItem.USER32 ref: 0040BAC7
                  • SetWindowTextA.USER32(00000000), ref: 0040BACA
                  • SendDlgItemMessageA.USER32(?,0000000A,000000C5,000000D2,00000000), ref: 0040BB40
                  • SetDlgItemTextA.USER32 ref: 0040BB60
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Text$Item$Window$ColorGlobal$CreateEnableFontFreeMessageObjectSelectSendUnlock
                  • String ID: DG$PG$\*.*
                  • API String ID: 1573608945-4063998206
                  • Opcode ID: 55b0961a9734f431be93e9acbb95f164460e1c960aad09dd4823f354d4e25df6
                  • Instruction ID: 98bb2e4754260d3fde4e02e62b7a5bbe3a8d5a751bfae680a84eb71d1c3eba76
                  • Opcode Fuzzy Hash: 55b0961a9734f431be93e9acbb95f164460e1c960aad09dd4823f354d4e25df6
                  • Instruction Fuzzy Hash: FB31A2307402096AE711B7A69C96FFE2A2DDB89B08F50847FB605761D2CFBC1841D66E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E00405955(struct HWND__* _a4, signed int _a8, void* _a12) {
                  				void* _t29;
                  				signed int _t34;
                  				int _t37;
                  				CHAR* _t38;
                  				void* _t49;
                  				void* _t51;
                  				void* _t53;
                  				signed int _t54;
                  				signed int _t59;
                  				struct HDC__* _t62;
                  				struct HDC__* _t63;
                  
                  				_t29 = _a8 - 0xf;
                  				if(_t29 == 0) {
                  					_t62 = GetDC(_a4);
                  					_a12 = SelectObject(_t62,  *0x47df50);
                  					SetBkMode(_t62, 1);
                  					_t34 = MulDiv(0xf4240, GetDeviceCaps(_t62, 0x5a), 0x48);
                  					asm("cdq");
                  					_a8 = _t34 / 0x535;
                  					_t37 = lstrlenA(E0041CD1E(0x47df68));
                  					_t38 = E0041CD1E(0x47df68);
                  					asm("cdq");
                  					asm("cdq");
                  					TextOutA(_t62, _a8 * 0xb / 0x3e8, _a8 * 0x2f / 0x3e8, _t38, _t37);
                  					SelectObject(_t62, _a12);
                  					ReleaseDC(_a4, _t62);
                  					return 0;
                  				}
                  				_t49 = _t29 - 1;
                  				if(_t49 == 0) {
                  					L6:
                  					EndDialog(_a4, 1);
                  					_t51 = 1;
                  					return _t51;
                  				}
                  				_t53 = _t49;
                  				if(_t53 == 0) {
                  					goto L6;
                  				}
                  				_t54 = _t53 - 0xfe;
                  				if(_t54 == 0) {
                  					if( *0x47df50 == 0) {
                  						_t63 = GetDC(_a4);
                  						_t59 = MulDiv(8, GetDeviceCaps(_t63, 0x5a), 0x48);
                  						ReleaseDC(_a4, _t63);
                  						_t54 = CreateFontA( ~_t59, 0, 0, 0, 0x190, 0, 0, 0, 0, 0, 0, 0, 0, "MS Sans Serif");
                  						 *0x47df50 = _t54;
                  					}
                  					L9:
                  					return (_t54 & 0xffffff00 | _a8 == 0x00000110) & 0x000000ff;
                  				}
                  				_t54 = _t54 - 1;
                  				if(_t54 != 0) {
                  					goto L9;
                  				}
                  				_t54 = (_a12 & 0x0000ffff) - 1;
                  				if(_t54 != 0) {
                  					goto L9;
                  				}
                  				goto L6;
                  			}

                  APIs
                  • EndDialog.USER32(?,00000001), ref: 00405984
                  • GetDC.USER32(?), ref: 0040599F
                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004059AC
                  • MulDiv.KERNEL32(00000008,00000000), ref: 004059B5
                  • ReleaseDC.USER32 ref: 004059C3
                  • CreateFontA.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,MS Sans Serif), ref: 004059DF
                  • GetDC.USER32(?), ref: 004059FF
                  • SelectObject.GDI32(00000000), ref: 00405A14
                  • SetBkMode.GDI32(00000000,00000001), ref: 00405A1C
                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00405A27
                  • MulDiv.KERNEL32(000F4240,00000000), ref: 00405A33
                  • lstrlenA.KERNEL32(00000000), ref: 00405A51
                  • TextOutA.GDI32(00000000,?,?,00000000,00000000), ref: 00405A7C
                  • SelectObject.GDI32(00000000,?), ref: 00405A86
                  • ReleaseDC.USER32 ref: 00405A8C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: CapsDeviceObjectReleaseSelect$CreateDialogFontModeTextlstrlen
                  • String ID: MS Sans Serif
                  • API String ID: 2026860755-168460110
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E0040FEB9(void* __ecx, void** _a4, struct HDC__* _a8, int _a12, int _a16) {
                  				BITMAPINFOHEADER* _v8;
                  				void* _v12;
                  				char _v16;
                  				void* _v20;
                  				void* _v24;
                  				char _v28;
                  				char _v44;
                  				signed int _t41;
                  				void* _t42;
                  				intOrPtr* _t43;
                  				long _t46;
                  				int _t47;
                  				struct HDC__* _t49;
                  				void* _t50;
                  				int _t57;
                  				BITMAPINFOHEADER* _t58;
                  				void* _t60;
                  				int _t63;
                  				void* _t68;
                  				void* _t71;
                  				struct HDC__* _t73;
                  				int _t88;
                  				void* _t93;
                  				void* _t94;
                  				int _t95;
                  				void** _t97;
                  
                  				_t41 = _a4;
                  				_v20 = __ecx;
                  				if(_t41 != 0) {
                  					 *_t41 = 0;
                  					_t71 = 0;
                  					__eflags =  *0x47e540; // 0x0
                  					if(__eflags <= 0) {
                  						L8:
                  						_t93 = 0;
                  						__eflags =  *0x47e52c; // 0x0
                  						if(__eflags <= 0) {
                  							L13:
                  							_push(0xfffffffe);
                  							L14:
                  							_pop(_t42);
                  							return _t42;
                  						} else {
                  							goto L9;
                  						}
                  						while(1) {
                  							L9:
                  							_t43 = E0041E860(0x47e520, _t93);
                  							__eflags =  *_t43 - _a8;
                  							if( *_t43 == _a8) {
                  								break;
                  							}
                  							_t93 = _t93 + 1;
                  							__eflags = _t93 -  *0x47e52c; // 0x0
                  							if(__eflags < 0) {
                  								continue;
                  							}
                  							goto L13;
                  						}
                  						_t6 = _t43 + 4; // 0x4
                  						_t79 = _t6;
                  						__eflags = _t6;
                  						if(_t6 != 0) {
                  							_t94 = CreateFileA(E0041CD1E(_t79), 0x80000000, 1, 0, 3, 0x80, 0);
                  							__eflags = _t94 - 0xffffffff;
                  							if(_t94 != 0xffffffff) {
                  								_t46 = GetFileSize(_t94, 0);
                  								_v16 = 0;
                  								_t47 = E00410087(_v20, _t94, _t46,  &_v44,  &_v8,  &_v28,  &_v12,  &_v16);
                  								CloseHandle(_t94);
                  								__eflags = _t47;
                  								if(_t47 >= 0) {
                  									_t49 = GetDC( *0x47e178);
                  									_a8 = _t49;
                  									_t50 = CreateDIBitmap(_t49, _v8, 4, _v12, _v8, 0);
                  									_t95 = _a12;
                  									__eflags = _t95;
                  									 *_a4 = _t50;
                  									if(_t95 <= 0) {
                  										L25:
                  										ReleaseDC( *0x47e178, _a8);
                  										E00424DCE(_v28);
                  										asm("sbb eax, eax");
                  										_t57 = ( ~( *_a4) & 0x00000007) + 0xfffffffa;
                  										__eflags = _t57;
                  										return _t57;
                  									}
                  									_t88 = _a16;
                  									__eflags = _t88;
                  									if(_t88 <= 0) {
                  										goto L25;
                  									}
                  									_t58 = _v8;
                  									__eflags = _t95 - _t58->biWidth;
                  									if(_t95 != _t58->biWidth) {
                  										L23:
                  										_t73 = CreateCompatibleDC(_a8);
                  										_t60 = CreateCompatibleBitmap(_a8, _t95, _a16);
                  										_v24 = _t60;
                  										_v20 = SelectObject(_t73, _t60);
                  										_t63 = StretchDIBits(_t73, 0, 0, _a12, _a16, 0, 0, _v8->biWidth, _v8->biHeight, _v12, _t62, 0, 0xcc0020);
                  										SelectObject(_t73, _v20);
                  										DeleteDC(_t73);
                  										__eflags = _t63 - 0xffffffff;
                  										if(_t63 != 0xffffffff) {
                  											_t97 = _a4;
                  											DeleteObject( *_t97);
                  											 *_t97 = _v24;
                  										}
                  										goto L25;
                  									}
                  									__eflags = _t88 - _t58->biHeight;
                  									if(_t88 == _t58->biHeight) {
                  										goto L25;
                  									}
                  									goto L23;
                  								}
                  								_push(0xfffffffc);
                  								goto L14;
                  							}
                  							_push(0xfffffffd);
                  							goto L14;
                  						}
                  						goto L13;
                  					}
                  					while(1) {
                  						_t68 = E0041E860(0x47e534, _t71);
                  						__eflags = _t68 - _a8;
                  						if(_t68 == _a8) {
                  							break;
                  						}
                  						_t71 = _t71 + 2;
                  						__eflags = _t71 -  *0x47e540; // 0x0
                  						if(__eflags < 0) {
                  							continue;
                  						}
                  						goto L8;
                  					}
                  					_t74 = _t71 + 1;
                  					__eflags = _t71 + 1;
                  					_a8 = E0041E860(0x47e534, _t74);
                  					goto L8;
                  				}
                  				return _t41 | 0xffffffff;
                  			}

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID:
                  • String ID: G$4G
                  • API String ID: 0-1092705001
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E00422CBD(void* __ecx) {
                  				void* _v8;
                  				void _v12;
                  				long _v16;
                  				long _v28;
                  				char _v288;
                  				void* _t29;
                  				CHAR* _t30;
                  				CHAR* _t31;
                  				void* _t33;
                  				void* _t35;
                  				long _t38;
                  				void* _t91;
                  				void* _t92;
                  				void* _t93;
                  				void* _t95;
                  				void* _t97;
                  				intOrPtr _t101;
                  
                  				_t95 = __ecx;
                  				SetCurrentDirectoryA("c:\\");
                  				if(( *0x47e18c & 0x00000040) != 0 || ( *0x47e192 & 0x00000002) != 0) {
                  					_push(1);
                  					__eflags =  *(_t95 + 0x90);
                  					if( *(_t95 + 0x90) != 0) {
                  						goto L10;
                  					}
                  					_pop(_t91);
                  					_t25 = _t95 + 0x20; // 0x0
                  					_t30 = E0040DF1F( *_t25, 0);
                  					while(1) {
                  						__eflags = _t30;
                  						if(_t30 == 0) {
                  							break;
                  						}
                  						E0040D85F(_t30);
                  						_t35 = _t91;
                  						_t91 = _t91 + 1;
                  						_t26 = _t95 + 0x20; // 0x0
                  						_t30 = E0040DF1F( *_t26, _t35);
                  						_t97 = _t97 + 0xc;
                  					}
                  					_t92 = 1;
                  					_push(0);
                  					while(1) {
                  						_t27 = _t95 + 0x38; // 0x0
                  						_push( *_t27);
                  						_t31 = E0040DF1F();
                  						__eflags = _t31;
                  						if(_t31 == 0) {
                  							goto L9;
                  						}
                  						RemoveDirectoryA(_t31);
                  						_t33 = _t92;
                  						_t92 = _t92 + 1;
                  						_push(_t33);
                  					}
                  					goto L9;
                  				} else {
                  					if( *(_t95 + 0x90) == 0) {
                  						_t93 = CreateFileA(E0041CD1E(_t95), 0xc0000000, 1, 0, 3, 0x80, 0);
                  						_v8 = _t93;
                  						_t38 = GetFileSize(_t93, 0);
                  						__eflags = _t93 - 0xffffffff;
                  						_v12 = _t38;
                  						if(_t93 == 0xffffffff) {
                  							L11:
                  							CloseHandle(_t93);
                  							L9:
                  							_push(1);
                  							L10:
                  							_pop(_t29);
                  							return _t29;
                  						}
                  						__eflags = _t38;
                  						if(_t38 == 0) {
                  							goto L11;
                  						}
                  						 *((char*)(_t95 + 0x92)) = 1;
                  						E0041BDC5( &_v28);
                  						E004221B8(_t95, __eflags,  &_v28);
                  						SetFilePointer(_t93, 0, 0, 2);
                  						WriteFile(_t93, E0041CD1E( &_v28), _v28,  &_v16, 0);
                  						WriteFile(_v8,  &_v12, 4,  &_v16, 0);
                  						CloseHandle(_v8);
                  						E004155D2(0x47dfb8, 1, E0041CD1E(_t95));
                  						DeleteFileA(E0041CD1E(_t95));
                  						E0041BEFB( &_v28);
                  						L7:
                  						_t101 =  *0x47e688; // 0x0
                  						if(_t101 > 0) {
                  							E004229A8( &_v288);
                  							CopyFileA(E0041CD1E(0x47e688),  &_v288, 0);
                  							DeleteFileA(E0041CD1E(0x47e688));
                  							E0041BF12(0x47e688, 0x42e0c8);
                  						}
                  						goto L9;
                  					}
                  					_push( &_v288);
                  					E00422A86();
                  					E004155D2(0x47dfb8, 1,  &_v288);
                  					DeleteFileA( &_v288);
                  					goto L7;
                  				}
                  			}

                  APIs
                  • SetCurrentDirectoryA.KERNEL32(c:\,00000000,0047DFB8,00000094), ref: 00422CD0
                  • DeleteFileA.KERNEL32(?,00000001,?,?), ref: 00422D22
                  • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,00000080,00000000), ref: 00422D45
                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00422D52
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?), ref: 00422D8B
                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 00422DA9
                  • WriteFile.KERNEL32(00000000,0041CD50,00000004,00000000,00000000), ref: 00422DB9
                  • CloseHandle.KERNEL32(00000000), ref: 00422DBE
                  • DeleteFileA.KERNEL32(00000000,00000001,00000000), ref: 00422DE0
                  • CopyFileA.KERNEL32(00000000,?,00000000), ref: 00422E19
                  • DeleteFileA.KERNEL32(00000000), ref: 00422E27
                    • Part of subcall function 00422A86: lstrcpyA.KERNEL32(00000000,00000000,0047E5EC,7FFFFFFF,0047E5EC,0047E5EC,?,<UninstallerName>,0041AA6C,?,<UninstallerName>,00000000,00000001,<ShortcutDir>,00000000,00000000), ref: 00422ABE
                  • CloseHandle.KERNEL32(00000000), ref: 00422E42
                  • RemoveDirectoryA.KERNEL32(00000000), ref: 00422E90
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: File$Delete$CloseDirectoryHandleWrite$CopyCreateCurrentPointerRemoveSizelstrcpy
                  • String ID: c:\
                  • API String ID: 962263428-4070862797
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00405A9B(void* __edx, struct HWND__* _a4, int _a8, int _a12, long _a16) {
                  				int _t24;
                  				signed int _t25;
                  				void* _t26;
                  				int _t31;
                  				signed int _t37;
                  				signed int _t39;
                  				signed int _t43;
                  				int _t52;
                  				signed int _t55;
                  				void* _t67;
                  				signed int _t74;
                  
                  				_t67 = __edx;
                  				_t55 =  *0x47e110; // 0x0
                  				if(_t55 == 0) {
                  					L8:
                  					_t24 = _a8;
                  					__eflags = _t24 - 0x10;
                  					if(_t24 == 0x10) {
                  						L61:
                  						_t25 = E0041BC79(0x47dfb8);
                  						__eflags = _t25;
                  						if(_t25 != 0) {
                  							DestroyWindow(_a4);
                  							E0041A1B5(1);
                  						}
                  						L63:
                  						_t26 = 1;
                  						return _t26;
                  					}
                  					__eflags = _t24 - 0x14;
                  					if(_t24 == 0x14) {
                  						BitBlt(_a12, 0, 0,  *0x47e170,  *0x47e174,  *0x47e184, 0, 0, 0xcc0020);
                  						goto L63;
                  					}
                  					__eflags = _t24 - 0x7e;
                  					if(_t24 == 0x7e) {
                  						__eflags =  *0x47e84c & 0x00000002;
                  						if(( *0x47e84c & 0x00000002) != 0) {
                  							DeleteDC( *0x47e184);
                  							_t31 = SystemParametersInfoA(0x30, 0, 0x47e168, 0);
                  							__eflags = _t31;
                  							if(_t31 == 0) {
                  								GetWindowRect(GetDesktopWindow(), 0x47e168);
                  							}
                  							E0040EE9C();
                  							__eflags =  *0x47e114; // 0x0
                  							if(__eflags != 0) {
                  								__eflags =  *0x47f27c; // 0x1
                  								if(__eflags == 0) {
                  									E0040EFE7();
                  								}
                  							}
                  						}
                  						L59:
                  						return DefWindowProcA(_a4, _a8, _a12, _a16);
                  					}
                  					__eflags = _t24 - 0x112;
                  					if(_t24 == 0x112) {
                  						__eflags = _a12 - 1;
                  						if(_a12 == 1) {
                  							__eflags = _t55;
                  							if(_t55 != 0) {
                  								EnableWindow( *(_t55 + 4), 0);
                  							}
                  							DialogBoxParamA( *0x47e17c, 0x72, _a4, E00405955, 0);
                  							_t37 =  *0x47e110; // 0x0
                  							__eflags = _t37;
                  							if(_t37 != 0) {
                  								EnableWindow( *(_t37 + 4), 1);
                  								_t39 =  *0x47e110; // 0x0
                  								SetForegroundWindow( *(_t39 + 4));
                  							}
                  						}
                  						goto L59;
                  					}
                  					__eflags = _t24 - 0x400;
                  					if(_t24 != 0x400) {
                  						goto L59;
                  					}
                  					__eflags = _a16 - 1;
                  					if(_a16 != 1) {
                  						goto L59;
                  					}
                  					_t43 = _a12 - 1;
                  					__eflags = _t43 - 0xc;
                  					if(_t43 > 0xc) {
                  						_t74 = E00424DD9(0xb0);
                  						__eflags = _t74;
                  						if(__eflags == 0) {
                  							L18:
                  							_t74 = 0;
                  							__eflags = 0;
                  							L19:
                  							__eflags = _t74;
                  							if(__eflags == 0) {
                  								E0041D881(E0041CD1E(0x47e924));
                  							}
                  							E00407147(_t74, _t67, __eflags, _a12,  *0x47e178,  *0x47e17c, 0x47e110);
                  							goto L59;
                  						}
                  						E00406D11(_t74, __eflags);
                  						 *_t74 = 0x428418;
                  						goto L19;
                  					}
                  					switch( *((intOrPtr*)(_t43 * 4 +  &M00405E94))) {
                  						case 0:
                  							_t74 = E00424DD9(0xb0);
                  							__eflags = _t74;
                  							if(__eflags == 0) {
                  								goto L18;
                  							} else {
                  								E00406D11(_t74, __eflags);
                  								 *_t74 = 0x428584;
                  								goto L19;
                  							}
                  						case 1:
                  							__esi = E00424DD9(0xb0);
                  							__eflags = __esi - __ebx;
                  							if(__eflags == 0) {
                  								goto L18;
                  							} else {
                  								__ecx = __esi;
                  								__eax = E00406D11(__ecx, __eflags);
                  								 *__esi = 0x428568;
                  								goto L19;
                  							}
                  						case 2:
                  							__esi = E00424DD9(0xb0);
                  							__eflags = __esi - __ebx;
                  							if(__eflags == 0) {
                  								goto L18;
                  							}
                  							__ecx = __esi;
                  							__eax = E00406D11(__ecx, __eflags);
                  							 *__esi = 0x42854c;
                  							goto L19;
                  						case 3:
                  							__esi = E00424DD9(0xb0);
                  							__eflags = __esi - __ebx;
                  							if(__eflags == 0) {
                  								goto L18;
                  							}
                  							__ecx = __esi;
                  							__eax = E00406D11(__ecx, __eflags);
                  							 *__esi = 0x428530;
                  							goto L19;
                  						case 4:
                  							__esi = E00424DD9(0xb0);
                  							__eflags = __esi - __ebx;
                  							if(__eflags == 0) {
                  								goto L18;
                  							}
                  							__ecx = __esi;
                  							__eax = E00406D11(__ecx, __eflags);
                  							 *__esi = 0x428514;
                  							goto L19;
                  						case 5:
                  							__esi = E00424DD9(0xb8);
                  							__eflags = __esi - __ebx;
                  							if(__eflags == 0) {
                  								goto L18;
                  							}
                  							__ecx = __esi;
                  							__eax = E00406D11(__ecx, __eflags);
                  							 *__esi = 0x4284f8;
                  							goto L19;
                  						case 6:
                  							__esi = E00424DD9(0xb0);
                  							__eflags = __esi - __ebx;
                  							if(__eflags == 0) {
                  								goto L18;
                  							}
                  							__ecx = __esi;
                  							__eax = E00406D11(__ecx, __eflags);
                  							 *__esi = 0x4284dc;
                  							goto L19;
                  						case 7:
                  							__esi = E00424DD9(0xb0);
                  							__eflags = __esi - __ebx;
                  							if(__eflags == 0) {
                  								goto L18;
                  							}
                  							__ecx = __esi;
                  							__eax = E00406D11(__ecx, __eflags);
                  							 *__esi = 0x4284c0;
                  							goto L19;
                  						case 8:
                  							__esi = E00424DD9(0xb0);
                  							__eflags = __esi - __ebx;
                  							if(__eflags == 0) {
                  								goto L18;
                  							}
                  							__ecx = __esi;
                  							__eax = E00406D11(__ecx, __eflags);
                  							 *__esi = 0x4284a4;
                  							goto L19;
                  						case 9:
                  							__esi = E00424DD9(0xb4);
                  							__eflags = __esi - __ebx;
                  							if(__eflags == 0) {
                  								goto L18;
                  							}
                  							__ecx = __esi;
                  							__eax = E00406D11(__ecx, __eflags);
                  							 *__esi = 0x428488;
                  							goto L19;
                  						case 0xa:
                  							__esi = E00424DD9(0xb0);
                  							__eflags = __esi - __ebx;
                  							if(__eflags == 0) {
                  								goto L18;
                  							}
                  							__ecx = __esi;
                  							__eax = E00406D11(__ecx, __eflags);
                  							 *__esi = 0x42846c;
                  							goto L19;
                  						case 0xb:
                  							__esi = E00424DD9(0xb0);
                  							__eflags = __esi - __ebx;
                  							if(__eflags == 0) {
                  								goto L18;
                  							}
                  							__ecx = __esi;
                  							__eax = E00406D11(__ecx, __eflags);
                  							 *__esi = 0x428434;
                  							goto L19;
                  						case 0xc:
                  							__esi = E00424DD9(0xb0);
                  							__eflags = __esi - __ebx;
                  							if(__eflags == 0) {
                  								goto L18;
                  							}
                  							__ecx = __esi;
                  							__eax = E00406D11(__ecx, __eflags);
                  							 *__esi = 0x428450;
                  							goto L19;
                  					}
                  				}
                  				if(E00407D82(_t55) != 0) {
                  					L7:
                  					_t55 =  *0x47e110; // 0x0
                  					goto L8;
                  				}
                  				_t52 = _a8;
                  				if(_t52 == 0x14 || _t52 == 0x112 || _t52 == 0x400) {
                  					goto L7;
                  				} else {
                  					if(_t52 == 0x10) {
                  						goto L61;
                  					} else {
                  						return E00408768(_a4, _t52, _a12, _a16);
                  					}
                  				}
                  			}


                  APIs
                  • EnableWindow.USER32(?,00000000), ref: 00405D9B
                  • DialogBoxParamA.USER32 ref: 00405DAE
                  • EnableWindow.USER32(?,00000001), ref: 00405DC2
                  • SetForegroundWindow.USER32(?), ref: 00405DCC
                  • DeleteDC.GDI32 ref: 00405DE3
                  • SystemParametersInfoA.USER32(00000030,00000000,0047E168,00000000), ref: 00405DF3
                  • GetDesktopWindow.USER32 ref: 00405DFE
                  • GetWindowRect.USER32 ref: 00405E05
                  • DefWindowProcA.USER32(?,?,?,?), ref: 00405E3A
                  • BitBlt.GDI32(?,00000000,00000000,00000000,00000000,00CC0020), ref: 00405E60
                  • DestroyWindow.USER32(?), ref: 00405E7B
                    • Part of subcall function 00408768: EnableWindow.USER32(?,00000000), ref: 0040878E
                    • Part of subcall function 00408768: DialogBoxParamA.USER32 ref: 004087A0
                    • Part of subcall function 00408768: EnableWindow.USER32(?,00000001), ref: 004087A9
                    • Part of subcall function 00408768: SetForegroundWindow.USER32(?), ref: 004087AC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Window$Enable$DialogForegroundParam$DeleteDesktopDestroyInfoParametersProcRectSystem
                  • String ID: $G$hG
                  • API String ID: 3857719481-203099041
                  • Opcode ID: 2f3b12d5543e14b79b981c452a303d4a0eca5a49f133cdee6d41fc202542ed02
                  • Instruction ID: fa91adb50b79aa072a828a9bd1838e9d073234fdb9740b73cce90f07b5154bab
                  • Opcode Fuzzy Hash: 2f3b12d5543e14b79b981c452a303d4a0eca5a49f133cdee6d41fc202542ed02
                  • Instruction Fuzzy Hash: 6391D132B00620ABDB243FA1AC4262F7661DB40714B65417FF9467B2D1EB7E5C918F8E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E00420F79(intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                  				char _v8;
                  				int _v12;
                  				int* _v16;
                  				intOrPtr _v20;
                  				int _v24;
                  				void* _v28;
                  				char* _v32;
                  				void* _v36;
                  				int _v40;
                  				int _v44;
                  				int _v48;
                  				int _v52;
                  				struct _FILETIME _v60;
                  				char _v72;
                  				char _v84;
                  				char _v96;
                  				char _v108;
                  				char* _t146;
                  				char* _t147;
                  				void* _t151;
                  				void* _t152;
                  				void* _t153;
                  				void* _t154;
                  
                  				_t154 = __eflags;
                  				_v20 = __ecx;
                  				E0041BDC5( &_v108);
                  				E0041EEC5(_v20,  &_v108);
                  				E0041BDC5( &_v96);
                  				_push(E0041CD1E(0x47e368));
                  				E0041C467( &_v96, E0041CD1E(0x47eb10));
                  				_t152 = _t151 + 0xc;
                  				E0041EEC5(_v20,  &_v96);
                  				_v8 = 0;
                  				E0041BE35( &_v84, "Software\\");
                  				E0041C0C5( &_v84, _t154, 0x47e368);
                  				if(RegOpenKeyExA(0x80000002, E0041CD1E( &_v84), 0, 0x20019,  &_v28) != 0 || RegQueryInfoKeyA(_v28, 0, 0, 0,  &_v40,  &_v24, 0, 0, 0, 0, 0, 0) != 0) {
                  					L21:
                  					E0041EEC5(_v20, 0x47eb34);
                  					goto L22;
                  				} else {
                  					_v32 = E00424DD9(_v24);
                  					_v16 = 0;
                  					if(_v40 <= 0) {
                  						L18:
                  						if(_v32 != 0) {
                  							E00424DCE(_v32);
                  						}
                  						L20:
                  						if(_v8 != 0) {
                  							L22:
                  							E0041BEFB( &_v84);
                  							E0041BEFB( &_v96);
                  							return E0041BEFB( &_v108);
                  						}
                  						goto L21;
                  					}
                  					while(1) {
                  						_t146 = _v32;
                  						if(_t146 == 0) {
                  							break;
                  						}
                  						E00424500(_t146, 0, _v24);
                  						_t152 = _t152 + 0xc;
                  						_v44 = _v24;
                  						RegEnumKeyExA(_v28, _v16, _t146,  &_v44, 0, 0, 0,  &_v60);
                  						E0041BE35( &_v72, _t146);
                  						if(RegOpenKeyExA(_v28, _t146, 0, 0x20019,  &_v36) != 0) {
                  							L14:
                  							E0041BEFB( &_v72);
                  							_v16 =  &(_v16[0]);
                  							if(_v16 < _v40) {
                  								continue;
                  							}
                  							goto L18;
                  						}
                  						_t147 = E00424DD9(0x100);
                  						if(_t147 == 0) {
                  							_t56 =  &_v8;
                  							 *_t56 = _v8 + 1;
                  							__eflags =  *_t56;
                  							E0041BEFB( &_v72);
                  							goto L18;
                  						}
                  						E00424500(_t147, 0, 0x100);
                  						_t153 = _t152 + 0xc;
                  						_v48 = 0x100;
                  						_v12 = 1;
                  						RegQueryValueExA(_v36, "Version", 0,  &_v12, _t147,  &_v48);
                  						if( *_t147 != 0 && _v12 == 1) {
                  							_push(_t147);
                  							_push(E0041CD1E(0x47eb1c));
                  							E0041C467( &_v72, " %s %s");
                  							_t153 = _t153 + 0x10;
                  						}
                  						E00424500(_t147, 0, 0x100);
                  						_t152 = _t153 + 0xc;
                  						_v52 = 0x100;
                  						RegQueryValueExA(_v36, "Installed", 0,  &_v12, _t147,  &_v52);
                  						if( *_t147 != 0 && _v12 == 1) {
                  							_push(_t147);
                  							_push(E0041CD1E(0x47eb28));
                  							E0041C467( &_v72, ", %s: %s");
                  							_t152 = _t152 + 0x10;
                  						}
                  						E0041EEC5(_v20,  &_v72);
                  						_v8 = _v8 + 1;
                  						E00424DCE(_t147);
                  						goto L14;
                  					}
                  					_v8 = _v8 + 1;
                  					goto L20;
                  				}
                  			}


                  APIs
                    • Part of subcall function 0041BDC5: GlobalAlloc.KERNELBASE(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                    • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                    • Part of subcall function 0041BE35: lstrlenA.KERNEL32(00000000,0047DFB8,0047F2B8,0041B2F4,Astrum Installer,00000000,0047DFB8,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000), ref: 0041BE49
                    • Part of subcall function 0041BE35: GlobalAlloc.KERNEL32(00000042,00000000,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 0041BE54
                    • Part of subcall function 0041BE35: GlobalLock.KERNEL32 ref: 0041BE75
                    • Part of subcall function 0041C0C5: GlobalUnlock.KERNEL32(?,00000000,0047E380,?,00421CA7,00000004,?,00000000,00000000,00000000,0047E490,0047E788,0047E380,0047E788,?,00422453), ref: 0041C0DE
                    • Part of subcall function 0041C0C5: GlobalReAlloc.KERNEL32 ref: 0041C0EB
                    • Part of subcall function 0041C0C5: GlobalLock.KERNEL32 ref: 0041C10C
                  • RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,00000000,0047E368,Software\,00000000,?,?,00000001,?,00000000,00000000,00000000,00000000), ref: 00421004
                  • RegQueryInfoKeyA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000001,?), ref: 00421026
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000001,?,?,00000001,?,00000000), ref: 00421083
                  • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,00000000,00000000,?,00000000,00000001,?,?,00000001,?,00000000,00000000,00000000), ref: 004210A0
                  • RegQueryValueExA.ADVAPI32(00000000,Version,00000000,00000001,00000000,00000000,?,?,?,?,00000000,00000001,?,?,00000001,?), ref: 004210E6
                  • RegQueryValueExA.ADVAPI32(00000000,Installed,00000000,00000001,00000000,00000000,?,?,?,?,?,?,?,00000000,00000001), ref: 00421133
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLocklstrlen$Query$OpenUnlockValue$EnumInfo
                  • String ID: %s %s$(G$, %s: %s$Installed$Software\$Version$hG
                  • API String ID: 1052176546-1597445898
                  • Opcode ID: eb21f44b1c9ad5e9903d96cc4743d310b631aa8d9bb6d41590713c3ff336ad93
                  • Instruction ID: bc104e200bd05c96be64d5b001c431f16b8f9d0cb8a15f8c22d70380ef4f1218
                  • Opcode Fuzzy Hash: eb21f44b1c9ad5e9903d96cc4743d310b631aa8d9bb6d41590713c3ff336ad93
                  • Instruction Fuzzy Hash: BC611A71E0011DAADF10EBE2EC86DFFBB7DEE58708B50402BF501A2151EB395A55CB68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00407B45(void* __ebx, void* __edi, void* __esi, char _a4) {
                  				struct HWND__** _t37;
                  				void* _t39;
                  				void* _t41;
                  				void* _t43;
                  				void* _t45;
                  				void* _t53;
                  				void* _t69;
                  				void* _t71;
                  				void* _t77;
                  				signed int _t86;
                  				signed int _t98;
                  				void* _t101;
                  				struct HWND__* _t102;
                  
                  				_t32 =  *0x47df60;
                  				_t102 = 0;
                  				if(_t32 == 0) {
                  					L44:
                  					return _t32;
                  				}
                  				_t77 = 0;
                  				if( *((intOrPtr*)(_t32 + 0x7c)) <= 0) {
                  					L14:
                  					E0041E921(_t32 + 0x70);
                  					if(E00407D82( *0x47df60) != 0) {
                  						DestroyWindow( *( *0x47df60 + 4));
                  					}
                  					 *( *0x47df60 + 4) = _t102;
                  					_t37 =  *( *0x47df60 + 0x6c);
                  					if(_t37 != _t102) {
                  						 *_t37 = _t102;
                  					}
                  					_t39 =  *( *0x47df60 + 0x48);
                  					if(_t39 != _t102) {
                  						DeleteObject(_t39);
                  						 *( *0x47df60 + 0x48) = _t102;
                  					}
                  					_t41 =  *( *0x47df60 + 0x4c);
                  					if(_t41 != _t102) {
                  						DeleteObject(_t41);
                  						 *( *0x47df60 + 0x4c) = _t102;
                  					}
                  					_t43 =  *( *0x47df60 + 0x50);
                  					if(_t43 != _t102) {
                  						DeleteObject(_t43);
                  						 *( *0x47df60 + 0x50) = _t102;
                  					}
                  					_t45 =  *( *0x47df60 + 0x54);
                  					if(_t45 != _t102) {
                  						DeleteObject(_t45);
                  						 *( *0x47df60 + 0x54) = _t102;
                  					}
                  					_t32 =  *( *0x47df60 + 0xa0);
                  					if(_t32 != _t102) {
                  						DeleteObject(_t32);
                  						_t32 =  *0x47df60;
                  						 *(_t32 + 0xa0) = _t102;
                  					}
                  					_t98 = 0;
                  					if( *0x47df54 <= _t102) {
                  						L38:
                  						if(_a4 != 0) {
                  							_t100 =  *0x47df60;
                  							if( *0x47df60 != _t102) {
                  								E00406E01(_t100);
                  								_t32 = E00424DCE(_t100);
                  							}
                  						}
                  						 *0x47df60 = _t102;
                  						if( *0x47df5c != _t102 ||  *0x47df54 <= _t102) {
                  							goto L44;
                  						} else {
                  							return E0041D881(E0041CD1E(0x47e924));
                  						}
                  					} else {
                  						_t32 =  *0x47df58;
                  						do {
                  							if( *((intOrPtr*)(_t32 + _t98 * 4)) !=  *0x47df60) {
                  								goto L37;
                  							}
                  							_t86 = _t98;
                  							if(_t98 >=  *0x47df54 - 1) {
                  								L36:
                  								 *0x47df54 =  *0x47df54 - 1;
                  								GlobalUnlock( *0x47df5c);
                  								_t53 = GlobalReAlloc( *0x47df5c,  *0x47df54 << 2, 0x42);
                  								 *0x47df5c = _t53;
                  								_t32 = GlobalLock(_t53);
                  								 *0x47df58 = _t32;
                  								goto L37;
                  							}
                  							while(1) {
                  								 *((intOrPtr*)(_t32 + _t86 * 4)) =  *((intOrPtr*)(_t32 + 4 + _t86 * 4));
                  								_t86 = _t86 + 1;
                  								if(_t86 >=  *0x47df54 - 1) {
                  									goto L36;
                  								}
                  								_t32 =  *0x47df58;
                  							}
                  							goto L36;
                  							L37:
                  							_t98 = _t98 + 1;
                  						} while (_t98 <  *0x47df54);
                  						goto L38;
                  					}
                  				} else {
                  					goto L2;
                  				}
                  				do {
                  					L2:
                  					_t101 = E0041E860(_t32 + 0x70, _t77);
                  					if( *((intOrPtr*)(_t101 + 8)) != 0xc) {
                  						DestroyWindow( *(_t101 + 0x50));
                  						goto L6;
                  					}
                  					_t103 =  *(_t101 + 0x50);
                  					if( *(_t101 + 0x50) != 0) {
                  						E0041EA84(_t103);
                  						E00424DCE(_t103);
                  					}
                  					_t102 = 0;
                  					L6:
                  					_t69 =  *(_t101 + 0x54);
                  					if(_t69 != _t102) {
                  						DeleteObject(_t69);
                  					}
                  					if( *((intOrPtr*)(_t101 + 0x34)) < 0xfffffffe) {
                  						_t71 =  *(_t101 + 0x58);
                  						if(_t71 != _t102) {
                  							DeleteObject(_t71);
                  						}
                  					}
                  					if(_t101 != _t102) {
                  						E00407D5B(_t101, 1);
                  					}
                  					_t32 =  *0x47df60;
                  					_t77 = _t77 + 1;
                  				} while (_t77 <  *((intOrPtr*)( *0x47df60 + 0x7c)));
                  				goto L14;
                  			}

















                  APIs
                  • DeleteObject.GDI32(?), ref: 00407B99
                  • DeleteObject.GDI32(?), ref: 00407BA9
                    • Part of subcall function 0041EA84: DeleteDC.GDI32(?), ref: 0041EAE0
                    • Part of subcall function 0041EA84: DeleteObject.GDI32(0000000C), ref: 0041EAF8
                    • Part of subcall function 0041EA84: DeleteObject.GDI32(?), ref: 0041EB06
                  • DestroyWindow.USER32(?,00000000,0047DFB8,00000094,?,0041A1BF,00000001,0047DFB8,0041A044,00000001,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 00407BE2
                  • DeleteObject.GDI32(?), ref: 00407C0B
                  • DeleteObject.GDI32(?), ref: 00407C22
                  • DeleteObject.GDI32(?), ref: 00407C39
                  • DeleteObject.GDI32(?), ref: 00407C50
                  • DeleteObject.GDI32(?), ref: 00407C6A
                  • DestroyWindow.USER32(?,00000000,00000000,0047DFB8,00000094,?,0041A1BF,00000001,0047DFB8,0041A044,00000001,00000000,00000000,00000000,?,0047E924), ref: 00407CA7
                  • GlobalUnlock.KERNEL32(00000000,0047DFB8,00000094,?,0041A1BF,00000001,0047DFB8,0041A044,00000001,00000000,00000000,00000000,?,0047E924,0041D88F,00000000), ref: 00407CD5
                  • GlobalReAlloc.KERNEL32 ref: 00407CEC
                  • GlobalLock.KERNEL32 ref: 00407CF8
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Delete$Object$Global$DestroyWindow$AllocLockUnlock
                  • String ID: $G
                  • API String ID: 4261534367-195990108
                  • Opcode ID: 4cbbb553f0697c4bd6378f99e2a20ecd54ae89e0639677ce42858f0b454cafb8
                  • Instruction ID: e471fc44e6ccc1b89dc971079bd39713c39b082186c56252f11c08beb7781c98
                  • Opcode Fuzzy Hash: 4cbbb553f0697c4bd6378f99e2a20ecd54ae89e0639677ce42858f0b454cafb8
                  • Instruction Fuzzy Hash: 59512975E182488FC620EF69ED8492A77B5BF48304761447EE40AB76A1CB38BC85CB1D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E0041B45D(void* __ecx, signed char _a4) {
                  				signed char _v8;
                  				char _v20;
                  				void* __edi;
                  				void* __esi;
                  				void* _t42;
                  				intOrPtr _t56;
                  				struct HINSTANCE__* _t60;
                  				signed char _t66;
                  				void* _t67;
                  				void* _t87;
                  				void* _t91;
                  				void* _t94;
                  				signed char* _t95;
                  				void* _t98;
                  				void* _t103;
                  				void* _t106;
                  				void* _t107;
                  				void* _t109;
                  
                  				_t1 = __ecx + 0x158; // 0x47e110
                  				_t95 = _t1;
                  				_t66 = 0;
                  				_t69 =  *_t95;
                  				if( *_t95 != 0) {
                  					_push(0);
                  					E00407827(_t69, _t91, _t95);
                  				}
                  				 *_t95 = _t66;
                  				DeleteDC( *0x47e184);
                  				_t98 =  *0x47e770 - _t66; // 0x0
                  				if(_t98 != 0) {
                  					if( *0x47f289 != 0) {
                  						 *0x47e714(_t66);
                  					}
                  					if( *0x47f288 != 0) {
                  						 *0x47e714(1);
                  					}
                  					E0041E681(0x47e710);
                  				}
                  				E0041BD2D(0x47e2d0);
                  				if(_a4 != 0) {
                  					_t60 =  *0x47f26c; // 0x0
                  					if(_t60 != _t66) {
                  						FreeLibrary(_t60);
                  						 *0x47f26c = _t66;
                  					}
                  				}
                  				_t103 =  *0x47e784 - _t66; // 0x0
                  				_a4 = _t66;
                  				if(_t103 <= 0) {
                  					L16:
                  					_t107 =  *0x47e52c - _t66; // 0x0
                  					_a4 = _t66;
                  					if(_t107 <= 0) {
                  						L21:
                  						E0041E921(0x47e520);
                  						E0041BDC5( &_v20);
                  						_v8 = _t66;
                  						_push(_t66);
                  						while(E0041C9D2(0x47e570) != 0) {
                  							_t66 = _t66 + 1;
                  							E0041C92F(0x47e570,  &_v8,  &_v20);
                  							if((_t66 & 0x00000001) != 0) {
                  								RemoveFontResourceA(E0041CD1E( &_v20));
                  							}
                  							DeleteFileA(E0041CD1E( &_v20));
                  							_push(_v8);
                  						}
                  						E0041BF12(0x47e570, 0x42e0c8);
                  						DeleteFileA(E0041CD1E(0x47df9c));
                  						DeleteFileA(E0041CD1E(0x47dfa8));
                  						DeleteFileA(E0041CD1E(0x47df90));
                  						DeleteFileA(E0041CD1E(0x47e788));
                  						DeleteObject( *0x47e180);
                  						E0041BEFB( &_v20);
                  						_t42 = 1;
                  						return _t42;
                  					} else {
                  						goto L17;
                  					}
                  					do {
                  						L17:
                  						_t67 = E0041E860(0x47e520, _a4);
                  						_t11 = _t67 + 4; // 0x4
                  						DeleteFileA(E0041CD1E(_t11));
                  						if(_t67 != 0) {
                  							_t12 = _t67 + 4; // 0x4
                  							E0041BEFB(_t12);
                  							E00424DCE(_t67);
                  						}
                  						_a4 = _a4 + 1;
                  						_t109 = _a4 -  *0x47e52c; // 0x0
                  					} while (_t109 < 0);
                  					_t66 = 0;
                  					goto L21;
                  				} else {
                  					_t94 = 0;
                  					do {
                  						_t56 =  *0x47e780; // 0x0
                  						_t87 = _t94 + _t56;
                  						if( *((intOrPtr*)(_t94 + _t56)) > _t66) {
                  							DeleteFileA(E0041CD1E(_t87));
                  						}
                  						_a4 = _a4 + 1;
                  						_t94 = _t94 + 0xc;
                  						_t106 = _a4 -  *0x47e784; // 0x0
                  					} while (_t106 < 0);
                  					goto L16;
                  				}
                  			}






















                  APIs
                  • DeleteDC.GDI32(00000000), ref: 0041B482
                  • FreeLibrary.KERNEL32(00000000), ref: 0041B4D7
                  • DeleteFileA.KERNEL32(00000000), ref: 0041B509
                  • DeleteFileA.KERNEL32(00000000), ref: 0041B541
                  • RemoveFontResourceA.GDI32(00000000), ref: 0041B5A7
                  • DeleteFileA.KERNEL32(00000000,?,00000000), ref: 0041B5B6
                    • Part of subcall function 00407827: GetWindowTextLengthA.USER32(?), ref: 004078A0
                    • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0221020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                    • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                    • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • DeleteFileA.KERNEL32(00000000,0042E0C8,00000000), ref: 0041B5D4
                  • DeleteFileA.KERNEL32(00000000), ref: 0041B5E1
                  • DeleteFileA.KERNEL32(00000000), ref: 0041B5EE
                  • DeleteFileA.KERNEL32(00000000), ref: 0041B5FB
                  • DeleteObject.GDI32 ref: 0041B603
                    • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                    • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Delete$Global$File$Unlock$AllocFreeLock$FontLengthLibraryObjectRemoveResourceTextWindow
                  • String ID: G$pG
                  • API String ID: 1984375292-3964839008
                  • Opcode ID: d5626b5a65b0072f64c185abbc8683852ebb99e60611248915683e9ff468a930
                  • Instruction ID: 296a2eed25ec2761f059183916520a0246cc43fa241ca85157825788f96731bb
                  • Opcode Fuzzy Hash: d5626b5a65b0072f64c185abbc8683852ebb99e60611248915683e9ff468a930
                  • Instruction Fuzzy Hash: E641B570A00105ABCB14AFA6EDD55EE3B6AEB44348B50847FF50597152CF3899C1CA9D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 84%
                  			E0041EBAF(struct HWND__** __ecx, struct HDC__* _a4, intOrPtr _a8, intOrPtr _a12, int _a16, int _a20, long _a24, signed char _a28) {
                  				struct tagRECT _v20;
                  				intOrPtr _t46;
                  				signed char _t48;
                  				struct HDC__* _t49;
                  				void* _t50;
                  				void* _t51;
                  				struct HDC__* _t52;
                  				void* _t54;
                  				struct HBRUSH__* _t61;
                  				void* _t63;
                  				int _t72;
                  				intOrPtr _t74;
                  				int _t79;
                  				void* _t81;
                  				struct HWND__** _t82;
                  
                  				_t82 = __ecx;
                  				_t74 = _a12;
                  				_t72 = _a20;
                  				 *((intOrPtr*)(__ecx)) = _a4;
                  				_t46 = _a8;
                  				 *(__ecx + 0x10) =  *(__ecx + 0x10) & 0x00000000;
                  				_t79 = _a16;
                  				 *((intOrPtr*)(__ecx + 0x14)) = _t46;
                  				 *((intOrPtr*)(__ecx + 0x18)) = _t74;
                  				 *((intOrPtr*)(__ecx + 0x1c)) = _t46 + _t79;
                  				_t48 = _a28;
                  				 *(__ecx + 0x24) = _t48;
                  				 *((intOrPtr*)(__ecx + 0x20)) = _t74 + _t72;
                  				if((_t48 & 0x00000002) != 0 && (_t48 & 0x00000001) != 0) {
                  					 *(__ecx + 0x24) = _t48 & 0x000000fd;
                  				}
                  				_t49 = _t82[1];
                  				if(_t49 != 0) {
                  					DeleteDC(_t49);
                  				}
                  				_t50 = _t82[2];
                  				if(_t50 != 0) {
                  					DeleteObject(_t50);
                  				}
                  				_t51 = _t82[3];
                  				if(_t51 != 0) {
                  					DeleteObject(_t51);
                  				}
                  				_t52 = GetDC( *_t82);
                  				_a4 = _t52;
                  				if(_t52 != 0) {
                  					_t82[1] = CreateCompatibleDC(_t52);
                  					_t54 = CreateCompatibleBitmap(_a4, _t79, _t72);
                  					_t82[2] = _t54;
                  					if(_t54 != 0) {
                  						if(SelectObject(_t82[1], _t54) != 0) {
                  							ReleaseDC( *_t82, _a4);
                  							_v20.left = _v20.left & 0x00000000;
                  							_v20.top = _v20.top & 0x00000000;
                  							_v20.right = _t79;
                  							_v20.bottom = _t72;
                  							if(DrawEdge(_t82[1],  &_v20, 0xa, 0xf) != 0) {
                  								SetBkMode(_t82[1], 1);
                  								SetTextColor(_t82[1], 0xffffff);
                  								_t61 = CreateSolidBrush(_a24);
                  								_t82[3] = _t61;
                  								if(_t61 != 0) {
                  									if((_t82[9] & 0x00000002) != 0) {
                  										E0041EA89(_t82);
                  									}
                  									E0041ED05(_t82);
                  									_push(1);
                  									goto L23;
                  								} else {
                  									_push(0xfffffffb);
                  									goto L19;
                  								}
                  							} else {
                  								_push(0xfffffffc);
                  								L19:
                  								_pop(_t81);
                  								DeleteDC(_t82[1]);
                  								DeleteObject(_t82[2]);
                  								_t63 = _t81;
                  							}
                  						} else {
                  							_push(0xfffffff1);
                  							goto L23;
                  						}
                  					} else {
                  						DeleteDC(_t82[1]);
                  						_push(0xfffffffd);
                  						goto L23;
                  					}
                  				} else {
                  					_push(0xfffffffe);
                  					L23:
                  					_pop(_t63);
                  				}
                  				return _t63;
                  			}



















                  APIs
                  • DeleteDC.GDI32(?), ref: 0041EBFA
                  • DeleteObject.GDI32(?), ref: 0041EC08
                  • DeleteObject.GDI32(?), ref: 0041EC16
                  • GetDC.USER32(00000000), ref: 0041EC1E
                  • CreateCompatibleDC.GDI32(00000000), ref: 0041EC33
                  • CreateCompatibleBitmap.GDI32(00000000,00000000,00000000), ref: 0041EC41
                  • DeleteDC.GDI32(?), ref: 0041EC51
                  • SelectObject.GDI32(?,00000000), ref: 0041EC62
                  • ReleaseDC.USER32 ref: 0041EC78
                  • DrawEdge.USER32(?,00000000,0000000A,0000000F), ref: 0041EC97
                  • DeleteDC.GDI32(?), ref: 0041ECD4
                  • DeleteObject.GDI32(?), ref: 0041ECDD
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Delete$Object$CompatibleCreate$BitmapDrawEdgeReleaseSelect
                  • String ID:
                  • API String ID: 608369310-0
                  • Opcode ID: 3e7d02a4a00b271197cd033e0c72544b9dcc0dc4ebf2123fa6d999bac16dbade
                  • Instruction ID: 5f70c00956729426acaa749462fe2811b3bdc1d437f37c264a0df7fd35e865d3
                  • Opcode Fuzzy Hash: 3e7d02a4a00b271197cd033e0c72544b9dcc0dc4ebf2123fa6d999bac16dbade
                  • Instruction Fuzzy Hash: 2B418F74600705EFDB308F2ADD09B9A7BE5BF04711B10892EF966D22A0EB34D841CB58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E00407827(intOrPtr __ecx, void* __edi, void* __esi) {
                  				void* __ebx;
                  				void* _t53;
                  				struct HWND__* _t66;
                  				long _t67;
                  				void* _t70;
                  				signed int _t92;
                  				int _t100;
                  				void* _t101;
                  				void* _t103;
                  				intOrPtr _t109;
                  				int _t110;
                  				void* _t139;
                  				void* _t141;
                  				int _t142;
                  				int _t144;
                  				void* _t145;
                  				void* _t147;
                  				void* _t148;
                  				void* _t149;
                  				intOrPtr _t150;
                  				void* _t151;
                  				void* _t167;
                  				void* _t170;
                  
                  				_t145 = __esi;
                  				_t139 = __edi;
                  				_t150 = __ecx;
                  				_t100 = 0;
                  				if( *((intOrPtr*)(__ecx + 4)) == 0) {
                  					L45:
                  					_t53 = 1;
                  					return _t53;
                  				}
                  				if(E00407D82(__ecx) == 0) {
                  					 *((char*)(_t151 + 0x34)) = 1;
                  				}
                  				_push(_t145);
                  				_push(_t139);
                  				 *(_t151 + 0x14) = _t100;
                  				if( *((intOrPtr*)(_t150 + 0x64)) <= _t100) {
                  					L41:
                  					E0041E921(_t150 + 0x58);
                  					_t170 =  *0x47e110 - _t150; // 0x0
                  					if(_t170 == 0) {
                  						 *0x47e110 = _t100;
                  					}
                  					EnableWindow(GetDlgItem( *(_t150 + 4), 1), _t100);
                  					EnableWindow(GetDlgItem( *(_t150 + 4), 2), _t100);
                  					EnableWindow(GetDlgItem( *(_t150 + 4), 3), _t100);
                  					_pop(_t141);
                  					 *0x47df60 = _t150;
                  					_pop(_t147);
                  					if( *((char*)(_t151 + 0x3c)) != 0) {
                  						E00407B45(_t100, _t141, _t147, _t100);
                  					}
                  					goto L45;
                  				} else {
                  					do {
                  						_t148 = E0041E860(_t150 + 0x58,  *(_t151 + 0x14));
                  						_t101 = E0040710F(_t150,  *((intOrPtr*)(_t148 + 0xc)));
                  						_t142 = 0;
                  						if(_t101 == 0) {
                  							goto L39;
                  						}
                  						_t66 =  *(_t101 + 0x50);
                  						if(_t66 == 0) {
                  							goto L39;
                  						}
                  						_t109 =  *((intOrPtr*)(_t101 + 8));
                  						if(_t109 == 3 || _t109 == 4) {
                  							_t67 = SendMessageA(_t66, 0xf0, _t142, _t142);
                  							_t110 = 1;
                  							__eflags = _t67 - _t110;
                  							if(_t67 == _t110) {
                  								L21:
                  								 *(_t148 + 0x1c) = _t110;
                  								L22:
                  								E004278E9( *(_t148 + 0x1c), _t151 + 0x28, 0xa);
                  								_t151 = _t151 + 0xc;
                  								_t70 = _t151 + 0x28;
                  								goto L23;
                  							}
                  							__eflags = _t67 - 2;
                  							if(_t67 == 2) {
                  								goto L21;
                  							}
                  							 *(_t148 + 0x1c) = _t142;
                  							goto L22;
                  						} else {
                  							if(_t109 != 5) {
                  								__eflags = _t109 - 7;
                  								if(_t109 == 7) {
                  									L17:
                  									__eflags = _t109 - 7;
                  									 *(_t148 + 0x1c) = SendMessageA(_t66, ((0 | _t109 != 0x00000007) - 0x00000001 & 0x00000041) + 0x147, _t142, _t142);
                  									E00427836(_t89, _t151 + 0x18, 0xa);
                  									_t151 = _t151 + 0xc;
                  									_t70 = _t151 + 0x18;
                  									L23:
                  									_t29 = _t148 + 0x10; // 0x10
                  									E0041BF12(_t29, _t70);
                  									L24:
                  									if(E00424DD9(0x58) != _t142) {
                  										_t142 = E00407ADD(_t72);
                  									}
                  									if(_t142 == 0) {
                  										E0041D881(E0041CD1E(0x47e924));
                  									}
                  									E0041BF80(_t142, _t148);
                  									 *(_t142 + 0x10) =  *(_t142 + 0x10) | 0xffffffff;
                  									_t32 = _t148 + 0x10; // 0x10
                  									_t102 = _t32;
                  									_t33 = _t142 + 0x48; // 0x48
                  									 *(_t142 + 0xc) = 1;
                  									E0041BF80(_t33, _t32);
                  									 *(_t142 + 0x54) =  *(_t148 + 0x1c);
                  									if(_t148 != 0) {
                  										E0041BEFB(_t102);
                  										E0041BEFB(_t148);
                  										E00424DCE(_t148);
                  									}
                  									 *(_t151 + 0x10) =  *(_t151 + 0x10) & 0x00000000;
                  									_t165 =  *0x47e4dc;
                  									if( *0x47e4dc <= 0) {
                  										_t149 = 0x47e4d0;
                  										goto L38;
                  									} else {
                  										while(1) {
                  											_t149 = 0x47e4d0;
                  											_t103 = E0041E860(0x47e4d0,  *(_t151 + 0x10));
                  											if(E0041C176(_t103, _t165, _t142, 1) != 0) {
                  												break;
                  											}
                  											 *(_t151 + 0x10) =  *(_t151 + 0x10) + 1;
                  											_t167 =  *(_t151 + 0x10) -  *0x47e4dc; // 0x8
                  											if(_t167 < 0) {
                  												continue;
                  											}
                  											L38:
                  											E0041E87A(_t149, _t142, 0xffffffff);
                  											goto L39;
                  										}
                  										__eflags = _t103;
                  										if(_t103 != 0) {
                  											E00407B11(_t103);
                  											E00424DCE(_t103);
                  										}
                  										E0041E907(_t149,  *(_t151 + 0x14), _t142);
                  										goto L39;
                  									}
                  								}
                  								__eflags = _t109 - 8;
                  								if(_t109 != 8) {
                  									goto L24;
                  								}
                  								goto L17;
                  							}
                  							_t144 = GetWindowTextLengthA(_t66) + 1;
                  							_t92 = E00424DD9(_t144);
                  							 *(_t151 + 0x10) = _t92;
                  							if(_t92 == 0) {
                  								E0041D881(E0041CD1E(0x47e924));
                  							}
                  							if(_t144 != 1) {
                  								GetWindowTextA( *(_t101 + 0x50),  *(_t151 + 0x14), _t144);
                  							} else {
                  								 *( *(_t151 + 0x10)) =  *( *(_t151 + 0x10)) & 0x00000000;
                  							}
                  							_t15 = _t148 + 0x10; // 0x10
                  							E0041BF12(_t15,  *(_t151 + 0x10));
                  							 *(_t148 + 0x1c) = E00424FC3(_t15,  *(_t151 + 0x10));
                  							E00424DCE( *(_t151 + 0x14));
                  							_t142 = 0;
                  							goto L24;
                  						}
                  						L39:
                  						 *(_t151 + 0x14) =  &(( *(_t151 + 0x14))[1]);
                  					} while ( *(_t151 + 0x14) <  *((intOrPtr*)(_t150 + 0x64)));
                  					_t100 = 0;
                  					goto L41;
                  				}
                  			}



























                  APIs
                  • GetWindowTextLengthA.USER32(?), ref: 004078A0
                  • GetWindowTextA.USER32 ref: 004078DF
                  • SendMessageA.USER32(?,-00000148,00000000,00000000), ref: 0040792F
                  • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00407956
                  • GetDlgItem.USER32 ref: 00407A9B
                  • EnableWindow.USER32(00000000), ref: 00407AA4
                  • GetDlgItem.USER32 ref: 00407AAC
                  • EnableWindow.USER32(00000000), ref: 00407AAF
                  • GetDlgItem.USER32 ref: 00407AB7
                  • EnableWindow.USER32(00000000), ref: 00407ABA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Window$EnableItem$MessageSendText$Length
                  • String ID: $G$$G
                  • API String ID: 1281374264-2434318057
                  • Opcode ID: f4f2855c8cab32bc9d209eaa5381aa18ebcf6ff6885c2313637300ec8d4ce2d5
                  • Instruction ID: 834a23fe4f7e8a8072a0548f6f657284474bb3ca5693f3cc7dd4fb70d565ed91
                  • Opcode Fuzzy Hash: f4f2855c8cab32bc9d209eaa5381aa18ebcf6ff6885c2313637300ec8d4ce2d5
                  • Instruction Fuzzy Hash: 1B711871A08301ABDB24EF62DC85A6F77A9EF80704F10493FF501A62D1DB78AD45CB5A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E0040B78E(unsigned int _a4) {
                  				int _v8;
                  				void* __ecx;
                  				void* __edi;
                  				void* __esi;
                  				unsigned int _t39;
                  				int _t40;
                  				void* _t41;
                  				int _t42;
                  				long _t43;
                  				int _t66;
                  				int _t67;
                  				intOrPtr _t68;
                  				int _t74;
                  				intOrPtr _t76;
                  				CHAR* _t78;
                  				intOrPtr _t80;
                  				CHAR* _t90;
                  				char* _t98;
                  				void* _t99;
                  				void* _t104;
                  				void* _t105;
                  				intOrPtr _t107;
                  				struct HWND__* _t109;
                  				void* _t110;
                  				void* _t116;
                  
                  				_push(_t80);
                  				_t39 = _a4 >> 0x10;
                  				_t74 = 0;
                  				_push(_t110);
                  				_t107 = _t80;
                  				if(_t39 == 0 || _t39 == 1) {
                  					_t40 = _a4 & 0x0000ffff;
                  					if(_t40 != 2) {
                  						if(_t40 != 1) {
                  							if(_t40 != 3) {
                  								if(_t40 == 0xb) {
                  									_t42 = SendDlgItemMessageA( *(_t107 + 4), _t40, 0x188, _t74, _t74);
                  									_t76 =  *0x47e35c; // 0x9
                  									_a4 = _t42;
                  									_t43 = SendDlgItemMessageA( *(_t107 + 4), 0xb, 0x18a, _t42, 0);
                  									_t32 = _t76 + 1; // 0x1
                  									_t78 = E00424DD9(_t43 + _t32);
                  									if(_t78 == 0) {
                  										E0041D881(E0041CD1E(0x47e924));
                  									}
                  									SendDlgItemMessageA( *(_t107 + 4), 0xb, 0x189, _a4, _t78);
                  									if(( *0x47e193 & 0x00000004) == 0) {
                  										if( *_t78 != 0) {
                  											lstrcatA(_t78, "\\");
                  										}
                  										lstrcatA(_t78, E0041CD1E(0x47e35c));
                  									}
                  									SetDlgItemTextA( *(_t107 + 4), 0xa, _t78);
                  									E00424DCE(_t78);
                  								}
                  							} else {
                  								E0041DBA4( *(_t107 + 4), 0xa,  &_a4);
                  								E0041BF12(0x47e344, _a4);
                  								E00424DCE(_a4);
                  								E00407827(_t107, _t107, _t110, _t74);
                  								E00417D26(0x47dfb8, _t74);
                  							}
                  							goto L41;
                  						}
                  						E0041DBA4( *(_t107 + 4), 0xa,  &_a4);
                  						_t90 = _a4;
                  						if( *_t90 == 0) {
                  							L26:
                  							E0041BF12(0x47e344, _t90);
                  							E0041CDAE(0x47e344);
                  							E00424DCE(_a4);
                  							E00407827(_t107, _t107, 0x47e344, _t74);
                  							E00417EA6(0x47dfb8, _t74);
                  							goto L41;
                  						}
                  						_t66 = lstrlenA(_t90);
                  						_t90 = _a4;
                  						_t104 = 0;
                  						_v8 = _t66;
                  						if(_t66 <= _t74) {
                  							L21:
                  							if( *_t90 != 0x5c) {
                  								goto L26;
                  							}
                  							_t67 = lstrlenA(_t90);
                  							_t12 = _t67 - 1; // -1
                  							_t116 = _t12;
                  							_t105 = 0;
                  							if(_t116 <= _t74) {
                  								L25:
                  								 *(_t67 + _a4 - 1) =  *(_t67 + _a4 - 1) & 0x00000000;
                  								_t90 = _a4;
                  								goto L26;
                  							} else {
                  								goto L23;
                  							}
                  							do {
                  								L23:
                  								_t98 = _a4 + _t105;
                  								_t105 = _t105 + 1;
                  								 *_t98 =  *((intOrPtr*)(_t98 + 1));
                  							} while (_t105 < _t116);
                  							_t74 = 0;
                  							goto L25;
                  						} else {
                  							goto L9;
                  						}
                  						while(1) {
                  							L9:
                  							_t68 =  *((intOrPtr*)(_t104 + _t90));
                  							if(_t68 == 0x7c || _t68 == 0x2a || _t68 == 0x2f || _t68 == 0x3e || _t68 == 0x3c || _t68 == 0x3f || _t68 == 0x22 || _t68 == 0x3a) {
                  								break;
                  							}
                  							if(_t104 <= _t74 || _t68 != 0x5c ||  *((intOrPtr*)(_t104 + _t90 - 1)) != _t68) {
                  								_t104 = _t104 + 1;
                  								if(_t104 < _v8) {
                  									continue;
                  								}
                  								goto L21;
                  							} else {
                  								_t109 =  *(_t107 + 4);
                  								_push(_t74);
                  								_push(_t74);
                  								_t99 = 0x47eca8;
                  								L29:
                  								_push(E0041CD1E(_t99));
                  								_push(_t109);
                  								E0041B2CC(0x47dfb8);
                  								goto L41;
                  							}
                  						}
                  						_t109 =  *(_t107 + 4);
                  						_push(_t74);
                  						_push(_t74);
                  						_t99 = 0x47ecb4;
                  						goto L29;
                  					} else {
                  						if(E0041BC79(0x47dfb8) != 0) {
                  							E00407827(_t107, _t107, 0x47dfb8, _t74);
                  							E0041A1B5(1);
                  						}
                  						L41:
                  						_t41 = 1;
                  						goto L42;
                  					}
                  				} else {
                  					_t41 = 0;
                  					L42:
                  					return _t41;
                  				}
                  			}





























                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: lstrlen
                  • String ID: $G$DG$DG$\G
                  • API String ID: 1659193697-1102624840
                  • Opcode ID: 7cc0d782bb13f3d62aeb052e18f8a0e6684ca34ee81895a96f0c97fc2e82626e
                  • Instruction ID: 62e0240078fb073b421d73022b5cc11b0d737a4f48bb43ae6e36991704f46cf2
                  • Opcode Fuzzy Hash: 7cc0d782bb13f3d62aeb052e18f8a0e6684ca34ee81895a96f0c97fc2e82626e
                  • Instruction Fuzzy Hash: 0F5107B16001147ADB246B668C81BBA771DEF85344F44C03BF6096B2E2CB3D5C8297DE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 78%
                  			E00406BA4() {
                  				signed int _v8;
                  				intOrPtr _v20;
                  				intOrPtr _v28;
                  				long _v32;
                  				long _v36;
                  				int _v40;
                  				long _v48;
                  				void* _v52;
                  				long _v56;
                  				long _t42;
                  				long _t48;
                  				signed int _t52;
                  				signed int _t57;
                  				void* _t59;
                  				signed int _t62;
                  				signed int _t80;
                  				intOrPtr _t82;
                  
                  				_push(0xffffffff);
                  				_push(0x4285c0);
                  				_push(E00424EE0);
                  				_push( *[fs:0x0]);
                  				 *[fs:0x0] = _t82;
                  				_v28 = _t82 - 0x24;
                  				_t59 = GetCurrentThread();
                  				_v52 = _t59;
                  				_v40 = GetThreadPriority(_t59);
                  				SetThreadPriority(_t59, 0xf);
                  				_v36 = GetTickCount();
                  				do {
                  				} while (GetTickCount() == _v36);
                  				_t42 = GetTickCount();
                  				_v36 = _t42;
                  				_v8 = _v8 & 0x00000000;
                  				asm("rdtsc");
                  				_v32 = _t42;
                  				_v8 = _v8 | 0xffffffff;
                  				SetThreadPriority(_t59, _v40);
                  				Sleep(0x3c);
                  				SetThreadPriority(_t59, 0xf);
                  				_v48 = GetTickCount();
                  				do {
                  				} while (GetTickCount() == _v48);
                  				_t48 = GetTickCount();
                  				asm("rdtsc");
                  				_v56 = _t48;
                  				SetThreadPriority(_t59, _v40);
                  				_t52 = (_v56 - _v32) / (_t48 - _v36);
                  				_t62 = _t52 / 0x3e8;
                  				_t80 = 0x64;
                  				if(_t52 / _t80 - (_t62 + _t62 * 4 << 1) >= 5) {
                  					_t62 = _t62 + 1;
                  				}
                  				_t57 = _t62;
                  				 *[fs:0x0] = _v20;
                  				return _t57;
                  			}





















                  APIs
                  • GetCurrentThread.KERNEL32 ref: 00406BCA
                  • GetThreadPriority.KERNEL32(00000000,?,FFFFFFFF,00424EE0,004285C0,000000FF,?,00406CAB,00000001,00000000), ref: 00406BD6
                  • SetThreadPriority.KERNEL32(00000000,0000000F,?,FFFFFFFF,00424EE0,004285C0,000000FF,?,00406CAB,00000001,00000000), ref: 00406BE8
                  • GetTickCount.KERNEL32 ref: 00406BF0
                  • GetTickCount.KERNEL32 ref: 00406BF5
                  • GetTickCount.KERNEL32 ref: 00406BFC
                  • SetThreadPriority.KERNEL32(00000000,?,?,FFFFFFFF,00424EE0,004285C0,000000FF,?,00406CAB,00000001), ref: 00406C12
                  • Sleep.KERNEL32(0000003C,?,FFFFFFFF,00424EE0,004285C0,000000FF,?,00406CAB,00000001), ref: 00406C16
                  • SetThreadPriority.KERNEL32(00000000,0000000F,?,FFFFFFFF,00424EE0,004285C0,000000FF,?,00406CAB,00000001), ref: 00406C1F
                  • GetTickCount.KERNEL32 ref: 00406C21
                  • GetTickCount.KERNEL32 ref: 00406C26
                  • GetTickCount.KERNEL32 ref: 00406C2D
                  • SetThreadPriority.KERNEL32(00000000,?,?,FFFFFFFF,00424EE0,004285C0,000000FF,?,00406CAB,00000001), ref: 00406C3A
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: CountThreadTick$Priority$CurrentSleep
                  • String ID:
                  • API String ID: 291737148-0
                  • Opcode ID: 9f8002935701d1ec369be861fcc2b505056c39e40581bdc00d2ea3d26c99d62e
                  • Instruction ID: 9f3291b0cac2f927a9765f977a280d8983fceb87df8d02e1d93569ae2ed6f9ff
                  • Opcode Fuzzy Hash: 9f8002935701d1ec369be861fcc2b505056c39e40581bdc00d2ea3d26c99d62e
                  • Instruction Fuzzy Hash: 88218D71E00628AFDB10DFB9DD44A9DBBB9FF88710F11426AE405F3294DB7859018FA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E00409F55(intOrPtr __ecx, void* __eflags) {
                  				long _v8;
                  				long _v12;
                  				intOrPtr _v16;
                  				long _v20;
                  				char _v32;
                  				char _v44;
                  				char _v56;
                  				char _v68;
                  				long _t75;
                  				long _t80;
                  				void* _t96;
                  				long _t101;
                  				long _t103;
                  				void* _t188;
                  				void* _t191;
                  
                  				_v16 = __ecx;
                  				E0041BDC5( &_v68);
                  				_t75 = SendMessageA(GetDlgItem( *(__ecx + 4), 0xf), 0x18b, 0, 0);
                  				_v20 = _t75;
                  				_v12 = 0;
                  				if(_t75 > 0) {
                  					do {
                  						_t101 = SendMessageA(GetDlgItem( *(_v16 + 4), 0xf), 0x18a, _v12, 0);
                  						_t102 = _t101 + 1;
                  						if(_t101 + 1 > 1) {
                  							_t103 = E00424DD9(_t102);
                  							__eflags = _t103;
                  							_v8 = _t103;
                  							if(_t103 == 0) {
                  								E0041D881(E0041CD1E(0x47e924));
                  							}
                  							SendMessageA(GetDlgItem( *(_v16 + 4), 0xf), 0x189, _v12, _v8);
                  							E0041BE35( &_v44, _v8);
                  							E00424DCE(_v8);
                  							_v8 = E0041C6AD( &_v44, 9, 0);
                  							E0041BE99( &_v32, E0041CC95( &_v44, 0, _t109));
                  							__eflags = _v8;
                  							if(_v8 >= 0) {
                  								while(1) {
                  									__eflags = _v32 - 0x16;
                  									if(_v32 >= 0x16) {
                  										break;
                  									}
                  									E0041BFF8( &_v32, 0x20);
                  								}
                  								E0041C3A9( &_v44, 0, _v8 + 1);
                  								_v8 = E0041C6AD( &_v44, 9, 0);
                  								E0041C0C5( &_v32, __eflags, E0041CC95( &_v44, 0, _t121));
                  								__eflags = _v8;
                  								if(_v8 >= 0) {
                  									while(1) {
                  										__eflags = _v32 - 0x36;
                  										if(_v32 >= 0x36) {
                  											break;
                  										}
                  										E0041BFF8( &_v32, 0x20);
                  									}
                  									E0041C3A9( &_v44, 0, _v8 + 1);
                  									_v8 = E0041C6AD( &_v44, 9, 0);
                  									E0041C0C5( &_v32, __eflags, E0041CC95( &_v44, 0, _t127));
                  									__eflags = _v8;
                  									if(_v8 >= 0) {
                  										while(1) {
                  											__eflags = _v32 - 0x56;
                  											if(_v32 >= 0x56) {
                  												break;
                  											}
                  											E0041BFF8( &_v32, 0x20);
                  										}
                  										__eflags = _v8 + 1;
                  										E0041C3A9( &_v44, 0, _v8 + 1);
                  										E0041C0C5( &_v32, __eflags,  &_v44);
                  									}
                  								}
                  							}
                  							E0041C047( &_v32, "\r\n", 0);
                  							E0041C0C5( &_v68, __eflags,  &_v32);
                  							E0041BEFB( &_v32);
                  							E0041BEFB( &_v44);
                  						} else {
                  							E0041C047( &_v68, "\r\n", 0);
                  						}
                  						_v12 = _v12 + 1;
                  					} while (_v12 < _v20);
                  				}
                  				E0041BE35( &_v56, "c:\\sysinfo.txt");
                  				_t188 = 1;
                  				while(E0040DF52(E0041CD1E( &_v56)) != 0) {
                  					E0041BF12( &_v56, 0x42e0c8);
                  					_t96 = _t188;
                  					_t188 = _t188 + 1;
                  					_push(_t96);
                  					E0041C467( &_v56, "c:\\sysinfo%d.txt");
                  					_t191 = _t191 + 0xc;
                  				}
                  				_t80 = E0041CE0E( &_v68, E0041CD1E( &_v56));
                  				__eflags = _t80;
                  				if(_t80 >= 0) {
                  					E0041BDC5( &_v44);
                  					_push(E0041CD1E( &_v56));
                  					E0041C467( &_v44, E0041CD1E(0x47eb88));
                  					E0041B2CC(0x47dfb8,  *(_v16 + 4), E0041CD1E( &_v44), 0, 0);
                  					E0041BEFB( &_v44);
                  				} else {
                  					E0041B2A8( *(_v16 + 4), E0041CD1E(0x47eb7c), 0);
                  				}
                  				E0041BEFB( &_v56);
                  				return E0041BEFB( &_v68);
                  			}



















                  APIs
                    • Part of subcall function 0041BDC5: GlobalAlloc.KERNELBASE(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                    • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                  • GetDlgItem.USER32 ref: 00409F7F
                  • SendMessageA.USER32(00000000), ref: 00409F88
                  • GetDlgItem.USER32 ref: 00409FA9
                  • SendMessageA.USER32(00000000), ref: 00409FAC
                  • GetDlgItem.USER32 ref: 00409FF9
                  • SendMessageA.USER32(00000000), ref: 00409FFC
                    • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                    • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                    • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                    • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$ItemMessageSend$AllocLock$Unlocklstrlen
                  • String ID: $G$V$c:\sysinfo%d.txt$c:\sysinfo.txt$|G
                  • API String ID: 215810071-2601299066
                  • Opcode ID: aaccd5eaf1d424c07c0ffe865da935311192873e6d83439d8d26d8d17e0f14d3
                  • Instruction ID: 16a20c480a5d05e8d8be944ef17e2098a89b4b13602600d0f02d6ddf1aec6615
                  • Opcode Fuzzy Hash: aaccd5eaf1d424c07c0ffe865da935311192873e6d83439d8d26d8d17e0f14d3
                  • Instruction Fuzzy Hash: D2818671D40219AACF04EBA2DD86DEEBB78EF14314F10402FF506B31D2DB385A86DA59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E0040F999(intOrPtr __ecx, void* __eflags) {
                  				int _v5;
                  				int _v6;
                  				int _v7;
                  				long _v12;
                  				int _v16;
                  				int _v20;
                  				int _v24;
                  				intOrPtr _v28;
                  				void* _v32;
                  				char _v36;
                  				int _v40;
                  				BITMAPINFO* _v44;
                  				int _v48;
                  				char _v64;
                  				void* _t74;
                  				void* _t82;
                  				void* _t84;
                  				long _t85;
                  				BITMAPINFO* _t88;
                  				int _t89;
                  				void* _t92;
                  				struct HDC__* _t93;
                  				int _t95;
                  				void* _t104;
                  				signed int _t111;
                  				int _t121;
                  				signed int _t132;
                  				long _t134;
                  				signed char _t135;
                  				int _t138;
                  				int _t141;
                  				int _t143;
                  				long _t144;
                  				int _t148;
                  				int _t150;
                  				int _t153;
                  
                  				_v28 = __ecx;
                  				_t74 = E0041C8FD(0x47e2f0, 0x80);
                  				if(_t74 == 0) {
                  					return _t74;
                  				}
                  				_t111 =  *0x47e844; // 0x14
                  				_t132 =  *0x47e848; // 0x3c
                  				_v6 = _t111 >> 0x0000001f & 0x00000001;
                  				_v7 = _t132 >> 0x0000001f & 0x00000001;
                  				_v20 = _t111 & 0x7fffffff;
                  				_v16 = _t132 & 0x7fffffff;
                  				_v5 = 0;
                  				_t82 = E0041C8FD(0x47e2f0, 0x84);
                  				_t157 = _t82 - 1;
                  				if(_t82 == 1 || E0040FCA0(_t157, E0041C8FD(0x47e2f0, 0x88)) == 2) {
                  					_t147 = 0x47df9c;
                  					_t84 = CreateFileA(E0041CD1E(0x47df9c), 0x80000000, 1, 0, 3, 0x80, 0);
                  					__eflags = _t84 - 0xffffffff;
                  					_v24 = _t84;
                  					if(_t84 != 0xffffffff) {
                  						_v5 = 1;
                  						_t85 = GetFileSize(_t84, 0);
                  						goto L9;
                  					}
                  					DeleteFileA(E0041CD1E(0x47df9c));
                  					_push(0xfffffffa);
                  				} else {
                  					_t104 = CreateFileA(E0041CD1E(0x47e6c8), 0x80000000, 1, 0, 3, 0x80, 0);
                  					_v24 = _t104;
                  					if(_t104 != 0xffffffff) {
                  						_v12 = 0;
                  						SetFilePointer(_v24, E0041C8FD(0x47e2f0, 0x84),  &_v12, 0);
                  						_t85 = E0041C8FD(0x47e2f0, 0x88);
                  						_t147 = 0x47df9c;
                  						L9:
                  						_v40 = 0;
                  						_t16 =  &_v36; // 0x32
                  						_t143 = E00410087(_v28, _v24, _t85,  &_v64,  &_v44, _t16,  &_v32,  &_v40);
                  						CloseHandle(_v24);
                  						__eflags = _v5;
                  						if(_v5 != 0) {
                  							DeleteFileA(E0041CD1E(_t147));
                  						}
                  						__eflags = _t143;
                  						if(_t143 >= 0) {
                  							_t88 = _v44;
                  							__eflags = _v6;
                  							_t144 =  *0x47e170; // 0x0
                  							_t121 = _t88->bmiHeader.biWidth;
                  							_t134 = _t88->bmiHeader.biHeight;
                  							_v12 = _t121;
                  							_v48 = _t134;
                  							_v24 = _t134;
                  							if(_v6 != 0) {
                  								_t141 = _t144 - _t121 - _v20;
                  								__eflags = _t141;
                  								_v20 = _t141;
                  							}
                  							__eflags = _v7;
                  							_t148 =  *0x47e174; // 0x0
                  							if(_v7 != 0) {
                  								_t138 = _t148 - _v24 - _v16;
                  								__eflags = _t138;
                  								_v16 = _t138;
                  							}
                  							_t135 =  *0x47e84c; // 0x10
                  							__eflags = _t135 & 0x00000004;
                  							if((_t135 & 0x00000004) == 0) {
                  								__eflags = _t135 & 0x00000008;
                  								if((_t135 & 0x00000008) != 0) {
                  									_v20 = 0;
                  									_v16 = 0;
                  								}
                  							} else {
                  								_v20 = 0;
                  								_v16 = 0;
                  								_v12 = _t144;
                  								_v24 = _t148;
                  							}
                  							__eflags = _t135 & 0x00000040;
                  							if((_t135 & 0x00000040) == 0) {
                  								_t89 = StretchDIBits( *0x47e184, _v20, _v16, _v12, _v24, 0, 0, _t121, _v48, _v32, _t88, 0, 0xcc0020);
                  								_t61 =  &_v36; // 0x32
                  								E00424DCE( *_t61);
                  								__eflags = _t89 - 0xffffffff;
                  								if(_t89 != 0xffffffff) {
                  									goto L26;
                  								}
                  								_push(0xfffffff4);
                  								goto L33;
                  							} else {
                  								_t48 =  &_v36; // 0x32
                  								_t95 = E0040F6CB(_v20, _v16, _v12, _v24, _t88, _v32, _t48);
                  								__eflags = _t95;
                  								if(_t95 >= 0) {
                  									L26:
                  									DeleteObject(_v40);
                  									__eflags =  *0x47e84c & 0x00000008;
                  									if(( *0x47e84c & 0x00000008) == 0) {
                  										L32:
                  										_push(1);
                  										L33:
                  										_pop(_t92);
                  										return _t92;
                  									}
                  									_t150 = 0;
                  									__eflags =  *0x47e174; // 0x0
                  									_v20 = 0;
                  									if(__eflags <= 0) {
                  										goto L32;
                  									} else {
                  										goto L28;
                  									}
                  									do {
                  										L28:
                  										asm("sbb esi, esi");
                  										_t153 =  !( ~_t150) & _v12;
                  										__eflags = _t153;
                  										while(1) {
                  											__eflags = _t153 -  *0x47e170; // 0x0
                  											if(__eflags >= 0) {
                  												goto L31;
                  											}
                  											_t93 =  *0x47e184; // 0x0
                  											BitBlt(_t93, _t153, _v20, _v12, _v24, _t93, 0, 0, 0xcc0020);
                  											_t153 = _t153 + _v12;
                  										}
                  										L31:
                  										_t150 = _v20 + _v24;
                  										__eflags = _t150 -  *0x47e174; // 0x0
                  										_v20 = _t150;
                  									} while (__eflags < 0);
                  									goto L32;
                  								}
                  								return _t95;
                  							}
                  						} else {
                  							return _t143;
                  						}
                  					}
                  					_push(0xfffffff9);
                  				}
                  			}








































                  APIs
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000088,00000084,00000080,00000032,00000000,73BBAC50), ref: 0040FA3B
                  • SetFilePointer.KERNEL32(00000000,00000000,00000084,0047F208,00000000,?,?,?,0047F208,0040EF89,00000000,-00000001,00000032,00000032,00000032,00000000), ref: 0040FA64
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000084,00000080,00000032,00000000,73BBAC50,?,?,?,0047F208), ref: 0040FA9A
                  • DeleteFileA.KERNEL32(00000000,?,?,?,0047F208,0040EF89,00000000,-00000001,00000032,00000032,00000032,00000000,?,0047E850,0047F208,00415DA3), ref: 0040FAB0
                    • Part of subcall function 0040FCA0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,0047E2F0,00000088,00000001,?,00000000), ref: 0040FCC5
                    • Part of subcall function 0040FCA0: SetFilePointer.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040FCE0
                    • Part of subcall function 0040FCA0: ReadFile.KERNEL32(00000000,00000000,00000002,?,00000000,?,00000000), ref: 0040FCF5
                    • Part of subcall function 0040FCA0: CloseHandle.KERNEL32(00000000,?,00000000), ref: 0040FCFC
                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0047F208,0040EF89,00000000,-00000001,00000032,00000032,00000032,00000000,?,0047E850,0047F208), ref: 0040FAC3
                  • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000000,222,00000032,-00000001,?,?,?,0047F208,0040EF89,00000000,-00000001,00000032), ref: 0040FAF1
                  • DeleteFileA.KERNEL32(00000000,?,?,?,0047F208,0040EF89,00000000,-00000001,00000032,00000032,00000032,00000000,?,0047E850,0047F208,00415DA3), ref: 0040FB04
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: File$CreateGlobal$CloseDeleteHandlePointer$AllocLockReadSizeUnlock
                  • String ID: 222
                  • API String ID: 403409666-4245286173
                  • Opcode ID: 419b895022984bd4935cd07fae2d7e32c9077eb33cc33c2e0760b108c1800f97
                  • Instruction ID: 314133e16cfcfab220549e2d3526c5f80cf69c47e80d0841942c05dbe0d527e2
                  • Opcode Fuzzy Hash: 419b895022984bd4935cd07fae2d7e32c9077eb33cc33c2e0760b108c1800f97
                  • Instruction Fuzzy Hash: 9481AF71E00109ABDF259FA5CC81AEEBB79FB48304F54827AE515B32E0CB381D45CB69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E00408C8C(intOrPtr __ecx, void* __edx, struct HINSTANCE__* _a4, struct HWND__* _a8, signed int _a11) {
                  				signed int _v5;
                  				signed int _v6;
                  				signed int _v7;
                  				struct tagRECT _v24;
                  				struct _WNDCLASSEXA _v72;
                  				int _t78;
                  				int _t80;
                  				int _t82;
                  				signed int _t95;
                  				void* _t98;
                  				void* _t99;
                  				void* _t109;
                  				void* _t111;
                  				signed int* _t112;
                  				void* _t113;
                  				intOrPtr _t118;
                  				void* _t121;
                  				int _t131;
                  				CHAR* _t132;
                  				intOrPtr _t133;
                  				intOrPtr _t134;
                  
                  				_t121 = __edx;
                  				_t134 = __ecx;
                  				_t78 = GetSystemMetrics(0x2d);
                  				_t109 = _t78 + GetSystemMetrics(5);
                  				if(_t109 > 2) {
                  					_t2 = _t109 - 4; // -4
                  					 *(_t134 + 0x24) =  *(_t134 + 0x24) + _t109 + _t2;
                  				}
                  				_t80 = GetSystemMetrics(0x2e);
                  				_t111 = _t80 + GetSystemMetrics(6);
                  				if(_t111 > 2) {
                  					_t6 = _t111 - 4; // -4
                  					 *(_t134 + 0x28) =  *(_t134 + 0x28) + _t111 + _t6;
                  				}
                  				_t82 = GetSystemMetrics(4);
                  				if(_t82 > 0x12) {
                  					 *(_t134 + 0x28) =  *(_t134 + 0x28) + _t82 + 0xffffffee;
                  				}
                  				E00406E5F(_t134, _t121);
                  				if(( *(_t134 + 0xb) & 0x00000010) != 0 || ( *0x47e84c & 0x00000002) == 0) {
                  					_t131 = 0x30;
                  					E00424500( &_v72, 0, _t131);
                  					_v72.cbSize = _t131;
                  					_v72.lpfnWndProc = E00408768;
                  					_v72.hInstance = _a4;
                  					_v72.hCursor = LoadCursorA(0, 0x7f00);
                  					_t132 = "AIDialogTemplate";
                  					_v72.hbrBackground = 0x10;
                  					_v72.lpszClassName = _t132;
                  					RegisterClassExA( &_v72);
                  					_t29 = _t134 + 0x2c; // 0x2c
                  					_t112 = _t29;
                  					_t95 = CreateWindowExA( *(_t134 + 0xc) | 0x00000001, _t132, E0041CD1E(_t112),  *(_t134 + 8) & 0xefffffff,  *(_t134 + 0x1c),  *(_t134 + 0x20),  *(_t134 + 0x24),  *(_t134 + 0x28), _a8, 0, _a4, 0);
                  					__eflags = _t95;
                  					 *(_t134 + 4) = _t95;
                  					if(_t95 != 0) {
                  						__eflags =  *_t112;
                  						if( *_t112 > 0) {
                  							SetWindowTextA( *(_t134 + 4), E0041CD1E(_t112));
                  						}
                  						goto L13;
                  					}
                  					return _t95 | 0xffffffff;
                  				} else {
                  					 *(_t134 + 4) = _a8;
                  					L13:
                  					GetClientRect( *(_t134 + 4),  &_v24);
                  					_a11 = _a11 & 0x00000000;
                  					_v5 = _v5 & 0x00000000;
                  					_v6 = _v6 & 0x00000000;
                  					_v7 = _v7 & 0x00000000;
                  					_t113 = 0;
                  					if( *((intOrPtr*)(_t134 + 0x7c)) <= 0) {
                  						L34:
                  						if( *((intOrPtr*)(_t134 + 0xa8)) == 0) {
                  							 *(_t134 + 0xac) = 1;
                  						}
                  						_t98 = 1;
                  						return _t98;
                  					} else {
                  						goto L14;
                  					}
                  					do {
                  						L14:
                  						_t49 = _t134 + 0x70; // 0x70
                  						_t99 = E0041E860(_t49, _t113);
                  						if( *((intOrPtr*)(_t99 + 8)) == 1) {
                  							 *((intOrPtr*)(_t134 + 0xa8)) =  *((intOrPtr*)(_t134 + 0xa8)) + 1;
                  						}
                  						_t133 =  *((intOrPtr*)(_t99 + 0x14));
                  						if(_t133 == 0 &&  *((intOrPtr*)(_t99 + 0x18)) == _t133) {
                  							_a11 = 1;
                  						}
                  						_t118 =  *((intOrPtr*)(_t99 + 0x18));
                  						if(_t118 == 0 &&  *((intOrPtr*)(_t99 + 0x1c)) + _t133 >= _v24.right) {
                  							_v5 = 1;
                  						}
                  						if(_t133 == 0 &&  *((intOrPtr*)(_t99 + 0x20)) + _t118 >= _v24.bottom) {
                  							_v6 = 1;
                  						}
                  						if( *((intOrPtr*)(_t99 + 0x1c)) + _t133 >= _v24.right) {
                  							_t155 =  *((intOrPtr*)(_t99 + 0x20)) + _t118 - _v24.bottom;
                  							if( *((intOrPtr*)(_t99 + 0x20)) + _t118 >= _v24.bottom) {
                  								_v7 = 1;
                  							}
                  						}
                  						E00407300(_t134, _t155, _a4, _t99);
                  						_t113 = _t113 + 1;
                  					} while (_t113 <  *((intOrPtr*)(_t134 + 0x7c)));
                  					if(_a11 != 0 && _v5 != 0 && _v6 != 0 && _v7 != 0) {
                  						 *(_t134 + 0xac) =  *(_t134 + 0xac) & 0x00000000;
                  					}
                  					goto L34;
                  				}
                  			}

                  APIs
                  • GetSystemMetrics.USER32 ref: 00408C9F
                  • GetSystemMetrics.USER32 ref: 00408CA5
                  • GetSystemMetrics.USER32 ref: 00408CB7
                  • GetSystemMetrics.USER32 ref: 00408CBD
                  • GetSystemMetrics.USER32 ref: 00408CCF
                  • LoadCursorA.USER32 ref: 00408D26
                  • RegisterClassExA.USER32(?), ref: 00408D42
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • CreateWindowExA.USER32 ref: 00408D79
                  • SetWindowTextA.USER32(?,00000000), ref: 00408D9E
                  • GetClientRect.USER32 ref: 00408DAB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: MetricsSystem$Global$Window$AllocClassClientCreateCursorLoadLockRectRegisterTextUnlock
                  • String ID: AIDialogTemplate
                  • API String ID: 3571883037-4222934468
                  • Opcode ID: 1e8d9bac3a663781097ae67bd8c0ef134702edf52ea0c7c6aa142e5a863f0f83
                  • Instruction ID: 24c035e23e800b72e4b6700e17649694f93ddb37957115fe27950d462b3cf6bc
                  • Opcode Fuzzy Hash: 1e8d9bac3a663781097ae67bd8c0ef134702edf52ea0c7c6aa142e5a863f0f83
                  • Instruction Fuzzy Hash: 20611930A00748AFDB21CF64CA85B9F7BF1AF44714F14857EE485A72D2CB78A845CB58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 67%
                  			E0040B4A9(void* __ecx, intOrPtr _a4, signed int _a7, CHAR** _a8) {
                  				char _v5;
                  				char _v6;
                  				char _v7;
                  				char _v8;
                  				CHAR* _v12;
                  				char _v24;
                  				char _t41;
                  				int _t43;
                  				int _t47;
                  				intOrPtr _t50;
                  				CHAR* _t62;
                  				void* _t63;
                  				signed int _t67;
                  				char _t75;
                  				CHAR* _t76;
                  				void* _t77;
                  				intOrPtr _t78;
                  
                  				_t77 = __ecx;
                  				E0041DBA4( *((intOrPtr*)(__ecx + 4)), 0xa,  &_v12);
                  				E0041BF12(_a4, _v12);
                  				_t62 = _v12;
                  				 *_a8 = _t62;
                  				_t41 =  *_t62;
                  				if(_t41 != 0) {
                  					_v8 = _t41;
                  					_v7 = 0x3a;
                  					_v6 = 0x5c;
                  					_v5 = 0;
                  					__eflags =  *_t62 - 0x5c;
                  					_a7 = 0;
                  					if( *_t62 != 0x5c) {
                  						L21:
                  						_t43 = GetDriveTypeA( &_v8);
                  						_t62 = _v12;
                  						__eflags = _t62[1] - 0x3a;
                  						if(_t62[1] != 0x3a) {
                  							L37:
                  							_t78 =  *((intOrPtr*)(_t77 + 4));
                  							_push(0);
                  							_push(0);
                  							_t63 = 0x47ec3c;
                  							L38:
                  							_push(E0041CD1E(_t63));
                  							_push(_t78);
                  							E0041B2CC(0x47dfb8);
                  							L39:
                  							return 0;
                  						}
                  						__eflags = _t62[2] - 0x5c;
                  						if(_t62[2] != 0x5c) {
                  							goto L37;
                  						}
                  						__eflags = _t43 - 1;
                  						if(_t43 != 1) {
                  							__eflags = _t43 - 3;
                  							if(_t43 == 3) {
                  								L5:
                  								_t47 = lstrlenA(_t62);
                  								asm("sbb ecx, ecx");
                  								_t67 =  ~_a7 & 0x00000002;
                  								__eflags = _t67 - _t47;
                  								if(_t67 >= _t47) {
                  									L31:
                  									__eflags = _a7;
                  									if(_a7 != 0) {
                  										L36:
                  										return 1;
                  									}
                  									_t50 = E0040DE4D( &_v8, 1);
                  									__eflags = _t75 -  *0x47e654; // 0x0
                  									 *0x47e648 = _t50;
                  									 *0x47e64c = _t75;
                  									if(__eflags > 0) {
                  										goto L36;
                  									}
                  									if(__eflags < 0) {
                  										L35:
                  										E0041BDC5( &_v24);
                  										_push( &_v8);
                  										E0041C467( &_v24, E0041CD1E(0x47ec78));
                  										E0041B2CC(0x47dfb8,  *((intOrPtr*)(_t77 + 4)), E0041CD1E( &_v24), 0, 0);
                  										E0041BEFB( &_v24);
                  										goto L39;
                  									}
                  									__eflags = _t50 -  *0x47e650; // 0x207a58a
                  									if(__eflags >= 0) {
                  										goto L36;
                  									}
                  									goto L35;
                  								}
                  								_t76 = _v12;
                  								do {
                  									_t75 = _t76[_t67];
                  									__eflags = _t75 - 0x3a;
                  									if(_t75 != 0x3a) {
                  										L9:
                  										__eflags = _t75 - 0x7c;
                  										if(_t75 == 0x7c) {
                  											L30:
                  											_t78 =  *((intOrPtr*)(_t77 + 4));
                  											_push(0);
                  											_push(0);
                  											_t63 = 0x47ec6c;
                  											goto L38;
                  										}
                  										__eflags = _t75 - 0x2a;
                  										if(_t75 == 0x2a) {
                  											goto L30;
                  										}
                  										__eflags = _t75 - 0x2f;
                  										if(_t75 == 0x2f) {
                  											goto L30;
                  										}
                  										__eflags = _t75 - 0x3e;
                  										if(_t75 == 0x3e) {
                  											goto L30;
                  										}
                  										__eflags = _t75 - 0x3c;
                  										if(_t75 == 0x3c) {
                  											goto L30;
                  										}
                  										__eflags = _t75 - 0x3f;
                  										if(_t75 == 0x3f) {
                  											goto L30;
                  										}
                  										__eflags = _t75 - 0x22;
                  										if(_t75 == 0x22) {
                  											goto L30;
                  										}
                  										__eflags = _t67;
                  										if(_t67 <= 0) {
                  											goto L19;
                  										}
                  										__eflags = _t75 - 0x5c;
                  										if(_t75 != 0x5c) {
                  											goto L19;
                  										}
                  										__eflags =  *((intOrPtr*)(_t67 + _t76 - 1)) - _t75;
                  										if( *((intOrPtr*)(_t67 + _t76 - 1)) == _t75) {
                  											_t78 =  *((intOrPtr*)(_t77 + 4));
                  											_push(0);
                  											_push(0);
                  											_t63 = 0x47ec60;
                  											goto L38;
                  										}
                  										goto L19;
                  									}
                  									__eflags = _t67 - 1;
                  									if(_t67 != 1) {
                  										goto L30;
                  									}
                  									goto L9;
                  									L19:
                  									_t67 = _t67 + 1;
                  									__eflags = _t67 - _t47;
                  								} while (_t67 < _t47);
                  								goto L31;
                  							}
                  							__eflags = _t43 - 4;
                  							if(_t43 == 4) {
                  								goto L5;
                  							}
                  							__eflags = _t43 - 2;
                  							if(_t43 == 2) {
                  								goto L5;
                  							}
                  							_t78 =  *((intOrPtr*)(_t77 + 4));
                  							_push(0);
                  							_push(0);
                  							_t63 = 0x47ec54;
                  							goto L38;
                  						}
                  						_t78 =  *((intOrPtr*)(_t77 + 4));
                  						_push(0);
                  						_push(0);
                  						_t63 = 0x47ec48;
                  						goto L38;
                  					}
                  					__eflags = _t62[1] - 0x5c;
                  					if(_t62[1] != 0x5c) {
                  						goto L21;
                  					}
                  					_a7 = 1;
                  					goto L5;
                  				}
                  				_t78 =  *((intOrPtr*)(_t77 + 4));
                  				_push(0);
                  				_push(0);
                  				_t63 = 0x47ec30;
                  				goto L38;
                  			}

                  APIs
                    • Part of subcall function 0041DBA4: GetDlgItem.USER32 ref: 0041DBAF
                    • Part of subcall function 0041DBA4: GetWindowTextLengthA.USER32(00000000), ref: 0041DBB8
                    • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0221020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                    • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                    • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                  • lstrlenA.KERNEL32(?,?,?,00000000,?,?), ref: 0040B518
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                    • Part of subcall function 0041B2CC: MessageBoxA.USER32 ref: 0041B36B
                  Strings
                  Similarity
                  • API ID: Global$AllocLockUnlock$ItemLengthMessageTextWindowlstrlen
                  • String ID: 0G$:$<G$HG$TG$\$`G$lG$xG
                  • API String ID: 3911724838-62612203
                  • Opcode ID: b60614546ce4b64ccd8c6c398c567348f97f6a539659fa82b4afc6692a0c2dcc
                  • Instruction ID: 254c4a2ed5f8620f2d7e97b4e7a902eafb2fc37a61131f3e50cd657c08c11bdf
                  • Opcode Fuzzy Hash: b60614546ce4b64ccd8c6c398c567348f97f6a539659fa82b4afc6692a0c2dcc
                  • Instruction Fuzzy Hash: 4B51E3B0504244AEEB258A55C8859BF776DDB09308F5488BFE046772C2C73F5D458B9F
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E0040CC6F(intOrPtr __ecx, void* _a4) {
                  				intOrPtr _v8;
                  				void* _t16;
                  				void* _t29;
                  				struct HWND__* _t39;
                  
                  				_push(__ecx);
                  				_t39 = _a4;
                  				_v8 = __ecx;
                  				if( *0x42bf98 <= 0) {
                  					EnableWindow(GetDlgItem(_t39, 3), 0);
                  				}
                  				_t29 = 0x47e850;
                  				if(( *0x47e193 & 0x00000002) == 0) {
                  					_t29 = 0x47ed68;
                  				}
                  				SetWindowTextA(_t39, E0041CD1E(_t29));
                  				SetDlgItemTextA(_t39, 3, E0041CD1E(0x47e8a0));
                  				SetDlgItemTextA(_t39, 1, E0041CD1E(0x47e8d0));
                  				SetDlgItemTextA(_t39, 2, E0041CD1E(0x47e8b8));
                  				_t16 = E00419E8A();
                  				_t46 = _t16;
                  				if(_t16 != 0) {
                  					SetDlgItemTextA(_t39, 1, E0041CD1E(0x47e8c4));
                  				}
                  				_a4 = 0xc;
                  				SendDlgItemMessageA(_t39, 0xa, 0xcb, 1,  &_a4);
                  				E0040CD5C(_t46, _t39);
                  				if( *0x47e114 != 0) {
                  					SetDlgItemTextA(_t39, 0x41f, E0041CD1E(0x47df68));
                  					E0040EFE7();
                  				}
                  				return 1;
                  			}

                  APIs
                  • GetDlgItem.USER32 ref: 0040CC89
                  • EnableWindow.USER32(00000000), ref: 0040CC90
                  • SetWindowTextA.USER32(?,00000000), ref: 0040CCB0
                  • SetDlgItemTextA.USER32 ref: 0040CCCA
                  • SetDlgItemTextA.USER32 ref: 0040CCDA
                  • SetDlgItemTextA.USER32 ref: 0040CCEA
                  • SetDlgItemTextA.USER32 ref: 0040CD08
                  • SendDlgItemMessageA.USER32(?,0000000A,000000CB,00000001,?), ref: 0040CD1F
                  • SetDlgItemTextA.USER32 ref: 0040CD48
                  Strings
                  Similarity
                  • API ID: Item$Text$Window$EnableMessageSend
                  • String ID: PG$hG
                  • API String ID: 1822530713-1121987280
                  • Opcode ID: cf505d6a6191c09efaf2904ecc069a71a5d2d75c91a9b0f8291144f8a2e3fe09
                  • Instruction ID: c72ef2b5710ee1801feb2adf7e7504814bb845c99ed04c2887ed1bab3c43658b
                  • Opcode Fuzzy Hash: cf505d6a6191c09efaf2904ecc069a71a5d2d75c91a9b0f8291144f8a2e3fe09
                  • Instruction Fuzzy Hash: 8921C970640204B6E62077559C9AFFE2A6DDF89B44F10817FFA05672D2CFBC0841966E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 76%
                  			E0040CD5C(void* __eflags, long _a4) {
                  				struct HWND__* _v8;
                  				char _v20;
                  				char _v32;
                  				void* _t48;
                  				intOrPtr _t51;
                  				intOrPtr _t85;
                  				intOrPtr _t88;
                  				void* _t93;
                  				void* _t96;
                  				void* _t130;
                  				void* _t136;
                  
                  				_t136 = __eflags;
                  				_v8 = GetDlgItem(_a4, 0xa);
                  				E0041BDC5( &_v20);
                  				E0041C0C5( &_v20, _t136, 0x47ed74);
                  				E0041C047( &_v20, "\r\n=====================================\r\n\r\n", 0);
                  				_push(9);
                  				_t48 = E00419E38();
                  				_t130 = "\r\n";
                  				if(_t48 != 0) {
                  					L2:
                  					E0041C0C5( &_v20, _t138, 0x47ed80);
                  					E0041C047( &_v20, _t130, 0);
                  					_t51 =  *0x47e65c; // 0x2
                  					_t139 = _t51 - 1;
                  					if(_t51 != 1) {
                  						__eflags = _t51 - 2;
                  						if(__eflags != 0) {
                  							__eflags = _t51 - 4;
                  							if(__eflags == 0) {
                  								E0041C0C5( &_v20, __eflags, 0x47ed08);
                  								E0041C047( &_v20, _t130, 0);
                  								E0041C0C5( &_v20, __eflags, 0x47ed8c);
                  								E0041C047( &_v20, _t130, 0);
                  								__eflags =  *0x47e608; // 0x0
                  								_a4 = 0;
                  								if(__eflags > 0) {
                  									_t96 = 0;
                  									__eflags = 0;
                  									do {
                  										_t85 =  *0x47e604; // 0x0
                  										__eflags =  *((intOrPtr*)(_t96 + _t85));
                  										if( *((intOrPtr*)(_t96 + _t85)) != 0) {
                  											E0041BFF8( &_v20, 9);
                  											_t88 =  *0x47e604; // 0x0
                  											_t18 = _t88 + 4; // 0x4
                  											E0041C0C5( &_v20, __eflags, _t96 + _t18);
                  											E0041C047( &_v20, _t130, 0);
                  										}
                  										_a4 = _a4 + 1;
                  										_t96 = _t96 + 0x10;
                  										__eflags = _a4 -  *0x47e608; // 0x0
                  									} while (__eflags < 0);
                  								}
                  								_push(0);
                  								_push(_t130);
                  								goto L14;
                  							}
                  						} else {
                  							_push(0x47ecd8);
                  							goto L6;
                  						}
                  					} else {
                  						_push(0x47ecf0);
                  						L6:
                  						E0041C0C5( &_v20, _t139);
                  						_push(0);
                  						_push("\r\n\r\n");
                  						L14:
                  						E0041C047( &_v20);
                  					}
                  				} else {
                  					_push(0xa);
                  					_t93 = E00419E38();
                  					_t138 = _t93;
                  					if(_t93 != 0) {
                  						goto L2;
                  					}
                  				}
                  				E0041C0C5( &_v20, _t139, 0x47ed98);
                  				E0041BFF8( &_v20, 0x20);
                  				E0041BDC5( &_v32);
                  				E0041D95E( *0x47e650,  *0x47e654,  &_v32);
                  				E0041C0C5( &_v20, _t139,  &_v32);
                  				E0041C047( &_v20, _t130, 0);
                  				E0041C0C5( &_v20, _t139, 0x47eda4);
                  				E0041BFF8( &_v20, 0x20);
                  				E0041D95E( *0x47e648,  *0x47e64c,  &_v32);
                  				E0041C0C5( &_v20, _t139,  &_v32);
                  				_push(E0041CD1E(0x47e344));
                  				_push(E0041CD1E(0x47edbc));
                  				_push(E0041CD1E(0x47e338));
                  				_push(E0041CD1E(0x47edb0));
                  				E0041C467( &_v20, "\r\n\r\n%s\r\n%s\r\n\r\n%s\r\n%s\r\n");
                  				if(E0041D46F("<SummaryExtraInfo>") != 0) {
                  					E0041C047( &_v20, _t72, 0);
                  				}
                  				SendMessageA(_v8, 0xcf, 0, 0);
                  				SetWindowTextA(_v8, E0041CD1E( &_v20));
                  				SendMessageA(_v8, 0xcf, 1, 0);
                  				E0041BEFB( &_v32);
                  				return E0041BEFB( &_v20);
                  			}

                  APIs
                  • GetDlgItem.USER32 ref: 0040CD6A
                    • Part of subcall function 0041BDC5: GlobalAlloc.KERNELBASE(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                    • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                    • Part of subcall function 0041C0C5: GlobalUnlock.KERNEL32(?,00000000,0047E380,?,00421CA7,00000004,?,00000000,00000000,00000000,0047E490,0047E788,0047E380,0047E788,?,00422453), ref: 0041C0DE
                    • Part of subcall function 0041C0C5: GlobalReAlloc.KERNEL32 ref: 0041C0EB
                    • Part of subcall function 0041C0C5: GlobalLock.KERNEL32 ref: 0041C10C
                    • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                    • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                    • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                    • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                  • SendMessageA.USER32(?,000000CF,00000000,00000000), ref: 0040CF82
                  • SetWindowTextA.USER32(?,00000000), ref: 0040CF90
                  • SendMessageA.USER32(?,000000CF,00000001,00000000), ref: 0040CF9D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLock$MessageSendUnlock$ItemTextWindowlstrlen
                  • String ID: $%s%s%s%s$=====================================$8G$<SummaryExtraInfo>$DG
                  • API String ID: 1410268358-2802390505
                  • Opcode ID: 0b48d18390f290eecbfa0a4d87245cdf5aa54a051737659ee71bc0f4a95d5c84
                  • Instruction ID: 20b876188295e953f62be2d2e52f0d26e4c013d0dd05712ef4c6de1570c86156
                  • Opcode Fuzzy Hash: 0b48d18390f290eecbfa0a4d87245cdf5aa54a051737659ee71bc0f4a95d5c84
                  • Instruction Fuzzy Hash: 4751717194011AEACB10EB96DCC6DFF7B38EF54708F50457FB416A20D2EB391A85CA58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E0041B09C(void* __ecx) {
                  				char _v16;
                  				void _v275;
                  				char _v276;
                  				long _t46;
                  				signed int _t52;
                  				CHAR* _t87;
                  				signed int _t93;
                  				char* _t100;
                  				signed int _t101;
                  				signed int _t113;
                  				signed int _t128;
                  				void* _t131;
                  				void* _t132;
                  				void* _t133;
                  				intOrPtr _t135;
                  
                  				_t135 =  *0x47e614; // 0x0
                  				_t125 = __ecx;
                  				_t87 = "\\";
                  				if(_t135 == 0) {
                  					_t126 = __ecx + 0x124;
                  					E0041BF80(__ecx + 0x124, 0x47e6c8);
                  					E0041BF80(_t126, E0041CC95(_t126, 0, E0041C7DB(__ecx + 0x124, _t87, 0, 1)));
                  				} else {
                  					_v276 = _v276 & 0x00000000;
                  					_t113 = 0x40;
                  					memset( &_v275, 0, _t113 << 2);
                  					_t132 = _t132 + 0xc;
                  					asm("stosw");
                  					asm("stosb");
                  					GetCurrentDirectoryA(0x104,  &_v276);
                  					_t130 = _t125 + 0x124;
                  					E0041BF12(_t125 + 0x124,  &_v276);
                  					if(E0041BFE3(_t125 + 0x124,  *_t130 - 1) == 0x5c) {
                  						E0041C3A9(_t130,  *_t130 - 1, 1);
                  					}
                  				}
                  				if( *0x47e614 == 0) {
                  					_v276 = _v276 & 0x00000000;
                  					_t93 = 0x40;
                  					memset( &_v275, 0, _t93 << 2);
                  					_t133 = _t132 + 0xc;
                  					asm("stosw");
                  					asm("stosb");
                  					_t46 = GetTempPathA(0x104,  &_v276);
                  					if(_v276 == 0) {
                  						return _t46;
                  					}
                  					if( *((char*)(_t131 + lstrlenA( &_v276) - 0x111)) != 0x5c) {
                  						lstrcatA( &_v276, _t87);
                  					}
                  					_t128 = GetTickCount() & 0x7fffffff;
                  					E0041BDC5( &_v16);
                  					do {
                  						E0041BF12( &_v16, 0x42e0c8);
                  						_t52 = _t128;
                  						_t128 = _t128 + 1;
                  						_push(_t52);
                  						_push( &_v276);
                  						E0041C467( &_v16, "%sinst%d");
                  						_t133 = _t133 + 0x10;
                  					} while (E0040DF52(E0041CD1E( &_v16)) != 0);
                  					E0041BF80(0x47e628,  &_v16);
                  					_t100 =  &_v16;
                  					goto L15;
                  				} else {
                  					_v276 = _v276 & 0x00000000;
                  					_t101 = 0x40;
                  					memset( &_v275, 0, _t101 << 2);
                  					asm("stosw");
                  					asm("stosb");
                  					GetModuleFileNameA(0,  &_v276, 0x104);
                  					E0041BE35( &_v16,  &_v276);
                  					if(E0041C7DB( &_v16, _t87, 0, 1) != 0xffffffff) {
                  						E0041C3A9( &_v16, _t69, _v16 - _t69);
                  						if(E0041C7DB( &_v16, _t87, 0, 1) != 0xffffffff) {
                  							E0041C3A9( &_v16, _t71, _v16 - _t71);
                  							E0041BF80(0x47e628,  &_v16);
                  						}
                  					}
                  					_t100 =  &_v16;
                  					L15:
                  					return E0041BEFB(_t100);
                  				}
                  			}

                  APIs
                  • GetTempPathA.KERNEL32(00000104,00000000,00000000,00000000,00000000,0042BC5C,00000000,00000001,0047E6C8,?,0047DFB8), ref: 0041B203
                  • lstrlenA.KERNEL32(00000000,?,0047DFB8), ref: 0041B21D
                  • lstrcatA.KERNEL32(00000000,0042BC5C,?,0047DFB8), ref: 0041B235
                  • GetTickCount.KERNEL32 ref: 0041B23B
                    • Part of subcall function 0041C3A9: GlobalUnlock.KERNEL32(?,00000000,00000000,00421A09,00000000,00000001,0000005C,00000000,00000000,00000000,0000005C,00000000,00000000,0047E490,0047E788,00000000), ref: 0041C3D8
                    • Part of subcall function 0041C3A9: GlobalReAlloc.KERNEL32 ref: 0041C3E5
                    • Part of subcall function 0041C3A9: GlobalLock.KERNEL32 ref: 0041C406
                  • GetCurrentDirectoryA.KERNEL32(00000104,00000000,?,0047DFB8), ref: 0041B0DC
                    • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0221020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                    • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                    • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                  • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,00000000,00000000,00000000,0042BC5C,00000000,00000001,0047E6C8,?,0047DFB8), ref: 0041B175
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLockUnlock$CountCurrentDirectoryFileModuleNamePathTempTicklstrcatlstrlen
                  • String ID: %sinst%d$(G$(G$\
                  • API String ID: 1059662260-1996247173
                  • Opcode ID: 48ad926f78310d290de6f5bcffd363833ff9a94a6cb62686b6747cace7ae5623
                  • Instruction ID: 4d0a8e3186ef891df92ba4b655dd0f9597cb8498d4d46a76b217ddde163e5ec8
                  • Opcode Fuzzy Hash: 48ad926f78310d290de6f5bcffd363833ff9a94a6cb62686b6747cace7ae5623
                  • Instruction Fuzzy Hash: 3951F671E001187BDB29D7A5CC5AFEE7368EB18304F5005AFB619E21D0DFB85AC58A9C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E0040D100(void* __ecx, void* __esi, struct HWND__* _a4) {
                  				struct tagRECT _v20;
                  				struct tagRECT _v36;
                  				CHAR* _t18;
                  				intOrPtr _t25;
                  				struct HWND__* _t44;
                  				void* _t46;
                  				intOrPtr _t51;
                  				intOrPtr _t58;
                  				intOrPtr _t59;
                  				intOrPtr _t60;
                  				void* _t61;
                  				void* _t63;
                  
                  				_t63 = __esi;
                  				_t61 = __ecx;
                  				_t46 = 0x47e850;
                  				if(( *0x47e193 & 0x00000002) == 0) {
                  					_t46 = 0x47edc8;
                  				}
                  				_t18 = E0041CD1E(_t46);
                  				_t44 = _a4;
                  				SetWindowTextA(_t44, _t18);
                  				_push(_t63);
                  				SetDlgItemTextA(_t44, 2, E0041CD1E(0x47e8b8));
                  				SetDlgItemTextA(_t44, 0x15, E0041CD1E(0x47edd4));
                  				 *0x47f280 = E0040710F(_t61, 0xa);
                  				_t25 = E0040710F(_t61, 0xb);
                  				_t51 =  *0x47f280; // 0x0
                  				 *0x47f284 = _t25;
                  				if(_t51 != 0) {
                  					_t51 =  *((intOrPtr*)(_t51 + 0x50));
                  					 *0x47f280 = _t51;
                  				}
                  				if(_t25 != 0) {
                  					_t25 =  *((intOrPtr*)(_t25 + 0x50));
                  					 *0x47f284 = _t25;
                  				}
                  				if(( *0x47e190 & 0x00000040) == 0 && _t25 != 0 && _t51 != 0) {
                  					ShowWindow(GetDlgItem(_t44, 0x15), 0);
                  					_t58 =  *0x47f280; // 0x0
                  					E0041EB9E(_t58,  &_v20);
                  					_t59 =  *0x47f284; // 0x0
                  					E0041EE6D(_t59,  &_v20);
                  					_t60 =  *0x47f280; // 0x0
                  					E0041EE9B(_t60, 4);
                  				}
                  				if(E0041C8FD(0x47e2f0, 0x90) != 0 && ( *0x47e192 & 0x00000008) != 0 && E00407D82(_t61) != 0) {
                  					GetWindowRect(_t44,  &_v20);
                  					GetWindowRect( *0x47e178,  &_v36);
                  					SetWindowPos(_t44, 0, _v20, _v36.bottom - _v20.bottom - _v20.top - 0x28, 0, 0, 0x205);
                  				}
                  				if( *0x47e114 != 0) {
                  					E0040EFE7();
                  				}
                  				SetTimer(_t44, 1, 0x64, 0);
                  				return 1;
                  			}

                  APIs
                  • SetWindowTextA.USER32(?,00000000), ref: 0040D127
                  • SetDlgItemTextA.USER32 ref: 0040D142
                  • SetDlgItemTextA.USER32 ref: 0040D152
                  • GetDlgItem.USER32 ref: 0040D1A5
                  • ShowWindow.USER32(00000000), ref: 0040D1AC
                  • GetWindowRect.USER32 ref: 0040D20F
                  • GetWindowRect.USER32 ref: 0040D221
                  • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000205), ref: 0040D23A
                  • SetTimer.USER32(?,00000001,00000064,00000000), ref: 0040D25B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Window$ItemText$Rect$ShowTimer
                  • String ID: PG
                  • API String ID: 4255782137-134009939
                  • Opcode ID: 27f53879b3db5f6865515ba562c75925164c84b3ab6133a0cfccc27409b06b41
                  • Instruction ID: 44f17c450aae22649b72e2471c6a04a4b740f7b282ca3080988efca9c19ea94f
                  • Opcode Fuzzy Hash: 27f53879b3db5f6865515ba562c75925164c84b3ab6133a0cfccc27409b06b41
                  • Instruction Fuzzy Hash: C041C774A003056BEB14E7B59C56F7E379DAB48704F4404BEFA06AB2D2CF799845871C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E0040BB7D(intOrPtr __ecx, signed short _a4) {
                  				void* __edi;
                  				void* __esi;
                  				signed int _t10;
                  				long _t12;
                  				long _t19;
                  				long _t23;
                  				long _t24;
                  				intOrPtr _t25;
                  				long _t29;
                  				long _t41;
                  				char* _t45;
                  				char* _t47;
                  				char* _t49;
                  				long _t52;
                  				long _t54;
                  				char* _t58;
                  				intOrPtr _t63;
                  				intOrPtr _t70;
                  				char* _t73;
                  				void* _t75;
                  				char* _t76;
                  
                  				_t70 = __ecx;
                  				if(_a4 >> 0x10 != 0) {
                  					return 0;
                  				}
                  				_t10 = _a4 & 0x0000ffff;
                  				__eflags = _t10 - 2;
                  				if(_t10 != 2) {
                  					__eflags = _t10 - 1;
                  					if(_t10 != 1) {
                  						__eflags = _t10 - 3;
                  						if(_t10 == 3) {
                  							_t12 = SendDlgItemMessageA( *(__ecx + 4), 0xb, 0xf0, 0, 0);
                  							__eflags = _t12 - 1;
                  							if(_t12 != 1) {
                  								_t19 = SendDlgItemMessageA( *(_t70 + 4), 0xc, 0xf0, 0, 0);
                  								asm("sbb eax, eax");
                  								_t12 = ( ~(_t19 - 1) & 0x000000fe) + 4;
                  								__eflags = _t12;
                  							}
                  							_t49 = "0";
                  							__eflags = _t12 - 2;
                  							 *0x47e65c = _t12;
                  							_t45 = _t49;
                  							_t73 = _t49;
                  							if(_t12 != 2) {
                  								__eflags = _t12 - 1;
                  								if(_t12 != 1) {
                  									__eflags = _t12 - 4;
                  									if(_t12 == 4) {
                  										_t73 = 0x42b9bc;
                  									}
                  								} else {
                  									_t45 = 0x42b9bc;
                  								}
                  							} else {
                  								_t49 = 0x42b9bc;
                  							}
                  							E0041D0FD(_t49, "<IT_Typical>", _t49);
                  							E0041D0FD(_t49, "<IT_Minimal>", _t45);
                  							E0041D0FD(_t49, "<IT_Custom>", _t73);
                  							E0041D728("<IT_Type>",  *0x47e65c);
                  							E00407827(_t70, _t70, _t73, 0);
                  							E00417D26(0x47dfb8, 0);
                  						}
                  						goto L34;
                  					}
                  					_t23 = SendDlgItemMessageA( *(__ecx + 4), 0xb, 0xf0, 0, 0);
                  					_t52 = 1;
                  					__eflags = _t23 - _t52;
                  					if(_t23 != _t52) {
                  						_t24 = SendDlgItemMessageA( *(_t70 + 4), 0xc, 0xf0, 0, 0);
                  						__eflags = _t24 - 1;
                  						if(_t24 != 1) {
                  							_t75 = 0x47e2f0;
                  							_t25 = E0041C8FD(0x47e2f0, 0xcc);
                  							_t54 =  *0x47e64c; // 0x13
                  							__eflags = _t54;
                  							if(__eflags > 0) {
                  								L14:
                  								 *0x47e650 = _t25;
                  								 *0x47e654 = 0;
                  								 *0x47e65c = 2;
                  								 *0x47e698 = E0041C8FD(_t75, 0xd8);
                  								 *0x47e69c = 0;
                  								 *0x47e6a0 = E0041C8FD(_t75, 0xdc);
                  								 *0x47e6a4 = 0;
                  								_push(0xe4);
                  								goto L15;
                  							}
                  							if(__eflags < 0) {
                  								L13:
                  								E0041B2CC(0x47dfb8,  *(_t70 + 4), E0041CD1E(0x47ed20), 0, 0);
                  								goto L34;
                  							}
                  							_t63 =  *0x47e648; // 0xfff01000
                  							__eflags = _t63 - _t25;
                  							if(_t63 >= _t25) {
                  								goto L14;
                  							}
                  							goto L13;
                  						} else {
                  							 *0x47e65c = 4;
                  							goto L16;
                  						}
                  					} else {
                  						_t75 = 0x47e2f0;
                  						 *0x47e65c = _t52;
                  						 *0x47e650 = E0041C8FD(0x47e2f0, 0xc8);
                  						 *0x47e654 = 0;
                  						 *0x47e698 = E0041C8FD(0x47e2f0, 0xd0);
                  						 *0x47e69c = 0;
                  						 *0x47e6a0 = E0041C8FD(0x47e2f0, 0xd4);
                  						 *0x47e6a4 = 0;
                  						_push(0xe0);
                  						L15:
                  						 *0x47e6a8 = E0041C8FD(_t75);
                  						 *0x47e6ac = 0;
                  						L16:
                  						_t29 =  *0x47e65c; // 0x2
                  						_t58 = "0";
                  						__eflags = _t29 - 2;
                  						_t47 = _t58;
                  						_t76 = _t58;
                  						if(_t29 != 2) {
                  							__eflags = _t29 - 1;
                  							if(_t29 != 1) {
                  								__eflags = _t29 - 4;
                  								if(_t29 == 4) {
                  									_t76 = 0x42b9bc;
                  								}
                  							} else {
                  								_t47 = 0x42b9bc;
                  							}
                  						} else {
                  							_t58 = 0x42b9bc;
                  						}
                  						E0041D0FD(_t58, "<IT_Typical>", _t58);
                  						E0041D0FD(_t58, "<IT_Minimal>", _t47);
                  						E0041D0FD(_t58, "<IT_Custom>", _t76);
                  						E0041D728("<IT_Type>",  *0x47e65c);
                  						E00407827(_t70, _t70, _t76, 0);
                  						__eflags =  *0x47e65c - 4;
                  						E00417EA6(0x47dfb8, 0);
                  						goto L34;
                  					}
                  				} else {
                  					_t41 = E0041BC79(0x47dfb8);
                  					__eflags = _t41;
                  					if(_t41 != 0) {
                  						E00407827(_t70, _t70, 0x47dfb8, 0);
                  						E0041A1B5(1);
                  					}
                  					L34:
                  					return 1;
                  				}
                  			}

























                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID:
                  • String ID: G$<IT_Custom>$<IT_Minimal>$<IT_Type>$<IT_Typical>
                  • API String ID: 0-4188000229
                  • Opcode ID: a758c726f3fe749ae96dd320186b6d3493c3741125bcddf62dc6732be4bcaf85
                  • Instruction ID: 55622309c6d641a856be2f5c2618e352328d0658733466dd7ad14fd22a60ba25
                  • Opcode Fuzzy Hash: a758c726f3fe749ae96dd320186b6d3493c3741125bcddf62dc6732be4bcaf85
                  • Instruction Fuzzy Hash: 2C51F6B0B40214ABE6206F579C41F6A7758DB69708F90827FF209B62C1CF7D588187EE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E0040B143(char __ecx, signed int _a4, char _a7) {
                  				char _v8;
                  				char _v20;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t27;
                  				void* _t31;
                  				char _t90;
                  				char _t92;
                  				void* _t93;
                  				CHAR* _t94;
                  
                  				_t90 = __ecx;
                  				_v8 = __ecx;
                  				if(_a4 >> 0x10 != 0) {
                  					return 0;
                  				}
                  				_t27 = _a4 & 0x0000ffff;
                  				if(_t27 != 2) {
                  					if(_t27 != 1) {
                  						if(_t27 != 3) {
                  							if(_t27 == 4) {
                  								_t94 = E00424DD9(0x104);
                  								if(_t94 == 0) {
                  									E0041D881(E0041CD1E(0x47e924));
                  								}
                  								E00424500(_t94, 0, 0x104);
                  								_push( *0x47e654);
                  								_t31 = E0041CD1E(0x47ec00);
                  								_t92 = _v8;
                  								E0040E27C( *(_t92 + 4), _t31, _t94,  *0x47e650);
                  								if( *_t94 != 0) {
                  									if( *((char*)(lstrlenA(_t94) + _t94 - 1)) != 0x5c) {
                  										lstrcatA(_t94, "\\");
                  									}
                  									if(( *0x47e193 & 0x00000004) == 0) {
                  										lstrcatA(_t94, E0041CD1E(0x47e35c));
                  									}
                  									SetWindowTextA(GetDlgItem( *(_t92 + 4), 0xa), _t94);
                  								}
                  								E00424DCE(_t94);
                  							}
                  						} else {
                  							E0041DBA4( *((intOrPtr*)(__ecx + 4)), 0xa,  &_a4);
                  							E0041BF12(0x47e338, _a4);
                  							E00424DCE(_a4);
                  							E00407827(_t90, _t90, _t93, 0);
                  							E00417D26(0x47dfb8, 0);
                  						}
                  					} else {
                  						E0041BDC5( &_v20);
                  						_v8 = 0;
                  						_a7 = E0040B4A9(__ecx,  &_v20,  &_v8);
                  						if(_v8 != 0) {
                  							E00424DCE(_v8);
                  						}
                  						if(_a7 != 0) {
                  							E0041BF80(0x47e338,  &_v20);
                  							E0041CDAE(0x47e338);
                  							E0041BFF8(0x47e338, 0x5c);
                  							E00407827(_t90, _t90, 0x47e338, 0);
                  							E00417EA6(0x47dfb8, 0);
                  						}
                  						E0041BEFB( &_v20);
                  					}
                  				} else {
                  					if(E0041BC79(0x47dfb8) != 0) {
                  						E00407827(_t90, _t90, 0x47dfb8, 0);
                  						E0041A1B5(1);
                  					}
                  				}
                  				return 1;
                  			}














                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID:
                  • String ID: $G$8G$8G$\G
                  • API String ID: 0-1143791198
                  • Opcode ID: 802426992f9d0df92792d56e7ea0250147a8a1dce1bdb17cc863aa0786f714fe
                  • Instruction ID: bee363c89d9278215f15d4d38191b35878fd9848968c0216f84cbe3fca6935de
                  • Opcode Fuzzy Hash: 802426992f9d0df92792d56e7ea0250147a8a1dce1bdb17cc863aa0786f714fe
                  • Instruction Fuzzy Hash: B441F471A00114AADB11BBA29C529FE7629EF95318F50407FF905B72C2CF3D4D8292DE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E0040FD20(intOrPtr __ecx, void* __eflags) {
                  				BITMAPINFOHEADER* _v8;
                  				intOrPtr _v12;
                  				void* _v16;
                  				char _v20;
                  				intOrPtr _v24;
                  				char _v28;
                  				char _v44;
                  				char _v304;
                  				intOrPtr _t19;
                  				intOrPtr _t22;
                  				intOrPtr _t23;
                  				void* _t24;
                  				intOrPtr _t26;
                  				long _t27;
                  				long _t33;
                  				signed int _t42;
                  				void* _t48;
                  				long _t52;
                  				signed int _t53;
                  				intOrPtr* _t60;
                  				void* _t76;
                  				struct HDC__* _t77;
                  
                  				_v12 = __ecx;
                  				_t19 = E0041C8FD(0x47e2f0, 0xc);
                  				_v24 = _t19;
                  				if(_t19 != 0) {
                  					E0041DBFF(0x47e2f0,  &_v304, ".bmp");
                  					_t22 =  *0x47f28c; // 0x22d1d10
                  					_t52 = 1;
                  					 *0x47f21c = _t52;
                  					 *0x47e290 = _t52;
                  					if(_t22 != 0) {
                  						E00424DCE(_t22);
                  					}
                  					_t23 = E00424DD9(4);
                  					 *0x47f28c = _t23;
                  					if(_t23 == 0) {
                  						E0041D881(E0041CD1E(0x47e924));
                  					}
                  					_t24 = E0041C8FD(0x47e2f0, 8);
                  					_t60 =  *0x47f28c; // 0x22d1d10
                  					 *_t60 = _t24 + _v24;
                  					_t26 = E0041C8FD(0x47e2f0, 0xc);
                  					_t27 = E0041C8FD(0x47e2f0, 8);
                  					if(E00401AC0(E0041CD1E(0x47e6c8),  &_v304, _t27, _t26) == 0) {
                  						_t76 = CreateFileA( &_v304, 0x80000000, _t52, 0, 3, 0x80, 0);
                  						if(_t76 != 0xffffffff) {
                  							_t33 = GetFileSize(_t76, 0);
                  							_v28 = 0;
                  							_t53 = E00410087(_v12, _t76, _t33,  &_v44,  &_v8,  &_v20,  &_v16,  &_v28);
                  							CloseHandle(_t76);
                  							DeleteFileA( &_v304);
                  							if(_t53 >= 0) {
                  								_t77 = GetDC( *0x47e178);
                  								 *0x47e180 = CreateDIBitmap(_t77, _v8, 4, _v16, _v8, 0);
                  								ReleaseDC( *0x47e178, _t77);
                  								E00424DCE(_v20);
                  								_t42 =  *0x47e180; // 0x0
                  								asm("sbb eax, eax");
                  								return ( ~_t42 & 0x0000006a) + 0xffffff97;
                  							}
                  							return _t53 | 0x00000001;
                  						}
                  						_push(0xffffff9c);
                  						goto L2;
                  					} else {
                  						_push(0xffffff9d);
                  						L2:
                  						_pop(_t48);
                  						return _t48;
                  					}
                  				}
                  				 *0x47e180 = 0;
                  				_push(1);
                  				goto L2;
                  			}


























                  APIs
                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,0000000C,0047F208,00000001,00000000), ref: 0040FE0B
                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0040FE21
                  • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?), ref: 0040FE4B
                  • DeleteFileA.KERNEL32(?), ref: 0040FE58
                  • GetDC.USER32 ref: 0040FE6F
                  • CreateDIBitmap.GDI32(00000000,00000000,00000004,?,00000000,00000000), ref: 0040FE84
                  • ReleaseDC.USER32 ref: 0040FE96
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: File$Create$BitmapCloseDeleteHandleReleaseSize
                  • String ID: $G$.bmp
                  • API String ID: 2008120840-2738061064
                  • Opcode ID: 3995a3750e7dd3da10834d1e6e5926b7dea0f0e3dab81c01293bf198082a347a
                  • Instruction ID: cf3e423417066c2770ee3d28dc9536839d589157f27dfd254e3d0e7e263d838b
                  • Opcode Fuzzy Hash: 3995a3750e7dd3da10834d1e6e5926b7dea0f0e3dab81c01293bf198082a347a
                  • Instruction Fuzzy Hash: 7C41E772A00214BBDB20ABA5EC45EEE37A9EB48714F50027FF215F61D1DB3859858B6C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0042673F() {
                  				int _v4;
                  				int _v8;
                  				intOrPtr _t7;
                  				CHAR* _t9;
                  				WCHAR* _t17;
                  				int _t20;
                  				char* _t24;
                  				int _t32;
                  				CHAR* _t36;
                  				WCHAR* _t38;
                  				void* _t39;
                  				int _t42;
                  
                  				_t7 =  *0x47f494; // 0x1
                  				_t32 = 0;
                  				_t38 = 0;
                  				_t36 = 0;
                  				if(_t7 != 0) {
                  					if(_t7 != 1) {
                  						if(_t7 != 2) {
                  							L27:
                  							return 0;
                  						}
                  						L18:
                  						if(_t36 != _t32) {
                  							L20:
                  							_t9 = _t36;
                  							if( *_t36 == _t32) {
                  								L23:
                  								_t41 = _t9 - _t36 + 1;
                  								_t39 = E00424B9C(_t9 - _t36 + 1);
                  								if(_t39 != _t32) {
                  									E00424560(_t39, _t36, _t41);
                  								} else {
                  									_t39 = 0;
                  								}
                  								FreeEnvironmentStringsA(_t36);
                  								return _t39;
                  							} else {
                  								goto L21;
                  							}
                  							do {
                  								do {
                  									L21:
                  									_t9 =  &(_t9[1]);
                  								} while ( *_t9 != _t32);
                  								_t9 =  &(_t9[1]);
                  							} while ( *_t9 != _t32);
                  							goto L23;
                  						}
                  						_t36 = GetEnvironmentStrings();
                  						if(_t36 == _t32) {
                  							goto L27;
                  						}
                  						goto L20;
                  					}
                  					L6:
                  					if(_t38 != _t32) {
                  						L8:
                  						_t17 = _t38;
                  						if( *_t38 == _t32) {
                  							L11:
                  							_t20 = (_t17 - _t38 >> 1) + 1;
                  							_v4 = _t20;
                  							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
                  							if(_t42 != _t32) {
                  								_t24 = E00424B9C(_t42);
                  								_v8 = _t24;
                  								if(_t24 != _t32) {
                  									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
                  										_t4 =  &_v8; // 0x42544e
                  										E00424AB4( *_t4);
                  										_v8 = _t32;
                  									}
                  									_t6 =  &_v8; // 0x42544e
                  									_t32 =  *_t6;
                  								}
                  							}
                  							FreeEnvironmentStringsW(_t38);
                  							return _t32;
                  						} else {
                  							goto L9;
                  						}
                  						do {
                  							do {
                  								L9:
                  								_t17 =  &(_t17[1]);
                  							} while ( *_t17 != _t32);
                  							_t17 =  &(_t17[1]);
                  						} while ( *_t17 != _t32);
                  						goto L11;
                  					}
                  					_t38 = GetEnvironmentStringsW();
                  					if(_t38 == _t32) {
                  						goto L27;
                  					}
                  					goto L8;
                  				}
                  				_t38 = GetEnvironmentStringsW();
                  				if(_t38 == 0) {
                  					_t36 = GetEnvironmentStrings();
                  					if(_t36 == 0) {
                  						goto L27;
                  					}
                  					 *0x47f494 = 2;
                  					goto L18;
                  				}
                  				 *0x47f494 = 1;
                  				goto L6;
                  			}
















                  APIs
                  • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0042544E), ref: 0042675A
                  • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0042544E), ref: 0042676E
                  • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0042544E), ref: 0042679A
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0042544E), ref: 004267D2
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0042544E), ref: 004267F4
                  • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0042544E), ref: 0042680D
                  • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0042544E), ref: 00426820
                  • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0042685E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                  • String ID: NTB
                  • API String ID: 1823725401-3275800884
                  • Opcode ID: 09d6d9b367f5193bafd867d262349c5fc6bf43a9ea448f1c081074df28bd7e38
                  • Instruction ID: 70f4fe8edb7dadc6a306c9177d1c38149c5e187b45b6e61e3d9f52c0ed71f94f
                  • Opcode Fuzzy Hash: 09d6d9b367f5193bafd867d262349c5fc6bf43a9ea448f1c081074df28bd7e38
                  • Instruction Fuzzy Hash: F431F4B27062355FDB207F757C8483B769CEA85358792093FF545C3201DA298C82866D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 74%
                  			E00409E0C(void* __edi, void* __esi) {
                  				intOrPtr _v8;
                  				void* _t24;
                  				signed int _t33;
                  				intOrPtr _t50;
                  				struct HWND__* _t59;
                  				void* _t80;
                  				struct HDC__* _t81;
                  				void* _t84;
                  				struct HWND__** _t88;
                  
                  				_t84 = __esi;
                  				_t80 = __edi;
                  				if( *0x47e274 == 0) {
                  					_t59 = CreateDialogParamA( *0x47e17c, 0x12,  *0x47e178, E00405811, 0);
                  					if(E00424DD9(0x2c) == 0) {
                  						_t88 = 0;
                  					} else {
                  						_t88 = E0041EA76(_t26);
                  					}
                  					if(_t88 == 0) {
                  						E0041D881(E0041CD1E(0x47e924));
                  					}
                  					_push(_t84);
                  					_push(_t80);
                  					SetWindowTextA(_t59, E0041CD1E(0x47e700));
                  					SetDlgItemTextA(_t59, 0x422, E0041CD1E(0x47e9c0));
                  					_t81 = GetDC( *0x47e178);
                  					_t33 = MulDiv(0xf4240, GetDeviceCaps(_t81, 0x5a), 0x48);
                  					asm("cdq");
                  					_t85 = _t33 / 0x535;
                  					ReleaseDC( *0x47e178, _t81);
                  					asm("cdq");
                  					asm("cdq");
                  					asm("cdq");
                  					asm("cdq");
                  					E0041EBAF(_t88, _t59, _t33 / 0x535 * 0x3d / 0x3e8, _t85 * 0x2d / 0x3e8, _t85 * 0xb2 / 0x3e8, (_t85 + _t85 * 4 << 2) / 0x3e8, 0xff3232, 2);
                  					if(E00424DD9(0xc) == 0) {
                  						_t50 = 0;
                  					} else {
                  						_t50 = E0041EEB9(_t49);
                  					}
                  					 *0x47e274 = _t50;
                  					if(_t50 != 0) {
                  						E00421569(_t50, _t88, _v8);
                  					}
                  					if(_t88 != 0) {
                  						E0041EA84(_t88);
                  						E00424DCE(_t88);
                  					}
                  					return DestroyWindow(_t59);
                  				}
                  				return _t24;
                  			}

                  APIs
                  • CreateDialogParamA.USER32(00000012,00405811,00000000,0047DFB8,00000000), ref: 00409E30
                  • SetWindowTextA.USER32(00000000,00000000), ref: 00409E74
                  • SetDlgItemTextA.USER32 ref: 00409E8B
                  • GetDC.USER32 ref: 00409E97
                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00409EA4
                  • MulDiv.KERNEL32(000F4240,00000000), ref: 00409EB0
                  • ReleaseDC.USER32 ref: 00409EC7
                  • DestroyWindow.USER32(00000000,00000000,00000000,00000000,00FF3232,00000002,?,00000000,00415294,00000000,?,?,00000000), ref: 00409F4C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: TextWindow$CapsCreateDestroyDeviceDialogItemParamRelease
                  • String ID: $G
                  • API String ID: 2752067422-195990108
                  • Opcode ID: 6af5d555873dcb2e1cf5ac52fad9c6eeb51411011906c4e4908784347c516bc4
                  • Instruction ID: 64d2272f1d71ec0746e7bd42cd6953b95e96244998154a68e13917dbc3f7a5c2
                  • Opcode Fuzzy Hash: 6af5d555873dcb2e1cf5ac52fad9c6eeb51411011906c4e4908784347c516bc4
                  • Instruction Fuzzy Hash: BD31B0B1300205AFE724B772AC0AB7A368DDB88B55F50457EBA06D51E2DEBDCC41822D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E0040E177(void* __edx, void* __edi, void* __esi, struct HWND__* _a4, intOrPtr _a8, signed int _a11, intOrPtr _a12, intOrPtr* _a16) {
                  				signed char _v5;
                  				char _v6;
                  				char _v7;
                  				signed int _v8;
                  				intOrPtr _v16;
                  				void* _t26;
                  				intOrPtr* _t34;
                  				void* _t35;
                  				CHAR* _t42;
                  				void* _t50;
                  				CHAR* _t56;
                  				void* _t67;
                  
                  				_t50 = __edx;
                  				_t26 = _a8 - 1;
                  				if(_t26 == 0) {
                  					SendMessageA(_a4, 0x464, 0, 0);
                  					L15:
                  					return 0;
                  				}
                  				if(_t26 != 1) {
                  					goto L15;
                  				}
                  				_t56 = E00424DD9(0x104);
                  				if(_t56 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				E00424500(_t56, 0, 0x104);
                  				_a11 = _a11 & 0x00000000;
                  				_v8 = _v8 & 0x00000000;
                  				_v5 = _v5 & 0x00000000;
                  				_v7 = 0x3a;
                  				_v6 = 0x5c;
                  				__imp__SHGetPathFromIDListA(_a12, _t56);
                  				SendMessageA(_a4, 0x464, 0, _t56);
                  				_t42 =  &_v8;
                  				_v8 =  *_t56;
                  				if( *_t56 == 0x5c && _t56[1] == 0x5c) {
                  					_a11 = 1;
                  					_t42 = _t56;
                  					if( *((char*)(lstrlenA(_t56) + _t56 - 1)) != 0x5c) {
                  						lstrcatA(_t56, "\\");
                  					}
                  				}
                  				_t34 = _a16;
                  				_v16 =  *_t34;
                  				_t35 = E0040DE4D(_t42, 1);
                  				_t67 = _t50 -  *((intOrPtr*)(_t34 + 4));
                  				if(_t67 <= 0 && (_t67 < 0 || _t35 < _v16)) {
                  					SendMessageA(_a4, 0x465, 0, 0);
                  				}
                  				if(_a11 != 0) {
                  					E00424DCE(_t42);
                  				}
                  				goto L15;
                  			}

                  APIs
                  • SHGetPathFromIDListA.SHELL32(?,00000000), ref: 0040E1D8
                  • SendMessageA.USER32(?,00000464,00000000,00000000), ref: 0040E1EF
                  • lstrlenA.KERNEL32(00000000), ref: 0040E20B
                  • lstrcatA.KERNEL32(00000000,0042BC5C), ref: 0040E21E
                  • SendMessageA.USER32(?,00000465,00000000,00000000), ref: 0040E250
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • SendMessageA.USER32(?,00000464,00000000,00000000), ref: 0040E26F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: GlobalMessageSend$AllocFromListLockPathUnlocklstrcatlstrlen
                  • String ID: $G$:$\
                  • API String ID: 140795568-1825042209
                  • Opcode ID: 13d3db3d80b4cfebd66eed4fc2c78cd52229a23c903782d053dff0087ef01897
                  • Instruction ID: 21e24e243a6a30bb0ddabb7fae950f34981bca74c7c0db4a95f2ed546f01ef71
                  • Opcode Fuzzy Hash: 13d3db3d80b4cfebd66eed4fc2c78cd52229a23c903782d053dff0087ef01897
                  • Instruction Fuzzy Hash: 56318B71A05744FEEB21AB62DC49F8F7FA88F42714F1488AEF5403A2D2C6B89911875D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041BD55(intOrPtr* __ecx, intOrPtr _a4) {
                  				CHAR* _v0;
                  				struct HINSTANCE__* _t15;
                  				signed int _t19;
                  				intOrPtr* _t28;
                  
                  				_t28 = __ecx;
                  				if( *((intOrPtr*)(__ecx + 0x1c)) == 0) {
                  					_t3 = _t28 + 0x10; // 0x47e2e0
                  					E0041BF12(_t3, _a4);
                  					_t15 = LoadLibraryA(_v0);
                  					 *(_t28 + 0x1c) = _t15;
                  					if(_t15 != 0) {
                  						 *((intOrPtr*)(_t28 + 4)) = GetProcAddress(_t15, "Blit");
                  						_t7 = _t28 + 0x1c; // 0x0
                  						 *_t28 = GetProcAddress( *_t7, "GetDllVersion");
                  						_t8 = _t28 + 0x1c; // 0x0
                  						 *((intOrPtr*)(_t28 + 8)) = GetProcAddress( *_t8, "JPGToBMP");
                  						_t10 = _t28 + 0x1c; // 0x0
                  						_t19 = GetProcAddress( *_t10, "JPGToBMPEx");
                  						 *(_t28 + 0xc) = _t19;
                  						return _t19 & 0xffffff00 | _t19 != 0x00000000;
                  					}
                  					return 0;
                  				}
                  				return 1;
                  			}

                  APIs
                  • LoadLibraryA.KERNEL32(?,?,00000000,004189FA,00000000,00000000,00000000,00000054,00000050,0000005C,0047E1B8,00000001,?,00000000), ref: 0041BD72
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: Blit$GetDllVersion$JPGToBMP$JPGToBMPEx
                  • API String ID: 1029625771-1379899007
                  • Opcode ID: d53f4ab7834049d4747db6ea862f86f46e16cf2d6d03149368ea9674d48f8cb4
                  • Instruction ID: 5d2a54117ffe63fd1fd62730380fadb6e88887b0d281db8f84bce1ccff9a787c
                  • Opcode Fuzzy Hash: d53f4ab7834049d4747db6ea862f86f46e16cf2d6d03149368ea9674d48f8cb4
                  • Instruction Fuzzy Hash: 9DF06970600711EEC7306F26EC04A9BBBE4EF90710760C92EE086825A0D738A886DF98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 87%
                  			E0040EDE3(int* __ecx) {
                  				int _t12;
                  				void* _t21;
                  				void* _t25;
                  				struct HDC__* _t27;
                  				int* _t28;
                  				void* _t29;
                  
                  				_t28 = __ecx;
                  				if( *((intOrPtr*)(__ecx + 0x10)) != 0) {
                  					E0040FC45(__ecx);
                  				}
                  				_t27 = GetDC( *0x47e178);
                  				_t12 = CreateCompatibleDC(_t27);
                  				_t28[4] = _t12;
                  				if(_t12 != 0) {
                  					_t3 =  &(_t28[1]); // 0x0
                  					_t25 = CreateCompatibleBitmap(_t27,  *_t28,  *_t3);
                  					ReleaseDC( *0x47e178, _t27);
                  					if(_t25 != 0) {
                  						_t5 =  &(_t28[4]); // 0x0
                  						if(SelectObject( *_t5, _t25) != 0) {
                  							_t7 =  &(_t28[3]); // 0x0
                  							_t8 =  &(_t28[2]); // 0x0
                  							_t9 =  &(_t28[1]); // 0x0
                  							_t10 =  &(_t28[4]); // 0x0
                  							BitBlt( *_t10, 0, 0,  *_t28,  *_t9,  *0x47e184,  *_t8,  *_t7, 0xcc0020);
                  							_push(1);
                  						} else {
                  							_t6 =  &(_t28[4]); // 0x0
                  							DeleteDC( *_t6);
                  							_push(0xfffffffd);
                  						}
                  						_pop(_t29);
                  						DeleteObject(_t25);
                  						return _t29;
                  					}
                  					_t4 =  &(_t28[4]); // 0x0
                  					DeleteDC( *_t4);
                  					_t21 = 0xfffffffe;
                  					return _t21;
                  				} else {
                  					return ReleaseDC( *0x47e178, _t27) | 0xffffffff;
                  				}
                  			}

                  APIs
                  • GetDC.USER32(0047F208), ref: 0040EDF9
                  • CreateCompatibleDC.GDI32(00000000), ref: 0040EE02
                  • ReleaseDC.USER32 ref: 0040EE16
                    • Part of subcall function 0040FC45: BitBlt.GDI32(00000000,00000000,0047F208,00000000,00000000,00000000,00000000,00CC0020,00000000), ref: 0040FC6A
                    • Part of subcall function 0040FC45: CreateCompatibleBitmap.GDI32(00000001,00000001), ref: 0040FC7A
                    • Part of subcall function 0040FC45: SelectObject.GDI32(00000000,00000000), ref: 0040FC84
                    • Part of subcall function 0040FC45: DeleteObject.GDI32(00000000), ref: 0040FC8B
                    • Part of subcall function 0040FC45: DeleteDC.GDI32(00000000), ref: 0040FC94
                  • CreateCompatibleBitmap.GDI32(00000000,0047F208,00000000), ref: 0040EE27
                  • ReleaseDC.USER32 ref: 0040EE36
                  • DeleteDC.GDI32(00000000), ref: 0040EE43
                  • SelectObject.GDI32(00000000,00000000), ref: 0040EE52
                  • DeleteDC.GDI32(00000000), ref: 0040EE5F
                  • DeleteObject.GDI32(00000000), ref: 0040EE90
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Delete$Object$CompatibleCreate$BitmapReleaseSelect
                  • String ID:
                  • API String ID: 1573005090-0
                  • Opcode ID: e6151709743439201e731339c2d96ddc398ce3e8a6b7f262f28ba73ccbc63d39
                  • Instruction ID: 32fa84cb7ac7508deeb8dbcab99f5a284d58c6a6701324cb506084c713f8559a
                  • Opcode Fuzzy Hash: e6151709743439201e731339c2d96ddc398ce3e8a6b7f262f28ba73ccbc63d39
                  • Instruction Fuzzy Hash: 90113A31201214FFEB311F66DC09A1A7AB5FB48B11B510A3EF666A04F0CB715866AB58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E00412C58(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                  				char _v16;
                  				struct _PROCESS_INFORMATION _v32;
                  				struct _STARTUPINFOA _v100;
                  				void* _t32;
                  				short _t40;
                  				short _t58;
                  				char* _t76;
                  				long _t110;
                  				void* _t111;
                  
                  				_t114 = _a8;
                  				if(_a8 != 0) {
                  					E004164B1(0x47dfb8, _t114, 0x47e1ac);
                  					E0041A81A(_t114, 0x47e1ac);
                  					E0041B3B9(0x47dfb8, 0x47e1ac, 0x7fffffff);
                  					E0041BE99( &_v16, E0041CC95(0x47e1ac, 0, E0041C7DB(0x47e1ac, "\\", 0, 1)));
                  					_t76 = E0041CD1E( &_v16);
                  					ShellExecuteA(0, "open", E0041CD1E(0x47e1ac), 0, _t76, 1);
                  					_t32 = E0041BEFB( &_v16);
                  				}
                  				_t115 = _a4;
                  				if(_a4 != 0) {
                  					E004164B1(0x47dfb8, _t115, 0x47e1a0);
                  					E0041A81A(_t115, 0x47e1a0);
                  					E0041B3B9(0x47dfb8, 0x47e1a0, 0x7fffffff);
                  					E00424500( &_v32, 0, 0x10);
                  					E00424500( &_v100, 0, 0x44);
                  					_t111 = _t111 + 0x18;
                  					_v100.cb = 0x44;
                  					_t58 = 1;
                  					_v100.dwFlags = _t58;
                  					_v100.wShowWindow = _t58;
                  					E0041BDC5( &_v16);
                  					if(E0041BFE3(0x47e1a0, 0) != 0x22) {
                  						_push(E0041CD1E(0x47e1a0));
                  						E0041C467( &_v16, "\"%s\"");
                  						_t111 = _t111 + 0xc;
                  					} else {
                  						E0041BF80( &_v16, 0x47e1a0);
                  					}
                  					CreateProcessA(0, E0041CD1E( &_v16), 0, 0, 0, 0x4000000, 0, 0,  &_v100,  &_v32);
                  					CloseHandle(_v32.hProcess);
                  					_t32 = E0041BEFB( &_v16);
                  				}
                  				_t117 = _a12;
                  				if(_a12 != 0) {
                  					E004164B1(0x47dfb8, _t117, 0x47e284);
                  					E0041A81A(_t117, 0x47e284);
                  					E0041B3B9(0x47dfb8, 0x47e284, 0x7fffffff);
                  					E00424500( &_v32, 0, 0x10);
                  					_t110 = 0x44;
                  					E00424500( &_v100, 0, _t110);
                  					_v100.cb = _t110;
                  					_t40 = 1;
                  					_v100.dwFlags = _t40;
                  					_v100.wShowWindow = _t40;
                  					E0041BDC5( &_v16);
                  					_push(E0041CD1E(0x47e284));
                  					E0041C467( &_v16, "\"%s\"");
                  					CreateProcessA(0, E0041CD1E( &_v16), 0, 0, 0, 0x4000000, 0, 0,  &_v100,  &_v32);
                  					CloseHandle(_v32);
                  					return E0041BEFB( &_v16);
                  				}
                  				return _t32;
                  			}

                  APIs
                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000000,00000000,00000000,?,00000000,?,?,?,7FFFFFFF,0047E284,0047E284), ref: 00412E3A
                  • CloseHandle.KERNEL32(00000000,?,?,?,7FFFFFFF,0047E284,0047E284,0047E880,0047DFB8,00000000), ref: 00412E43
                  • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00412CCF
                    • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                    • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,04000000,00000000,00000000,00000044,00000000,?,?,00000000,7FFFFFFF,0047E1A0,0047E1A0), ref: 00412D8E
                  • CloseHandle.KERNEL32(00000000,?,?,00000000,7FFFFFFF,0047E1A0,0047E1A0,0047E880,0047DFB8,00000000), ref: 00412D97
                    • Part of subcall function 0041C7DB: lstrlenA.KERNEL32(0047DFB8,00000000,0047DE94,0042BC5C,0042BC5C,00000000,00000001,0047E6C8,?,0047DFB8), ref: 0041C7E9
                    • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                    • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$lstrlen$AllocCloseCreateHandleLockProcessUnlock$ExecuteFreeShell
                  • String ID: "%s"$D$open
                  • API String ID: 2852451536-1882215900
                  • Opcode ID: fbca33da4473706544aacee07d9e66cffff12c51ce9051d3352803ba41c6fea6
                  • Instruction ID: f4c14044bc5125cebcf83ce59b9b63798f6509ae67beb9561b870344e07d8ab8
                  • Opcode Fuzzy Hash: fbca33da4473706544aacee07d9e66cffff12c51ce9051d3352803ba41c6fea6
                  • Instruction Fuzzy Hash: C851C3B1A0021C7ADB10ABA2AC96EFFB72DDF40708F50411FB515A6182DF7C494186AD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E0040D917(void* _a4, short _a6, signed int _a8, signed int _a12) {
                  				void* _v8;
                  				int _v12;
                  				void* _v16;
                  				int _v20;
                  				signed int _v32;
                  				char _v44;
                  				signed int _t49;
                  				signed int _t51;
                  				unsigned int _t55;
                  				signed int _t59;
                  				signed int _t60;
                  				void* _t90;
                  				int _t113;
                  				void* _t114;
                  
                  				_t49 = GetFileVersionInfoSizeA(_a4,  &_v20);
                  				_t113 = _t49;
                  				if(_t113 != 0) {
                  					_t90 = E00424DD9(_t113);
                  					__eflags = _t90;
                  					_v16 = _t90;
                  					if(_t90 == 0) {
                  						E0041D881(E0041CD1E(0x47e924));
                  					}
                  					_t51 = GetFileVersionInfoA(_a4, _v20, _t113, _t90);
                  					__eflags = _t51;
                  					if(_t51 != 0) {
                  						_v12 = 0;
                  						VerQueryValueA(_t90, "\\VarFileInfo\\Translation",  &_v8,  &_v12);
                  						_t55 = _v12;
                  						__eflags = 0x00000003 & _t55;
                  						if((0x00000003 & _t55) != 0) {
                  							L23:
                  							_push(0xfffffffc);
                  							goto L24;
                  						}
                  						__eflags = _t55;
                  						if(_t55 == 0) {
                  							goto L23;
                  						}
                  						__eflags = _t55 >> 2;
                  						if(_t55 >> 2 <= 0) {
                  							_t59 = _a8;
                  							_a4 = 0;
                  							__eflags = _t59;
                  							_a6 = 0x4b0;
                  							if(_t59 != 0) {
                  								 *_t59 = _a4;
                  							}
                  							L22:
                  							_push(1);
                  							goto L24;
                  						}
                  						_t60 = _a8;
                  						__eflags = _t60;
                  						if(_t60 != 0) {
                  							 *_t60 =  *_v8;
                  						}
                  						E0041BDC5( &_v32);
                  						_t115 = "%h";
                  						_push( *_v8 & 0x0000ffff);
                  						E0041C467( &_v32, "%h");
                  						while(1) {
                  							__eflags = _v32 & 0x00000003;
                  							if((_v32 & 0x00000003) == 0) {
                  								break;
                  							}
                  							E0041CA01(0x30, 0);
                  						}
                  						E0041BE35( &_v44, "\\StringFileInfo\\");
                  						E0041C0C5( &_v44, __eflags,  &_v32);
                  						E0041BF12( &_v32, 0x42e0c8);
                  						_push( *(_v8 + 2) & 0x0000ffff);
                  						E0041C467( &_v32, _t115);
                  						while(1) {
                  							__eflags = _v32 & 0x00000003;
                  							if(__eflags == 0) {
                  								break;
                  							}
                  							E0041CA01(0x30, 0);
                  						}
                  						E0041C0C5( &_v44, __eflags,  &_v32);
                  						E0041C047( &_v44, "\\FileDescription", 0);
                  						VerQueryValueA(_v16, E0041CD1E( &_v44),  &_a4,  &_v12);
                  						_t103 = _a12;
                  						__eflags = _a12;
                  						if(_a12 != 0) {
                  							E0041BF12(_t103, _a4);
                  						}
                  						E0041BEFB( &_v44);
                  						E0041BEFB( &_v32);
                  						goto L22;
                  					} else {
                  						_push(0xfffffffd);
                  						L24:
                  						_pop(_t114);
                  						E00424DCE(_v16);
                  						return _t114;
                  					}
                  				}
                  				return _t49 | 0xffffffff;
                  			}


















                  APIs
                  • GetFileVersionInfoSizeA.VERSION(?,00410B65,00000003,00000000,?,?,?,?,?,?,00410B65,?,?,?), ref: 0040D926
                  • GetFileVersionInfoA.VERSION(?,00410B65,00000000,00000000,00000000,?,00410B65,00000003,00000000,?,?,?,?,?,?,00410B65), ref: 0040D965
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: FileInfoVersion$Size
                  • String ID: $G$\FileDescription$\StringFileInfo\$\VarFileInfo\Translation
                  • API String ID: 2104008232-2658176319
                  • Opcode ID: 61150eeef0968c695101dd92a68d3607be4703a85986fb226b918cbcf9c81c13
                  • Instruction ID: d408d3d500f0ff9ed179e7d5978f6713b2840c9058f8741615ebd732b6ba7fd1
                  • Opcode Fuzzy Hash: 61150eeef0968c695101dd92a68d3607be4703a85986fb226b918cbcf9c81c13
                  • Instruction Fuzzy Hash: 37419071E04118AACB14EBD6DC81DEF7B78EF44354F54412BF811A72D1EB389A49CB98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 65%
                  			E00419146(void* __ecx, CHAR* _a4) {
                  				char _v16;
                  				struct _OSVERSIONINFOA _v164;
                  				CHAR* _t23;
                  				void* _t31;
                  				void* _t40;
                  				intOrPtr _t55;
                  
                  				 *0x47e650 = 0;
                  				 *0x47e654 = 0;
                  				 *0x47e65c = 2;
                  				 *0x47e490 = 0;
                  				 *0x47e544 = 1;
                  				 *0x47e17c = _a4;
                  				 *0x47e184 = 0;
                  				 *0x47e180 = 0;
                  				 *0x47e178 = 0;
                  				0x47e1dc->dwOSVersionInfoSize = 0x94;
                  				GetVersionExA(0x47e1dc);
                  				 *0x47e84c = 0;
                  				E00424500(0x47e298, 0, 0x38);
                  				E00424500(0x47e118, 0, 0x4c);
                  				E00424500(0x47e780, 0, 8);
                  				E00424500("=BB", 0, 0x38);
                  				 *0x47e314 = E00424269;
                  				 *0x47e300 = E0042423D;
                  				 *0x47e304 = E00424295;
                  				 *0x47e30c = E00424316;
                  				 *0x47e308 = E004243AA;
                  				 *0x47e310 = E0042444A;
                  				 *0x47e32c = E0041D830;
                  				 *0x47e334 = E0041D728;
                  				 *0x47e328 = E0041D46F;
                  				 *0x47e330 = E0041D0FD;
                  				 *0x47e324 = 0x47e190;
                  				_t23 = E00424DD9(0x104);
                  				_a4 = _t23;
                  				if(_t23 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				E00424500(_a4, 0, 0x104);
                  				GetModuleFileNameA(0, _a4, 0x104);
                  				E0041BF12(0x47e6c8, _a4);
                  				E00424DCE(_a4);
                  				E0041BE35( &_v16, GetCommandLineA());
                  				E0041CD68( &_v16);
                  				_push(1);
                  				_push(0);
                  				_push("/SILENT");
                  				_t31 = E0041C6D0( &_v16);
                  				_t55 = 0xffffffffffffffff;
                  				if(_t31 != 0xffffffffffffffff) {
                  					 *0x47f27c = 1;
                  				}
                  				_push(1);
                  				_push(0);
                  				_push("/REVERT");
                  				if(E0041C6D0( &_v16) != _t55) {
                  					 *0x47f2d5 = 1;
                  				}
                  				 *0x47e6d8 = _t55;
                  				 *0x47e6dc = _t55;
                  				 *0x47e6e0 = _t55;
                  				 *0x47e6e4 = _t55;
                  				 *0x47e6e8 = _t55;
                  				 *0x47e6ec = _t55;
                  				 *0x47e6f0 = _t55;
                  				 *0x47e6f4 = _t55;
                  				E00424500( &_v164, 0, 0x94);
                  				_v164.dwOSVersionInfoSize = 0x94;
                  				GetVersionExA( &_v164);
                  				if(_v164.dwPlatformId != 2) {
                  					 *0x47e19c = 0;
                  					if((_v164.dwBuildNumber & 0x0000ffff) <= 0x3e8) {
                  						 *0x47e299 = 1;
                  					}
                  				} else {
                  					 *0x47e19c = 1;
                  				}
                  				E0041BEFB( &_v16);
                  				_t40 = 1;
                  				return _t40;
                  			}










                  APIs
                  • GetVersionExA.KERNEL32(0047E1DC,?,0047DFB8), ref: 004191A1
                  • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 00419287
                  • GetCommandLineA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0047DFB8), ref: 004192A3
                  • GetVersionExA.KERNEL32(?,00000000,00000001,00000000), ref: 00419341
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$Version$AllocCommandFileLineLockModuleNameUnlock
                  • String ID: $G$/REVERT$/SILENT$=BB
                  • API String ID: 4022919458-682978317
                  • Opcode ID: f776ea48a09c8f8f847d136ed6ee984ee553efc096e973d9a1180c81a32f13a8
                  • Instruction ID: 069071d22816293ed82681b1aff37c9fee1eff57cfef91bdab285aa600e63159
                  • Opcode Fuzzy Hash: f776ea48a09c8f8f847d136ed6ee984ee553efc096e973d9a1180c81a32f13a8
                  • Instruction Fuzzy Hash: 2F51A3B0A00214ABD7109F57FC46AC93FA8EB69748F9086BBF50C562A1D7B805C5CF9D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 97%
                  			E00405F3F(void** __ecx, void* __edi, signed int* _a4, CHAR* _a8, long _a12, long _a16) {
                  				long _v8;
                  				signed int _v20;
                  				signed int _v24;
                  				int _v28;
                  				CHAR* _v32;
                  				void _v48;
                  				void _v92;
                  				intOrPtr _v96;
                  				void* _v100;
                  				signed int* _t40;
                  				CHAR* _t41;
                  				int _t42;
                  				long _t45;
                  				void* _t50;
                  				signed int* _t52;
                  				long _t53;
                  				void** _t68;
                  				signed int _t70;
                  				void* _t81;
                  				long* _t88;
                  
                  				_t81 = __edi;
                  				_t40 = _a4;
                  				_t68 = __ecx;
                  				if(_t40 == 0) {
                  					_v100 = _v100 & 0x00000000;
                  				} else {
                  					_v100 =  *_t40;
                  				}
                  				_t41 = _a8;
                  				_push(_t81);
                  				_v96 = 0xffff0002;
                  				_v48 = 0x23;
                  				_v32 = _t41;
                  				_t42 = lstrlenA(_t41);
                  				_v24 = _v24 | 0xffffffff;
                  				_v20 = _v20 | 0xffffffff;
                  				_v28 = _t42;
                  				_t70 = 0xa;
                  				memcpy( &_v92,  &_v48, _t70 << 2);
                  				_t45 = SendMessageA(_t68[3], 0x1100, 0,  &_v100);
                  				_v8 = _t45;
                  				if(_t45 == 0) {
                  					E0041D881("TreeView_InserItem failed");
                  				}
                  				_t88 = E00424DD9(0x1c);
                  				if(_t88 == 0) {
                  					_t88 = 0;
                  				} else {
                  					_t20 =  &(_t88[3]); // 0xc
                  					E0041BDC5(_t20);
                  				}
                  				if(_t88 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				_t68[1] = _t68[1] + 1;
                  				GlobalUnlock( *_t68);
                  				_t50 = GlobalReAlloc( *_t68, _t68[1] << 2, 0x42);
                  				 *_t68 = _t50;
                  				if(_t50 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				_t68[2] = GlobalLock( *_t68);
                  				_t52 = _a4;
                  				if(_t52 == 0) {
                  					_t53 = 0;
                  				} else {
                  					_t53 = _t52[6] + 1;
                  				}
                  				_t88[6] = _t53;
                  				_t30 =  &(_t88[3]); // 0xc
                  				 *_t88 = _v8;
                  				_t88[2] = _a12;
                  				_t88[1] = _a16;
                  				E0041BF12(_t30, _a8);
                  				 *(_t68[2] + _t68[1] * 4 - 4) = _t88;
                  				return _t88;
                  			}
























                  APIs
                  • lstrlenA.KERNEL32(?), ref: 00405F71
                  • SendMessageA.USER32(?,00001100,00000000,00000000), ref: 00405F9B
                  • GlobalUnlock.KERNEL32 ref: 00405FE9
                  • GlobalReAlloc.KERNEL32 ref: 00405FFA
                  • GlobalLock.KERNEL32 ref: 00406016
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLockMessageSendUnlocklstrlen
                  • String ID: #$$G$TreeView_InserItem failed
                  • API String ID: 3808323675-3490677953
                  • Opcode ID: e24c319d5a726757bb0563f9117dc54036e36d4a3f5524520f9c0c91d46db45a
                  • Instruction ID: 3a63b91b1eafc2a219035d5167075837741d0a79a5db3777f340d1a2a78fdb77
                  • Opcode Fuzzy Hash: e24c319d5a726757bb0563f9117dc54036e36d4a3f5524520f9c0c91d46db45a
                  • Instruction Fuzzy Hash: 3E31AE71A0071ADFDB14DFA8D885AAEBBF4EF04350F10812AE915EB295DB78D902CF54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E0041F2A2(void* __ecx, void* __eflags) {
                  				char _v16;
                  				int _t12;
                  				_Unknown_base(*)()* _t16;
                  				struct HDC__* _t28;
                  				struct HINSTANCE__* _t29;
                  				void* _t30;
                  				void* _t31;
                  
                  				_t31 = __eflags;
                  				_t30 = __ecx;
                  				E0041BE35( &_v16, 0x42e0c8);
                  				E0041EEC5(__ecx,  &_v16);
                  				E0041EEC5(_t30, 0x47eaa4);
                  				E00420794(_t30);
                  				E0041F924(_t30, _t31);
                  				E0042037B(_t30);
                  				 *0x47e2b0 =  *0x47e2b0 & 0x00000000;
                  				_t28 = GetDC( *0x47e178);
                  				_t12 = GetDeviceCaps(_t28, 0xc);
                  				ReleaseDC( *0x47e178, _t28);
                  				if(_t12 > 4) {
                  					_t29 = LoadLibraryA("DDRAW.DLL");
                  					if(_t29 != 0) {
                  						_t16 = GetProcAddress(_t29, "DirectDrawEnumerateA");
                  						if(_t16 != 0) {
                  							 *_t16(E0041EEE8, _t30);
                  						}
                  						FreeLibrary(_t29);
                  					}
                  				}
                  				return E0041BEFB( &_v16);
                  			}











                  APIs
                    • Part of subcall function 0041BE35: lstrlenA.KERNEL32(00000000,0047DFB8,0047F2B8,0041B2F4,Astrum Installer,00000000,0047DFB8,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000), ref: 0041BE49
                    • Part of subcall function 0041BE35: GlobalAlloc.KERNEL32(00000042,00000000,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 0041BE54
                    • Part of subcall function 0041BE35: GlobalLock.KERNEL32 ref: 0041BE75
                    • Part of subcall function 00420794: GetComputerNameA.KERNEL32 ref: 004207BF
                    • Part of subcall function 00420794: GetUserNameA.ADVAPI32(00000000,00000100), ref: 0042081E
                    • Part of subcall function 0041F924: GetDC.USER32(00000009), ref: 0041F94D
                    • Part of subcall function 0041F924: GetDeviceCaps.GDI32(00000000,00000008), ref: 0041F95E
                    • Part of subcall function 0041F924: GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041F965
                    • Part of subcall function 0041F924: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041F96D
                    • Part of subcall function 0041F924: ReleaseDC.USER32 ref: 0041F978
                    • Part of subcall function 0042037B: GetSystemInfo.KERNEL32(?,?,?,00000000,?,?,?,?,?,0041F2E6,0047EAA4,00000000,0042E0C8,00000000,00000001,00000001), ref: 00420398
                  • GetDC.USER32(0047EAA4), ref: 0041F2F3
                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041F2FE
                  • ReleaseDC.USER32 ref: 0041F30D
                  • LoadLibraryA.KERNEL32(DDRAW.DLL,?,00000000), ref: 0041F31D
                  • GetProcAddress.KERNEL32(00000000,DirectDrawEnumerateA), ref: 0041F32F
                  • FreeLibrary.KERNEL32(00000000,?,00000000), ref: 0041F342
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: CapsDevice$GlobalLibraryNameRelease$AddressAllocComputerFreeInfoLoadLockProcSystemUserlstrlen
                  • String ID: DDRAW.DLL$DirectDrawEnumerateA
                  • API String ID: 3711895086-3742168443
                  • Opcode ID: 8ce6a746315a39e90f5b78f71b5245f1acafca9eb35746d334086b2a2e85034c
                  • Instruction ID: f50d971d24eabad0d3942204518278dc3872f423c42921db3c5d4f9b29cc9474
                  • Opcode Fuzzy Hash: 8ce6a746315a39e90f5b78f71b5245f1acafca9eb35746d334086b2a2e85034c
                  • Instruction Fuzzy Hash: 9A0104307003246BEB21B767AC4AEBE7768EF80B05780007FF802922A1DF784947866D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 46%
                  			E00427450(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                  				intOrPtr* _t4;
                  				intOrPtr* _t7;
                  				_Unknown_base(*)()* _t11;
                  				void* _t14;
                  				struct HINSTANCE__* _t15;
                  				void* _t17;
                  
                  				_t14 = 0;
                  				_t17 =  *0x47f4a8 - _t14; // 0x0
                  				if(_t17 != 0) {
                  					L4:
                  					_t4 =  *0x47f4ac; // 0x0
                  					if(_t4 != 0) {
                  						_t14 =  *_t4();
                  						if(_t14 != 0) {
                  							_t7 =  *0x47f4b0; // 0x0
                  							if(_t7 != 0) {
                  								_t14 =  *_t7(_t14);
                  							}
                  						}
                  					}
                  					return  *0x47f4a8(_t14, _a4, _a8, _a12);
                  				}
                  				_t15 = LoadLibraryA("user32.dll");
                  				if(_t15 == 0) {
                  					L10:
                  					return 0;
                  				}
                  				_t11 = GetProcAddress(_t15, "MessageBoxA");
                  				 *0x47f4a8 = _t11;
                  				if(_t11 == 0) {
                  					goto L10;
                  				} else {
                  					 *0x47f4ac = GetProcAddress(_t15, "GetActiveWindow");
                  					 *0x47f4b0 = GetProcAddress(_t15, "GetLastActivePopup");
                  					goto L4;
                  				}
                  			}










                  APIs
                  • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00426B79,?,Microsoft Visual C++ Runtime Library,00012010,?,00428A94,?,00428AE4,?,?,?,Runtime Error!Program: ), ref: 00427462
                  • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0042747A
                  • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0042748B
                  • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00427498
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                  • API String ID: 2238633743-4044615076
                  • Opcode ID: 03adae220ba2ac92e5781c7af44260b06c82da7134c75381eb46c402cf3aee39
                  • Instruction ID: b2c2bb2ec5988819b8827ed53610ddeb177762b4ce5a212ddc9ef857ebebcbae
                  • Opcode Fuzzy Hash: 03adae220ba2ac92e5781c7af44260b06c82da7134c75381eb46c402cf3aee39
                  • Instruction Fuzzy Hash: 28012571705332AF8760AFB56C84A1BBED8A6A4791750443EB505C2211DB78D8458B79
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 61%
                  			E004275DE(int _a4, int _a8, signed char _a9, char* _a12, int _a16, short* _a20, int _a24, int _a28, signed int _a32) {
                  				signed int _v8;
                  				intOrPtr _v20;
                  				short* _v28;
                  				int _v32;
                  				short* _v36;
                  				short* _v40;
                  				int _v44;
                  				void* _v60;
                  				int _t61;
                  				int _t62;
                  				int _t82;
                  				int _t83;
                  				int _t88;
                  				short* _t89;
                  				int _t90;
                  				void* _t91;
                  				int _t99;
                  				intOrPtr _t101;
                  				short* _t102;
                  				int _t104;
                  
                  				_push(0xffffffff);
                  				_push(0x428b70);
                  				_push(E00424EE0);
                  				_push( *[fs:0x0]);
                  				 *[fs:0x0] = _t101;
                  				_t102 = _t101 - 0x1c;
                  				_v28 = _t102;
                  				_t104 =  *0x47f4d4; // 0x1
                  				if(_t104 != 0) {
                  					L5:
                  					if(_a16 > 0) {
                  						_t83 = E00427802(_a12, _a16);
                  						_pop(_t91);
                  						_a16 = _t83;
                  					}
                  					_t61 =  *0x47f4d4; // 0x1
                  					if(_t61 != 2) {
                  						if(_t61 != 1) {
                  							goto L21;
                  						} else {
                  							if(_a28 == 0) {
                  								_t82 =  *0x47f4cc; // 0x0
                  								_a28 = _t82;
                  							}
                  							asm("sbb eax, eax");
                  							_t88 = MultiByteToWideChar(_a28, ( ~_a32 & 0x00000008) + 1, _a12, _a16, 0, 0);
                  							_v32 = _t88;
                  							if(_t88 == 0) {
                  								goto L21;
                  							} else {
                  								_v8 = 0;
                  								E00425220(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
                  								_v28 = _t102;
                  								_v40 = _t102;
                  								_v8 = _v8 | 0xffffffff;
                  								if(_v40 == 0 || MultiByteToWideChar(_a28, 1, _a12, _a16, _v40, _t88) == 0) {
                  									goto L21;
                  								} else {
                  									_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
                  									_v44 = _t99;
                  									if(_t99 == 0) {
                  										goto L21;
                  									} else {
                  										if((_a9 & 0x00000004) == 0) {
                  											_v8 = 1;
                  											E00425220(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
                  											_v28 = _t102;
                  											_t89 = _t102;
                  											_v36 = _t89;
                  											_v8 = _v8 | 0xffffffff;
                  											if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
                  												goto L21;
                  											} else {
                  												_push(0);
                  												_push(0);
                  												if(_a24 != 0) {
                  													_push(_a24);
                  													_push(_a20);
                  												} else {
                  													_push(0);
                  													_push(0);
                  												}
                  												_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
                  												if(_t99 == 0) {
                  													goto L21;
                  												} else {
                  													goto L30;
                  												}
                  											}
                  										} else {
                  											if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
                  												L30:
                  												_t62 = _t99;
                  											} else {
                  												goto L21;
                  											}
                  										}
                  									}
                  								}
                  							}
                  						}
                  					} else {
                  						_t62 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
                  					}
                  				} else {
                  					_push(0);
                  					_push(0);
                  					_t90 = 1;
                  					if(LCMapStringW(0, 0x100, 0x428b24, _t90, ??, ??) == 0) {
                  						if(LCMapStringA(0, 0x100, 0x428b20, _t90, 0, 0) == 0) {
                  							L21:
                  							_t62 = 0;
                  						} else {
                  							 *0x47f4d4 = 2;
                  							goto L5;
                  						}
                  					} else {
                  						 *0x47f4d4 = _t90;
                  						goto L5;
                  					}
                  				}
                  				 *[fs:0x0] = _v20;
                  				return _t62;
                  			}
























                  APIs
                  • LCMapStringW.KERNEL32(00000000,00000100,00428B24,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00427620
                  • LCMapStringA.KERNEL32(00000000,00000100,00428B20,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0042763C
                  • LCMapStringA.KERNEL32(?,00000100,00000020,00000001,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00427685
                  • MultiByteToWideChar.KERNEL32(00000000,00000101,00000020,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 004276BD
                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000020,00000001,00000100,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00427715
                  • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0042772B
                  • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0042775E
                  • LCMapStringW.KERNEL32(?,00000100,00000100,00000100,?,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 004277C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: String$ByteCharMultiWide
                  • String ID:
                  • API String ID: 352835431-0
                  • Opcode ID: 39097b5ecb80d1361a9f5b9b480cd0cb0502bb5e73b091448b002788b2a42ed1
                  • Instruction ID: 334531f8ad7043bf74cb80c6d62577d1daf6163ea5b5fe0c8e2428b528b5f75d
                  • Opcode Fuzzy Hash: 39097b5ecb80d1361a9f5b9b480cd0cb0502bb5e73b091448b002788b2a42ed1
                  • Instruction Fuzzy Hash: B751BF31605219EFCF219F94ED85EEF7FB4FB88750F60412AF910A1260C739A861DB68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E0041B749(CHAR* _a4) {
                  				signed int _v5;
                  				signed int _v6;
                  				char* _v12;
                  				char _v24;
                  				int _t32;
                  				char* _t33;
                  				int _t35;
                  				int _t46;
                  				void* _t49;
                  				void* _t50;
                  				void* _t51;
                  				void* _t52;
                  				char* _t53;
                  				void* _t60;
                  				intOrPtr _t61;
                  				char* _t62;
                  				int _t63;
                  				char* _t71;
                  				int _t80;
                  				intOrPtr* _t84;
                  
                  				_t80 =  *0x47e5a4; // 0x0
                  				if(lstrlenA(_a4) >= _t80) {
                  					_t32 =  *0x47e5a4; // 0x0
                  				} else {
                  					_t32 = lstrlenA(_a4);
                  				}
                  				_v12 = _t32;
                  				_t33 =  *0x47e374; // 0x7
                  				_t91 = _v12 - _t33;
                  				if(_v12 >= _t33) {
                  					_v12 = _t33;
                  				}
                  				if(E0041C1FA(0x47e374, _t91, _a4, 1) == 0) {
                  					_v5 = _v5 & 0x00000000;
                  					_v6 = _v6 & 0x00000000;
                  					_t60 = 0;
                  					__eflags = _v12;
                  					if(_v12 <= 0) {
                  						L21:
                  						_t61 =  *0x47e374; // 0x7
                  						_t35 = lstrlenA(_a4);
                  						__eflags = _t35 - _t61;
                  						if(_t35 > _t61) {
                  							L23:
                  							_t62 = E0041D46F("<__Internal_UpdateCannotUpdate1__>");
                  							__eflags = _t62;
                  							if(_t62 == 0) {
                  								_t62 = "This update supports updates from version %s up to version %s. You have version %s and it cannot be updated by this program.";
                  							}
                  							E0041BDC5( &_v24);
                  							_push(_a4);
                  							_push(E0041CD1E(0x47e374));
                  							_push(E0041CD1E(0x47e5a4));
                  							E0041C467( &_v24, _t62);
                  							E0041B2CC(0x47dfb8, 0, E0041CD1E( &_v24), 0, 0);
                  							_t71 =  &_v24;
                  							goto L26;
                  						}
                  						_t63 =  *0x47e5a4; // 0x0
                  						_t46 = lstrlenA(_a4);
                  						__eflags = _t46 - _t63;
                  						if(_t46 >= _t63) {
                  							L27:
                  							return 1;
                  						}
                  						goto L23;
                  					} else {
                  						goto L10;
                  					}
                  					do {
                  						L10:
                  						_t84 = _t60 + _a4;
                  						_t49 = E0041BFE3(0x47e5a4, _t60);
                  						__eflags =  *_t84 - _t49;
                  						if( *_t84 >= _t49) {
                  							L12:
                  							_t50 = E0041BFE3(0x47e5a4, _t60);
                  							__eflags =  *_t84 - _t50;
                  							if( *_t84 > _t50) {
                  								_v6 = 1;
                  							}
                  							_t51 = E0041BFE3(0x47e374, _t60);
                  							__eflags =  *_t84 - _t51;
                  							if( *_t84 > _t51) {
                  								__eflags = _v5;
                  								if(_v5 == 0) {
                  									goto L23;
                  								}
                  							}
                  							goto L16;
                  						}
                  						__eflags = _v6;
                  						if(_v6 == 0) {
                  							goto L23;
                  						}
                  						goto L12;
                  						L16:
                  						_t52 = E0041BFE3(0x47e374, _t60);
                  						__eflags =  *_t84 - _t52;
                  						if( *_t84 < _t52) {
                  							_v5 = 1;
                  						}
                  						_t60 = _t60 + 1;
                  						__eflags = _t60 - _v12;
                  					} while (_t60 < _v12);
                  					__eflags = _v5;
                  					if(_v5 != 0) {
                  						goto L27;
                  					}
                  					goto L21;
                  				} else {
                  					_t53 = E0041D46F("<__Internal_UpdateAlreadyInstalled__>");
                  					_t86 = _t53;
                  					if(_t53 == 0) {
                  						_t86 = "This update updates to version %s which is already installed on your system.";
                  					}
                  					E0041BDC5( &_v24);
                  					_push(E0041CD1E(0x47e374));
                  					E0041C467( &_v24, _t86);
                  					E0041B2CC(0x47dfb8, 0, E0041CD1E( &_v24), 0, 0);
                  					_t71 =  &_v24;
                  					L26:
                  					E0041BEFB(_t71);
                  					return 0;
                  				}
                  			}
























                  APIs
                  • lstrlenA.KERNEL32(?,0047DFB8,?,00000000,?,?,?,?,0041B732,?,?,0047DFB8,?,00000000,0047DFB8), ref: 0041B761
                  • lstrlenA.KERNEL32(?,?,00000000,?,?,?,?,0041B732,?,?,0047DFB8,?,00000000,0047DFB8), ref: 0041B76A
                  • lstrlenA.KERNEL32(?,?,00000001,?,00000000,?,?,?,?,0041B732,?,?,0047DFB8,?,00000000,0047DFB8), ref: 0041B868
                  • lstrlenA.KERNEL32(?,?,00000000,?,?,?,?,0041B732,?,?,0047DFB8,?,00000000,0047DFB8), ref: 0041B877
                  Strings
                  • <__Internal_UpdateCannotUpdate1__>, xrefs: 0041B87D
                  • tG, xrefs: 0041B785
                  • This update updates to version %s which is already installed on your system., xrefs: 0041B7AA, 0041B7C2
                  • This update supports updates from version %s up to version %s. You have version %s and it cannot be updated by this program., xrefs: 0041B88F, 0041B8B5
                  • <__Internal_UpdateAlreadyInstalled__>, xrefs: 0041B798
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: lstrlen
                  • String ID: <__Internal_UpdateAlreadyInstalled__>$<__Internal_UpdateCannotUpdate1__>$This update supports updates from version %s up to version %s. You have version %s and it cannot be updated by this program.$This update updates to version %s which is already installed on your system.$tG
                  • API String ID: 1659193697-2960393938
                  • Opcode ID: 4f077f401ec29313c10081d60f452c3f145c5dd7c1f39a7ee232e5ecadab4a83
                  • Instruction ID: 2c201731e1a9713e9454e6b0e896347747a84652c475a149e91f5efb91133cad
                  • Opcode Fuzzy Hash: 4f077f401ec29313c10081d60f452c3f145c5dd7c1f39a7ee232e5ecadab4a83
                  • Instruction Fuzzy Hash: 6141B371A001186ACB12FBA68DC2AFE7A69DF44308F1440AFE445A3242DB795DC5C7EA
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E004112B1(intOrPtr _a4) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				long _v16;
                  				char _v28;
                  				struct _SHFILEOPSTRUCTA _v60;
                  				void* _t50;
                  				signed int _t60;
                  				long _t63;
                  				signed int _t66;
                  				signed int _t69;
                  				signed int _t73;
                  				signed int _t74;
                  				signed int _t79;
                  				signed char _t85;
                  				void* _t86;
                  				signed int* _t97;
                  				signed int _t110;
                  				signed int* _t129;
                  				signed int _t131;
                  				void* _t135;
                  				intOrPtr _t136;
                  				void* _t140;
                  
                  				_t136 =  *0x47e504; // 0x0
                  				_v8 = 0;
                  				_v12 = 0;
                  				if(_t136 <= 0) {
                  					L31:
                  					return _v8;
                  				} else {
                  					do {
                  						_t129 = E0041E860(0x47e4f8, _v12);
                  						if(_t129[7] != _a4) {
                  							goto L29;
                  						}
                  						_t50 = E00412BA7(_t129[8]);
                  						_t138 = _t50;
                  						if(_t50 == 0) {
                  							goto L29;
                  						}
                  						_t7 =  &(_t129[1]); // 0x4
                  						_t94 = _t7;
                  						E004164B1(0x47dfb8, _t138, _t7);
                  						_t8 =  &(_t129[4]); // 0x10
                  						E004164B1(0x47dfb8, _t138, _t8);
                  						_t129[7] = _t129[7] | 0xffffffff;
                  						E0041A81A(_t138, _t94);
                  						_t11 =  &(_t129[4]); // 0x10
                  						E0041A81A(_t138, _t11);
                  						E0041B3B9(0x47dfb8, _t94, 0x7fffffff);
                  						_t12 =  &(_t129[4]); // 0x10
                  						E0041B3B9(0x47dfb8, _t12, 0x7fffffff);
                  						_t60 =  *_t129;
                  						if(_t60 != 4) {
                  							__eflags = _t60 - 5;
                  							if(_t60 != 5) {
                  								E00424500( &_v60, 0, 0x1e);
                  								_t63 =  *0x47e178; // 0x0
                  								_t135 = _t135 + 0xc;
                  								_v60.hwnd = _t63;
                  								_v60.fFlags = 0x650;
                  								E0041BFF8(_t94, 0);
                  								_v60.pFrom = E0041CD1E(_t94);
                  								_t66 =  *_t129;
                  								__eflags = _t66;
                  								if(_t66 == 0) {
                  									L11:
                  									_t19 =  &(_t129[4]); // 0x10
                  									_t95 = _t19;
                  									E0041BFF8(_t19, 0);
                  									_v60.pTo = E0041CD1E(_t95);
                  									L12:
                  									_t69 =  *_t129;
                  									_t110 = 1;
                  									__eflags = _t69 - _t110;
                  									if(_t69 != _t110) {
                  										__eflags = _t69 - 2;
                  										if(_t69 != 2) {
                  											__eflags = _t69 - 3;
                  											_t110 = ((0 | _t69 != 0x00000003) - 0x00000001 & 0x00000002) + 2;
                  											__eflags = _t110;
                  										}
                  										_v60.wFunc = _t110;
                  									} else {
                  										_v60.wFunc = 3;
                  									}
                  									_t25 =  &(_t129[4]); // 0x10
                  									_v16 = GetFileAttributesA(E0041CD1E(_t25));
                  									_t73 = SHFileOperationA( &_v60);
                  									__eflags = _t73;
                  									if(_t73 == 0) {
                  										__eflags =  *_t129 - _t73;
                  										if( *_t129 == _t73) {
                  											__eflags = _v16 - 0xffffffff;
                  											if(_v16 == 0xffffffff) {
                  												_v8 = _v8 + 1;
                  												_t31 =  &(_t129[4]); // 0x10
                  												_t85 = GetFileAttributesA(E0041CD1E(_t31));
                  												__eflags = _t85 - 0xffffffff;
                  												if(_t85 != 0xffffffff) {
                  													__eflags = _t85 & 0x00000010;
                  													if((_t85 & 0x00000010) == 0) {
                  														_t34 =  &(_t129[4]); // 0x10
                  														_t86 = E0041CD1E(_t34);
                  														_push(0x47e794);
                  														_push(_t86);
                  														E00421CE6(__eflags);
                  													}
                  												}
                  											}
                  										}
                  									}
                  									_t74 = _t129[4];
                  									_t36 =  &(_t129[4]); // 0x10
                  									_t97 = _t36;
                  									__eflags = _t74 - 4;
                  									if(_t74 <= 4) {
                  										goto L29;
                  									} else {
                  										_t131 =  *_t129;
                  										__eflags = _t131 - 2;
                  										if(_t131 == 2) {
                  											L26:
                  											E0041BE99( &_v28, E0041CC95(_t97, _t74 + 0xfffffffb, 4));
                  											E0041CD68( &_v28);
                  											_t79 = E0041C1FA( &_v28, __eflags, ".TTF", 1);
                  											__eflags = _t79;
                  											if(_t79 != 0) {
                  												AddFontResourceA(E0041CD1E(_t97));
                  												SendMessageA(0xffff, 0x1d, 0, 0);
                  											}
                  											E0041BEFB( &_v28);
                  											goto L29;
                  										}
                  										__eflags = _t131;
                  										if(_t131 != 0) {
                  											goto L29;
                  										}
                  										goto L26;
                  									}
                  								}
                  								__eflags = _t66 - 2;
                  								if(_t66 == 2) {
                  									goto L11;
                  								}
                  								__eflags = _t66 - 3;
                  								if(_t66 != 3) {
                  									goto L12;
                  								}
                  								goto L11;
                  							} else {
                  								RemoveDirectoryA(E0041CD1E(_t94));
                  								goto L29;
                  							}
                  						} else {
                  							_v8 = _v8 + 1;
                  							E00424269(E0041CD1E(_t94));
                  						}
                  						L29:
                  						_v12 = _v12 + 1;
                  						_t140 = _v12 -  *0x47e504; // 0x0
                  					} while (_t140 < 0);
                  					goto L31;
                  				}
                  			}

                  APIs
                    • Part of subcall function 0041A81A: GetShortPathNameA.KERNEL32 ref: 0041A8E4
                    • Part of subcall function 0041A81A: GetFileAttributesA.KERNELBASE(00000000,?,0047E5F8,-00000001,00000000,00000000), ref: 0041A955
                    • Part of subcall function 0041A81A: GetShortPathNameA.KERNEL32 ref: 0041A96C
                  • RemoveDirectoryA.KERNEL32(00000000,00000010,7FFFFFFF,00000004,7FFFFFFF,00000010,00000004,00000010,00000004,00000001,0047F208,0047E880,00000000), ref: 00411372
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$NamePathShort$AllocAttributesDirectoryFileLockRemoveUnlock
                  • String ID: .TTF
                  • API String ID: 2727204524-1265958280
                  • Opcode ID: 049cd381d1cab2b93e529b609a5eb2fd534a0ad8c8c0e5ddd047e13911aedb5f
                  • Instruction ID: fefd7509dd6e5bca57800802f9db65f3eb1c2731682be84efcab5a7d41e1a5f7
                  • Opcode Fuzzy Hash: 049cd381d1cab2b93e529b609a5eb2fd534a0ad8c8c0e5ddd047e13911aedb5f
                  • Instruction Fuzzy Hash: 5251B130700209ABDB14EF76DC86AEE7764AF04714F60062FF616D66E1DB3899C58B5C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E00414A3D(intOrPtr __ecx, void* _a4, intOrPtr* _a8, intOrPtr _a12) {
                  				char _v16;
                  				intOrPtr _v20;
                  				char _v32;
                  				char _v292;
                  				void* _t31;
                  				intOrPtr _t45;
                  				void* _t51;
                  				void* _t53;
                  				CHAR* _t61;
                  				int _t63;
                  				char* _t74;
                  				long _t105;
                  				void* _t108;
                  				void* _t109;
                  				intOrPtr _t114;
                  
                  				_t74 = _a4;
                  				_v20 = __ecx;
                  				while(E0040DF52(E0041CD1E(_t74)) != 0) {
                  					_t78 = _t74;
                  					_a4 = CreateFileA(E0041CD1E(_t74), 0xc0000000, 0, 0, 3, 0x80, 0);
                  					_t105 = GetLastError();
                  					CloseHandle(_a4);
                  					if(_t105 == 0xc || _t105 == 0x20) {
                  						_t114 =  *0x47e19c; // 0x1
                  						if(_t114 == 0) {
                  							L10:
                  							__eflags =  *0x47e192 & 0x00000040;
                  							if(( *0x47e192 & 0x00000040) != 0) {
                  								E0041DBFF(_t78,  &_v292, ".tmp");
                  								E0041C0C5(0x47e6b0, __eflags, _t74);
                  								E0041BFF8(0x47e6b0, 0);
                  								E0041C047(0x47e6b0,  &_v292, 0);
                  								E0041BFF8(0x47e6b0, 0);
                  								E0041BF12(_t74,  &_v292);
                  								_t45 = 1;
                  								 *_a8 = _t45;
                  								return _t45;
                  							}
                  							E0041BDC5( &_v32);
                  							_push(E0041CD1E(_t74));
                  							E0041C467( &_v32, E0041CD1E(0x47ee40));
                  							_t109 = _t109 + 0xc;
                  							_t51 = E0041CD1E(0x47e700);
                  							_t53 = E0041B2CC(0x47dfb8,  *((intOrPtr*)(_v20 + 8)), E0041CD1E( &_v32), _t51, 5);
                  							__eflags = _t53 - 4;
                  							if(_t53 != 4) {
                  								E0041BEFB( &_v32);
                  								return 0;
                  							}
                  							E0041BEFB( &_v32);
                  							continue;
                  						}
                  						E0041BE99( &_v16, _t74);
                  						E0041C047( &_v16, ".delete_on_reboot0", 0);
                  						_t108 = 1;
                  						while(E0040DF52(E0041CD1E( &_v16)) != 0) {
                  							E0041C3A9( &_v16, _v16 - 1, 1);
                  							_push(_t108);
                  							E0041C467( &_v16, "%d");
                  							_t109 = _t109 + 0xc;
                  							_t108 = _t108 + 1;
                  						}
                  						_t61 = E0041CD1E( &_v16);
                  						_t63 = MoveFileExA(E0041CD1E(_t74), _t61, 0);
                  						__eflags = _t63;
                  						if(_t63 != 0) {
                  							E0041BF80(_a12,  &_v16);
                  							 *_a8 = 2;
                  							E0041BEFB( &_v16);
                  							break;
                  						}
                  						_t78 =  &_v16;
                  						E0041BEFB( &_v16);
                  						goto L10;
                  					} else {
                  						break;
                  					}
                  				}
                  				_t31 = 1;
                  				return _t31;
                  			}

                  APIs
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000080,00000000,00000001,00000000,00000001), ref: 00414A7E
                  • GetLastError.KERNEL32 ref: 00414A87
                  • CloseHandle.KERNEL32(00000000), ref: 00414A92
                  • MoveFileExA.KERNEL32 ref: 00414B11
                    • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                    • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                    • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                    • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                    • Part of subcall function 0041BFF8: GlobalUnlock.KERNEL32(8415FF57,0047E788,004221E2,00000000,00000000,00000000,0047E788,00000000), ref: 0041C000
                    • Part of subcall function 0041BFF8: GlobalReAlloc.KERNEL32 ref: 0041C00D
                    • Part of subcall function 0041BFF8: GlobalLock.KERNEL32 ref: 0041C02E
                    • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0221020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                    • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                    • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                    • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                    • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$Unlock$AllocLock$File$CloseCreateErrorFreeHandleLastMovelstrlen
                  • String ID: .delete_on_reboot0$.tmp$@G
                  • API String ID: 1090038778-567893780
                  • Opcode ID: c8019068e1191b823d5cc3fbb0f74cded316c9d1d39c6097f7a376d3ce6d636d
                  • Instruction ID: 13ee51e1832359dd17840035b39a2d50a49c2f3663439cc94ee8a545bfb2738e
                  • Opcode Fuzzy Hash: c8019068e1191b823d5cc3fbb0f74cded316c9d1d39c6097f7a376d3ce6d636d
                  • Instruction Fuzzy Hash: 8D41B871A40119A6CF14BBA6DC96EEE77699F88308F10446FF506E3182DF3C5985C65C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 84%
                  			E00413A88(intOrPtr __ecx, void** _a4) {
                  				char _v5;
                  				void* _v20;
                  				intOrPtr _v24;
                  				char _v36;
                  				char _v52;
                  				void _v563;
                  				char _v564;
                  				intOrPtr _t32;
                  				int _t39;
                  				void* _t48;
                  				int _t68;
                  				void* _t75;
                  				signed int _t83;
                  				void* _t94;
                  				void* _t97;
                  				void* _t105;
                  				void* _t106;
                  				intOrPtr _t112;
                  
                  				_t32 =  *0x47e6c8; // 0x44
                  				 *0x42bf9c =  *0x42bf9c + 1;
                  				_v24 = __ecx;
                  				E0041BE99( &_v20, E0041CC95(0x47e6c8, 0, _t32 + 0xfffffffd));
                  				E00427836( *0x42bf9c,  &_v52, 0xa);
                  				_t106 = _t105 + 0xc;
                  				_t97 = 0;
                  				_t39 = lstrlenA( &_v52);
                  				_t75 = 3;
                  				if(_t75 != _t39) {
                  					do {
                  						E0041BFF8( &_v20, 0x30);
                  						_t97 = _t97 + 1;
                  						_t68 = lstrlenA( &_v52);
                  						_t94 = 3;
                  					} while (_t97 < _t94 - _t68);
                  				}
                  				E0041C047( &_v20,  &_v52, 0);
                  				_v5 = 0;
                  				L3:
                  				while(1) {
                  					if(_v5 != 0 || E0040DF52(E0041CD1E( &_v20)) == 0) {
                  						_t112 =  *0x47f27c; // 0x1
                  						if(_t112 != 0 || DialogBoxParamA( *0x47e17c, 0x8a,  *(_v24 + 8), E00413748,  &_v20) == 0) {
                  							E0041A1B5(1);
                  						} else {
                  							goto L7;
                  						}
                  					} else {
                  						L7:
                  						_t48 = CreateFileA(E0041CD1E( &_v20), 0x80000000, 1, 0, 3, 0x80, 0);
                  						 *_a4 = _t48;
                  						if(_t48 != 0xffffffff) {
                  							E0041BF80(0x47e6c8,  &_v20);
                  							_push(1);
                  							_pop(0);
                  						} else {
                  							_t83 = 0x7f;
                  							_v564 = 0;
                  							memset( &_v563, 0, _t83 << 2);
                  							asm("stosw");
                  							asm("stosb");
                  							FormatMessageA(0x1000, 0, GetLastError(), 0x400,  &_v564, 0x200, 0);
                  							E0041BDC5( &_v36);
                  							_push( &_v564);
                  							_push(E0041CD1E( &_v20));
                  							E0041C467( &_v36, "File \"%s\" could not be opened. Error: %s");
                  							_t106 = _t106 + 0x1c;
                  							E0041B2A8( *(_v24 + 8), E0041CD1E( &_v36), 0);
                  							_v5 = 1;
                  							E0041BEFB( &_v36);
                  							continue;
                  						}
                  					}
                  					E0041BEFB( &_v20);
                  					return 0;
                  				}
                  			}

                  APIs
                    • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                    • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                  • lstrlenA.KERNEL32(000000A8,0047E1B8,?,0000005C), ref: 00413ADC
                  • lstrlenA.KERNEL32(000000A8,00000030), ref: 00413AF4
                  • DialogBoxParamA.USER32 ref: 00413B52
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00413B79
                  • GetLastError.KERNEL32 ref: 00413BA3
                  • FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000200,00000000), ref: 00413BC2
                    • Part of subcall function 0041BFF8: GlobalUnlock.KERNEL32(8415FF57,0047E788,004221E2,00000000,00000000,00000000,0047E788,00000000), ref: 0041C000
                    • Part of subcall function 0041BFF8: GlobalReAlloc.KERNEL32 ref: 0041C00D
                    • Part of subcall function 0041BFF8: GlobalLock.KERNEL32 ref: 0041C02E
                  Strings
                  • File "%s" could not be opened. Error: %s, xrefs: 00413BE3
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp Download File
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLocklstrlen$CreateDialogErrorFileFormatLastMessageParamUnlock
                  • String ID: File "%s" could not be opened. Error: %s
                  • API String ID: 1137091683-3606797700
                  • Opcode ID: 05c5874e8c84a40f5af4de4f2425b1f1c49626199820b519cbb6185dba5cbc98
                  • Instruction ID: ef9122ae9abc39f67992f30ed21fe6da80a0bf8a9b8eac584c3fd464a65e5e51
                  • Opcode Fuzzy Hash: 05c5874e8c84a40f5af4de4f2425b1f1c49626199820b519cbb6185dba5cbc98
                  • Instruction Fuzzy Hash: 8841E571A40219AADF10EBB5DC95FEE777CEF14304F40006EF105B61D1EB786A89CAA8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E004224AD(void* __ecx, long _a4) {
                  				long _v8;
                  				int _v12;
                  				long _t12;
                  				void* _t13;
                  				intOrPtr* _t14;
                  				void* _t20;
                  				struct _OVERLAPPED* _t31;
                  				void* _t33;
                  				intOrPtr _t48;
                  				void* _t50;
                  				void* _t52;
                  				void* _t56;
                  				void* _t58;
                  				void* _t59;
                  				void* _t61;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t12 = _a4;
                  				_t31 = 0;
                  				_t56 =  *0x47e540 - _t31; // 0x0
                  				_t2 = _t12 + 0x34; // 0xfc75ffd7
                  				_t48 =  *_t2;
                  				if(_t56 <= 0) {
                  					L6:
                  					_t52 = 0;
                  					_t59 =  *0x47e52c - _t52; // 0x0
                  					if(_t59 <= 0) {
                  						L19:
                  						_t13 = 0;
                  						L20:
                  						return _t13;
                  					} else {
                  						goto L7;
                  					}
                  					while(1) {
                  						L7:
                  						_t14 = E0041E860(0x47e520, _t52);
                  						if( *_t14 == _t48) {
                  							break;
                  						}
                  						_t52 = _t52 + 1;
                  						_t61 = _t52 -  *0x47e52c; // 0x0
                  						if(_t61 < 0) {
                  							continue;
                  						}
                  						goto L19;
                  					}
                  					_t15 = _t14 + 4;
                  					if(_t14 + 4 == 0) {
                  						goto L19;
                  					}
                  					_t50 = CreateFileA(E0041CD1E(_t15), 0x80000000, 1, 0, 3, 0x80, 0);
                  					if(_t50 == 0xffffffff) {
                  						goto L19;
                  					}
                  					_a4 = GetFileSize(_t50, 0);
                  					if(E00424DD9(0xc) == 0) {
                  						_t33 = 0;
                  					} else {
                  						_t33 = E0041BDC5(_t19);
                  					}
                  					_t20 = E0041C65C(_t33, _a4);
                  					if(_t20 != 0) {
                  						_v8 = 0;
                  						_v12 = ReadFile(_t50, _t20, _a4,  &_v8, 0);
                  						CloseHandle(_t50);
                  						if(_v12 == 0 || _v8 != _a4) {
                  							goto L17;
                  						} else {
                  							_t13 = _t33;
                  							goto L20;
                  						}
                  					} else {
                  						CloseHandle(_t50);
                  						L17:
                  						if(_t33 != 0) {
                  							E0041BEFB(_t33);
                  							E00424DCE(_t33);
                  						}
                  						goto L19;
                  					}
                  				}
                  				while(E0041E860(0x47e534, _t31) != _t48) {
                  					_t31 =  &(_t31->Internal);
                  					_t58 = _t31 -  *0x47e540; // 0x0
                  					if(_t58 < 0) {
                  						continue;
                  					}
                  					goto L6;
                  				}
                  				_t48 = E0041E860(0x47e534,  &(_t31->Internal));
                  				goto L6;
                  			}



















                  APIs
                  • CreateFileA.KERNEL32(00000000,00000001,00000000,00000003,00000080,00000000,00000000,0047E490,00000000,00000000,?,?,?,00422691,00000000,00422D86), ref: 00422536
                  • GetFileSize.KERNEL32(00000000,00000000,?,00422691,00000000,00422D86,0047E490,00000000,0042DBB4,0047E788,0047E33C), ref: 00422545
                  • CloseHandle.KERNEL32(00000000,00422D86,?,00422691,00000000,00422D86,0047E490,00000000,0042DBB4,0047E788,0047E33C), ref: 00422576
                  • ReadFile.KERNEL32(00000000,00000000,00422D86,0047E490,00000000,00422D86,?,00422691,00000000,00422D86,0047E490,00000000,0042DBB4,0047E788,0047E33C), ref: 004225A4
                  • CloseHandle.KERNEL32(00000000,?,00422691,00000000,00422D86,0047E490,00000000,0042DBB4,0047E788,0047E33C), ref: 004225AE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: File$CloseHandle$CreateReadSize
                  • String ID: G$4G
                  • API String ID: 3664964396-1092705001
                  • Opcode ID: 9a6a8777cdfa7c77cb936d0936636049102e2a8def0660001574716ace2b74fb
                  • Instruction ID: 468c59607e689fc460535f1cb9d03b19926b13a079158055e4d039246126677d
                  • Opcode Fuzzy Hash: 9a6a8777cdfa7c77cb936d0936636049102e2a8def0660001574716ace2b74fb
                  • Instruction Fuzzy Hash: 61312C31701134FBDB206F76AD948AE7669EB48758BA0893FF106D3141DAB88DC187AD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E00426A55(void* __edi, long _a4) {
                  				char _v164;
                  				char _v424;
                  				int _t17;
                  				long _t19;
                  				signed int _t42;
                  				long _t47;
                  				void* _t48;
                  				signed int _t54;
                  				void** _t56;
                  				void* _t57;
                  
                  				_t48 = __edi;
                  				_t47 = _a4;
                  				_t42 = 0;
                  				_t17 = 0x42dee8;
                  				while(_t47 !=  *_t17) {
                  					_t17 = _t17 + 8;
                  					_t42 = _t42 + 1;
                  					if(_t17 < 0x42df78) {
                  						continue;
                  					}
                  					break;
                  				}
                  				_t54 = _t42 << 3;
                  				_t2 = _t54 + 0x42dee8; // 0x94000000
                  				if(_t47 ==  *_t2) {
                  					_t17 =  *0x47f380; // 0x0
                  					if(_t17 == 1 || _t17 == 0 &&  *0x42dc34 == 1) {
                  						_t16 = _t54 + 0x42deec; // 0x428a94
                  						_t56 = _t16;
                  						_t19 = E00424970( *_t56);
                  						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
                  					} else {
                  						if(_t47 != 0xfc) {
                  							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
                  								E00425080( &_v424, "<program name unknown>");
                  							}
                  							_push(_t48);
                  							_t49 =  &_v424;
                  							if(E00424970( &_v424) + 1 > 0x3c) {
                  								_t49 = E00424970( &_v424) +  &_v424 - 0x3b;
                  								E004274E0(E00424970( &_v424) +  &_v424 - 0x3b, "...", 3);
                  								_t57 = _t57 + 0x10;
                  							}
                  							E00425080( &_v164, "Runtime Error!\n\nProgram: ");
                  							E00425090( &_v164, _t49);
                  							E00425090( &_v164, "\n\n");
                  							_t12 = _t54 + 0x42deec; // 0x428a94
                  							E00425090( &_v164,  *_t12);
                  							_t17 = E00427450( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
                  						}
                  					}
                  				}
                  				return _t17;
                  			}

                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00426AC2
                  • GetStdHandle.KERNEL32(000000F4,00428A94,00000000,?,00000000,00000000), ref: 00426B98
                  • WriteFile.KERNEL32(00000000), ref: 00426B9F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: File$HandleModuleNameWrite
                  • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                  • API String ID: 3784150691-4022980321
                  • Opcode ID: 8d3ff2caa750b5588205c198fdd24b33ff3624019d3c0a2aa5729fd559ad871a
                  • Instruction ID: 0f70a1d10312b81e6f54c73e82e1ba1951fbcdd9d2096f1ce99f7ebea21e28fe
                  • Opcode Fuzzy Hash: 8d3ff2caa750b5588205c198fdd24b33ff3624019d3c0a2aa5729fd559ad871a
                  • Instruction Fuzzy Hash: 2731C672B012386FDF20D660EC45FAE376CEB45304FD104ABF544E6150EA78AA85CB5D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E0041B61B(void* __ecx, void* __esi, void* __eflags) {
                  				void* _v8;
                  				int _v12;
                  				char _v24;
                  				char _v284;
                  				void* __edi;
                  				long _t34;
                  				int* _t37;
                  				int* _t39;
                  				void* _t49;
                  				void* _t50;
                  				void* _t58;
                  				void* _t59;
                  
                  				_t50 = __esi;
                  				_t49 = __ecx;
                  				E0041BDC5( &_v24);
                  				_push(E0041CD1E(0x47e350));
                  				E0041C467( &_v24, "%s installation couldn\'t be found. Try re-installing the application before running update.");
                  				_t39 = 0;
                  				if(RegOpenKeyExA( *0x47e588, E0041CD1E(0x47e58c), 0, 0x20019,  &_v8) != 0) {
                  					L5:
                  					__eflags =  *0x47e6bc - _t39; // 0x0
                  					if(__eflags == 0) {
                  						E0041B2A8(_t39, E0041CD1E( &_v24), _t39);
                  					} else {
                  						 *0x47e18c =  *0x47e18c & 0xffffffbf;
                  						E0041D728("<IsUpdate>", _t39);
                  						goto L9;
                  					}
                  				} else {
                  					_t58 =  *0x47e598 - _t39; // 0x0
                  					if(_t58 != 0) {
                  						L4:
                  						_push(_t50);
                  						_v12 = 0x104;
                  						E00424500( &_v284, _t39, 0x104);
                  						_t34 = RegQueryValueExA(_v8, E0041CD1E(0x47e598), _t39, _t39,  &_v284,  &_v12);
                  						RegCloseKey(_v8);
                  						__eflags = _t34 - _t39;
                  						if(_t34 == _t39) {
                  							__eflags =  *0x47e5a4 - _t39; // 0x0
                  							if(__eflags != 0) {
                  								__eflags =  *0x47e191 & 0x00000020;
                  								_push( &_v284);
                  								if(__eflags == 0) {
                  									_t37 = E0041B8EA(_t49, __eflags);
                  								} else {
                  									_t37 = E0041B749();
                  								}
                  								_t39 = _t37;
                  							} else {
                  								goto L9;
                  							}
                  						} else {
                  							goto L5;
                  						}
                  					} else {
                  						_t59 =  *0x47e5a4 - _t39; // 0x0
                  						if(_t59 != 0) {
                  							goto L4;
                  						} else {
                  							RegCloseKey(_v8);
                  							L9:
                  							_t39 = 1;
                  						}
                  					}
                  				}
                  				E0041BEFB( &_v24);
                  				return _t39;
                  			}

                  APIs
                    • Part of subcall function 0041BDC5: GlobalAlloc.KERNELBASE(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                    • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                  • RegOpenKeyExA.ADVAPI32(00000000,00000000,00020019,00000000,?,00000000,0047DFB8), ref: 0041B669
                  • RegCloseKey.ADVAPI32(00000000,?,00000000,0047DFB8), ref: 0041B686
                  • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,?,0047DFB8,?,?,0047DFB8,?,00000000,0047DFB8), ref: 0041B6C6
                  • RegCloseKey.ADVAPI32(00000000,?,?,0047DFB8,?,00000000,0047DFB8), ref: 0041B6D1
                  Strings
                  • <IsUpdate>, xrefs: 0041B6EC
                  • PG, xrefs: 0041B630
                  • %s installation couldn't be found. Try re-installing the application before running update., xrefs: 0041B63E
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$lstrlen$AllocCloseLock$OpenQueryUnlockValue
                  • String ID: %s installation couldn't be found. Try re-installing the application before running update.$<IsUpdate>$PG
                  • API String ID: 1725748585-3551563719
                  • Opcode ID: a6a7fe9b5aa94a618adb24312834125a62caa7a1b1ccc239d4fd5e70e750e62b
                  • Instruction ID: b90e6fdb30e05719f3732ba3869b588a65d76d86e8ccd66f67b7a23a7f2ad67b
                  • Opcode Fuzzy Hash: a6a7fe9b5aa94a618adb24312834125a62caa7a1b1ccc239d4fd5e70e750e62b
                  • Instruction Fuzzy Hash: E2318BB190020CBFDB10AB92DD86DFE776CDB54308B50017FF505A2191EB384EC59AAE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041285D(intOrPtr _a4, signed int _a7, intOrPtr _a8, signed int _a12, char _a16) {
                  				signed int _v5;
                  				CHAR* _v12;
                  				CHAR* _v16;
                  				intOrPtr* _v20;
                  				signed int _v24;
                  				char _v36;
                  				char _v48;
                  				signed int _t96;
                  				CHAR* _t99;
                  				CHAR* _t101;
                  				void* _t102;
                  				signed int _t105;
                  				signed int _t111;
                  				signed int _t115;
                  				signed int _t118;
                  				signed int _t127;
                  				CHAR* _t139;
                  				signed int _t151;
                  				signed int _t157;
                  				signed int _t158;
                  				signed int _t159;
                  				intOrPtr _t160;
                  				signed int _t200;
                  				void* _t201;
                  				void* _t203;
                  				CHAR* _t207;
                  				signed int _t212;
                  				void* _t214;
                  
                  				_t160 = _a4;
                  				_t96 = _a12 * 0x1c;
                  				_t197 = _t96 + _t160;
                  				_v20 = _t96 + _t160;
                  				_v24 = _t96 + _t160 + 0x10;
                  				while(1) {
                  					_t199 = _v20;
                  					_t99 = E0041D46F(E0041CD1E(_v20));
                  					_t157 = _v24;
                  					_v16 = _t99;
                  					_t101 = E0041D46F(E0041CD1E(_t157));
                  					_a7 = _a7 & 0x00000000;
                  					_v5 = _v5 & 0x00000000;
                  					_v12 = _t101;
                  					if(_v16 == 0) {
                  						_t102 = E0041BFE3(_t199, 0);
                  						__eflags = _t102 - 0x22;
                  						if(_t102 == 0x22) {
                  							E0041BE99( &_v36, E0041CC95(_t199, 1,  *_t199 + 0xfffffffe));
                  							_t151 = E00424DD9(_v36 + 1);
                  							__eflags = _t151;
                  							_v16 = _t151;
                  							if(_t151 == 0) {
                  								E0041D881(E0041CD1E(0x47e924));
                  							}
                  							lstrcpyA(_v16, E0041CD1E( &_v36));
                  							_a7 = 1;
                  							E0041BEFB( &_v36);
                  						}
                  						__eflags = _v12;
                  					} else {
                  						_t207 = _t101;
                  					}
                  					if(_t207 != 0 || E0041BFE3(_t157, 0) != 0x22) {
                  						L13:
                  						if(_v16 == 0) {
                  							__eflags = _v12;
                  							if(_v12 == 0) {
                  								L32:
                  								_t200 =  *(_v20 + 0xc);
                  								if(_v16 == 0 || _v12 == 0) {
                  									_t158 = E0041425E(_t197, _v20);
                  									_t105 = E0041425E(_t197, _v24);
                  									__eflags = _t200;
                  									if(_t200 != 0) {
                  										__eflags = _t200 - 1;
                  										if(_t200 != 1) {
                  											__eflags = _t200 - 2;
                  											if(_t200 != 2) {
                  												__eflags = _t200 - 3;
                  												if(_t200 != 3) {
                  													__eflags = _t200 - 4;
                  													if(_t200 != 4) {
                  														__eflags = _t200 - 5;
                  														if(_t200 != 5) {
                  															__eflags = _t158 & _t105;
                  															L64:
                  															_t84 = __eflags != 0;
                  															__eflags = _t84;
                  															_t159 = _t158 & 0xffffff00 | _t84;
                  															goto L65;
                  														}
                  														__eflags = _t158 - _t105;
                  														_t159 = _t158 & 0xffffff00 | _t158 - _t105 <= 0x00000000;
                  														goto L65;
                  													}
                  													__eflags = _t158 - _t105;
                  													_t159 = _t158 & 0xffffff00 | _t158 - _t105 >= 0x00000000;
                  													goto L65;
                  												}
                  												__eflags = _t158 - _t105;
                  												_t159 = _t158 & 0xffffff00 | _t158 - _t105 < 0x00000000;
                  												goto L65;
                  											}
                  											__eflags = _t158 - _t105;
                  											_t159 = _t158 & 0xffffff00 | _t158 - _t105 > 0x00000000;
                  											goto L65;
                  										}
                  										__eflags = _t158 - _t105;
                  										goto L64;
                  									}
                  									__eflags = _t158 - _t105;
                  									_t159 = _t158 & 0xffffff00 | _t158 == _t105;
                  									goto L65;
                  								} else {
                  									_t111 = E00424A30(_v16, _v12);
                  									if(_t200 != 0) {
                  										__eflags = _t200 - 1;
                  										if(_t200 != 1) {
                  											__eflags = _t200 - 2;
                  											if(_t200 != 2) {
                  												__eflags = _t200 - 3;
                  												if(_t200 != 3) {
                  													__eflags = _t200 - 4;
                  													if(_t200 != 4) {
                  														__eflags = _t200 - 5;
                  														if(_t200 != 5) {
                  															_t159 = 0;
                  															__eflags = 0;
                  														} else {
                  															__eflags = _t111;
                  															_t159 = _t157 & 0xffffff00 | _t111 <= 0x00000000;
                  														}
                  													} else {
                  														__eflags = _t111;
                  														_t159 = _t157 & 0xffffff00 | _t111 >= 0x00000000;
                  													}
                  												} else {
                  													__eflags = _t111;
                  													_t159 = _t157 & 0xffffff00 | _t111 < 0x00000000;
                  												}
                  											} else {
                  												__eflags = _t111;
                  												_t159 = _t157 & 0xffffff00 | _t111 > 0x00000000;
                  											}
                  										} else {
                  											__eflags = _t111;
                  											_t159 = _t157 & 0xffffff00 | _t111 != 0x00000000;
                  										}
                  									} else {
                  										_t159 = _t157 & 0xffffff00 | _t111 == 0x00000000;
                  									}
                  									if(_a7 != 0) {
                  										E00424DCE(_v16);
                  									}
                  									if(_v5 != 0) {
                  										E00424DCE(_v12);
                  									}
                  									L65:
                  									if(_a12 == _a8 - 1) {
                  										return _t159;
                  									}
                  									if(_t159 == 0) {
                  										__eflags = _a16;
                  										if(_a16 == 0) {
                  											__eflags = 0;
                  											return 0;
                  										}
                  										L68:
                  										_a12 = _a12 + 1;
                  										_v20 = _v20 + 0x1c;
                  										_v24 = _v24 + 0x1c;
                  										continue;
                  									}
                  									if(_a16 != 0) {
                  										return 1;
                  									}
                  									goto L68;
                  								}
                  							}
                  							_t157 = 0;
                  							__eflags =  *0x47e4dc; // 0x8
                  							if(__eflags <= 0) {
                  								goto L32;
                  							} else {
                  								goto L25;
                  							}
                  							while(1) {
                  								L25:
                  								_t201 = E0041E860(0x47e4d0, _t157);
                  								_t115 = E0041C176(_t201, __eflags, _v24, 1);
                  								__eflags = _t115;
                  								if(_t115 != 0) {
                  									break;
                  								}
                  								_t157 = _t157 + 1;
                  								__eflags = _t157 -  *0x47e4dc; // 0x8
                  								if(__eflags < 0) {
                  									continue;
                  								}
                  								goto L32;
                  							}
                  							__eflags =  *(_t201 + 0xc);
                  							if( *(_t201 + 0xc) == 0) {
                  								_t202 = _v20;
                  								_t118 = E00424DD9( *_v20 + 1);
                  								__eflags = _t118;
                  								_v16 = _t118;
                  								if(_t118 == 0) {
                  									E0041D881(E0041CD1E(0x47e924));
                  								}
                  								lstrcpyA(_v16, E0041CD1E(_t202));
                  								_a7 = 1;
                  							}
                  							goto L32;
                  						}
                  						if(_v12 != 0) {
                  							goto L32;
                  						}
                  						_t157 = 0;
                  						_t212 =  *0x47e4dc; // 0x8
                  						if(_t212 <= 0) {
                  							goto L32;
                  						} else {
                  							goto L16;
                  						}
                  						while(1) {
                  							L16:
                  							_t203 = E0041E860(0x47e4d0, _t157);
                  							if(E0041C176(_t203, _t212, _v20, 1) != 0) {
                  								break;
                  							}
                  							_t157 = _t157 + 1;
                  							_t214 = _t157 -  *0x47e4dc; // 0x8
                  							if(_t214 < 0) {
                  								continue;
                  							}
                  							goto L32;
                  						}
                  						__eflags =  *(_t203 + 0xc);
                  						if( *(_t203 + 0xc) == 0) {
                  							_t204 = _v24;
                  							_t127 = E00424DD9( *_v24 + 1);
                  							__eflags = _t127;
                  							_v12 = _t127;
                  							if(_t127 == 0) {
                  								E0041D881(E0041CD1E(0x47e924));
                  							}
                  							lstrcpyA(_v12, E0041CD1E(_t204));
                  							_v5 = 1;
                  						}
                  						goto L32;
                  					} else {
                  						E0041BE99( &_v48, E0041CC95(_t157, 1,  *_t157 + 0xfffffffe));
                  						_t139 = E00424DD9(_v48 + 1);
                  						_v12 = _t139;
                  						if(_t139 == 0) {
                  							E0041D881(E0041CD1E(0x47e924));
                  						}
                  						lstrcpyA(_v12, E0041CD1E( &_v48));
                  						_v5 = 1;
                  						E0041BEFB( &_v48);
                  						goto L13;
                  					}
                  				}
                  			}
                  0x00412b28
                  0x00412b2a
                  0x00000000
                  0x00412a9a
                  0x00412aa0
                  0x00412aa9
                  0x00412ab2
                  0x00412ab5
                  0x00412abe
                  0x00412ac1
                  0x00412aca
                  0x00412acd
                  0x00412ad6
                  0x00412ad9
                  0x00412ae2
                  0x00412ae5
                  0x00412aee
                  0x00412aee
                  0x00412ae7
                  0x00412ae7
                  0x00412ae9
                  0x00412ae9
                  0x00412adb
                  0x00412adb
                  0x00412add
                  0x00412add
                  0x00412acf
                  0x00412acf
                  0x00412ad1
                  0x00412ad1
                  0x00412ac3
                  0x00412ac3
                  0x00412ac5
                  0x00412ac5
                  0x00412ab7
                  0x00412ab7
                  0x00412ab9
                  0x00412ab9
                  0x00412aab
                  0x00412aad
                  0x00412aad
                  0x00412af4
                  0x00412af9
                  0x00412afe
                  0x00412b03
                  0x00412b08
                  0x00412b0d
                  0x00412b6d
                  0x00412b74
                  0x00000000
                  0x00412b98
                  0x00412b78
                  0x00412b90
                  0x00412b94
                  0x00412ba0
                  0x00000000
                  0x00412ba0
                  0x00412b80
                  0x00412b80
                  0x00412b83
                  0x00412b87
                  0x00000000
                  0x00412b87
                  0x00412b7e
                  0x00000000
                  0x00412b9c
                  0x00000000
                  0x00412b7e
                  0x00412a93
                  0x00412a19
                  0x00412a1b
                  0x00412a21
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00412a23
                  0x00412a23
                  0x00412a30
                  0x00412a37
                  0x00412a3c
                  0x00412a3e
                  0x00000000
                  0x00000000
                  0x00412a40
                  0x00412a41
                  0x00412a47
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00412a49
                  0x00412a4b
                  0x00412a4e
                  0x00412a50
                  0x00412a57
                  0x00412a5c
                  0x00412a5f
                  0x00412a62
                  0x00412a6f
                  0x00412a74
                  0x00412a80
                  0x00412a86
                  0x00412a86
                  0x00000000
                  0x00412a4e
                  0x00412990
                  0x00000000
                  0x00000000
                  0x00412996
                  0x00412998
                  0x0041299e
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x004129a4
                  0x004129a4
                  0x004129b1
                  0x004129bf
                  0x00000000
                  0x00000000
                  0x004129c1
                  0x004129c2
                  0x004129c8
                  0x00000000
                  0x00000000
                  0x00000000
                  0x004129ca
                  0x004129cf
                  0x004129d2
                  0x004129d8
                  0x004129df
                  0x004129e4
                  0x004129e7
                  0x004129ea
                  0x004129f7
                  0x004129fc
                  0x00412a08
                  0x00412a0e
                  0x00412a0e
                  0x00000000
                  0x0041292b
                  0x0041293e
                  0x00412948
                  0x00412950
                  0x00412953
                  0x00412960
                  0x00412965
                  0x00412972
                  0x0041297b
                  0x0041297f
                  0x00000000
                  0x0041297f
                  0x0041291d

                  APIs
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • lstrcpyA.KERNEL32(0047E880,00000000,00000000,00000001,-000000FE,00000000,00000000,00000000,00000000,00000000,0047DFB8,?,?,00000000,?,00000000), ref: 00412908
                  • lstrcpyA.KERNEL32(00000000,00000000,00000000,00000001,-000000FE,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047DFB8,?,?), ref: 00412972
                  • lstrcpyA.KERNEL32(00000000,00000000,0000001C,00000001,00000000,?,00000000,0041463E), ref: 00412A08
                  • lstrcpyA.KERNEL32(0047E880,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,0047DFB8,?,?,00000000,?,00000000), ref: 00412A80
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: lstrcpy$Global$AllocLockUnlock
                  • String ID: $G$$G$$G$$G
                  • API String ID: 809881301-2871775856
                  • Opcode ID: 65cb576162cf48911098db171601cebb1f0e6c29937d8fd97abc63cb19e62d38
                  • Instruction ID: cc9ef96804eb6c6a808a539a243a32eeebaa1f91f1bd0f8a0d8b4aab0d3d3760
                  • Opcode Fuzzy Hash: 65cb576162cf48911098db171601cebb1f0e6c29937d8fd97abc63cb19e62d38
                  • Instruction Fuzzy Hash: D2A14871E44219AFCF30AF758A816FE77A4EF40304F20456FE412E3252DABC59D19A6E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 65%
                  			E00412E58() {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				struct _OVERLAPPED* _v16;
                  				intOrPtr* _v20;
                  				char _v24;
                  				signed int _v28;
                  				signed int _v32;
                  				long _v36;
                  				long _v40;
                  				char _v52;
                  				char _v64;
                  				long _v76;
                  				char _v88;
                  				char _v100;
                  				void* __edi;
                  				void* __ebp;
                  				signed int _t81;
                  				void* _t84;
                  				void* _t98;
                  				intOrPtr _t102;
                  				intOrPtr _t106;
                  				void* _t113;
                  				intOrPtr _t118;
                  				void* _t134;
                  				void* _t140;
                  				void* _t146;
                  				void* _t159;
                  				intOrPtr* _t165;
                  				intOrPtr* _t167;
                  				void* _t171;
                  				long* _t192;
                  				char _t234;
                  				void* _t237;
                  				void* _t246;
                  
                  				_t81 =  *0x47e4c8; // 0x0
                  				_v32 = _t81;
                  				_v16 = 0;
                  				if(_t81 <= 0) {
                  					L41:
                  					return 1;
                  				} else {
                  					_v28 = 0x64;
                  					_t234 = "\r\n";
                  					do {
                  						_t165 = E0041E860(0x47e4bc, _v16);
                  						_v20 = _t165;
                  						_t84 = E00412BA7( *((intOrPtr*)(_t165 + 0x28)));
                  						_t239 = _t84;
                  						if(_t84 == 0) {
                  							goto L39;
                  						}
                  						_t7 = _t165 + 4; // 0x4
                  						_v12 = _t7;
                  						E004164B1(0x47dfb8, _t239, _t7);
                  						_t167 = _t165 + 0x10;
                  						E004164B1(0x47dfb8, _t239, _t167);
                  						_v8 = _v20 + 0x1c;
                  						E004164B1(0x47dfb8, _t239, _v20 + 0x1c);
                  						E0041BE99( &_v64, E0041CC95(_v12, 0, E0041C7DB(_v12, "\\", 0, 1)));
                  						E0040DC10(E0041CD1E( &_v64), 1);
                  						_t98 = E0040DF52(E0041CD1E(_v12));
                  						_t240 = _t98;
                  						if(_t98 == 0) {
                  							_t159 = E0041CD1E(_v12);
                  							_push(0x47e794);
                  							_push(_t159);
                  							E00421CE6(_t240);
                  							CloseHandle(CreateFileA(E0041CD1E(_v12), 0x40000000, 1, 0, 4, 0x80, 0));
                  						}
                  						if( *_v20 != 1) {
                  							E0041BDC5( &_v52);
                  							_t102 = E0041CAC5( &_v52, E0041CD1E(_v12), 0, 0);
                  							__eflags = _t102;
                  							if(_t102 < 0) {
                  								L24:
                  								E0041BEFB( &_v52);
                  								L38:
                  								E0041BEFB( &_v64);
                  								goto L39;
                  							}
                  							_t106 =  *_v20;
                  							__eflags = _t106;
                  							if(_t106 != 0) {
                  								__eflags = _t106 - 2;
                  								if(_t106 != 2) {
                  									__eflags = _t106 - 3;
                  									if(_t106 != 3) {
                  										__eflags = _t106 - 4;
                  										if(_t106 != 4) {
                  											__eflags = _t106 - 5;
                  											if(_t106 != 5) {
                  												__eflags = _t106 - 6;
                  												if(_t106 != 6) {
                  													__eflags = _t106 - 7;
                  													if(_t106 == 7) {
                  														_t113 = E0041CD1E(_v8);
                  														E0041CBF9( &_v52, __eflags, E0041CD1E(_t167), _t113, 0, 0, 1);
                  													}
                  													L35:
                  													E0041CE0E( &_v52, E0041CD1E(_v12));
                  													_t192 =  &_v52;
                  													L36:
                  													E0041BEFB(_t192);
                  													if(_v32 > 0) {
                  														asm("cdq");
                  														E00414C1B(_v28 % _v32, _t234, _t237, _v28 / _v32, 0);
                  													}
                  													goto L38;
                  												}
                  												E0041BDC5( &_v100);
                  												_v24 = 0;
                  												E0041BDC5( &_v88);
                  												while(1) {
                  													_push(_v24);
                  													_t118 = E0041C9D2( &_v52);
                  													__eflags = _t118;
                  													if(_t118 == 0) {
                  														break;
                  													}
                  													E0041C92F( &_v52,  &_v24,  &_v100);
                  													__eflags = E0041CC5D( &_v100, E0041CD1E(_t167));
                  													if(__eflags == 0) {
                  														E0041C0C5( &_v88, __eflags,  &_v100);
                  														E0041C047( &_v88, _t234, 0);
                  													}
                  												}
                  												E0041BF80( &_v52,  &_v88);
                  												E0041BEFB( &_v88);
                  												E0041BEFB( &_v100);
                  												goto L35;
                  											}
                  											E0041C047(_t167, _t234, 0);
                  											E0041C047(_v8, _t234, 0);
                  											_push(0);
                  											_push(0);
                  											_push(E0041CD1E(_t167));
                  											_t134 = E0041C6D0( &_v52);
                  											__eflags = _t134 - 0xffffffff;
                  											if(_t134 != 0xffffffff) {
                  												_push(0);
                  												L26:
                  												_push(_t134);
                  												L13:
                  												_push(E0041CD1E(_v8));
                  												E0041CA20( &_v52);
                  												goto L35;
                  											}
                  											goto L24;
                  										}
                  										E0041C047(_t167, _t234, 0);
                  										E0041C047(_v8, _t234, 0);
                  										_push(0);
                  										_push(0);
                  										_push(E0041CD1E(_t167));
                  										_t140 = E0041C6D0( &_v52);
                  										__eflags = _t140 - 0xffffffff;
                  										if(_t140 == 0xffffffff) {
                  											goto L24;
                  										}
                  										_push(0);
                  										_push( *_t167 + _t140);
                  										goto L13;
                  									}
                  									E0041C047(_t167, _t234, 0);
                  									E0041C416( &_v52, E0041CD1E(_t167), 0, 1, 0);
                  									goto L35;
                  								}
                  								E0041C047(_t167, _t234, 0);
                  								_push(0);
                  								_push(0);
                  								_push(E0041CD1E(_t167));
                  								_t146 = E0041C6D0( &_v52);
                  								__eflags = _t146 - 0xffffffff;
                  								if(_t146 == 0xffffffff) {
                  									goto L24;
                  								}
                  								_push(0);
                  								_t134 =  *_t167 + _t146 - 2;
                  								goto L26;
                  							}
                  							E0041C047(_v8, _t234, 0);
                  							_push(0);
                  							_push(0);
                  							goto L13;
                  						}
                  						_t171 = CreateFileA(E0041CD1E(_v12), 0xc0000000, 1, 0, 4, 0x80, 0);
                  						if(_t171 == 0xffffffff) {
                  							goto L38;
                  						}
                  						_v36 = 0;
                  						SetFilePointer(_t171, 0,  &_v36, 2);
                  						E0041BE99( &_v76, _v8);
                  						if(GetFileSize(_t171, 0) > 0) {
                  							E0041CA20( &_v76, _t234, 0, 0);
                  						}
                  						_v40 = 0;
                  						WriteFile(_t171, E0041CD1E( &_v76), _v76,  &_v40, 0);
                  						CloseHandle(_t171);
                  						_t192 =  &_v76;
                  						goto L36;
                  						L39:
                  						_v16 = _v16 + 1;
                  						_v28 = _v28 + 0x64;
                  						_t246 = _v16 -  *0x47e4c8; // 0x0
                  					} while (_t246 < 0);
                  					goto L41;
                  				}
                  			}

                  APIs
                    • Part of subcall function 0041C7DB: lstrlenA.KERNEL32(0047DFB8,00000000,0047DE94,0042BC5C,0042BC5C,00000000,00000001,0047E6C8,?,0047DFB8), ref: 0041C7E9
                    • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                    • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                    • Part of subcall function 0040DC10: GetCurrentDirectoryA.KERNEL32(00000104,00000001,00000000,00000004,0047DFB8,00000010,00000004,00000010,00000004,00000001,0047F208,0047E880,00000000), ref: 0040DC73
                    • Part of subcall function 0040DC10: SetCurrentDirectoryA.KERNELBASE(?), ref: 0040DC9B
                    • Part of subcall function 0040DC10: GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,?,?,?,?,?,?,004237A4,00000000,00000000,0047F208,00000001), ref: 0040DD05
                    • Part of subcall function 0040DC10: lstrlenA.KERNEL32(?), ref: 0040DD16
                    • Part of subcall function 0040DC10: lstrlenA.KERNEL32(?), ref: 0040DD20
                    • Part of subcall function 0040DC10: lstrlenA.KERNEL32(?), ref: 0040DD30
                    • Part of subcall function 0040DC10: SetCurrentDirectoryA.KERNELBASE(00000000), ref: 0040DD5B
                    • Part of subcall function 0040DC10: CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040DD67
                    • Part of subcall function 0040DC10: SetCurrentDirectoryA.KERNELBASE(00000000), ref: 0040DD72
                  • CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000004,00000080,00000000,00000000,0047E794,00000000,00000000,00000000,0042BC5C,00000000,00000001,?), ref: 00412F51
                  • CloseHandle.KERNEL32(00000000), ref: 00412F58
                    • Part of subcall function 0041BDC5: GlobalAlloc.KERNELBASE(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                    • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                    • Part of subcall function 0041CAC5: CreateFileA.KERNELBASE(0047DFB8,80000000,00000001,00000000,00000003,00000080,00000000,747DFBD0,0047E2F0,00000000,?,0047DFB8), ref: 0041CAE5
                    • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                    • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                    • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                    • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                    • Part of subcall function 0041C6D0: lstrlenA.KERNEL32(0047E788,00000000,0042C1D8,00000001,00000000,0000005C,00000000,00000000,0047E490,0047E788,00000000), ref: 0041C6DE
                  • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000004,00000080,00000000,00000000,00000000,00000000,0042BC5C,00000000,00000001,?,-00000010,00000004), ref: 00412F83
                  • SetFilePointer.KERNEL32(00000000,00000000,?,00000002), ref: 00412F9F
                  • GetFileSize.KERNEL32(00000000,00000000,?), ref: 00412FB2
                  • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00412FDC
                  • CloseHandle.KERNEL32(00000000), ref: 00412FE3
                    • Part of subcall function 00421CE6: lstrlenA.KERNEL32(0047DFB8,?,0047DFB8,?,00411457,00000000,0047E794), ref: 00421CFC
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$lstrlen$DirectoryFile$Current$AllocCreateLock$CloseHandleUnlock$PointerSizeWrite
                  • String ID:
                  • API String ID: 2476745626-0
                  • Opcode ID: ce08af38f1a14a7eaa29a8a45040529bef0bc21b7ccd4226394128b8269597af
                  • Instruction ID: ffb1d7bd0d554ea9a3b8ed63be469a5a1bbe6e3829c611c30b3a7cfdc5e1920b
                  • Opcode Fuzzy Hash: ce08af38f1a14a7eaa29a8a45040529bef0bc21b7ccd4226394128b8269597af
                  • Instruction Fuzzy Hash: 7CA14E70940118BACF24EBA6DDD5DEF7B79AF05358F10012FF106A6192DF385A85CBA8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E00420151(intOrPtr __ecx, void* __edx, void* __eflags) {
                  				intOrPtr _v8;
                  				long _v12;
                  				long _v16;
                  				char _v20;
                  				intOrPtr _v24;
                  				signed int _v32;
                  				char _v44;
                  				char _v56;
                  				char _v68;
                  				char _v80;
                  				void* __edi;
                  				void* __ebp;
                  				intOrPtr* _t58;
                  				void* _t78;
                  				int _t86;
                  				int _t87;
                  				signed int _t92;
                  				long _t102;
                  				intOrPtr _t104;
                  				intOrPtr _t137;
                  				void* _t139;
                  				CHAR* _t140;
                  				intOrPtr _t141;
                  				long _t142;
                  				CHAR* _t144;
                  				intOrPtr _t146;
                  				void* _t147;
                  
                  				_t139 = __edx;
                  				_v24 = __ecx;
                  				_t142 = 0;
                  				_v16 = 0;
                  				_v20 = 0;
                  				E0041BDC5( &_v44);
                  				_t58 = E00424DD9(0x13c);
                  				if(_t58 == 0) {
                  					_v12 = 0;
                  				} else {
                  					_t5 = _t58 + 4; // 0x4
                  					_t146 = _t5;
                  					_t137 = 0x1a;
                  					_t141 = _t146;
                  					 *_t58 = _t137;
                  					_t104 = _t137;
                  					do {
                  						E0041BDC5(_t141);
                  						_t141 = _t141 + 0xc;
                  						_t104 = _t104 - 1;
                  					} while (_t104 != 0);
                  					_v12 = _t146;
                  					_t142 = 0;
                  				}
                  				if(_v12 == _t142) {
                  					L7:
                  					 *0x47e2c8 =  *0x47e2c8 + 1;
                  				} else {
                  					_t102 = GetLogicalDriveStringsA(_t142, _t142);
                  					_t140 = E00424DD9(_t102);
                  					if(_t140 != 0) {
                  						GetLogicalDriveStringsA(_t102, _t140);
                  						_t144 = _t140;
                  						E0041BE35( &_v80, "(HD space placeholder)");
                  						E0041EEC5(_v24,  &_v80);
                  						__eflags =  *_t140;
                  						if( *_t140 != 0) {
                  							_v8 = _v12;
                  							do {
                  								E0041BF12(_v8, _t144);
                  								_t86 = GetDriveTypeA(E0041CD1E(_v8));
                  								__eflags = _t86 - 3;
                  								if(_t86 == 3) {
                  									_v16 = _v16 + 1;
                  									E0041BF12( &_v44, "    ");
                  									E0041C0C5( &_v44, __eflags, _v8);
                  									E0041BFF8( &_v44, 9);
                  									_t92 = E0040DE4D(E0041CD1E(_v8), 1);
                  									__eflags = _t139 -  *0x47e654; // 0x0
                  									_v32 = _t92;
                  									if(__eflags <= 0) {
                  										if(__eflags < 0) {
                  											L14:
                  											_t24 =  &_v20;
                  											 *_t24 = _v20 + 1;
                  											__eflags =  *_t24;
                  										} else {
                  											__eflags = _t92 -  *0x47e650; // 0x207a58a
                  											if(__eflags < 0) {
                  												goto L14;
                  											}
                  										}
                  									}
                  									E0041BDC5( &_v56);
                  									E0041D95E(_v32, _t103,  &_v56);
                  									_t147 = _t147 + 0xc;
                  									E0041C0C5( &_v44, __eflags,  &_v56);
                  									E0041EEC5(_v24,  &_v44);
                  									E0041BEFB( &_v56);
                  								}
                  								_v8 = _v8 + 0xc;
                  								_t87 = lstrlenA(_t144);
                  								__eflags = _t144[_t87 + 1];
                  								_t144 =  &(_t144[_t87 + 1]);
                  							} while (__eflags != 0);
                  						}
                  						E00424DCE(_t140);
                  						_push(3);
                  						E004190EC(_v12, _t140);
                  						E0041BF80( &_v44, 0x47ea44);
                  						E0041C047( &_v44, "\t\t", 0);
                  						E0041BDC5( &_v68);
                  						E0041D95E( *0x47e650,  *0x47e654,  &_v68);
                  						E0041C0C5( &_v44, __eflags,  &_v68);
                  						E0041BFF8( &_v44, 9);
                  						__eflags = _v20 - _v16;
                  						if(__eflags != 0) {
                  							_push(0x47e8f4);
                  						} else {
                  							 *0x47e2c0 =  *0x47e2c0 + 1;
                  							_push(0x47e8dc);
                  						}
                  						E0041C0C5( &_v44, __eflags);
                  						_t78 = E0041CD1E( &_v44);
                  						E0041CBF9(_v24, __eflags, E0041CD1E( &_v80), _t78, 0, 0, 1);
                  						E0041BEFB( &_v68);
                  						E0041BEFB( &_v80);
                  					} else {
                  						goto L7;
                  					}
                  				}
                  				return E0041BEFB( &_v44);
                  			}


                  APIs
                    • Part of subcall function 0041BDC5: GlobalAlloc.KERNELBASE(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                    • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                  • GetLogicalDriveStringsA.KERNEL32 ref: 004201AC
                  • GetLogicalDriveStringsA.KERNEL32 ref: 004201CA
                  • GetDriveTypeA.KERNEL32(00000000,00000000,?,(HD space placeholder),?,?,?,?,?,?,?,?,?,0042168B,00000000,00000000), ref: 00420208
                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0042168B,00000000,00000000,00000000,00000000,00000000), ref: 004202A5
                    • Part of subcall function 0041C0C5: GlobalUnlock.KERNEL32(?,00000000,0047E380,?,00421CA7,00000004,?,00000000,00000000,00000000,0047E490,0047E788,0047E380,0047E788,?,00422453), ref: 0041C0DE
                    • Part of subcall function 0041C0C5: GlobalReAlloc.KERNEL32 ref: 0041C0EB
                    • Part of subcall function 0041C0C5: GlobalLock.KERNEL32 ref: 0041C10C
                    • Part of subcall function 0041BFF8: GlobalUnlock.KERNEL32(8415FF57,0047E788,004221E2,00000000,00000000,00000000,0047E788,00000000), ref: 0041C000
                    • Part of subcall function 0041BFF8: GlobalReAlloc.KERNEL32 ref: 0041C00D
                    • Part of subcall function 0041BFF8: GlobalLock.KERNEL32 ref: 0041C02E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocDriveLock$LogicalStringsUnlock$Typelstrlen
                  • String ID: $(HD space placeholder)
                  • API String ID: 88277077-3858189379
                  • Opcode ID: 4413343c6dada0bd3077a0a3251622b39917ba5774e06876e684359967b27202
                  • Instruction ID: 262f8474926e1645baff895f9dfb9859fe624d7e810762e3b04d7bb70cf72b9e
                  • Opcode Fuzzy Hash: 4413343c6dada0bd3077a0a3251622b39917ba5774e06876e684359967b27202
                  • Instruction Fuzzy Hash: 4D515371E00219EACB14EBA2EC859EEBB75EF18314F54005FF505B3192DB385E85CB99
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 80%
                  			E00423A3D() {
                  				signed int _v8;
                  				intOrPtr _v20;
                  				intOrPtr _v28;
                  				signed int _v32;
                  				CHAR* _v48;
                  				CHAR* _v52;
                  				CHAR* _v56;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				CHAR* _t25;
                  				void* _t49;
                  				CHAR* _t51;
                  				void* _t72;
                  				CHAR* _t75;
                  				signed int _t77;
                  				signed int _t78;
                  				intOrPtr _t81;
                  
                  				_push(0xffffffff);
                  				_push(0x4286f8);
                  				_push(E00424EE0);
                  				_push( *[fs:0x0]);
                  				 *[fs:0x0] = _t81;
                  				_push(_t49);
                  				_push(_t77);
                  				_push(_t72);
                  				_v28 = _t81 - 0x30;
                  				_t78 = _t77 | 0xffffffff;
                  				if( *0x47f240 != 0) {
                  					E00407B45(_t49, _t72, _t78, 1);
                  					_t75 = E00424DD9(0x104);
                  					_v48 = _t75;
                  					if(_t75 == 0) {
                  						E0041D881(E0041CD1E(0x47e924));
                  					}
                  					_t25 = E00424DD9(0x104);
                  					_v52 = _t25;
                  					if(_t25 == 0) {
                  						E0041D881(E0041CD1E(0x47e924));
                  					}
                  					_t51 = E00424DD9(0x104);
                  					_v56 = _t51;
                  					if(_t51 == 0) {
                  						E0041D881(E0041CD1E(0x47e924));
                  					}
                  					E00424500(_t75, 0, 0x104);
                  					E00424500(_v52, 0, 0x104);
                  					E00424500(_t51, 0, 0x104);
                  					lstrcatA(_t75, E0041CD1E(0x47e1b8));
                  					lstrcatA(_v52, E0041CD1E(0x47e1c4));
                  					lstrcatA(_t51, E0041CD1E(0x47e1d0));
                  					_v8 = _v8 & 0x00000000;
                  					_t78 =  *0x47f240( *0x47e178, _v48, 0x104, _v52, 0x104, _t51, 0x104);
                  					_v32 = _t78;
                  					_v8 = _v8 | 0xffffffff;
                  					E0041BF12(0x47e1b8, _v48);
                  					E0041BF12(0x47e1c4, _v52);
                  					E0041BF12(0x47e1d0, _t51);
                  					E00424DCE(_v48);
                  					E00424DCE(_v52);
                  					E00424DCE(_t51);
                  					if(_t78 == 1) {
                  						if(_t78 != 2) {
                  							goto L14;
                  						} else {
                  							goto L12;
                  						}
                  					} else {
                  						if(_t78 == 2) {
                  							L12:
                  							if( *0x42bf98 == 0xffffffff) {
                  								L14:
                  								_t78 = 0;
                  							} else {
                  								_t78 = 1;
                  							}
                  						} else {
                  							E0041A1B5(1);
                  						}
                  					}
                  				}
                  				if(_t78 <= 0) {
                  					E004145F6(0x47e880, 6);
                  					E004112B1(6);
                  				}
                  				 *[fs:0x0] = _v20;
                  				return _t78;
                  			}


                  APIs
                    • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407B99
                    • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407BA9
                    • Part of subcall function 00407B45: DestroyWindow.USER32(?,00000000,0047DFB8,00000094,?,0041A1BF,00000001,0047DFB8,0041A044,00000001,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 00407BE2
                    • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C0B
                    • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C22
                    • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C39
                    • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C50
                  • lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,0047E50C,00000000,00000000,FFFFFFFF,0000000E,00000000,0047DFB8), ref: 00423B13
                  • lstrcatA.KERNEL32(FFFFFFFF,00000000,?,?,?,?,?,?,0047E50C,00000000,00000000,FFFFFFFF,0000000E,00000000,0047DFB8), ref: 00423B23
                  • lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,0047E50C,00000000,00000000,FFFFFFFF,0000000E,00000000,0047DFB8), ref: 00423B31
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: DeleteObject$Globallstrcat$AllocDestroyLockUnlockWindow
                  • String ID: $G$$G$$G
                  • API String ID: 1134962081-397660746
                  • Opcode ID: df6fcd672bf3ab2fa7e4feb5633386ca3948e2e91a1d1d585c446a39a409343c
                  • Instruction ID: 5d6d0fb6400b280bbebfd3ce72b31f39c0bee1e24df1173561ddc6a405f6c54f
                  • Opcode Fuzzy Hash: df6fcd672bf3ab2fa7e4feb5633386ca3948e2e91a1d1d585c446a39a409343c
                  • Instruction Fuzzy Hash: 5E412771F001246ACB147B66BC46BEE792ADF84724F50423FF505A22D2CF3C1C8186AD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 77%
                  			E004102F6(intOrPtr* __ecx) {
                  				char _v8;
                  				long _v12;
                  				char _v24;
                  				char _v36;
                  				char _v48;
                  				void* _t53;
                  				void* _t55;
                  				void* _t61;
                  				CHAR* _t68;
                  				void* _t99;
                  				intOrPtr _t100;
                  				intOrPtr* _t101;
                  				intOrPtr _t105;
                  				intOrPtr _t107;
                  
                  				_t101 = __ecx;
                  				 *((intOrPtr*)(__ecx + 4)) = 0;
                  				_v8 = 0;
                  				E0041BDC5( &_v24);
                  				while(1) {
                  					_push(_v8);
                  					if(E0041C9D2(0x47e5bc) == 0) {
                  						break;
                  					}
                  					E0041C92F(0x47e5bc,  &_v8,  &_v24);
                  					_t99 = CreateFileA(E0041CD1E( &_v24), 0x80000000, 1, 0, 3, 0x80, 0);
                  					if(_t99 == 0xffffffff) {
                  						L13:
                  						E0041BEFB( &_v24);
                  						return 0;
                  					}
                  					_v12 = GetFileSize(_t99, 0);
                  					CloseHandle(_t99);
                  					_t100 = _v12;
                  					 *_t101 = _t100;
                  					E0041BE99( &_v36,  &_v24);
                  					E0041C3A9( &_v36, _v36 + 0xfffffffd, 3);
                  					E0041C047( &_v36, "BMP", 0);
                  					_t105 =  *0x47f27c; // 0x1
                  					if(_t105 == 0) {
                  						E0041BE35( &_v48, E0041CD1E(0x47eea0));
                  						E0041BFF8( &_v48, 0x20);
                  						E0041C0C5( &_v48, _t105,  &_v24);
                  						_t68 = E0041CD1E( &_v48);
                  						_t20 = _t101 + 8; // 0x0
                  						SetDlgItemTextA( *_t20, 0x14, _t68);
                  						E0041BEFB( &_v48);
                  					}
                  					_t53 =  *0x47e2dc(E0041CD1E( &_v24), E0041CD1E( &_v36), E00415012, E0041505D);
                  					_t106 = _t53;
                  					if(_t53 <= 0) {
                  						E0041BEFB( &_v36);
                  						goto L13;
                  					} else {
                  						_t55 = E0041CD1E( &_v36);
                  						_push(0x47e794);
                  						_push(_t55);
                  						E00421CE6(_t106);
                  						_t107 =  *0x47e610; // 0x0
                  						if(_t107 != 0) {
                  							if(E00424DD9(0xc) == 0) {
                  								_t61 = 0;
                  								__eflags = 0;
                  							} else {
                  								_t61 = E0041BE99(_t60,  &_v36);
                  							}
                  							E0041E87A(0x47e634, _t61, 0xffffffff);
                  						}
                  						E0040D85F(E0041CD1E( &_v24));
                  						 *((intOrPtr*)(_t101 + 4)) =  *((intOrPtr*)(_t101 + 4)) + _t100;
                  						E0041BEFB( &_v36);
                  						continue;
                  					}
                  				}
                  				E0041BEFB( &_v24);
                  				return 1;
                  			}


                  APIs
                    • Part of subcall function 0041BDC5: GlobalAlloc.KERNELBASE(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                    • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00000000,00000003,0047E880,00000000,?,?,00412577), ref: 00410351
                  • GetFileSize.KERNEL32(00000000,00000000,?,?,00412577,00000000,00000000,00000000,00000000,0047E880,0047DFB8,?,00000000,0041520C,00000000,?), ref: 00410364
                  • CloseHandle.KERNEL32(00000000,?,?,00412577,00000000,00000000,00000000,00000000,0047E880,0047DFB8,?,00000000,0041520C,00000000,?), ref: 0041036E
                    • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                    • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                    • Part of subcall function 0041C3A9: GlobalUnlock.KERNEL32(?,00000000,00000000,00421A09,00000000,00000001,0000005C,00000000,00000000,00000000,0000005C,00000000,00000000,0047E490,0047E788,00000000), ref: 0041C3D8
                    • Part of subcall function 0041C3A9: GlobalReAlloc.KERNEL32 ref: 0041C3E5
                    • Part of subcall function 0041C3A9: GlobalLock.KERNEL32 ref: 0041C406
                    • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                    • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                    • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                    • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                  • SetDlgItemTextA.USER32 ref: 004103E3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLock$Unlock$File$CloseCreateHandleItemSizeTextlstrlen
                  • String ID: 4G$BMP
                  • API String ID: 344598365-661391485
                  • Opcode ID: 38262aa651b9e8356e42a0337b5908c3521fec37494197ef42125fa72b51bc5d
                  • Instruction ID: 6e1de597df35e38bd71d78d36fecd714cf96043b4dc7f9fd8b62fa2553890872
                  • Opcode Fuzzy Hash: 38262aa651b9e8356e42a0337b5908c3521fec37494197ef42125fa72b51bc5d
                  • Instruction Fuzzy Hash: 39418371940209AACF14EBF6DC969EE7778AF18308F10452FF202B21D2DF785A85C669
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040612F(void* __ecx, intOrPtr* _a4) {
                  				struct tagPOINT _v12;
                  				signed int _v20;
                  				intOrPtr _v24;
                  				void* _v28;
                  				int _v40;
                  				int _v44;
                  				intOrPtr _v64;
                  				void* _v68;
                  				intOrPtr _t37;
                  				struct HWND__* _t38;
                  				long _t40;
                  				intOrPtr _t44;
                  				intOrPtr _t49;
                  				intOrPtr _t58;
                  				signed int _t59;
                  				intOrPtr _t61;
                  				int _t64;
                  				intOrPtr* _t74;
                  				intOrPtr* _t75;
                  				void* _t76;
                  
                  				_t74 = _a4;
                  				_t76 = __ecx;
                  				_t37 =  *((intOrPtr*)(_t74 + 8));
                  				_t64 = 0;
                  				if(_t37 != 0xfffffe64) {
                  					if(_t37 != 0xfffffe6d) {
                  						if(_t37 != 0xfffffe6e) {
                  							goto L3;
                  						}
                  						_t58 = E0040607A(__ecx,  *((intOrPtr*)(_t74 + 0x3c)));
                  						if(_t58 != 0xffffffff) {
                  							 *((intOrPtr*)(__ecx + 0x10)) = _t58;
                  						}
                  						goto L20;
                  					}
                  					_t59 = E0040607A(__ecx,  *((intOrPtr*)(_t74 + 0x10)));
                  					if(_t59 != 0xffffffff) {
                  						_t61 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 8)) + _t59 * 4)) + 8));
                  						 *((intOrPtr*)(_t74 + 0x28)) = _t61;
                  						 *((intOrPtr*)(_t74 + 0x24)) = _t61;
                  					}
                  					goto L20;
                  				} else {
                  					if( *((short*)(_t74 + 0xc)) == 0x20) {
                  						_t64 = 1;
                  					}
                  					L3:
                  					if(_t37 == 0xfffffffe || _t37 == 0xfffffffd || _t64 != 0) {
                  						_t38 =  *(_t76 + 0xc);
                  						if( *_t74 != _t38) {
                  							goto L27;
                  						}
                  						if(_t64 != 0) {
                  							_t40 = SendMessageA(_t38, 0x110a, 9, 0);
                  							L17:
                  							if(E0040607A(_t76, _t40) == 0xffffffff) {
                  								goto L27;
                  							}
                  							_t75 = E00406060(_t76, _t41);
                  							if(_t75 == 0) {
                  								goto L27;
                  							}
                  							if( *((intOrPtr*)(_t75 + 8)) != 2) {
                  								_v68 = 0x32;
                  								_v64 =  *_t75;
                  								_t44 =  *((intOrPtr*)(_t75 + 8));
                  								if(_t44 != 0) {
                  									if(_t44 == 1 || _t44 == 3) {
                  										 *((intOrPtr*)(_t75 + 8)) = 0;
                  										_v40 = 0;
                  										_v44 = 0;
                  									}
                  								} else {
                  									_t49 = 1;
                  									 *((intOrPtr*)(_t75 + 8)) = _t49;
                  									_v40 = _t49;
                  									_v44 = _t49;
                  								}
                  								SendMessageA( *(_t76 + 0xc), 0x110d, 0,  &_v68);
                  								E004062C4(_t76,  *_t75,  *((intOrPtr*)(_t75 + 8)));
                  								E00406506(_t76);
                  								goto L27;
                  							}
                  							L20:
                  							return 0;
                  						}
                  						GetCursorPos( &_v12);
                  						ScreenToClient( *(_t76 + 0xc),  &_v12);
                  						_v28 = _v12.x;
                  						_v24 = _v12.y;
                  						_t40 = SendMessageA( *(_t76 + 0xc), 0x1111, 0,  &_v28);
                  						if((_v20 & 0x00000002) == 2) {
                  							goto L17;
                  						}
                  						goto L27;
                  					} else {
                  						L27:
                  						return 1;
                  					}
                  				}
                  			}

                  APIs
                  • GetCursorPos.USER32(?), ref: 0040617D
                  • ScreenToClient.USER32 ref: 0040618A
                  • SendMessageA.USER32(?,00001111,00000000,?), ref: 004061A9
                  • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040620E
                  • SendMessageA.USER32(?,0000110D,00000000,00000032), ref: 0040627A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: MessageSend$ClientCursorScreen
                  • String ID: 2
                  • API String ID: 41388912-450215437
                  • Opcode ID: 2a1799bccda79db75d656728ceaf8dabbfcc03810baa88552f5a0faf615ffa00
                  • Instruction ID: f8a9f1cfee04589b8875d05137da50bc283deff4bee9bf1f4b822495c2b9fb2d
                  • Opcode Fuzzy Hash: 2a1799bccda79db75d656728ceaf8dabbfcc03810baa88552f5a0faf615ffa00
                  • Instruction Fuzzy Hash: 6D418270A00605AFCB20EF68C8849AEB7B5BF44324B21467FE117E62D0D7359DB28B59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00419BE3(void* __eflags) {
                  				void* _v8;
                  				long _v12;
                  				char _v24;
                  				intOrPtr _v28;
                  				char _v288;
                  				char _v548;
                  				intOrPtr _t32;
                  				intOrPtr _t39;
                  				intOrPtr _t40;
                  				void* _t42;
                  				intOrPtr _t44;
                  				void* _t47;
                  				char _t69;
                  				intOrPtr* _t79;
                  				void* _t95;
                  
                  				_v8 = E0041C8FD(0x47e2f0, 0x2c);
                  				_t32 = E0041C8FD(0x47e2f0, 0x28);
                  				_v28 = _t32;
                  				_v12 = 0;
                  				if(_t32 <= 0) {
                  					L6:
                  					return 1;
                  				}
                  				_t69 = "\r\n";
                  				while(1) {
                  					E0041BDC5( &_v24);
                  					E0041CAC5( &_v24, E0041CD1E(0x47e6c8), _v8, 4);
                  					_v8 = _v8 + 4;
                  					E0041DBFF( &_v24,  &_v288, ".TTF");
                  					_t39 = 1;
                  					 *0x47f21c = _t39;
                  					 *0x47e290 = _t39;
                  					_t40 =  *0x47f28c; // 0x22d1d10
                  					if(_t40 != 0) {
                  						E00424DCE(_t40);
                  					}
                  					 *0x47f28c = E00424DD9(4);
                  					_t42 = E0041C8FD( &_v24, 0);
                  					_t79 =  *0x47f28c; // 0x22d1d10
                  					 *_t79 = _t42 + _v8;
                  					_t44 = E0041C8FD( &_v24, 0);
                  					_t47 = E00401AC0(E0041CD1E(0x47e6c8),  &_v288, _v8, _t44);
                  					_t95 = _t95 + 0x10;
                  					if(_t47 != 0) {
                  						break;
                  					}
                  					_v8 = _v8 + E0041C8FD( &_v24, 0);
                  					E0041DBFF( &_v24,  &_v548, ".FOT");
                  					CreateScalableFontResourceA(0,  &_v548,  &_v288, 0);
                  					AddFontResourceA( &_v548);
                  					E0041C047(0x47e570,  &_v548, 0);
                  					E0041C047(0x47e570, _t69, 0);
                  					E0041C047(0x47e570,  &_v288, 0);
                  					E0041C047(0x47e570, _t69, 0);
                  					E0041BEFB( &_v24);
                  					_v12 = _v12 + 1;
                  					if(_v12 < _v28) {
                  						continue;
                  					}
                  					goto L6;
                  				}
                  				DeleteFileA( &_v288);
                  				E0041BEFB( &_v24);
                  				return 0;
                  			}

                  APIs
                    • Part of subcall function 0041BDC5: GlobalAlloc.KERNELBASE(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                    • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                    • Part of subcall function 0041CAC5: CreateFileA.KERNELBASE(0047DFB8,80000000,00000001,00000000,00000003,00000080,00000000,747DFBD0,0047E2F0,00000000,?,0047DFB8), ref: 0041CAE5
                    • Part of subcall function 0041DBFF: GetTempPathA.KERNELBASE(00000104,00000000,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001,?,00000000), ref: 0041DC46
                    • Part of subcall function 0041DBFF: lstrcatA.KERNEL32(00000000,C:\,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001,?,00000000), ref: 0041DC5C
                    • Part of subcall function 0041DBFF: GetTickCount.KERNEL32 ref: 0041DC6F
                    • Part of subcall function 0041DBFF: lstrlenA.KERNEL32(00000000,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001,?,00000000), ref: 0041DC79
                    • Part of subcall function 0041DBFF: lstrcatA.KERNEL32(00000000,aiw,?,?,?,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001), ref: 0041DCA1
                    • Part of subcall function 0041DBFF: lstrcatA.KERNEL32(00000000,0000005C,?,?,?,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001), ref: 0041DCA8
                    • Part of subcall function 0041DBFF: lstrcatA.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001), ref: 0041DCAE
                    • Part of subcall function 0041DBFF: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?,?,0047E2F0,00000000,000000A8,0000005C,0047E1B8,00000001), ref: 0041DCBF
                  • CreateScalableFontResourceA.GDI32(00000000,?,?,00000000,00000000,0000002C,0047E2F0,00000001,00000000), ref: 00419CF6
                  • AddFontResourceA.GDI32(?), ref: 00419D03
                  • DeleteFileA.KERNEL32(?,0000002C,0047E2F0,00000001,00000000), ref: 00419D5E
                  Strings
                  Similarity
                  • API ID: Globallstrcat$AllocCreateFileFontLockResource$CountDeletePathScalableTempTickUnlocklstrlen
                  • String ID: .FOT$.TTF$pG
                  • API String ID: 2855166206-2355402239
                  • Opcode ID: da263dae11c4dccd75cfe5de3c3717d08b13cab50d91d4aa04446e2cf5d485cd
                  • Instruction ID: b0307000140c279c1ff1cafe2788717768607d41d640f69ff04e345ebede6464
                  • Opcode Fuzzy Hash: da263dae11c4dccd75cfe5de3c3717d08b13cab50d91d4aa04446e2cf5d485cd
                  • Instruction Fuzzy Hash: 61415671940118AACB15EBA6EC86DEE77BCEB48704F5040AFF205E3192DB385E85CB59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E0040F33B(int* __ecx, void* __edx, void* __eflags, CHAR* _a4) {
                  				BITMAPINFO* _v8;
                  				char _v12;
                  				int _v16;
                  				long _v20;
                  				void* _v24;
                  				char _v40;
                  				intOrPtr _t34;
                  				intOrPtr _t37;
                  				CHAR* _t38;
                  				int _t49;
                  				BITMAPINFO* _t50;
                  				intOrPtr _t52;
                  				intOrPtr _t56;
                  				intOrPtr _t60;
                  				void* _t67;
                  				unsigned int _t73;
                  				void* _t81;
                  				int* _t82;
                  
                  				_t81 = __edx;
                  				_t33 = _a4;
                  				_t34 =  *0x47e780; // 0x0
                  				_t84 = _a4 + _t33 * 2 << 2;
                  				_t82 = __ecx;
                  				E0041A81A(__eflags, _t34 + (_a4 + _t33 * 2 << 2));
                  				_t37 =  *0x47e780; // 0x0
                  				_t38 = E0041CD1E(_t84 + _t37);
                  				_a4 = _t38;
                  				_t67 = CreateFileA(_t38, 0x80000000, 1, 0, 3, 0x80, 0);
                  				_v20 = GetFileSize(_t67, 0);
                  				if(_t67 == 0xffffffff) {
                  					return DeleteFileA(_a4);
                  				}
                  				E0040FC45(_t82);
                  				_v16 = 0;
                  				_v20 = E00410087(_t82, _t67, _v20,  &_v40,  &_v8,  &_v12,  &_v24,  &_v16);
                  				CloseHandle(_t67);
                  				_t49 = DeleteFileA(_a4);
                  				__eflags = _v20;
                  				if(_v20 >= 0) {
                  					_t50 = _v8;
                  					_t73 =  *(_t50 + 4);
                  					 *_t82 = _t73;
                  					_t82[1] =  *(_t50 + 8);
                  					_t52 =  *0x47e170; // 0x0
                  					asm("cdq");
                  					_t22 =  &(_t82[1]); // 0x0
                  					_t82[2] = (_t52 - _t81 >> 1) - (_t73 >> 1);
                  					_t56 =  *0x47e174; // 0x0
                  					asm("cdq");
                  					_t82[3] = (_t56 - _t81 >> 1) - ( *_t22 >> 1);
                  					_t60 = E0040EDE3(_t82);
                  					__eflags = _t60;
                  					if(_t60 >= 0) {
                  						_t26 =  &(_t82[1]); // 0x0
                  						_t61 =  *_t26;
                  						_t78 =  *_t82;
                  						_t29 =  &(_t82[3]); // 0x0
                  						_t30 =  &(_t82[2]); // 0x0
                  						StretchDIBits( *0x47e184,  *_t30,  *_t29,  *_t82,  *_t26, 0, 0, _t78, _t61, _v24, _v8, 0, 0xcc0020);
                  						E00424DCE(_v12);
                  						return DeleteObject(_v16);
                  					}
                  					return E00424DCE(_v12);
                  				}
                  				return _t49;
                  			}

                  APIs
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000064,00000060,00000000,00404E9E,?,004051FC,0045AA60,00000000), ref: 0040F384
                  • GetFileSize.KERNEL32(00000000,00000000,?,004051FC,0045AA60,00000000,00404E9E,00000000,00000000,00000000,0047E1B8,00000001,?,00000000), ref: 0040F38E
                  • DeleteFileA.KERNEL32(00000000,?,004051FC,0045AA60,00000000,00404E9E,00000000,00000000,00000000,0047E1B8,00000001,?,00000000), ref: 0040F39F
                  • CloseHandle.KERNEL32(00000000,00000000,00404E9E,00000000,00000000,00000000,00000000,00000000,?,004051FC,0045AA60,00000000,00404E9E,00000000,00000000,00000000), ref: 0040F3D7
                  • DeleteFileA.KERNEL32(00000000,?,004051FC,0045AA60,00000000,00404E9E,00000000,00000000,00000000,0047E1B8,00000001,?,00000000), ref: 0040F3E0
                  Similarity
                  • API ID: File$Global$Delete$AllocCloseCreateHandleLockSizeUnlock
                  • String ID:
                  • API String ID: 3562677592-0
                  • Opcode ID: 63be94b49783e533935e19cf314129601f4d4d3528a53a33a7546e7259e29ac7
                  • Instruction ID: 17d04eb565bbb5c163c28542497edf53ee781f36736893d5f3475824fe2b72b9
                  • Opcode Fuzzy Hash: 63be94b49783e533935e19cf314129601f4d4d3528a53a33a7546e7259e29ac7
                  • Instruction Fuzzy Hash: D3415F71A00515EFCB249F69DD49DAEBFB9FF48310B50423AF509E3260DB34A951CB94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E0040D2FA(intOrPtr __ecx, void* __edi, void* __ebp, signed short _a4) {
                  				long _v4;
                  				long _v8;
                  				long _v12;
                  				long _v13;
                  				void* _v16;
                  				intOrPtr _v17;
                  				void* __ebx;
                  				void* __esi;
                  				unsigned int _t20;
                  				long _t23;
                  				long _t24;
                  				long _t25;
                  				signed int _t28;
                  				long _t36;
                  				void* _t37;
                  				void* _t49;
                  				void* _t51;
                  				intOrPtr _t52;
                  				void* _t53;
                  
                  				_t53 = __ebp;
                  				_t49 = __edi;
                  				_t20 = _a4;
                  				_t52 = __ecx;
                  				if(_t20 >> 0x10 != 0 || _t20 != 1 && _t20 != 3) {
                  					return 0;
                  				} else {
                  					_push(_t53);
                  					_push(_t49);
                  					E0041412C(_t37, _t49);
                  					_v13 = 0;
                  					_v8 = 0;
                  					_v4 = 0;
                  					_v12 = 0;
                  					_t23 = SendDlgItemMessageA( *(_t52 + 4), 0x14, 0xf0, 0, 0);
                  					if(_t23 == 1) {
                  						_v13 = _t23;
                  					}
                  					_t24 = SendDlgItemMessageA( *(_t52 + 4), 0x17, 0xf0, 0, 0);
                  					if(_t24 == 1) {
                  						_v8 = _t24;
                  					}
                  					_t25 = SendDlgItemMessageA( *(_t52 + 4), 0x16, 0xf0, 0, 0);
                  					if(_t25 == 1) {
                  						_v4 = _t25;
                  					}
                  					if(IsWindowVisible(GetDlgItem( *(_t52 + 4), 0x46)) != 0) {
                  						_t36 = SendDlgItemMessageA( *(_t52 + 4), 0x46, 0xf0, 0, 0);
                  						if(_t36 == 1) {
                  							_v12 = _t36;
                  						}
                  					}
                  					_t28 = _a4 & 0x0000ffff;
                  					_pop(_t51);
                  					if(_t28 != 1) {
                  						if(_t28 == 3) {
                  							E00407827(_t52, _t51, _t52, 0);
                  							E00417D26(0x47dfb8, 0);
                  						}
                  					} else {
                  						E00407827(_t52, _t51, _t52, 0);
                  						if(_v17 == 0) {
                  							E00412C58(_v4, _v8, _v12);
                  							E00417EA6(0x47dfb8, 0);
                  						} else {
                  							E00424003();
                  							E00411D82();
                  							PostQuitMessage(1);
                  						}
                  					}
                  					return 1;
                  				}
                  			}

                  APIs
                  • SendDlgItemMessageA.USER32(?,00000014,000000F0,00000000,00000000), ref: 0040D354
                  • SendDlgItemMessageA.USER32(?,00000017,000000F0,00000000,00000000), ref: 0040D367
                  • SendDlgItemMessageA.USER32(?,00000016,000000F0,00000000,00000000), ref: 0040D37A
                  • GetDlgItem.USER32 ref: 0040D38A
                  • IsWindowVisible.USER32(00000000), ref: 0040D391
                  • SendDlgItemMessageA.USER32(?,00000046,000000F0,00000000,00000000), ref: 0040D3A3
                  • PostQuitMessage.USER32(00000001), ref: 0040D3D9
                    • Part of subcall function 00412C58: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00412CCF
                  Similarity
                  • API ID: ItemMessage$Send$ExecutePostQuitShellVisibleWindow
                  • String ID:
                  • API String ID: 3842003878-0
                  • Opcode ID: 54de036da2a81d597b5cfd85777855c51b7d06fd8c14f802e07017e065111d94
                  • Instruction ID: 40df1cb1daf66bccd2bfbafc100118adea5f07f781d5d0cd9cb67cf283506348
                  • Opcode Fuzzy Hash: 54de036da2a81d597b5cfd85777855c51b7d06fd8c14f802e07017e065111d94
                  • Instruction Fuzzy Hash: EE310D30A483446AD62177A54C40D7FBADDEBD5744F40843FF985622D2C53A9C4A973F
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E004062C4(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                  				long _v8;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				long _v44;
                  				char _v48;
                  				long _v84;
                  				void* _v88;
                  				long _v124;
                  				void* _v128;
                  				long _t37;
                  				long _t39;
                  				long _t44;
                  				int _t47;
                  				intOrPtr _t48;
                  				void* _t57;
                  
                  				_push(_a4);
                  				_t57 = __ecx;
                  				_t47 = 4;
                  				_t37 = SendMessageA( *(__ecx + 0xc), 0x110a, _t47, ??);
                  				_v8 = _t37;
                  				if(_a4 != 0) {
                  					_v84 = _t37;
                  					_v88 = _t47;
                  					_t39 = SendMessageA( *(_t57 + 0xc), 0x110c, 0,  &_v88);
                  					_t48 = _a8;
                  					if(_t39 == 0) {
                  						goto L6;
                  					} else {
                  						_t37 = E00406060(_t57, E0040607A(_t57, _v84));
                  						if(_t37 != 0) {
                  							if( *((intOrPtr*)(_t37 + 8)) != 2) {
                  								 *((intOrPtr*)(_t37 + 8)) = _t48;
                  								_v48 = 0x32;
                  								_v44 = _v8;
                  								_v20 = _t48;
                  								_v24 = _t48;
                  								_t44 =  &_v48;
                  								L5:
                  								SendMessageA( *(_t57 + 0xc), 0x110d, 0, _t44);
                  								while(1) {
                  									L6:
                  									E004062C4(_t57, _v8, _t48);
                  									_t37 = SendMessageA( *(_t57 + 0xc), 0x110a, 1, _v8);
                  									_v8 = _t37;
                  									if(_t37 == 0) {
                  										goto L11;
                  									}
                  									_v124 = _t37;
                  									_v128 = 4;
                  									if(SendMessageA( *(_t57 + 0xc), 0x110c, 0,  &_v128) == 0) {
                  										continue;
                  									} else {
                  										_t37 = E00406060(_t57, E0040607A(_t57, _v124));
                  										if(_t37 != 0) {
                  											if( *((intOrPtr*)(_t37 + 8)) == 2) {
                  												continue;
                  											} else {
                  												 *((intOrPtr*)(_t37 + 8)) = _t48;
                  												_v48 = 0x32;
                  												_v44 = _v8;
                  												_v20 = _t48;
                  												_v24 = _t48;
                  												_t44 =  &_v48;
                  												goto L5;
                  											}
                  											L12:
                  										}
                  									}
                  									goto L11;
                  								}
                  								goto L11;
                  							}
                  							goto L6;
                  						}
                  					}
                  				}
                  				L11:
                  				return _t37;
                  				goto L12;
                  			}


                  APIs
                  • SendMessageA.USER32(?,0000110A,00000004,?), ref: 004062E4
                  • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00406307
                  • SendMessageA.USER32(?,0000110D,00000000,00000032), ref: 00406354
                  • SendMessageA.USER32(?,0000110A,00000001,?), ref: 0040636E
                  • SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040638F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: MessageSend
                  • String ID: 2
                  • API String ID: 3850602802-450215437
                  • Opcode ID: 39c45cc5b37b1b84ea6d5fa9529c823bae7bf4d2b75c7038cd662bec360d4a93
                  • Instruction ID: faac35d2f29a5aafd93d9db01ac471e448461c6527a0e82b97acf963d26bb515
                  • Opcode Fuzzy Hash: 39c45cc5b37b1b84ea6d5fa9529c823bae7bf4d2b75c7038cd662bec360d4a93
                  • Instruction Fuzzy Hash: 98312F70E00208AADB11DF95CD41AAEBBBABF48354F25802AE506B62D0D7749964DF94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 92%
                  			E0041412C(void* __ebx, void* __edi) {
                  				signed int _v8;
                  				char _v12;
                  				char _v16;
                  				intOrPtr _v20;
                  				char _v32;
                  				char _v292;
                  				char _v552;
                  				void* _t28;
                  				signed int _t33;
                  				CHAR* _t53;
                  				intOrPtr _t58;
                  				intOrPtr _t61;
                  				CHAR* _t68;
                  				void* _t73;
                  				intOrPtr* _t74;
                  				intOrPtr _t75;
                  
                  				_t75 =  *0x47e6b0; // 0x0
                  				if(_t75 != 0) {
                  					_v20 = E0041CD1E(0x47e6b0);
                  					_t58 =  *0x47e6b0; // 0x0
                  					_t28 = E0041DD95(__ebx, _t29, _t58 + 1,  &_v12,  &_v16);
                  					_t74 = _t73 + 0x10;
                  					if(_t28 != 0) {
                  						_v8 = 0;
                  						if(_v16 <= 0) {
                  							L8:
                  							E00424DCE(_v12);
                  							 *_t74 = 0x42e0c8;
                  							return E0041BF12(0x47e6b0);
                  						}
                  						_push(__ebx);
                  						do {
                  							_t61 = _v12;
                  							_t33 = _v8 << 2;
                  							_t68 =  *((intOrPtr*)(_t33 + _t61)) + _v20;
                  							_t53 =  *((intOrPtr*)(_t33 + _t61 + 4)) + _v20;
                  							if(MoveFileExA(_t53, _t68, 5) == 0) {
                  								E0041BE99( &_v32, 0x47dfc8);
                  								E0041C047( &_v32, "\\WININIT.INI", 0);
                  								E00424500( &_v552, 0, 0x104);
                  								E00424500( &_v292, 0, 0x104);
                  								_t74 = _t74 + 0x18;
                  								GetShortPathNameA(_t68,  &_v552, 0x104);
                  								GetShortPathNameA(_t53,  &_v292, 0x104);
                  								WritePrivateProfileStringA("Rename",  &_v552,  &_v292, E0041CD1E( &_v32));
                  								E0041BEFB( &_v32);
                  							}
                  							_v8 = _v8 + 2;
                  						} while (_v8 < _v16);
                  						goto L8;
                  					}
                  				}
                  				return _t28;
                  			}


                  APIs
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • MoveFileExA.KERNEL32 ref: 0041419F
                    • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                    • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                    • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                    • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                    • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                    • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                  • GetShortPathNameA.KERNEL32 ref: 004141F9
                  • GetShortPathNameA.KERNEL32 ref: 00414204
                  • WritePrivateProfileStringA.KERNEL32(Rename,?,?,00000000), ref: 00414222
                    • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                    • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLockUnlock$NamePathShort$FileFreeMovePrivateProfileStringWritelstrlen
                  • String ID: Rename$\WININIT.INI
                  • API String ID: 3587727116-382979624
                  • Opcode ID: d61e163e4b1642f25e9412c7ee909ea501c5c7ad710714f0a50dc1e1a82e982a
                  • Instruction ID: 6ccb05560540a31af43dede7ab03aa05fb632c09e9ebc2799af0b626637c211d
                  • Opcode Fuzzy Hash: d61e163e4b1642f25e9412c7ee909ea501c5c7ad710714f0a50dc1e1a82e982a
                  • Instruction Fuzzy Hash: B03182B1D00118BBDB20EB95EC85EEEB778EF84304F5041AEF505A3181DB386A85CB68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040585D(struct HWND__* _a4, long _a8, signed short _a12, long _a16) {
                  				long _t35;
                  				long _t38;
                  				long _t41;
                  				void* _t42;
                  				long _t50;
                  
                  				if(_a8 != 0x110) {
                  					__eflags = _a8 - 0x111;
                  					if(_a8 == 0x111) {
                  						_t50 = SendDlgItemMessageA(_a4, 0x42a, 0xe, 0, 0);
                  						__eflags = _t50;
                  						EnableWindow(GetDlgItem(_a4, 1), 0 | __eflags > 0x00000000);
                  						__eflags = _a12 >> 0x10;
                  						if(_a12 >> 0x10 == 0) {
                  							__eflags = _a12 - 1;
                  							if(_a12 == 1) {
                  								_t14 = _t50 + 1; // 0x1
                  								_t35 = E00424DD9(_t14);
                  								__eflags = _t35;
                  								_a8 = _t35;
                  								if(_t35 != 0) {
                  									_t16 = _t50 + 1; // 0x1
                  									SendDlgItemMessageA(_a4, 0x42a, 0xd, _t16, _t35);
                  									_t62 = _a8;
                  									 *((char*)(_a8 + _t50)) =  *(_a8 + _t50) & 0x00000000;
                  									_t38 =  *0x47df4c;
                  									__eflags = _t38;
                  									if(_t38 != 0) {
                  										E0041BF12(_t38 + 0x1c, _t62);
                  									}
                  									E00424DCE(_t62);
                  								}
                  							}
                  							EndDialog(_a4, _a12 & 0x0000ffff);
                  						}
                  					}
                  					__eflags = 0;
                  					return 0;
                  				}
                  				_t41 = _a16;
                  				 *0x47df4c = _t41;
                  				if(_t41 != 0) {
                  					SetWindowTextA(_a4, E0041CD1E(_t41 + 0x10));
                  					SetDlgItemTextA(_a4, 0x449, E0041CD1E( *0x47df4c + 4));
                  				}
                  				_t42 = 1;
                  				return _t42;
                  			}


                  APIs
                  • SetWindowTextA.USER32(?,00000000), ref: 00405881
                  • SetDlgItemTextA.USER32 ref: 0040589D
                  • SendDlgItemMessageA.USER32(?,0000042A,0000000E,00000000,00000000), ref: 004058D0
                  • GetDlgItem.USER32 ref: 004058E1
                  • EnableWindow.USER32(00000000), ref: 004058E8
                  • SendDlgItemMessageA.USER32(?,0000042A,0000000D,00000001,00000000), ref: 0040591C
                  • EndDialog.USER32(?,00000001), ref: 00405946
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Item$Global$MessageSendTextWindow$AllocDialogEnableLockUnlock
                  • String ID:
                  • API String ID: 6122972-0
                  • Opcode ID: 98e64860257a9b305ad77235a9a85b4545619def014f5d57034860a6271ff690
                  • Instruction ID: f49f642065d340e3a7ad1b65ce0aa73714bfea6f3ab2296c2f665de5166f183d
                  • Opcode Fuzzy Hash: 98e64860257a9b305ad77235a9a85b4545619def014f5d57034860a6271ff690
                  • Instruction Fuzzy Hash: B7213E71600209ABEB109F61DC45FAB3BA8EF44760F44843AFD05EA1A1DB79D951CF68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E00413C46(void* __ecx, void* __edx, void* __eflags, long _a4, CHAR* _a8) {
                  				void* _v8;
                  				long _v12;
                  				void _v32012;
                  				void* __ebp;
                  				void* _t18;
                  				void* _t35;
                  				void* _t37;
                  				void* _t41;
                  
                  				_t35 = __edx;
                  				E00425220(0x7d08, __ecx);
                  				_t18 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
                  				_v8 = _t18;
                  				if(_t18 != 0xffffffff) {
                  					E0040D85F(_a8);
                  					_t37 = CreateFileA(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
                  					if(_t37 != 0xffffffff) {
                  						_a4 = 0;
                  						do {
                  							ReadFile(_v8,  &_v32012, 0x7d00,  &_a4, 0);
                  							WriteFile(_t37,  &_v32012, _a4,  &_v12, 0);
                  							E00414F7F(_t35, _t41, _a4);
                  						} while (_a4 == 0x7d00);
                  						CloseHandle(_v8);
                  						return CloseHandle(_t37);
                  					}
                  					return CloseHandle(_v8);
                  				}
                  				return _t18;
                  			}


                  APIs
                  • CreateFileA.KERNEL32(0047E880,80000000,00000001,00000000,00000003,00000080,00000000,00000001,00000000,00000000,?,00412393,00000000,00000000,00000000,00000000), ref: 00413C72
                    • Part of subcall function 0040D85F: GetFileAttributesA.KERNEL32(l.B,0047E788,00422E6C,00000000), ref: 0040D865
                    • Part of subcall function 0040D85F: SetFileAttributesA.KERNEL32(l.B,00000000), ref: 0040D874
                    • Part of subcall function 0040D85F: DeleteFileA.KERNEL32(l.B), ref: 0040D87B
                  • CreateFileA.KERNEL32(00000003,40000000,00000001,00000000,00000002,00000080,00000000,?,00412393,00000000,00000000,00000000,00000000,00000000,00000000,0042BC5C), ref: 00413C94
                  • CloseHandle.KERNEL32(00000000,?,00412393,00000000,00000000,00000000,00000000,00000000,00000000,0042BC5C,00000000,00000001,0042C1D8,0042BC5C,00000002,00000000), ref: 00413CA0
                  • ReadFile.KERNEL32(00000000,?,00007D00,0047E880,00000000,?,00412393,00000000,00000000,00000000,00000000,00000000,00000000,0042BC5C,00000000,00000001), ref: 00413CC0
                  • WriteFile.KERNEL32(00000000,?,0047E880,0047E880,00000000,?,00412393,00000000,00000000,00000000,00000000,00000000,00000000,0042BC5C,00000000,00000001), ref: 00413CD6
                  • CloseHandle.KERNEL32(00000000,?,00412393,00000000,00000000,00000000,00000000,00000000,00000000,0042BC5C,00000000,00000001,0042C1D8,0042BC5C,00000002,00000000), ref: 00413CF3
                  • CloseHandle.KERNEL32(00000000,?,00412393,00000000,00000000,00000000,00000000,00000000,00000000,0042BC5C,00000000,00000001,0042C1D8,0042BC5C,00000002,00000000), ref: 00413CF6
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: File$CloseHandle$AttributesCreate$DeleteReadWrite
                  • String ID:
                  • API String ID: 4193614173-0
                  • Opcode ID: 4695edea306db9e0e244aa9cf59e96a1a6b44e21d00fac8a367ea497388d7424
                  • Instruction ID: d6a8e47d74a94cecba19c6bbf340d7de880066c1608b2e882d88da8b899a33ac
                  • Opcode Fuzzy Hash: 4695edea306db9e0e244aa9cf59e96a1a6b44e21d00fac8a367ea497388d7424
                  • Instruction Fuzzy Hash: 56119D3290101CBAEF215F55DC85EEF7F7CEF443A1F10417AB518A61A0CB345E819BA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 81%
                  			E0041F924(intOrPtr __ecx, void* __eflags) {
                  				int _v8;
                  				intOrPtr _v12;
                  				char _v24;
                  				intOrPtr _t18;
                  				int _t25;
                  				struct HDC__* _t32;
                  				int _t34;
                  				void* _t37;
                  
                  				_t37 = __eflags;
                  				_v12 = __ecx;
                  				E0041BE99( &_v24, 0x47eac8);
                  				E0041BFF8( &_v24, 9);
                  				_t32 = GetDC( *0x47e178);
                  				_t25 = GetDeviceCaps(_t32, 8);
                  				_v8 = GetDeviceCaps(_t32, 0xa);
                  				_t34 = GetDeviceCaps(_t32, 0xc);
                  				ReleaseDC( *0x47e178, _t32);
                  				_t18 = _v8;
                  				_push(_t34);
                  				 *0x47e6e8 = _t18;
                  				_push(_t18);
                  				_push(_t25);
                  				 *0x47e6e4 = _t25;
                  				 *0x47e6ec = _t34;
                  				E0041C467( &_v24, "%dx%d %d ");
                  				E0041C0C5( &_v24, _t37, 0x47ead4);
                  				E0041EEC5(_v12,  &_v24);
                  				return E0041BEFB( &_v24);
                  			}


                  APIs
                    • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                    • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                    • Part of subcall function 0041BFF8: GlobalUnlock.KERNEL32(8415FF57,0047E788,004221E2,00000000,00000000,00000000,0047E788,00000000), ref: 0041C000
                    • Part of subcall function 0041BFF8: GlobalReAlloc.KERNEL32 ref: 0041C00D
                    • Part of subcall function 0041BFF8: GlobalLock.KERNEL32 ref: 0041C02E
                  • GetDC.USER32(00000009), ref: 0041F94D
                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 0041F95E
                  • GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041F965
                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041F96D
                  • ReleaseDC.USER32 ref: 0041F978
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                    • Part of subcall function 0041C0C5: GlobalUnlock.KERNEL32(?,00000000,0047E380,?,00421CA7,00000004,?,00000000,00000000,00000000,0047E490,0047E788,0047E380,0047E788,?,00422453), ref: 0041C0DE
                    • Part of subcall function 0041C0C5: GlobalReAlloc.KERNEL32 ref: 0041C0EB
                    • Part of subcall function 0041C0C5: GlobalLock.KERNEL32 ref: 0041C10C
                    • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                    • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocCapsDeviceLockUnlocklstrlen$FreeRelease
                  • String ID: %dx%d %d
                  • API String ID: 2849383836-986776345
                  • Opcode ID: 6701b937088444dcc262592f75ddd3e1e35e50d4286847ffe524a57a5883be79
                  • Instruction ID: 939847e7418d91016d4a78c6a461a2bb1d59a8861e3360f60a2477e60b39c450
                  • Opcode Fuzzy Hash: 6701b937088444dcc262592f75ddd3e1e35e50d4286847ffe524a57a5883be79
                  • Instruction Fuzzy Hash: 91119471900218AFDB00EBA6DC46DEF7B7CFB14B00F50007BB505A3191DA745D458B69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E00414081(char* _a4, intOrPtr _a8) {
                  				char _v8;
                  				void* _v12;
                  				int _v16;
                  				char _v28;
                  				long _t21;
                  				void* _t29;
                  
                  				_t21 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs", 0, 0x2001f,  &_v12);
                  				if(_t21 == 0) {
                  					_v8 = 0;
                  					_v16 = 4;
                  					RegQueryValueExA(_v12, _a4, 0, 0,  &_v8,  &_v16);
                  					_v8 = _v8 + 1;
                  					RegSetValueExA(_v12, _a4, 0, 4,  &_v8, 4);
                  					RegCloseKey(_v12);
                  					E0041BE35( &_v28, _a4);
                  					_t40 = _a8;
                  					if(_a8 != 0) {
                  						E0041C047( &_v28, "|ctrl", 0);
                  					}
                  					_t29 = E0041CD1E( &_v28);
                  					_push(0x47e800);
                  					_push(_t29);
                  					E00421CE6(_t40);
                  					return E0041BEFB( &_v28);
                  				}
                  				return _t21;
                  			}










                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\SharedDLLs,00000000,0002001F,0047E880,00000000,?,000000C0,000000BC,00000003,0047E880,00000000), ref: 0041409E
                  • RegQueryValueExA.ADVAPI32(?,?,00000000), ref: 004140C2
                  • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 004140DA
                  • RegCloseKey.ADVAPI32(?), ref: 004140E3
                    • Part of subcall function 0041BE35: lstrlenA.KERNEL32(00000000,0047DFB8,0047F2B8,0041B2F4,Astrum Installer,00000000,0047DFB8,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000), ref: 0041BE49
                    • Part of subcall function 0041BE35: GlobalAlloc.KERNEL32(00000042,00000000,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 0041BE54
                    • Part of subcall function 0041BE35: GlobalLock.KERNEL32 ref: 0041BE75
                    • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                    • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                    • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                    • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                  Strings
                  • |ctrl, xrefs: 004140FA
                  • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00414094
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLockValuelstrlen$CloseOpenQueryUnlock
                  • String ID: Software\Microsoft\Windows\CurrentVersion\SharedDLLs$|ctrl
                  • API String ID: 707054961-2170158477
                  • Opcode ID: 9287fe5cdd0942b607070d4ffcbdb31c284ae224106b6bf49031bb986ee66167
                  • Instruction ID: 273fb6a66b4209d3a46defa7447582479fda1a1bfef144c825d9ad7138c78fa8
                  • Opcode Fuzzy Hash: 9287fe5cdd0942b607070d4ffcbdb31c284ae224106b6bf49031bb986ee66167
                  • Instruction Fuzzy Hash: 5A111FB594010DBEDB10EFD1DC86EEEBB7CEB14348F50406AB605A10A1DB345E85DB68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040D76B(void* __eflags, struct HWND__* _a4) {
                  				CHAR* _t2;
                  				void* _t24;
                  				struct HWND__* _t25;
                  
                  				_t2 = E0041CD1E(0x47e8a0);
                  				_t25 = _a4;
                  				SetDlgItemTextA(_t25, 3, _t2);
                  				SetDlgItemTextA(_t25, 1, E0041CD1E(0x47e8d0));
                  				SetDlgItemTextA(_t25, 2, E0041CD1E(0x47e8b8));
                  				if(E00419E8A() == 0) {
                  					if(E00419E6A() != 0) {
                  						_t24 = 0x47ef6c;
                  						goto L4;
                  					}
                  				} else {
                  					_t24 = 0x47e8c4;
                  					L4:
                  					SetDlgItemTextA(_t25, 1, E0041CD1E(_t24));
                  				}
                  				if( *0x47e114 != 0) {
                  					SetDlgItemTextA(_t25, 0x41f, E0041CD1E(0x47df68));
                  					E0040EFE7();
                  				}
                  				return 1;
                  			}







                  APIs
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • SetDlgItemTextA.USER32 ref: 0040D786
                  • SetDlgItemTextA.USER32 ref: 0040D796
                  • SetDlgItemTextA.USER32 ref: 0040D7A6
                  • SetDlgItemTextA.USER32 ref: 0040D7D8
                  • SetDlgItemTextA.USER32 ref: 0040D7F4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: ItemText$Global$AllocLockUnlock
                  • String ID: lG
                  • API String ID: 1320547164-1663926740
                  • Opcode ID: 91e4bd00f38452d55a2895847701c7ccddab22c0fce15f7968b8967b6b60ab5d
                  • Instruction ID: d8f0bfc246ea1dac22b33ef5546518489f320966156894edd493a4645e0109dc
                  • Opcode Fuzzy Hash: 91e4bd00f38452d55a2895847701c7ccddab22c0fce15f7968b8967b6b60ab5d
                  • Instruction Fuzzy Hash: D7018460A5020426D11476661C96FFE061F8FC9744F14C47FF6067B2C2CF6D0C8A927E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E00406D11(intOrPtr* __ecx, void* __eflags) {
                  				signed int _t21;
                  				void* _t25;
                  				struct HDC__* _t34;
                  				intOrPtr* _t35;
                  
                  				_t35 = __ecx;
                  				_t1 = _t35 + 8; // 0x8
                  				E00406DE2(_t1);
                  				_t2 = _t35 + 0x70; // 0x70
                  				E0041E814(_t2);
                  				_t3 = _t35 + 0x84; // 0x84
                  				E0041E814(_t3);
                  				 *_t35 = 0x4285cc;
                  				 *((intOrPtr*)(_t35 + 0xa8)) = 0;
                  				 *((char*)(_t35 + 0xac)) = 1;
                  				 *((intOrPtr*)(_t35 + 0x98)) = 0;
                  				if( *0x47df5c == 0) {
                  					_t25 = GlobalAlloc(0x42, 0);
                  					 *0x47df5c = _t25;
                  					 *0x47df58 = GlobalLock(_t25);
                  				}
                  				 *((intOrPtr*)(_t35 + 0x9c)) = 0;
                  				 *((intOrPtr*)(_t35 + 0xa0)) = 0;
                  				 *((intOrPtr*)(_t35 + 0xa4)) = LoadCursorA(0, 0x7f00);
                  				_t34 = GetDC( *0x47e178);
                  				_t21 = MulDiv(0xf4240, GetDeviceCaps(_t34, 0x5a), 0x48);
                  				asm("cdq");
                  				 *0x42b91c = _t21 / 0x535;
                  				ReleaseDC( *0x47e178, _t34);
                  				if(( *0x47e192 & 0x00000004) == 0) {
                  					 *0x42b91c = 0x3e8;
                  				}
                  				return _t35;
                  			}








                  APIs
                    • Part of subcall function 0041E814: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0040E8F7,00000000,0042290E,00000000,00000001,00000000,00000000,00000000,0000005C,00000000,00000000,00000000,00000001), ref: 0041E82A
                    • Part of subcall function 0041E814: GlobalLock.KERNEL32 ref: 0041E834
                  • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00406D56
                  • GlobalLock.KERNEL32 ref: 00406D62
                  • LoadCursorA.USER32 ref: 00406D7F
                  • GetDC.USER32 ref: 00406D91
                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00406D9E
                  • MulDiv.KERNEL32(000F4240,00000000), ref: 00406DAA
                  • ReleaseDC.USER32 ref: 00406DC4
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLock$CapsCursorDeviceLoadRelease
                  • String ID:
                  • API String ID: 360201357-0
                  • Opcode ID: 2efe2023bf81b3e24329aa99aa27404b0337e545e5a23960d49dfbc65c8d11dc
                  • Instruction ID: 5ece2d926049a6a0ac0f62f40905e0d7ac656334098489eecc411e68072f2eeb
                  • Opcode Fuzzy Hash: 2efe2023bf81b3e24329aa99aa27404b0337e545e5a23960d49dfbc65c8d11dc
                  • Instruction Fuzzy Hash: AD110A707017509FE3219F26EC0AB6A7BF4EF55701F80447EEA5A962A0DB741486CF29
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CoInitialize.OLE32(00000000), ref: 0040E285
                  • SHBrowseForFolderA.SHELL32(?), ref: 0040E2B7
                  • SHGetPathFromIDListA.SHELL32(00000000,w@), ref: 0040E2C3
                  • SHGetMalloc.SHELL32(00000000), ref: 0040E2D1
                  • CoUninitialize.OLE32 ref: 0040E2E5
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: BrowseFolderFromInitializeListMallocPathUninitialize
                  • String ID: w@
                  • API String ID: 50853812-3933844196
                  • Opcode ID: 871ff91e918a476b10dcbb04aa0b531a60d8972d50d1ef0aa5e56f6c00e180a7
                  • Instruction ID: dcf86f71e1ec0a2d11d85a577e1a136d4c66ffd2969777ac98c319ca4d3b7e98
                  • Opcode Fuzzy Hash: 871ff91e918a476b10dcbb04aa0b531a60d8972d50d1ef0aa5e56f6c00e180a7
                  • Instruction Fuzzy Hash: D0010475A01209EFCB10DFA5D949BEF7BF8FB48306F104069E401E6290DB749A16CFA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E0041C467(intOrPtr* _a4, CHAR* _a8) {
                  				signed char _v5;
                  				char _v6;
                  				signed char* _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				signed int _v31;
                  				char _v32;
                  				char _v48;
                  				signed int _v83;
                  				char _v84;
                  				signed char* _t86;
                  				signed char* _t89;
                  				signed char _t90;
                  				signed int _t91;
                  				char* _t95;
                  				signed char* _t97;
                  				signed char* _t107;
                  				signed char _t108;
                  				signed int _t111;
                  				signed char _t112;
                  				signed char* _t116;
                  				CHAR* _t121;
                  				void* _t123;
                  				void* _t127;
                  				void* _t129;
                  				void* _t132;
                  				signed int _t138;
                  				signed int _t139;
                  				signed int _t140;
                  				signed char _t142;
                  				signed char _t143;
                  				intOrPtr _t144;
                  				void* _t145;
                  				void* _t146;
                  
                  				_t144 =  *_a4;
                  				_t143 = 0;
                  				E0041C047(_a4, _a8, 0);
                  				if(lstrlenA(_a8) - 1 > 0) {
                  					_t86 =  &_a8;
                  					_v12 = _t86;
                  					while(1) {
                  						_t121 = _a8;
                  						if( *((char*)(_t143 + _t121)) != 0x25) {
                  							goto L35;
                  						}
                  						_t123 =  *((char*)(_t143 + _t121 + 1)) - 0x62;
                  						if(_t123 == 0) {
                  							_t89 =  &(_t86[4]);
                  							_v12 = _t89;
                  							_t90 =  *_t89;
                  							__eflags = _t90;
                  							if(__eflags != 0) {
                  								_t53 =  &_v16;
                  								 *_t53 = _v16 & 0x00000000;
                  								__eflags =  *_t53;
                  								_v20 = 0x1f;
                  								do {
                  									_t138 = 1;
                  									_t139 = _t138 << _v20;
                  									__eflags = _t90 & _t139;
                  									_t140 = _t139 & 0xffffff00 | (_t90 & _t139) != 0x00000000;
                  									__eflags = _t140;
                  									if(_t140 != 0) {
                  										L29:
                  										_t63 =  &_v16;
                  										 *_t63 = _v16 + 1;
                  										__eflags =  *_t63;
                  										 *((char*)(_t145 + _v16 - 0x50)) = _t140 + 0x30;
                  									} else {
                  										__eflags = _v16;
                  										if(_v16 != 0) {
                  											goto L29;
                  										}
                  									}
                  									_t67 =  &_v20;
                  									 *_t67 = _v20 - 1;
                  									__eflags =  *_t67;
                  								} while ( *_t67 >= 0);
                  								_t91 = _v16;
                  								_t70 = _t145 + _t91 - 0x50;
                  								 *_t70 =  *(_t145 + _t91 - 0x50) & 0x00000000;
                  								__eflags =  *_t70;
                  							} else {
                  								_v83 = _v83 & _t90;
                  								_v84 = 0x30;
                  							}
                  							E0041CBF9(_a4, __eflags, "%b",  &_v84, _t143 + _t144, 1, 1);
                  							_t95 =  &_v84;
                  							goto L33;
                  						} else {
                  							_t127 = _t123 - 1;
                  							if(_t127 == 0) {
                  								_t97 =  &(_t86[4]);
                  								_v12 = _t97;
                  								_v5 = _v5 & 0x00000000;
                  								_v6 =  *_t97;
                  								E0041CBF9(_a4, __eflags, "%d",  &_v6, _t143 + _t144, 1, 1);
                  								_t144 = _t144 - 1;
                  							} else {
                  								_t129 = _t127 - 1;
                  								if(_t129 == 0) {
                  									_v12 =  &(_t86[4]);
                  									E00427836(_t86[4],  &_v48, 0xa);
                  									_t146 = _t146 + 0xc;
                  									E0041CBF9(_a4, __eflags, "%d",  &_v48, _t143 + _t144, 1, 1);
                  									_t95 =  &_v48;
                  									goto L33;
                  								} else {
                  									_t132 = _t129 - 4;
                  									if(_t132 == 0) {
                  										_t107 =  &(_t86[4]);
                  										_v12 = _t107;
                  										_t108 =  *_t107;
                  										__eflags = _t108;
                  										_v20 = _t108;
                  										if(__eflags != 0) {
                  											_t142 = 0;
                  											__eflags = 0;
                  											_v16 = 0x1c;
                  											do {
                  												_t111 = _v20 >> _v16 & 0x0000000f;
                  												__eflags = _t142;
                  												if(_t142 != 0) {
                  													L15:
                  													__eflags = _t111 - 0xa;
                  													if(_t111 >= 0xa) {
                  														_t112 = _t111 + 0x37;
                  														__eflags = _t112;
                  													} else {
                  														_t112 = _t111 + 0x30;
                  													}
                  													 *(_t145 + _t142 - 0x1c) = _t112;
                  													_t142 = _t142 + 1;
                  													__eflags = _t142;
                  												} else {
                  													__eflags = _t111;
                  													if(_t111 != 0) {
                  														goto L15;
                  													}
                  												}
                  												_t26 =  &_v16;
                  												 *_t26 = _v16 - 4;
                  												__eflags =  *_t26;
                  											} while ( *_t26 >= 0);
                  											_t28 = _t145 + _t142 - 0x1c;
                  											 *_t28 =  *(_t145 + _t142 - 0x1c) & 0x00000000;
                  											__eflags =  *_t28;
                  										} else {
                  											_v31 = _v31 & _t108;
                  											_v32 = 0x30;
                  										}
                  										E0041CBF9(_a4, __eflags, "%h",  &_v32, _t143 + _t144, 1, 1);
                  										_t95 =  &_v32;
                  										L33:
                  										_push(_t95);
                  										goto L34;
                  									} else {
                  										_t153 = _t132 == 0xb;
                  										if(_t132 == 0xb) {
                  											_t116 =  &(_t86[4]);
                  											_v12 = _t116;
                  											_v20 =  *_t116;
                  											E0041CBF9(_a4, _t153, "%s",  *_t116, _t143 + _t144, 1, 1);
                  											_push(_v20);
                  											L34:
                  											_t79 = lstrlenA() - 2; // 0x3a73656c
                  											_t144 = _t144 + _t79;
                  										}
                  									}
                  								}
                  							}
                  						}
                  						L35:
                  						_t143 = _t143 + 1;
                  						if(_t143 < lstrlenA(_a8) - 1) {
                  							_t86 = _v12;
                  							continue;
                  						}
                  						goto L36;
                  					}
                  				}
                  				L36:
                  				return _a4;
                  			}






































                  APIs
                    • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                    • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                    • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                    • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                  • lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                  • lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                    • Part of subcall function 0041CBF9: lstrlenA.KERNEL32(00000000,00000001,0042DB90,74786980,0042DB90,?,0041C63B,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041CC0B
                    • Part of subcall function 0041CBF9: lstrlenA.KERNEL32(00000001,?,0041C63B,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041CC12
                  • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: lstrlen$Global$AllocLockUnlock
                  • String ID: 0$0$Files:
                  • API String ID: 4127010206-878858382
                  • Opcode ID: 113a8afbf2adde3107a447d089c6d2c3fd82a06444fa93a62c1bca81b52230a8
                  • Instruction ID: 0ebba43547ad7c447cfe6da4dc9b66f8907a2b5e87f98b2ae228ac07d7ae3c7d
                  • Opcode Fuzzy Hash: 113a8afbf2adde3107a447d089c6d2c3fd82a06444fa93a62c1bca81b52230a8
                  • Instruction Fuzzy Hash: 7651CE31E44259BBEF05CFA8CCC5BEEBBB5EF04304F14805AE401AA281D779AA85CB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 81%
                  			E0041ED05(struct HWND__** __ecx) {
                  				signed int _v8;
                  				signed int _v12;
                  				struct tagRECT _v28;
                  				struct tagRECT _v44;
                  				struct HDC__* _t61;
                  				signed int _t67;
                  				signed int _t73;
                  				signed int _t74;
                  				void* _t81;
                  				signed int _t83;
                  				void* _t95;
                  				signed int _t104;
                  				signed int _t105;
                  				signed int _t106;
                  				signed int _t109;
                  				long _t120;
                  				signed int _t121;
                  				struct HDC__* _t122;
                  				long _t123;
                  				struct HWND__** _t124;
                  
                  				_t124 = __ecx;
                  				_t61 =  *(__ecx + 4);
                  				if(_t61 == 0 || ( *(__ecx + 0x24) & 0x00000004) != 0) {
                  					L16:
                  					return 0;
                  				} else {
                  					_t120 = 2;
                  					_v28.left = _t120;
                  					_v28.right =  *((intOrPtr*)(__ecx + 0x1c)) -  *((intOrPtr*)(__ecx + 0x14)) - _t120;
                  					_v28.top = _t120;
                  					_v28.bottom =  *((intOrPtr*)(__ecx + 0x20)) -  *((intOrPtr*)(__ecx + 0x18)) - _t120;
                  					if(FillRect(_t61,  &_v28, 0x10) != 0) {
                  						_t104 = 0x64;
                  						_t67 = ( *((intOrPtr*)(__ecx + 0x1c)) -  *((intOrPtr*)(__ecx + 0x14)) - 4) *  *(__ecx + 0x10);
                  						asm("cdq");
                  						_t113 = _t67 % _t104;
                  						_t105 = _t67 / _t104;
                  						if(( *(__ecx + 0x24) & 0x00000001) == 0) {
                  							_t121 =  *((intOrPtr*)(__ecx + 0x28)) + 2;
                  							asm("cdq");
                  							_t73 = (_t121 - _t113 >> 1) + _t105;
                  							_t106 = 0;
                  							asm("cdq");
                  							_t74 = _t73 / _t121;
                  							_t113 = _t73 % _t121;
                  							_v12 = _t74;
                  							if(_t74 <= 0) {
                  								L11:
                  								if((_t124[9] & 0x00000001) == 0 || E0041EB0F(_t124, _t113) >= 0) {
                  									_t122 = GetDC( *_t124);
                  									if(_t122 != 0) {
                  										if(BitBlt(_t122, _t124[5], _t124[6], _t124[7] - _t124[5], _t124[8] - _t124[6], _t124[1], 0, 0, 0xcc0020) != 0) {
                  											_push(1);
                  										} else {
                  											_push(0xfffffff7);
                  										}
                  										_pop(_t95);
                  										ReleaseDC( *_t124, _t122);
                  										return _t95;
                  									}
                  									goto L16;
                  								} else {
                  									_push(0xfffffff8);
                  									L14:
                  									_pop(_t81);
                  									return _t81;
                  								}
                  							}
                  							_t123 = 3;
                  							while(1) {
                  								_t83 =  &(_t124[0xa]->i);
                  								_v44.top = _t123;
                  								_t113 = _t83 * _t106 + _t123;
                  								_t109 = _t106 + 1;
                  								_v8 = _t109;
                  								_v44.left = _t83 * _t106 + _t123;
                  								_v44.right = _t109 * _t83 + 1;
                  								_v44.bottom = _t124[8] - _t124[6] - _t123;
                  								if(FillRect(_t124[1],  &_v44, _t124[3]) == 0) {
                  									break;
                  								}
                  								_t106 = _v8;
                  								if(_t106 < _v12) {
                  									continue;
                  								}
                  								goto L11;
                  							}
                  							L6:
                  							_push(0xfffffff9);
                  							goto L14;
                  						}
                  						_v44.left = _t120;
                  						_v44.top = _t120;
                  						_v44.right = _t105 + 2;
                  						_v44.bottom =  *((intOrPtr*)(__ecx + 0x20)) -  *((intOrPtr*)(__ecx + 0x18)) - _t120;
                  						if(FillRect( *(__ecx + 4),  &_v44,  *(__ecx + 0xc)) != 0) {
                  							goto L11;
                  						}
                  						goto L6;
                  					}
                  					_push(0xfffffffa);
                  					goto L14;
                  				}
                  			}

                  APIs
                  Similarity
                  • API ID: FillRect$Release
                  • String ID:
                  • API String ID: 1083154806-0
                  • Opcode ID: 39eeff6ec04cb99a4edfaf3109efffefae14775aa6b410768b86bd2bcacc964e
                  • Instruction ID: 51cebc95b3b2b8c5e61734997514edc2417931a881d4bd94c21e6ef9b22fab1f
                  • Opcode Fuzzy Hash: 39eeff6ec04cb99a4edfaf3109efffefae14775aa6b410768b86bd2bcacc964e
                  • Instruction Fuzzy Hash: 4C51E375A007069FDB24CF6ACD45AABFBF9EF88710F10461EE942D2690D770E981CB18
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040A736(char __ecx) {
                  				char _v8;
                  				char _v12;
                  				char _v272;
                  				int _t36;
                  				char _t84;
                  				void* _t86;
                  
                  				_t84 = __ecx;
                  				_v8 = __ecx;
                  				if(( *0x47e194 & 0x00000001) != 0) {
                  					E0041DBA4( *((intOrPtr*)(__ecx + 4)), 0x14,  &_v12);
                  					_t86 = _t86 + 0xc;
                  					E0041BF12(0x47e1b8, _v12);
                  					_t36 = E00424DCE(_v12);
                  				}
                  				if(( *0x47e194 & 0x00000004) != 0) {
                  					E0041DBA4( *(_t84 + 4), 0x15,  &_v12);
                  					_t86 = _t86 + 0xc;
                  					E0041BF12(0x47e1c4, _v12);
                  					_t36 = E00424DCE(_v12);
                  				}
                  				if(( *0x47e194 & 0x00000010) != 0) {
                  					if(( *0x47e190 & 0x00000080) == 0) {
                  						E0041DBA4( *(_t84 + 4), 0x16,  &_v8);
                  						E0041BF12(0x47e1d0, _v8);
                  						return E00424DCE(_v8);
                  					}
                  					GetDlgItemTextA( *(_t84 + 4), 0x17,  &_v272, 0x104);
                  					_t36 = lstrlenA( &_v272);
                  					if(_t36 ==  *0x47e664) {
                  						E0041BF12(0x47e1d0,  &_v272);
                  						E0041BFF8(0x47e1d0, 0x2d);
                  						GetDlgItemTextA( *(_v8 + 4), 0x18,  &_v272, 0x104);
                  						if(lstrlenA( &_v272) !=  *0x47e668) {
                  							L10:
                  							return E0041BF12(0x47e1d0, 0x42e0c8);
                  						}
                  						E0041C047(0x47e1d0,  &_v272, 0);
                  						E0041BFF8(0x47e1d0, 0x2d);
                  						GetDlgItemTextA( *(_v8 + 4), 0x19,  &_v272, 0x104);
                  						if(lstrlenA( &_v272) !=  *0x47e66c) {
                  							goto L10;
                  						}
                  						return E0041C047(0x47e1d0,  &_v272, 0);
                  					}
                  				}
                  				return _t36;
                  			}

                  APIs
                  • GetDlgItemTextA.USER32 ref: 0040A7D8
                  • lstrlenA.KERNEL32(?), ref: 0040A7E7
                  • GetDlgItemTextA.USER32 ref: 0040A825
                  • lstrlenA.KERNEL32(?), ref: 0040A82E
                  • GetDlgItemTextA.USER32 ref: 0040A865
                  • lstrlenA.KERNEL32(?), ref: 0040A86E
                    • Part of subcall function 0041DBA4: GetDlgItem.USER32 ref: 0041DBAF
                    • Part of subcall function 0041DBA4: GetWindowTextLengthA.USER32(00000000), ref: 0041DBB8
                    • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0221020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                    • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                    • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                    • Part of subcall function 0041BF12: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0047DFB8), ref: 0041BF2C
                  Similarity
                  • API ID: ItemTextlstrlen$Global$AllocLengthLockUnlockWindow
                  • String ID:
                  • API String ID: 3218319920-0
                  • Opcode ID: a958e4ce70b71c14c951e7f8eeb3b4799bad585ea4ebaa6a7b20b7fa26e27c02
                  • Instruction ID: c3ea2f18b3b25a3017e395926b3782d2fe5e2a6f3110804de850d1408f6535d8
                  • Opcode Fuzzy Hash: a958e4ce70b71c14c951e7f8eeb3b4799bad585ea4ebaa6a7b20b7fa26e27c02
                  • Instruction Fuzzy Hash: 834104B5600218ABEB11E751DC42FDD77A8DF08708F4081BBF608A21E2D7789E819F4D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 78%
                  			E004272C5(int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, signed int _a28) {
                  				int _v8;
                  				intOrPtr _v20;
                  				short* _v28;
                  				short _v32;
                  				int _v36;
                  				short* _v40;
                  				void* _v56;
                  				int _t31;
                  				int _t32;
                  				int _t37;
                  				int _t43;
                  				int _t44;
                  				int _t45;
                  				void* _t53;
                  				short* _t60;
                  				int _t61;
                  				intOrPtr _t62;
                  				short* _t63;
                  
                  				_push(0xffffffff);
                  				_push(0x428b28);
                  				_push(E00424EE0);
                  				_push( *[fs:0x0]);
                  				 *[fs:0x0] = _t62;
                  				_t63 = _t62 - 0x18;
                  				_v28 = _t63;
                  				_t31 =  *0x47f4a4; // 0x1
                  				if(_t31 != 0) {
                  					L6:
                  					if(_t31 != 2) {
                  						if(_t31 != 1) {
                  							goto L18;
                  						} else {
                  							if(_a20 == 0) {
                  								_t44 =  *0x47f4cc; // 0x0
                  								_a20 = _t44;
                  							}
                  							asm("sbb eax, eax");
                  							_t37 = MultiByteToWideChar(_a20, ( ~_a28 & 0x00000008) + 1, _a8, _a12, 0, 0);
                  							_v36 = _t37;
                  							if(_t37 == 0) {
                  								goto L18;
                  							} else {
                  								_v8 = 0;
                  								E00425220(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
                  								_v28 = _t63;
                  								_t60 = _t63;
                  								_v40 = _t60;
                  								E00424500(_t60, 0, _t37 + _t37);
                  								_v8 = _v8 | 0xffffffff;
                  								if(_t60 == 0) {
                  									goto L18;
                  								} else {
                  									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
                  									if(_t43 == 0) {
                  										goto L18;
                  									} else {
                  										_t32 = GetStringTypeW(_a4, _t60, _t43, _a16);
                  									}
                  								}
                  							}
                  						}
                  					} else {
                  						_t45 = _a24;
                  						if(_t45 == 0) {
                  							_t45 =  *0x47f4bc; // 0x0
                  						}
                  						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12, _a16);
                  					}
                  				} else {
                  					_push( &_v32);
                  					_t61 = 1;
                  					if(GetStringTypeW(_t61, 0x428b24, _t61, ??) == 0) {
                  						if(GetStringTypeA(0, _t61, 0x428b20, _t61,  &_v32) == 0) {
                  							L18:
                  							_t32 = 0;
                  						} else {
                  							_t31 = 2;
                  							goto L5;
                  						}
                  					} else {
                  						_t31 = _t61;
                  						L5:
                  						 *0x47f4a4 = _t31;
                  						goto L6;
                  					}
                  				}
                  				 *[fs:0x0] = _v20;
                  				return _t32;
                  			}

                  APIs
                  • GetStringTypeW.KERNEL32(00000001,00428B24,00000001,00000000,?,00000100,00000000,00426E86,00000001,00000020,00000100,?,00000000), ref: 00427304
                  • GetStringTypeA.KERNEL32(00000000,00000001,00428B20,00000001,00000000,?,00000100,00000000,00426E86,00000001,00000020,00000100,?,00000000), ref: 0042731E
                  • GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,00426E86,00000001,00000020,00000100,?,00000000), ref: 00427352
                  • MultiByteToWideChar.KERNEL32(00426E86,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,00426E86,00000001,00000020,00000100,?,00000000), ref: 0042738A
                  • MultiByteToWideChar.KERNEL32(00426E86,00000001,00000100,00000020,?,00000100,?,00000100,00000000,00426E86,00000001,00000020,00000100,?), ref: 004273E0
                  • GetStringTypeW.KERNEL32(?,?,00000000,00000001,?,00000100,?,00000100,00000000,00426E86,00000001,00000020,00000100,?), ref: 004273F2
                  Similarity
                  • API ID: StringType$ByteCharMultiWide
                  • String ID:
                  • API String ID: 3852931651-0
                  • Opcode ID: 61453ecd1c249a1ce5133ae697db4f5c2d8e35c1aecd411161b274758355ec87
                  • Instruction ID: 6be327ffa1a4198f4d6f994e72d681d04775553015f1cfaff04cbce36024448d
                  • Opcode Fuzzy Hash: 61453ecd1c249a1ce5133ae697db4f5c2d8e35c1aecd411161b274758355ec87
                  • Instruction Fuzzy Hash: 11418B7270522AAFCF20CF94EC85AAF3F68FB09350F50442AFD11D22A0D7788951DB99
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E0041A2C6(void* __ecx) {
                  				CHAR* _v8;
                  				void* _t10;
                  				void* _t14;
                  				char* _t17;
                  				CHAR* _t20;
                  				void* _t34;
                  
                  				_push(__ecx);
                  				_t34 = __ecx;
                  				if(( *0x47e192 & 0x00000020) == 0) {
                  					L6:
                  					_push(1);
                  					L7:
                  					_pop(_t10);
                  					return _t10;
                  				}
                  				E0041B3B9(__ecx, 0x47e670, 0x7fffffff);
                  				E0041B3B9(_t34, 0x47e67c, 0x7fffffff);
                  				_t14 = E0041CD1E(0x47e67c);
                  				if(E0041DAE7( *0x47e660, E0041CD1E(0x47e670), _t14,  &_v8) <= 0) {
                  					__eflags =  *0x47e338; // 0x10
                  					if(__eflags != 0) {
                  						goto L6;
                  					}
                  					_t17 = E0041D46F("<__Internal_DirNotFound__>");
                  					__eflags = _t17;
                  					if(_t17 == 0) {
                  						_t17 = "Couldn\'t read destination directory from registry. Aborting";
                  					}
                  					E0041B2A8(0, _t17, 0);
                  					_push(0xffffffec);
                  					goto L7;
                  				}
                  				E0041BF12(0x47e338, _v8);
                  				_t20 = _v8;
                  				if( *_t20 != 0 &&  *((char*)(lstrlenA(_t20) + _v8 - 1)) != 0x5c) {
                  					E0041BFF8(0x47e338, 0x5c);
                  				}
                  				E00424DCE(_v8);
                  				goto L6;
                  			}

                  APIs
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                    • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0221020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                    • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                    • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                  • lstrlenA.KERNEL32(0041817C,0041817C,00000001,00000000,?,0041817C,?,?,0047DFB8,00000000), ref: 0041A33C
                    • Part of subcall function 0041BFF8: GlobalUnlock.KERNEL32(8415FF57,0047E788,004221E2,00000000,00000000,00000000,0047E788,00000000), ref: 0041C000
                    • Part of subcall function 0041BFF8: GlobalReAlloc.KERNEL32 ref: 0041C00D
                    • Part of subcall function 0041BFF8: GlobalLock.KERNEL32 ref: 0041C02E
                  Similarity
                  • API ID: Global$AllocLockUnlock$lstrlen
                  • String ID: 8G$<__Internal_DirNotFound__>$Couldn't read destination directory from registry. Aborting$pG$|G
                  • API String ID: 878976672-2294415296
                  • Opcode ID: 1d2f0c179e2808cabb6edd0fc3a47c8b5d393f36232cda0ed35bcb0b05661669
                  • Instruction ID: 98707ccd7f9e9314107195a16b5fe33a87529964cf95b42a167967a965c268bb
                  • Opcode Fuzzy Hash: 1d2f0c179e2808cabb6edd0fc3a47c8b5d393f36232cda0ed35bcb0b05661669
                  • Instruction Fuzzy Hash: B7113B706412286ADB1173668C06FEF2A5DCF45324F6441AFFD18E72D1CB6C0D8092AD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041A256(void* __ecx) {
                  				struct tagMSG _v32;
                  				intOrPtr _t15;
                  				void* _t24;
                  
                  				_t24 = __ecx;
                  				L1:
                  				while(PeekMessageA( &_v32, 0, 0, 0, 0) != 0) {
                  					if(GetMessageA( &_v32, 0, 0, 0) == 0) {
                  						return _v32.wParam;
                  					}
                  					_t3 = _t24 + 0x158; // 0x0
                  					_t15 =  *_t3;
                  					if(_t15 == 0 || IsDialogMessageA( *(_t15 + 4),  &_v32) == 0) {
                  						TranslateMessage( &_v32);
                  						DispatchMessageA( &_v32);
                  					}
                  				}
                  				WaitMessage();
                  				goto L1;
                  			}







                  APIs
                  • PeekMessageA.USER32 ref: 0041A26A
                  • GetMessageA.USER32 ref: 0041A27B
                  • IsDialogMessageA.USER32(?,?,?,0041529B,00000000,?,?,00000000), ref: 0041A297
                  • TranslateMessage.USER32(?), ref: 0041A2A5
                  • DispatchMessageA.USER32 ref: 0041A2AF
                  • WaitMessage.USER32(?,0041529B,00000000,?,?,00000000), ref: 0041A2B7
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Message$DialogDispatchPeekTranslateWait
                  • String ID:
                  • API String ID: 3298547167-0
                  • Opcode ID: 604008bfe091b565b834a33188d37d6adf91f7f09843a3d340f2d604e6b1a507
                  • Instruction ID: 9a9fed00297a081154bdabad59b2a154639d1f590cc810b1ff3e124008c44952
                  • Opcode Fuzzy Hash: 604008bfe091b565b834a33188d37d6adf91f7f09843a3d340f2d604e6b1a507
                  • Instruction Fuzzy Hash: BC012171A03116AB8B209BA5DC4CCEFBB7CEF417917444069B805D2214DA39E946C7B9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E0040C66A(void* __ecx) {
                  				signed int _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				char _v28;
                  				char _v40;
                  				signed int _v44;
                  				intOrPtr _v64;
                  				char* _v68;
                  				long _v80;
                  				void* _v84;
                  				char _v340;
                  				void* __edi;
                  				void* __ebp;
                  				signed int* _t84;
                  				signed int* _t111;
                  				void* _t129;
                  				signed int* _t131;
                  				signed int* _t144;
                  				signed int* _t167;
                  				signed int _t169;
                  				long _t171;
                  				signed int _t172;
                  				signed int* _t174;
                  				void* _t176;
                  
                  				_t129 = __ecx;
                  				_t174 = 0;
                  				 *0x47e608 = 0;
                  				_t84 =  *(__ecx + 0xb0);
                  				_t169 = _t84[1];
                  				_v44 = _t169;
                  				if(_t169 != 0) {
                  					_t131 =  *0x47e604; // 0x0
                  					if(_t131 != 0) {
                  						_push(3);
                  						E0040C90C(_t131, _t169);
                  					}
                  					_t84 = E00424DD9((_t169 << 4) + 4);
                  					if(_t84 != _t174) {
                  						 *_t84 = _t169;
                  						_t4 =  &(_t84[1]); // 0x4
                  						_t174 = _t4;
                  						_t84 = _t169 - 1;
                  						if(_t84 >= 0) {
                  							_t6 =  &(_t174[1]); // 0x8
                  							_v12 = _t6;
                  							_v8 =  &(_t84[0]);
                  							do {
                  								_t84 = E0041BDC5(_v12);
                  								_v12 = _v12 + 0x10;
                  								_t12 =  &_v8;
                  								 *_t12 = _v8 - 1;
                  							} while ( *_t12 != 0);
                  						}
                  					}
                  					 *0x47e604 = _t174;
                  					if(_t174 == 0) {
                  						_t84 = E0041D881(E0041CD1E(0x47e924));
                  					}
                  					_v12 = _v12 & 0x00000000;
                  					 *0x47e608 = _t169;
                  					if(_t169 > 0) {
                  						_v16 = _v16 & 0x00000000;
                  						do {
                  							_t84 = E00406060( *((intOrPtr*)(_t129 + 0xb0)), _v12);
                  							_v8 = _t84;
                  							if(_t84 != 0) {
                  								E0041BDC5( &_v40);
                  								E0041BDC5( &_v28);
                  								_t171 =  *_v8;
                  								E00424500( &_v84, 0, 0x28);
                  								_t176 = _t176 + 0xc;
                  								_v68 =  &_v340;
                  								_v84 = 0x11;
                  								_v64 = 0x100;
                  								_v80 = _t171;
                  								SendMessageA( *( *((intOrPtr*)(_t129 + 0xb0)) + 0xc), 0x110c, 0,  &_v84);
                  								E0041BF12( &_v28, _v68);
                  								if(E0041C7DB( &_v28, "(", 0, 1) != 0xffffffff) {
                  									E0041C3A9( &_v28, _t98 - 1, _v28 - _t98 + 1);
                  								}
                  								E0041BF80( &_v40,  &_v28);
                  								while(1) {
                  									_t171 = SendMessageA( *( *((intOrPtr*)(_t129 + 0xb0)) + 0xc), 0x110a, 3, _t171);
                  									if(_t171 == 0) {
                  										break;
                  									}
                  									_v80 = _t171;
                  									SendMessageA( *( *((intOrPtr*)(_t129 + 0xb0)) + 0xc), 0x110c, 0,  &_v84);
                  									E0041BF12( &_v28, _v68);
                  									if(E0041C7DB( &_v28, "(", 0, 1) != 0xffffffff) {
                  										E0041C3A9( &_v28, _t118 - 1, _v28 - _t118 + 1);
                  									}
                  									E0041CA20( &_v40, "_", 0, 0);
                  									E0041CA20( &_v40, E0041CD1E( &_v28), 0, 0);
                  								}
                  								E0041CA20( &_v40, "<II_", 0, 0);
                  								E0041C047( &_v40, ">", 0);
                  								_t172 = _v8;
                  								__eflags =  *((intOrPtr*)(_t172 + 8));
                  								if( *((intOrPtr*)(_t172 + 8)) <= 0) {
                  									_push("0");
                  								} else {
                  									_push(0x42b9bc);
                  								}
                  								_push(E0041CD1E( &_v40));
                  								E0041D0FD( &_v40);
                  								_v8 = _v8 & 0x00000000;
                  								__eflags =  *((intOrPtr*)(_t172 + 0x18));
                  								if( *((intOrPtr*)(_t172 + 0x18)) > 0) {
                  									do {
                  										_t111 =  *0x47e604; // 0x0
                  										E0041BFF8( &(_t111[1]) + _v16, 9);
                  										_v8 = _v8 + 1;
                  										__eflags = _v8 -  *((intOrPtr*)(_t172 + 0x18));
                  									} while (_v8 <  *((intOrPtr*)(_t172 + 0x18)));
                  								}
                  								_t167 =  *0x47e604; // 0x0
                  								__eflags =  *((intOrPtr*)(_t172 + 8));
                  								 *(_t167 + _v16) = 0 |  *((intOrPtr*)(_t172 + 8)) > 0x00000000;
                  								_t144 =  *0x47e604; // 0x0
                  								__eflags = _t172 + 0xc;
                  								_t75 =  &(_t144[1]); // 0x4
                  								E0041C0C5(_t75 + _v16, _t172 + 0xc, _t172 + 0xc);
                  								E0041BEFB( &_v28);
                  								_t84 = E0041BEFB( &_v40);
                  								_t169 = _v44;
                  							}
                  							_v12 = _v12 + 1;
                  							_v16 = _v16 + 0x10;
                  							__eflags = _v12 - _t169;
                  						} while (_v12 < _t169);
                  					}
                  				}
                  				return _t84;
                  			}




























                  APIs
                  • SendMessageA.USER32(00000000,0000110C,00000000,?), ref: 0040C782
                  • SendMessageA.USER32(00000000,0000110A,00000003,?), ref: 0040C7D4
                  • SendMessageA.USER32(00000000,0000110C,00000000,00000011), ref: 0040C7F3
                    • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0221020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                    • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                    • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                    • Part of subcall function 0041C7DB: lstrlenA.KERNEL32(0047DFB8,00000000,0047DE94,0042BC5C,0042BC5C,00000000,00000001,0047E6C8,?,0047DFB8), ref: 0041C7E9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: GlobalMessageSend$AllocLockUnlocklstrlen
                  • String ID: $G$<II_
                  • API String ID: 1494865645-922916322
                  • Opcode ID: b9f56a72e6b5cccd65ee82c4a017a634706126ff13888642351831db160f8511
                  • Instruction ID: f4c6c7f1c56e6f66badf9017ba5c36f6f732dc675927b6575f4ba8211be110fc
                  • Opcode Fuzzy Hash: b9f56a72e6b5cccd65ee82c4a017a634706126ff13888642351831db160f8511
                  • Instruction Fuzzy Hash: A681AE71A40209EBDB14EB95CC82FEEB7B5EF04704F60416EE501BB2D1DB74A985CB88
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E00411692(intOrPtr __ecx, void* __eflags, long _a4, long* _a8, intOrPtr* _a12, char* _a16) {
                  				intOrPtr _v8;
                  				char _v20;
                  				void* _t24;
                  				short _t32;
                  				void* _t35;
                  				void* _t53;
                  				void* _t55;
                  				void* _t83;
                  				long _t84;
                  				signed int _t86;
                  				signed int _t87;
                  
                  				_t84 = _a4;
                  				_t3 = _t84 + 0x34; // 0x0
                  				_v8 = __ecx;
                  				_t24 = E0041CD1E(0x47e6c8);
                  				_t60 = _a8;
                  				if(E0041CAC5(_a8, _t24,  *_a12,  *_t3) >= 0) {
                  					E004164B1(0x47dfb8, __eflags, _t60);
                  					E0041A81A(__eflags, _t60);
                  					E0041B3B9(0x47dfb8, _t60, 0x7fffffff);
                  					 *_a16 = 1;
                  					_t8 = _t84 + 0x34; // 0x0
                  					 *0x47f200 =  *0x47f200 +  *_t8;
                  					_t32 = E0040DF52(E0041CD1E(_t60));
                  					__eflags = _t32;
                  					if(_t32 != 0) {
                  						_t83 = CreateFileA(E0041CD1E(_t60), 0x80000000, 1, 0, 3, 0x80, 0);
                  						__eflags = _t83 - 0xffffffff;
                  						if(_t83 != 0xffffffff) {
                  							_a4 = _a4 & 0x00000000;
                  							 *((intOrPtr*)(_t84 + 0x34)) = GetFileSize(_t83,  &_a4);
                  							_t19 = _t84 + 0x10; // 0x47e890
                  							_t20 = _t84 + 0x18; // 0x47e898
                  							GetFileTime(_t83, _t20, 0, _t19);
                  							CloseHandle(_t83);
                  							_t21 = _t84 + 0x24; // 0x47e8a4
                  							_t22 = _t84 + 0x20; // 0x47e8a0
                  							E0040D883(E0041CD1E(_t60), _t22, _t21);
                  							__eflags = _t84 + 0x28;
                  							E0040D917(E0041CD1E(_t60), _t84 + 0x28, 0);
                  						}
                  						_t35 = 1;
                  						return _t35;
                  					}
                  					E0041BDC5( &_v20);
                  					_push(E0041CD1E(_t60));
                  					E0041C467( &_v20, E0041CD1E(0x47ee94));
                  					_t53 = E0041CD1E(0x47e700);
                  					_t86 =  *(_v8 + 8);
                  					_t55 = E0041B2CC(0x47dfb8, _t86, E0041CD1E( &_v20), _t53, 4);
                  					__eflags = _t55 - 7;
                  					if(_t55 != 7) {
                  						_t87 = 0;
                  						__eflags = 0;
                  					} else {
                  						_t87 = _t86 | 0xffffffff;
                  					}
                  					E0041BEFB( &_v20);
                  					return _t87;
                  				}
                  				E0041B2A8( *((intOrPtr*)(__ecx + 8)), "Couldn\'t read filename - skipping file", 0);
                  				return 0;
                  			}















                  Strings
                  • Couldn't read filename - skipping file, xrefs: 004116C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocCreateFileLockUnlock
                  • String ID: Couldn't read filename - skipping file
                  • API String ID: 386137224-3589919851
                  • Opcode ID: 1a17dde42886f2bb9dc47f863d57d7fd9d6951654acd95ed662d069c9873e807
                  • Instruction ID: 9ba8b95a0a887d455509938602594151a60fc8a1d70c9b17fb128ea7c1c85513
                  • Opcode Fuzzy Hash: 1a17dde42886f2bb9dc47f863d57d7fd9d6951654acd95ed662d069c9873e807
                  • Instruction Fuzzy Hash: 7A41E6716002046BCB10AB65DC86FFE72ADAF44318F10453FFA06E72D2DF38A8858769
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041CA20(long* __ecx, CHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                  				long _t21;
                  				void* _t24;
                  				intOrPtr _t29;
                  				void* _t40;
                  				int _t43;
                  
                  				_t29 = _a8;
                  				_t46 = __ecx;
                  				if(_t29 <=  *((intOrPtr*)(__ecx))) {
                  					_t43 = lstrlenA(_a4);
                  					if(_a12 != 0) {
                  						_t43 = _a12;
                  					}
                  					_t5 =  &(_t46[1]); // 0x0
                  					 *_t46 =  *_t46 + _t43;
                  					GlobalUnlock( *_t5);
                  					_t6 =  &(_t46[1]); // 0x0
                  					_t21 = GlobalReAlloc( *_t6,  *_t46, 0x42);
                  					_t46[1] = _t21;
                  					if(_t21 == 0) {
                  						E0041D881(E0041CD1E(0x47e924));
                  					}
                  					_t8 =  &(_t46[1]); // 0x0
                  					_t46[2] = GlobalLock( *_t8);
                  					_t24 =  *_t46 - 1;
                  					_t40 = _t43 + _t29;
                  					if(_t24 < _t40) {
                  						goto L9;
                  					} else {
                  						do {
                  							_t11 =  &(_t46[2]); // 0x6b636142
                  							 *((char*)( *_t11 + _t24)) =  *((intOrPtr*)( *_t11 - _t43 + _t24));
                  							_t24 = _t24 - 1;
                  						} while (_t24 >= _t40);
                  						_t29 = _a8;
                  						L9:
                  						while(_t24 >= _t29) {
                  							_t16 =  &(_t46[2]); // 0x6b636142
                  							 *((char*)( *_t16 + _t24)) =  *((intOrPtr*)(_t24 - _t29 + _a4));
                  							_t24 = _t24 - 1;
                  						}
                  						return _t46;
                  					}
                  				}
                  				return __ecx;
                  			}









                  APIs
                  • lstrlenA.KERNEL32(00000001,0042DB90,00000000,00000000,?,0041CC46,00000000,00000000,00000000,00000000,00000001,00000001,00000000,0041C63B,?,0041C63B), ref: 0041CA39
                  • GlobalUnlock.KERNEL32(00000000,?,0041CC46,00000000,00000000,00000000,00000000,00000001,00000001,00000000,0041C63B,?,0041C63B,0042D4D0), ref: 0041CA4F
                  • GlobalReAlloc.KERNEL32 ref: 0041CA5C
                  • GlobalLock.KERNEL32 ref: 0041CA7D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLockUnlocklstrlen
                  • String ID: $G
                  • API String ID: 1193986054-195990108
                  • Opcode ID: 5d35e7ea65a2d6825d976dd3d6991c87e1c56d6275482e42d3e240b4916bb047
                  • Instruction ID: 5603829e847da92005f6a023f110383f11d6e5884fcbf5cfa6c8cd2347ef54ab
                  • Opcode Fuzzy Hash: 5d35e7ea65a2d6825d976dd3d6991c87e1c56d6275482e42d3e240b4916bb047
                  • Instruction Fuzzy Hash: AC11D5313407059FC7219F69CCC4A9ABBA5EF48394764882EE596C7211C734DC81CB64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 46%
                  			E00424316(char _a4) {
                  				void* _v8;
                  				int _v12;
                  				signed int _t13;
                  				signed int _t16;
                  				char* _t25;
                  
                  				_push(_t27);
                  				_t25 = _a4;
                  				_t13 = E0040DB19(_t25);
                  				if(_t13 == 0) {
                  					__eflags = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs", 0, 0x2001f,  &_v8);
                  					if(__eflags != 0) {
                  						_push(0xfffffffe);
                  					} else {
                  						_a4 = 0;
                  						_v12 = 4;
                  						RegQueryValueExA(_v8, _t25, 0, 0,  &_a4,  &_v12);
                  						_a4 = _a4 + 1;
                  						RegSetValueExA(_v8, _t25, 0, 4,  &_a4, 4);
                  						RegCloseKey(_v8);
                  						_push(0x47e800);
                  						_push(_t25);
                  						E00421CE6(__eflags);
                  						_push(1);
                  					}
                  					_pop(_t16);
                  				} else {
                  					_t16 = _t13 | 0xffffffff;
                  				}
                  				return _t16;
                  			}









                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\SharedDLLs,00000000,0002001F,?), ref: 00424346
                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?), ref: 00424368
                  • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,00000004,00000004), ref: 0042437E
                  • RegCloseKey.ADVAPI32(?), ref: 00424387
                  Strings
                  • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0042433C
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Value$CloseOpenQuery
                  • String ID: Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                  • API String ID: 237177642-3400865229
                  • Opcode ID: a265586fcd8e2d4ae3d60842d183ecd60b40a79d569d049d288659a66fc2cb46
                  • Instruction ID: 2afa97585fa973cdf6ebdfa308dfe96903249848b8f16a545dfa2517b57cc3af
                  • Opcode Fuzzy Hash: a265586fcd8e2d4ae3d60842d183ecd60b40a79d569d049d288659a66fc2cb46
                  • Instruction Fuzzy Hash: D011C8B1740118BEDB208B92EC49FAF7F7CEBC5758F60412ABA05A50D1CA744A058638
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041C047(long* __ecx, CHAR* _a4, intOrPtr _a8) {
                  				long _t15;
                  				void* _t17;
                  				char _t23;
                  				void* _t28;
                  				int _t32;
                  				long* _t33;
                  
                  				_t33 = __ecx;
                  				_t32 = lstrlenA(_a4);
                  				if(_a8 != 0) {
                  					_t32 = _a8;
                  				}
                  				_t4 =  &(_t33[1]); // 0x8415ff57
                  				 *_t33 =  *_t33 + _t32;
                  				GlobalUnlock( *_t4);
                  				_t5 =  &(_t33[1]); // 0x8415ff57
                  				_t15 = GlobalReAlloc( *_t5,  *_t33, 0x42);
                  				_t33[1] = _t15;
                  				if(_t15 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				_t7 =  &(_t33[1]); // 0x8415ff57
                  				_t33[2] = GlobalLock( *_t7);
                  				_t17 = 0;
                  				if(_t32 > 0) {
                  					do {
                  						_t10 =  &(_t33[2]); // 0x8d004282
                  						_t23 =  *((intOrPtr*)(_t17 + _a4));
                  						_t28 =  *_t33 - _t32 + _t17;
                  						_t17 = _t17 + 1;
                  						 *((char*)(_t28 +  *_t10)) = _t23;
                  					} while (_t17 < _t32);
                  				}
                  				return _t33;
                  			}

                  APIs
                  • lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                  • GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                  • GlobalReAlloc.KERNEL32 ref: 0041C074
                  • GlobalLock.KERNEL32 ref: 0041C095
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLockUnlocklstrlen
                  • String ID: $G
                  • API String ID: 1193986054-195990108
                  • Opcode ID: d1ba55372e4d4a584c29bd95be6dfa892a82c033d9f715793612bc238b335498
                  • Instruction ID: 86848620a02905628978c4322f41490f0c5417c04306446d91f9f9474cd8ae65
                  • Opcode Fuzzy Hash: d1ba55372e4d4a584c29bd95be6dfa892a82c033d9f715793612bc238b335498
                  • Instruction Fuzzy Hash: 9B016D31644701CFC721AF65CD4865BBBE6BF98300B14882EE19983221DB75D841CB24
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041BC79(intOrPtr* __ecx) {
                  				intOrPtr _t9;
                  				char* _t11;
                  				signed int _t13;
                  				intOrPtr* _t20;
                  				void* _t23;
                  				void* _t24;
                  				intOrPtr* _t25;
                  
                  				_t25 = __ecx;
                  				_t1 = _t25 + 0x158; // 0x0
                  				_t9 =  *_t1;
                  				if(_t9 != 0) {
                  					EnableWindow( *(_t9 + 4), 0);
                  				}
                  				_t20 = 0x47e700;
                  				if( *0x47e700 <= 0) {
                  					_t20 = 0x47e850;
                  				}
                  				_t23 = E0041CD1E(_t20);
                  				if( *0x47e918 <= 0) {
                  					_t11 = "Do your really want to exit setup?";
                  				} else {
                  					_t11 = E0041CD1E(0x47e918);
                  				}
                  				_t24 = E0041B2CC(_t25,  *_t25, _t11, _t23, 4);
                  				_t3 = _t25 + 0x158; // 0x0
                  				_t13 =  *_t3;
                  				if(_t13 != 0) {
                  					EnableWindow( *(_t13 + 4), 1);
                  					_t5 = _t25 + 0x158; // 0x0
                  					_t13 = SetForegroundWindow( *( *_t5 + 4));
                  				}
                  				return _t13 & 0xffffff00 | _t24 != 0x00000007;
                  			}

                  APIs
                  • EnableWindow.USER32(?,00000000), ref: 0041BC93
                  • EnableWindow.USER32(?,00000001), ref: 0041BCE7
                  • SetForegroundWindow.USER32(?), ref: 0041BCF2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Window$Enable$Foreground
                  • String ID: Do your really want to exit setup?$PG
                  • API String ID: 2644897057-2931071296
                  • Opcode ID: bee443d1fbdd976699502f7e30580af2992c2cefda8e58a12d92eb193de696a4
                  • Instruction ID: ac9d4f32d2ea49032055976a08762f19bec1a0615ae6cab58999680f0bfc9b05
                  • Opcode Fuzzy Hash: bee443d1fbdd976699502f7e30580af2992c2cefda8e58a12d92eb193de696a4
                  • Instruction Fuzzy Hash: 81018F713001009BE720AB66DC89BCBBBD6DB84755F15847EE2099B3A1DF799C80D79C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004060B6(void* __ecx, intOrPtr _a4, void* _a8) {
                  				void* _t11;
                  				long _t22;
                  				void* _t23;
                  
                  				_t23 = __ecx;
                  				 *((intOrPtr*)(__ecx + 0xc)) = _a4;
                  				_t22 = ImageList_Create(0xd, 0xd, 4, 4, 4);
                  				if(_t22 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				if(ImageList_Add(_t22, _a8, 0) == 0xffffffff) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				DeleteObject(_a8);
                  				SendMessageA( *(_t23 + 0xc), 0x1109, 0, _t22);
                  				_t11 = 1;
                  				return _t11;
                  			}

                  APIs
                  • ImageList_Create.COMCTL32(0000000D,0000000D,00000004,00000004,00000004,?,?,770B48C0,0040C141,00000000), ref: 004060CC
                  • ImageList_Add.COMCTL32(00000000,770B48C0,00000000,?,?,770B48C0,0040C141,00000000), ref: 004060F2
                  • DeleteObject.GDI32(0040C141), ref: 0040610F
                  • SendMessageA.USER32(?,00001109,00000000,00000000), ref: 00406120
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$ImageList_$AllocCreateDeleteLockMessageObjectSendUnlock
                  • String ID: $G
                  • API String ID: 3198803340-195990108
                  • Opcode ID: e47f47b44f5be8c8198a84e49064f1da869e1903cbbfc8fffeec7cb84f866b49
                  • Instruction ID: 6791099ba6acc7eb50aa9d2fe7bafcb2aff3b1712aa492df654a4519af5c33ea
                  • Opcode Fuzzy Hash: e47f47b44f5be8c8198a84e49064f1da869e1903cbbfc8fffeec7cb84f866b49
                  • Instruction Fuzzy Hash: A1F0F4727803007BE6206B61AC8EF5F3A55EB80B61F10453FF312991D2CEB998428718
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041BF12(long* __ecx, CHAR* _a4) {
                  				long _t12;
                  				void* _t14;
                  				CHAR* _t23;
                  				long* _t24;
                  
                  				_t24 = __ecx;
                  				_t1 =  &(_t24[1]); // 0x221020c
                  				GlobalUnlock( *_t1);
                  				_t23 = _a4;
                  				if(_t23 != 0) {
                  					 *_t24 = lstrlenA(_t23);
                  				} else {
                  					 *_t24 =  *_t24 & _t23;
                  				}
                  				_t3 =  &(_t24[1]); // 0x221020c
                  				_t12 = GlobalReAlloc( *_t3,  *_t24, 0x42);
                  				_t24[1] = _t12;
                  				if(_t12 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				_t5 =  &(_t24[1]); // 0x221020c
                  				_t24[2] = GlobalLock( *_t5);
                  				_t14 = 0;
                  				if( *_t24 > 0) {
                  					do {
                  						_t7 =  &(_t24[2]); // 0x6e5760
                  						 *((char*)( *_t7 + _t14)) =  *((intOrPtr*)(_t14 + _t23));
                  						_t14 = _t14 + 1;
                  					} while (_t14 <  *_t24);
                  				}
                  				return _t24;
                  			}

                  APIs
                  • GlobalUnlock.KERNEL32(0221020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                  • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0047DFB8), ref: 0041BF2C
                  • GlobalReAlloc.KERNEL32 ref: 0041BF3B
                  • GlobalLock.KERNEL32 ref: 0041BF5C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLockUnlocklstrlen
                  • String ID: $G
                  • API String ID: 1193986054-195990108
                  • Opcode ID: f4168bbc14b58ece5299c2a09c70ce466236e7760992961e786b482267182a23
                  • Instruction ID: d030bc0b615e75949c7210a2cdcfd6d568315ba4b24ded64fab219e1162ce76e
                  • Opcode Fuzzy Hash: f4168bbc14b58ece5299c2a09c70ce466236e7760992961e786b482267182a23
                  • Instruction Fuzzy Hash: F601AD75205B02DFC3316F21DD4986ABBE5EF95751320887EE4DAC3221DB389882CF68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 67%
                  			E00414C1B(void* __edx, void* __edi, void* __ebp, signed int _a4, intOrPtr _a8) {
                  				signed int _v4;
                  				signed int _v8;
                  				signed int _v12;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				void* __ecx;
                  				void* _t25;
                  				signed int _t26;
                  				signed int _t29;
                  				signed int _t30;
                  				intOrPtr _t31;
                  				signed int _t32;
                  				signed int _t34;
                  				signed int _t35;
                  				signed int _t43;
                  				void* _t44;
                  				signed int _t54;
                  				intOrPtr _t58;
                  				intOrPtr _t59;
                  				void* _t60;
                  				signed int _t62;
                  				void* _t63;
                  				signed int _t64;
                  				signed int _t66;
                  				void* _t67;
                  				intOrPtr _t68;
                  				signed int _t69;
                  				struct HDC__* _t71;
                  				void* _t73;
                  				void* _t74;
                  				signed int _t75;
                  				intOrPtr _t77;
                  				void* _t78;
                  				void* _t80;
                  				void* _t86;
                  				void* _t90;
                  
                  				_t74 = __ebp;
                  				_t63 = __edi;
                  				_t60 = __edx;
                  				_t77 =  *0x47f27c; // 0x1
                  				if(_t77 != 0) {
                  					L42:
                  					return _t25;
                  				} else {
                  					_t68 =  *0x47e658; // 0x8
                  					_t78 =  *0x42c090 - _t68; // 0xffffffff
                  					if(_t78 != 0) {
                  						 *0x42c08c =  *0x42c08c | 0xffffffff;
                  						 *0x42c090 = _t68;
                  					}
                  					_t26 = _a4;
                  					_t80 = _t26 -  *0x42c08c; // 0xffffffff
                  					if(_t80 > 0) {
                  						_t59 =  *0x47f280; // 0x0
                  						 *0x42c08c = _t26;
                  						if(_t59 != 0) {
                  							E0041EE7E(_t59, _t26);
                  							_t68 =  *0x47e658; // 0x8
                  						}
                  					}
                  					_push(_t74);
                  					_t75 =  *0x47e6a8; // 0x207a58a
                  					_push(_t63);
                  					_t64 =  *0x47e6ac; // 0x0
                  					_v8 = _t75;
                  					_v4 = _t64;
                  					if((_t75 | _t64) == 0) {
                  						_v8 = 1;
                  						_v4 = 0;
                  					}
                  					_t29 =  *0x47e18c; // 0x0
                  					_t30 = _t29 & 0x00000002;
                  					_a4 = _t30;
                  					if(_t30 != 0) {
                  						_v24 = _v24 + E004252C0( *0x47e6a0,  *0x47e6a4, 0x1d, 0);
                  						asm("adc [esp+0x14], edx");
                  					}
                  					if(( *0x47e18c & 0x00000004) != 0) {
                  						_v24 = _v24 + E004252C0( *0x47e698,  *0x47e69c, 0x14, 0);
                  						asm("adc [esp+0x14], edx");
                  					}
                  					_t31 = _a8;
                  					if(_t68 != 1) {
                  						__eflags = _t68 - 2;
                  						if(_t68 != 2) {
                  							__eflags = _t68 - 3;
                  							if(_t68 != 3) {
                  								__eflags = _t68 - 4;
                  								if(__eflags != 0) {
                  									__eflags = _t68 - 5;
                  									if(__eflags == 0) {
                  										goto L23;
                  									}
                  									__eflags = _t68 - 6;
                  									if(__eflags == 0) {
                  										goto L23;
                  									}
                  									__eflags = _t68 - 7;
                  									if(__eflags != 0) {
                  										__eflags = _t68 - 8;
                  										_t43 = (0 | _t68 != 0x00000008) + 0x63;
                  										__eflags = _t43;
                  										goto L30;
                  									}
                  									_push(0x61);
                  									L28:
                  									_pop(_t69);
                  									goto L31;
                  								}
                  								L23:
                  								_push(0x60);
                  								goto L28;
                  							}
                  							_t44 = E004252C0(_t31, 0, 0x14, 0);
                  							_t67 = _t60;
                  							_t73 = _t44 + _t75;
                  							asm("adc edi, [0x47e6ac]");
                  							__eflags = _v12;
                  							if(_v12 != 0) {
                  								_t73 = _t73 + E004252C0( *0x47e6a0,  *0x47e6a4, 0x1d, 0);
                  								asm("adc edi, edx");
                  							}
                  							_push(0);
                  							_push(0x64);
                  							_push(_t67);
                  							_push(_t73);
                  							goto L21;
                  						}
                  						_t31 = E004252C0(_t31, 0, 0x1d, 0) + _t75;
                  						_push(0);
                  						asm("adc edx, edi");
                  						_push(0x64);
                  						_push(_t60);
                  						goto L14;
                  					} else {
                  						_push(0);
                  						_push(0x64);
                  						_push(0);
                  						L14:
                  						_push(_t31);
                  						L21:
                  						_t43 = E00425250(E004252C0(E00425250(E004252C0(), _t60, _v24, _v20), _t60, 0x5f, 0), _t60, 0x64, 0);
                  						L30:
                  						_t69 = _t43;
                  						L31:
                  						_t86 = _t69 -  *0x42c094; // 0xffffffff
                  						if(_t86 > 0) {
                  							_t58 =  *0x47f284; // 0x0
                  							 *0x42c094 = _t69;
                  							if(_t58 != 0) {
                  								E0041EE7E(_t58, _t69);
                  							}
                  						}
                  						_t54 =  *0x47e784; // 0x0
                  						if(_t54 > 0 && _t54 < 0x65) {
                  							_t32 = 0x64;
                  							asm("cdq");
                  							_t66 = _t32 / _t54;
                  							_t34 = _t69;
                  							asm("cdq");
                  							_t35 = _t34 / _t66;
                  							_t62 = _t34 % _t66;
                  							_t90 = _t35 -  *0x42c098; // 0xffffffff
                  							if(_t90 > 0) {
                  								_t91 = _t35 - _t54;
                  								if(_t35 < _t54) {
                  									 *0x42c098 = _t35;
                  									E0040F33B(0x47f208, _t62, _t91, _t35);
                  									_t71 = GetDC( *0x47e178);
                  									BitBlt(_t71, 0, 0,  *0x47e170,  *0x47e174,  *0x47e184, 0, 0, 0xcc0020);
                  									ReleaseDC( *0x47e178, _t71);
                  								}
                  							}
                  						}
                  						_t25 = E0041A207();
                  						while(_t25 == 1) {
                  							_t25 = E0041A207();
                  						}
                  						goto L42;
                  					}
                  				}
                  			}

                  APIs
                  • __aulldiv.LIBCMT ref: 00414D5C
                  • __aulldiv.LIBCMT ref: 00414D70
                  • GetDC.USER32(00000060), ref: 00414DFD
                  • BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00CC0020,?,0207A58A,-00000001), ref: 00414E21
                  • ReleaseDC.USER32 ref: 00414E2E
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: __aulldiv$Release
                  • String ID:
                  • API String ID: 3493685692-0
                  • Opcode ID: c829be2c0b2fef8037b4d98ece4fb16d813a1104892517bff0df9b681447dd76
                  • Instruction ID: a9d97e3be5756bfe4d35d353e42b65620ab82c9c544829cce164ddad8ecaccd7
                  • Opcode Fuzzy Hash: c829be2c0b2fef8037b4d98ece4fb16d813a1104892517bff0df9b681447dd76
                  • Instruction Fuzzy Hash: 7C51FA71A01310AFDB209B65AC81EAF76A9E7D8718F85057FF508A7261C3394CC18B6D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 99%
                  			E00426871() {
                  				signed int* _t35;
                  				signed int* _t37;
                  				long _t42;
                  				signed int _t44;
                  				signed int _t45;
                  				int _t46;
                  				void* _t48;
                  				void** _t52;
                  				int _t53;
                  				int _t54;
                  				signed int* _t55;
                  				int _t57;
                  				void** _t58;
                  				signed char _t60;
                  				signed int _t62;
                  				void* _t66;
                  				void* _t69;
                  				signed int _t70;
                  				int* _t71;
                  				signed int* _t72;
                  				void** _t73;
                  				int _t74;
                  				intOrPtr* _t75;
                  				void* _t76;
                  
                  				_t72 = E00424B9C(0x100);
                  				if(_t72 == 0) {
                  					E004254C0(0x1b);
                  				}
                  				 *0x47f720 = _t72;
                  				 *0x47f820 = 0x20;
                  				_t1 =  &(_t72[0x40]); // 0x100
                  				_t35 = _t1;
                  				while(_t72 < _t35) {
                  					_t72[1] = _t72[1] & 0x00000000;
                  					 *_t72 =  *_t72 | 0xffffffff;
                  					_t72[1] = 0xa;
                  					_t55 =  *0x47f720; // 0x22d0ef0
                  					_t72 =  &(_t72[2]);
                  					_t35 =  &(_t55[0x40]);
                  				}
                  				GetStartupInfoA(_t76 + 0x10);
                  				__eflags =  *((short*)(_t76 + 0x42));
                  				if( *((short*)(_t76 + 0x42)) == 0) {
                  					L25:
                  					_t57 = 0;
                  					__eflags = 0;
                  					do {
                  						_t37 =  *0x47f720; // 0x22d0ef0
                  						__eflags =  *(_t37 + _t57 * 8) - 0xffffffff;
                  						_t73 = _t37 + _t57 * 8;
                  						if( *(_t37 + _t57 * 8) != 0xffffffff) {
                  							_t32 =  &(_t73[1]);
                  							 *_t32 = _t73[1] | 0x00000080;
                  							__eflags =  *_t32;
                  							goto L37;
                  						}
                  						__eflags = _t57;
                  						_t73[1] = 0x81;
                  						if(_t57 != 0) {
                  							asm("sbb eax, eax");
                  							_t42 =  ~(_t57 - 1) + 0xfffffff5;
                  							__eflags = _t42;
                  						} else {
                  							_t42 = 0xfffffff6;
                  						}
                  						_t69 = GetStdHandle(_t42);
                  						__eflags = _t69 - 0xffffffff;
                  						if(_t69 == 0xffffffff) {
                  							L33:
                  							_t73[1] = _t73[1] | 0x00000040;
                  						} else {
                  							_t44 = GetFileType(_t69);
                  							__eflags = _t44;
                  							if(_t44 == 0) {
                  								goto L33;
                  							}
                  							_t45 = _t44 & 0x000000ff;
                  							 *_t73 = _t69;
                  							__eflags = _t45 - 2;
                  							if(_t45 != 2) {
                  								__eflags = _t45 - 3;
                  								if(_t45 == 3) {
                  									_t73[1] = _t73[1] | 0x00000008;
                  								}
                  								goto L37;
                  							}
                  							goto L33;
                  						}
                  						L37:
                  						_t57 = _t57 + 1;
                  						__eflags = _t57 - 3;
                  					} while (_t57 < 3);
                  					return SetHandleCount( *0x47f820);
                  				}
                  				_t46 =  *(_t76 + 0x44);
                  				__eflags = _t46;
                  				if(_t46 == 0) {
                  					goto L25;
                  				}
                  				_t74 =  *_t46;
                  				_t75 = _t46 + 4;
                  				__eflags = _t74 - 0x800;
                  				_t58 = _t74 + _t75;
                  				if(_t74 >= 0x800) {
                  					_t74 = 0x800;
                  				}
                  				__eflags =  *0x47f820 - _t74; // 0x20
                  				if(__eflags >= 0) {
                  					L18:
                  					_t70 = 0;
                  					__eflags = _t74;
                  					if(_t74 <= 0) {
                  						goto L25;
                  					} else {
                  						goto L19;
                  					}
                  					do {
                  						L19:
                  						_t48 =  *_t58;
                  						__eflags = _t48 - 0xffffffff;
                  						if(_t48 == 0xffffffff) {
                  							goto L24;
                  						}
                  						_t60 =  *_t75;
                  						__eflags = _t60 & 0x00000001;
                  						if((_t60 & 0x00000001) == 0) {
                  							goto L24;
                  						}
                  						__eflags = _t60 & 0x00000008;
                  						if((_t60 & 0x00000008) != 0) {
                  							L23:
                  							_t62 = _t70 & 0x0000001f;
                  							__eflags = _t62;
                  							_t52 = 0x47f720[_t70 >> 5] + _t62 * 8;
                  							 *_t52 =  *_t58;
                  							_t52[1] =  *_t75;
                  							goto L24;
                  						}
                  						_t53 = GetFileType(_t48);
                  						__eflags = _t53;
                  						if(_t53 == 0) {
                  							goto L24;
                  						}
                  						goto L23;
                  						L24:
                  						_t70 = _t70 + 1;
                  						_t75 = _t75 + 1;
                  						_t58 =  &(_t58[1]);
                  						__eflags = _t70 - _t74;
                  					} while (_t70 < _t74);
                  					goto L25;
                  				} else {
                  					_t71 = 0x47f724;
                  					while(1) {
                  						_t54 = E00424B9C(0x100);
                  						__eflags = _t54;
                  						if(_t54 == 0) {
                  							break;
                  						}
                  						 *0x47f820 =  *0x47f820 + 0x20;
                  						__eflags =  *0x47f820;
                  						 *_t71 = _t54;
                  						_t10 = _t54 + 0x100; // 0x100
                  						_t66 = _t10;
                  						while(1) {
                  							__eflags = _t54 - _t66;
                  							if(_t54 >= _t66) {
                  								break;
                  							}
                  							 *(_t54 + 4) =  *(_t54 + 4) & 0x00000000;
                  							 *_t54 =  *_t54 | 0xffffffff;
                  							 *((char*)(_t54 + 5)) = 0xa;
                  							_t54 = _t54 + 8;
                  							_t66 =  *_t71 + 0x100;
                  						}
                  						_t71 =  &(_t71[1]);
                  						__eflags =  *0x47f820 - _t74; // 0x20
                  						if(__eflags < 0) {
                  							continue;
                  						}
                  						goto L18;
                  					}
                  					_t74 =  *0x47f820; // 0x20
                  					goto L18;
                  				}
                  			}




























                  APIs
                  • GetStartupInfoA.KERNEL32(?), ref: 004268CA
                  • GetFileType.KERNEL32(00000800), ref: 00426970
                  • GetStdHandle.KERNEL32(-000000F6), ref: 004269C9
                  • GetFileType.KERNEL32(00000000), ref: 004269D7
                  • SetHandleCount.KERNEL32 ref: 00426A0E
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: FileHandleType$CountInfoStartup
                  • String ID:
                  • API String ID: 1710529072-0
                  • Opcode ID: fc2f99d6d75735703ef8d3f561f92466763e75c486a1a5d3e360cb6a19083e99
                  • Instruction ID: 0480248ec443beef7d494d037e8a8200b04a5f20b88e5398d1804388355726b4
                  • Opcode Fuzzy Hash: fc2f99d6d75735703ef8d3f561f92466763e75c486a1a5d3e360cb6a19083e99
                  • Instruction Fuzzy Hash: 555129B17043218BD7209B28ED447667BE0EB05360F97463ED4AAC73E1DB389889875D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 87%
                  			E00408121(void* __ecx, int _a4) {
                  				int _v52;
                  				int _v108;
                  				int _v164;
                  				void* _t26;
                  				long _t27;
                  				signed int _t28;
                  				int _t33;
                  				CHAR* _t34;
                  				CHAR* _t49;
                  				long _t52;
                  				struct HFONT__* _t53;
                  				void* _t54;
                  				void* _t55;
                  				void* _t76;
                  
                  				_push(_a4);
                  				_t76 = __ecx;
                  				if(E00407FD5() == 0xffffffff) {
                  					_t55 = 0xfffffffc;
                  					return _t55;
                  				}
                  				_t26 = E0041E860(0x47e50c, _t25);
                  				_t2 = _t76 + 0x70; // 0x70
                  				_t3 = _t76 + 8; // 0x8
                  				_t27 = E00408256(__eflags, _t26, _t3, _t2, 1);
                  				__eflags = _t27;
                  				if(_t27 >= 0) {
                  					_t28 =  *0x42b91c; // 0x3e8
                  					asm("cdq");
                  					_t33 = MulDiv( *(_t76 + 0x44) & 0x0000ffff, (_t28 + _t28 * 2 << 5) / 0x3e8, 0x48);
                  					_t12 = _t76 + 0x38; // 0x38
                  					_t78 = _t12;
                  					_a4 = _t33;
                  					_t34 = E0041CD1E(_t12);
                  					asm("sbb ebx, ebx");
                  					 *((intOrPtr*)(_t76 + 0x48)) = CreateFontA(_a4, 0, 0, 0, ( ~( *(_t76 + 0x46) & 0x00000001) & 0x0000012c) + 0x190,  *(_t76 + 0x46) >> 0x00000001 & 0x00000001, 0, 0, 0, 0, 0, 0, 0, _t34);
                  					 *((intOrPtr*)(_t76 + 0x4c)) = CreateFontA(_v52, 0, 0, 0, 0x2bc,  *(_t76 + 0x46) >> 0x00000001 & 0x00000001, 0, 0, 0, 0, 0, 0, 0, E0041CD1E(_t12));
                  					 *((intOrPtr*)(_t76 + 0x50)) = CreateFontA(_v108, 0, 0, 0, 0x190,  *(_t76 + 0x46) >> 0x00000001 & 0x00000001, 1, 0, 0, 0, 0, 0, 0, E0041CD1E(_t12));
                  					_t49 = E0041CD1E(_t78);
                  					_t52 =  *(_t76 + 0x46) >> 0x00000001 & 0x00000001;
                  					__eflags = _t52;
                  					_t53 = CreateFontA(_v164, 0, 0, 0, 0x2bc, _t52, 1, 0, 0, 0, 0, 0, 0, _t49);
                  					 *(_t76 + 0x54) = _t53;
                  					_t54 = 1;
                  					return _t54;
                  				}
                  				return _t27;
                  			}


















                  APIs
                  • MulDiv.KERNEL32(?,000003E8,00000048), ref: 00408181
                  • CreateFontA.GDI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004081CA
                  • CreateFontA.GDI32(?,00000000,00000000,00000000,000002BC,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004081F3
                  • CreateFontA.GDI32(?,00000000,00000000,00000000,00000190,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040821D
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: CreateFont
                  • String ID:
                  • API String ID: 1830492434-0
                  • Opcode ID: a0dc7068cd27009a1279465c43ead3e4ef2f7f57a47b585927daa53c3fb0ce14
                  • Instruction ID: 91811af97634840e8ceefda5567941c751d6f7838c551a2ad01c93e1cb071a82
                  • Opcode Fuzzy Hash: a0dc7068cd27009a1279465c43ead3e4ef2f7f57a47b585927daa53c3fb0ce14
                  • Instruction Fuzzy Hash: 5331C5711407807DDB309A6B9C89EAB7FBDDBCBF10F00082DB295926D1CA66A441C634
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 68%
                  			E0041EB0F(void* __ecx, void* __edx) {
                  				struct tagSIZE _v12;
                  				char _v28;
                  				signed int _t32;
                  				void* _t36;
                  				void* _t39;
                  				void* _t45;
                  
                  				_t39 = __edx;
                  				_t45 = __ecx;
                  				E00427836( *((intOrPtr*)(__ecx + 0x10)),  &_v28, 0xa);
                  				lstrcatA( &_v28, " %");
                  				if(GetTextExtentPoint32A( *(_t45 + 4),  &_v28, lstrlenA( &_v28),  &_v12) != 0) {
                  					asm("cdq");
                  					asm("cdq");
                  					_t32 = TextOutA( *(_t45 + 4), ( *((intOrPtr*)(_t45 + 0x1c)) -  *((intOrPtr*)(_t45 + 0x14)) - _t39 >> 1) - (_v12.cx - _t39 >> 1), 2,  &_v28, lstrlenA( &_v28));
                  					asm("sbb eax, eax");
                  					return ( ~_t32 & 0x0000000c) + 0xfffffff5;
                  				}
                  				_t36 = 0xfffffff6;
                  				return _t36;
                  			}










                  APIs
                  • lstrcatA.KERNEL32(?,0042D698,?,00000000,770BFB30,?,?,?,?,?,?,?,0041EE10,?,004051FC,0045AA60), ref: 0041EB33
                  • lstrlenA.KERNEL32(?,?,?,00000000,770BFB30,?,?,?,?,?,?,?,0041EE10,?,004051FC,0045AA60), ref: 0041EB47
                  • GetTextExtentPoint32A.GDI32(?,?,00000000), ref: 0041EB51
                  • lstrlenA.KERNEL32(?,?,?,00000000,770BFB30,?,?,?,?,?,?,?,0041EE10,?,004051FC,0045AA60), ref: 0041EB7C
                  • TextOutA.GDI32(?,?,00000002,?,00000000), ref: 0041EB89
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Textlstrlen$ExtentPoint32lstrcat
                  • String ID:
                  • API String ID: 3780604614-0
                  • Opcode ID: f1f3a101613beeb1aa5f5ee0721c5e0b67aed8fbfa80b47b83a423e2ebd76357
                  • Instruction ID: b5ccb3afcf26193c53e81dcc7e7fa64a1b5680322ebb231c090800a54c7e9584
                  • Opcode Fuzzy Hash: f1f3a101613beeb1aa5f5ee0721c5e0b67aed8fbfa80b47b83a423e2ebd76357
                  • Instruction Fuzzy Hash: EB116973A04609AFDB20DBB8DC4ADDF7BBCEB44711F444726F602D2190EA30E94587A4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040FC45(int* __ecx) {
                  				struct HDC__* _t9;
                  				void* _t11;
                  				int _t14;
                  				int* _t16;
                  
                  				_t16 = __ecx;
                  				_t1 = _t16 + 0x10; // 0x0
                  				_t9 =  *_t1;
                  				if(_t9 != 0) {
                  					_t2 = _t16 + 4; // 0x0
                  					_t3 = _t16 + 0xc; // 0x0
                  					_t4 = _t16 + 8; // 0x0
                  					BitBlt( *0x47e184,  *_t4,  *_t3,  *__ecx,  *_t2, _t9, 0, 0, 0xcc0020);
                  					_t11 = CreateCompatibleBitmap( *0x47e184, 1, 1);
                  					_t5 = _t16 + 0x10; // 0x0
                  					DeleteObject(SelectObject( *_t5, _t11));
                  					_t6 = _t16 + 0x10; // 0x0
                  					_t14 = DeleteDC( *_t6);
                  					__ecx[4] = __ecx[4] & 0x00000000;
                  					return _t14;
                  				}
                  				return _t9;
                  			}








                  APIs
                  • BitBlt.GDI32(00000000,00000000,0047F208,00000000,00000000,00000000,00000000,00CC0020,00000000), ref: 0040FC6A
                  • CreateCompatibleBitmap.GDI32(00000001,00000001), ref: 0040FC7A
                  • SelectObject.GDI32(00000000,00000000), ref: 0040FC84
                  • DeleteObject.GDI32(00000000), ref: 0040FC8B
                  • DeleteDC.GDI32(00000000), ref: 0040FC94
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: DeleteObject$BitmapCompatibleCreateSelect
                  • String ID:
                  • API String ID: 1708838939-0
                  • Opcode ID: 4fce775da680b68cfbaf63d319c26e888dfe94671b2c622037a7a18372212f81
                  • Instruction ID: 4c0b358634b2dcbc37ace0c2ae9a94ec987f1bb4a940835be0c4d5214cf889df
                  • Opcode Fuzzy Hash: 4fce775da680b68cfbaf63d319c26e888dfe94671b2c622037a7a18372212f81
                  • Instruction Fuzzy Hash: F7F0D432211700FFEB311F60ED0AF5A7BB6FB08711F42493CB656954B0CBB2A8599B18
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041E5E3(void* __ebx) {
                  				int _t11;
                  				void* _t13;
                  				void* _t14;
                  
                  				_t13 = __ebx;
                  				if( *(_t14 - 0x1c) != __ebx) {
                  					_t11 = LocalFree( *(_t14 - 0x1c));
                  				}
                  				if( *(_t14 - 0x6c) != _t13) {
                  					_t11 = LocalFree( *(_t14 - 0x6c));
                  				}
                  				if( *(_t14 - 0x64) != _t13) {
                  					_t11 = FreeSid( *(_t14 - 0x64));
                  				}
                  				if( *(_t14 - 0x44) != _t13) {
                  					_t11 = CloseHandle( *(_t14 - 0x44));
                  				}
                  				if( *(_t14 - 0x74) != _t13) {
                  					return CloseHandle( *(_t14 - 0x74));
                  				}
                  				return _t11;
                  			}

                  APIs
                  • LocalFree.KERNEL32(000000FF,0041E5CA), ref: 0041E5EB
                  • LocalFree.KERNEL32(0041E5CA,0041E5CA), ref: 0041E5F9
                  • FreeSid.ADVAPI32(?,0041E5CA), ref: 0041E607
                  • CloseHandle.KERNEL32(?,0041E5CA), ref: 0041E615
                  • CloseHandle.KERNEL32(?,0041E5CA), ref: 0041E623
                  Similarity
                  • API ID: Free$CloseHandleLocal
                  • String ID:
                  • API String ID: 705109652-0
                  • Opcode ID: 511d6d9563a7b1ffc5c92be43f58a519d922bcec561c93a000fc30fed3c9634a
                  • Instruction ID: 73678e22deb19cee6ac9eaf631a966f4da86afaf54b79670e03dbd25b55c7706
                  • Opcode Fuzzy Hash: 511d6d9563a7b1ffc5c92be43f58a519d922bcec561c93a000fc30fed3c9634a
                  • Instruction Fuzzy Hash: A6F04535D0225ADBCF619FD2DA494ADBBB2EB10302BA4803EE51566131CB350E92DF58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E0040F1B2(signed int _a4, char _a7, signed int _a8, char _a11, intOrPtr _a12, signed int _a16, char _a19, intOrPtr _a20) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				signed int _v20;
                  				signed int _v24;
                  				signed int _v28;
                  				signed int _v32;
                  				signed int _v36;
                  				signed int _v40;
                  				signed int _v44;
                  				signed int _v48;
                  				signed int _v52;
                  				void* _v56;
                  				intOrPtr _v60;
                  				void* _v64;
                  				signed int _v68;
                  				intOrPtr _t114;
                  				signed int _t116;
                  				signed int _t120;
                  				signed int _t121;
                  				intOrPtr _t134;
                  				unsigned int _t156;
                  				signed int _t159;
                  				intOrPtr _t160;
                  				unsigned int _t161;
                  				signed int _t163;
                  				signed int _t175;
                  				signed int _t177;
                  
                  				_t161 = _a4;
                  				_t114 =  *0x47e170; // 0x0
                  				_t156 = _a8;
                  				_t175 = _t161 & 0x000000ff;
                  				_t177 = _a16;
                  				_v60 = _t114;
                  				_v68 = _v68 & 0x00000000;
                  				_t116 = _t175 - (_t156 & 0x000000ff);
                  				_v20 = _t175;
                  				_a4 = _t116;
                  				asm("cdq");
                  				_v32 = _t116 / _t177;
                  				_t120 = _t161 & 0x000000ff;
                  				_a16 = _t120;
                  				_t121 = _t120 - (_t156 & 0x000000ff);
                  				_a8 = _t121;
                  				asm("cdq");
                  				_t163 = _t161 >> 0x00000010 & 0x000000ff;
                  				_v28 = _t163;
                  				_v36 = _t121 / _t177;
                  				_t159 = _t163 - (_t156 >> 0x00000010 & 0x000000ff);
                  				asm("cdq");
                  				_v40 = _t159 / _t177;
                  				asm("cdq");
                  				_v44 = _a4 % _t177;
                  				asm("cdq");
                  				_v48 = _a8 % _t177;
                  				asm("cdq");
                  				_v24 = _a16;
                  				_v8 = 0;
                  				_v12 = 0;
                  				_v16 = 0;
                  				_a7 = _a4 > 0;
                  				_a11 = _a8 > 0;
                  				_t134 = _a20;
                  				_a19 = _t159 > 0;
                  				_v52 = _t159 % _t177;
                  				while(_t134 < _a12) {
                  					if(_a11 == 0) {
                  						if(_v12 <=  ~_t177) {
                  							_v12 = _v12 + _t177;
                  							_v24 = _v24 + 1;
                  						}
                  					} else {
                  						if(_v12 >= _t177) {
                  							_v12 = _v12 - _t177;
                  							_v24 = _v24 - 1;
                  						}
                  					}
                  					if(_a19 == 0) {
                  						if(_v16 <=  ~_t177) {
                  							_v16 = _v16 + _t177;
                  							_v28 = _v28 + 1;
                  						}
                  					} else {
                  						if(_v16 >= _t177) {
                  							_v16 = _v16 - _t177;
                  							_v28 = _v28 - 1;
                  						}
                  					}
                  					_t134 = _t160;
                  				}
                  				return _t134;
                  			}

                  APIs
                  Strings
                  Similarity
                  • API ID: BrushCreateDeleteFillObjectRectSolid
                  • String ID: g@22
                  • API String ID: 2123768370-484279793
                  • Opcode ID: 32db67808970f7d40a01b2fbc38824db2168226f8f331c16745f0a183be6d3bf
                  • Instruction ID: 9399de27422c3eafa2a9f271622b1fa8dcba86be0284eb149c6f32b38e448122
                  • Opcode Fuzzy Hash: 32db67808970f7d40a01b2fbc38824db2168226f8f331c16745f0a183be6d3bf
                  • Instruction Fuzzy Hash: 4E51E5B1D01229DFCB50CFA9D8845EEBBF1BB48311F1480BBE815E2241D3349A85DFA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004063D6(void* __ecx, void* __eflags, long _a4, intOrPtr* _a8, intOrPtr* _a12) {
                  				signed int _v8;
                  				long _v12;
                  				signed int _v16;
                  				int _v28;
                  				int _v32;
                  				long _v52;
                  				char _v56;
                  				long _t55;
                  				long _t56;
                  				long _t60;
                  				intOrPtr _t63;
                  				intOrPtr* _t64;
                  				int _t66;
                  				int _t67;
                  				int _t68;
                  				long _t72;
                  				long _t74;
                  				int _t78;
                  				signed int _t81;
                  				void* _t85;
                  
                  				_t74 = _a4;
                  				_t85 = __ecx;
                  				_t55 = E00406060(__ecx, E0040607A(__ecx, _t74));
                  				_v8 = _v8 & 0x00000000;
                  				_v16 = _v16 & 0x00000000;
                  				_a4 = _t55;
                  				_t56 = SendMessageA( *(__ecx + 0xc), 0x110a, 4, _t74);
                  				_t78 = 0;
                  				_v12 = _t56;
                  				_t91 = _t56;
                  				if(_t56 == 0) {
                  					L3:
                  					 *_a8 =  *_a8 + _v8;
                  					_t81 = _v16;
                  					 *_a12 =  *_a12 + _t81;
                  					if(_v8 == _t78) {
                  						__eflags = _t81 - _t78;
                  						if(_t81 != _t78) {
                  							_v56 = 0x32;
                  							_v28 = _t78;
                  							_v32 = _t78;
                  							 *((intOrPtr*)(_a4 + 8)) = _t78;
                  							_v52 = _t74;
                  							_t60 =  &_v56;
                  							L11:
                  							SendMessageA( *(_t85 + 0xc), 0x110d, _t78, _t60);
                  							_t63 =  *((intOrPtr*)(_a4 + 8));
                  							if(_t63 != 0) {
                  								__eflags = _t63 - 1;
                  								if(_t63 == 1) {
                  									L15:
                  									_t64 = _a8;
                  									L16:
                  									 *_t64 =  *_t64 + 1;
                  									return _t64;
                  								}
                  								__eflags = _t63 - 2;
                  								if(_t63 != 2) {
                  									return _t63;
                  								}
                  								goto L15;
                  							}
                  							_t64 = _a12;
                  							goto L16;
                  						}
                  						L7:
                  						__eflags = _v8 - _t78;
                  						if(_v8 == _t78) {
                  							_v56 = 0x32;
                  							_v52 = _t74;
                  							_t66 =  *((intOrPtr*)(_a4 + 8));
                  							_v28 = _t66;
                  							_v32 = _t66;
                  							_t60 =  &_v56;
                  						} else {
                  							_t67 = 1;
                  							_v56 = 0x32;
                  							 *((intOrPtr*)(_a4 + 8)) = _t67;
                  							_v28 = _t67;
                  							_v32 = _t67;
                  							_v52 = _t74;
                  							_t60 =  &_v56;
                  						}
                  						goto L11;
                  					}
                  					if(_t81 == _t78) {
                  						goto L7;
                  					}
                  					_t68 = 3;
                  					_v56 = 0x32;
                  					 *(_a4 + 8) = _t68;
                  					_v28 = _t68;
                  					_v32 = _t68;
                  					_v52 = _t74;
                  					_t60 =  &_v56;
                  					goto L11;
                  				} else {
                  					goto L1;
                  				}
                  				do {
                  					L1:
                  					E004063D6(_t85, _t91, _v12,  &_v8,  &_v16);
                  					_t72 = SendMessageA( *(_t85 + 0xc), 0x110a, 1, _v12);
                  					_v12 = _t72;
                  				} while (_t72 != 0);
                  				_t78 = 0;
                  				goto L3;
                  			}

                  APIs
                  • SendMessageA.USER32(?,0000110A,00000004,?), ref: 0040640E
                  • SendMessageA.USER32(?,0000110D,00000000,00000032), ref: 004064DF
                    • Part of subcall function 004063D6: SendMessageA.USER32(?,0000110A,00000001,?), ref: 00406438
                  Strings
                  Similarity
                  • API ID: MessageSend
                  • String ID: 2
                  • API String ID: 3850602802-450215437
                  • Opcode ID: 0d697fa6cfd22ce5255ca20625cc7f0cb5f0048a09a495801416c6ff532affda
                  • Instruction ID: cbb0343fe3eedb3d421d54385876156e88e43829525f595412eb2063aa438078
                  • Opcode Fuzzy Hash: 0d697fa6cfd22ce5255ca20625cc7f0cb5f0048a09a495801416c6ff532affda
                  • Instruction Fuzzy Hash: 7A41D670E01209EFDF15CF98D881A9EBBB5FF08315F21816BE506EB290D7749A518F88
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 74%
                  			E00408006(signed char* _a4) {
                  				signed int _t21;
                  				signed char _t24;
                  				intOrPtr* _t25;
                  				struct HICON__* _t27;
                  				signed char* _t36;
                  				void* _t37;
                  				signed int* _t38;
                  				signed int _t39;
                  				signed char* _t40;
                  
                  				_t40 = _a4;
                  				_t2 =  &(_t40[8]); // 0xd44d8d00
                  				_t21 =  *_t2;
                  				if(_t21 != 1) {
                  					L24:
                  					__eflags = _t21 - 2;
                  					if(_t21 != 2) {
                  						L28:
                  						return _t21;
                  					}
                  					__eflags =  *_t40 & 0x00000080;
                  					if(( *_t40 & 0x00000080) == 0) {
                  						goto L28;
                  					}
                  					__eflags = 0;
                  					_t18 =  &(_t40[0x58]); // 0x407864
                  					_t36 = _t18;
                  					_t19 =  &(_t40[0x34]); // 0x44c60575
                  					E0040FEB9(0x47f208, _t36,  *_t19, 0, 0);
                  					_push( *_t36);
                  					_push(0);
                  					_push(0xf7);
                  					L27:
                  					_t20 =  &(_t40[0x50]); // 0x6ffee858
                  					return SendMessageA( *_t20, ??, ??, ??);
                  				}
                  				if(_t40[0xc] != 4) {
                  					__eflags = _t21 - 1;
                  					if(_t21 != 1) {
                  						goto L24;
                  					}
                  					__eflags = _t40[0xc] - 3;
                  					if(_t40[0xc] != 3) {
                  						goto L24;
                  					}
                  					_t10 =  &(_t40[0x34]); // 0x44c60575
                  					_t24 =  *_t10;
                  					__eflags = _t24 - 0xffffffff;
                  					if(_t24 != 0xffffffff) {
                  						__eflags = _t24 - 0xfffffffe;
                  						if(_t24 != 0xfffffffe) {
                  							_t37 = 0;
                  							__eflags =  *0x47e52c; // 0x0
                  							if(__eflags <= 0) {
                  								L21:
                  								_t15 =  &(_t40[0x58]); // 0x76ffcd8b
                  								_t21 =  *_t15;
                  								__eflags = _t21;
                  								if(_t21 == 0) {
                  									goto L28;
                  								}
                  								_push(_t21);
                  								_push(1);
                  								L23:
                  								_push(0x172);
                  								goto L27;
                  							} else {
                  								goto L16;
                  							}
                  							while(1) {
                  								L16:
                  								_t25 = E0041E860(0x47e520, _t37);
                  								_t12 =  &(_t40[0x34]); // 0x44c60575
                  								__eflags =  *_t25 -  *_t12;
                  								if( *_t25 ==  *_t12) {
                  									break;
                  								}
                  								_t37 = _t37 + 1;
                  								__eflags = _t37 -  *0x47e52c; // 0x0
                  								if(__eflags < 0) {
                  									continue;
                  								}
                  								goto L21;
                  							}
                  							_t13 = _t25 + 4; // 0x4
                  							_t27 = LoadImageA( *0x47e17c, E0041CD1E(_t13), 1, 0, 0, 0x10);
                  							L20:
                  							_t40[0x58] = _t27;
                  							goto L21;
                  						}
                  						_t40[0x58] = 0;
                  						goto L21;
                  					}
                  					_t27 = LoadIconA( *0x47e17c, 0x65);
                  					goto L20;
                  				}
                  				_t4 =  &(_t40[0x34]); // 0x44c60575
                  				_t21 =  *_t4;
                  				if(_t21 != 0xffffffff) {
                  					__eflags = _t21 - 0xfffffffe;
                  					_t6 =  &(_t40[0x58]); // 0x407864
                  					_t38 = _t6;
                  					if(_t21 != 0xfffffffe) {
                  						_t7 =  &(_t40[0x20]); // 0xdb33e98b
                  						_t8 =  &(_t40[0x1c]); // 0x555328ec
                  						_t21 = E0040FEB9(0x47f208, _t38, _t21,  *_t8,  *_t7);
                  					} else {
                  						 *_t38 = 0;
                  					}
                  				} else {
                  					_t21 =  *0x47e180; // 0x0
                  					_t5 =  &(_t40[0x58]); // 0x407864
                  					_t38 = _t5;
                  					 *_t38 = _t21;
                  				}
                  				_t39 =  *_t38;
                  				if(_t39 == 0) {
                  					goto L28;
                  				} else {
                  					_push(_t39);
                  					_push(0);
                  					goto L23;
                  				}
                  			}

                  APIs
                  • LoadIconA.USER32(00000065,770BB980), ref: 00408085
                  • SendMessageA.USER32(6FFEE858,000000F7,00000000,00407864), ref: 00408117
                  Strings
                  Similarity
                  • API ID: IconLoadMessageSend
                  • String ID: G
                  • API String ID: 3419944811-4264440988
                  • Opcode ID: 855e07b435fa39fb14fa5a0f8baf01adcb0fae204b3cce904ce901f2b8418828
                  • Instruction ID: 54e56afa20d57626c761f8bd5286ead796f30a47e0c4695bdc08836978fd8330
                  • Opcode Fuzzy Hash: 855e07b435fa39fb14fa5a0f8baf01adcb0fae204b3cce904ce901f2b8418828
                  • Instruction Fuzzy Hash: 3731E631100301EFC7304B25CE8086777A9EB45728B514A3FF5D2A66E2CB79AC8ADF19
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E00408F3D(intOrPtr __ecx, signed short _a4) {
                  				void* __edi;
                  				void* __esi;
                  				signed int _t9;
                  				signed int _t15;
                  				signed int _t24;
                  				signed int _t27;
                  				void* _t35;
                  				void* _t42;
                  
                  				_t46 = __ecx;
                  				if(_a4 >> 0x10 != 0) {
                  					return 0;
                  				}
                  				_t9 = _a4 & 0x0000ffff;
                  				__eflags = _t9 - 2;
                  				if(_t9 != 2) {
                  					__eflags = _t9 - 1;
                  					if(_t9 != 1) {
                  						__eflags = _t9 - 3;
                  						if(_t9 == 3) {
                  							E00407827(__ecx, _t42, __ecx, 0);
                  							E00417D26(0x47dfb8, 0);
                  						}
                  					} else {
                  						_t27 = SendDlgItemMessageA( *(__ecx + 4), 0xa, 0x188, 0, 0);
                  						__eflags = _t27;
                  						if(_t27 >= 0) {
                  							__eflags = _t27 - SendDlgItemMessageA( *(_t46 + 4), 0xa, 0x18b, 0, 0);
                  							if(__eflags <= 0) {
                  								_t15 = E004153F8(0x47dfb8, __eflags, _t27);
                  								__eflags = _t15;
                  								if(_t15 != 0) {
                  									E0041BF12(0x47e700, 0x42e0c8);
                  									__eflags =  *0x47e18c & 0x00000040;
                  									if(( *0x47e18c & 0x00000040) == 0) {
                  										_push(E0041CD1E(0x47e350));
                  										_t35 = 0x47e900;
                  									} else {
                  										_push(E0041CD1E(0x47e350));
                  										_t35 = 0x47e90c;
                  									}
                  									E0041C467(0x47e700, E0041CD1E(_t35));
                  									E00407827(_t46, 0x47dfb8, _t46, 0);
                  									E00417EA6(0x47dfb8, 0);
                  								} else {
                  									E0041B2A8( *(_t46 + 4), "Couldn\'t load language set!", 0);
                  								}
                  							}
                  						}
                  					}
                  				} else {
                  					_t24 = E0041BC79(0x47dfb8);
                  					__eflags = _t24;
                  					if(_t24 != 0) {
                  						E00407827(_t46, 0x47dfb8, _t46, 0);
                  						E0041A1B5(1);
                  					}
                  				}
                  				return 1;
                  			}

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID:
                  • String ID: Couldn't load language set!$PG
                  • API String ID: 0-2579099614
                  • Opcode ID: 42a7c8d168349ac970808f6448ea46a28237ef3dfabdb2de91d1ed100cc331f8
                  • Instruction ID: 77cd5b422e5052c0ad46dc8d68f147adf1f3548e2e93d8bac81c3ea856fbdb18
                  • Opcode Fuzzy Hash: 42a7c8d168349ac970808f6448ea46a28237ef3dfabdb2de91d1ed100cc331f8
                  • Instruction Fuzzy Hash: 5321A02030430862CA1432735C96ABF764E8F85B59F54843FF60A762D2CF6E6C42626E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 81%
                  			E0041DE38(signed int _a4, signed int _a8, CHAR* _a12) {
                  				signed int _v5;
                  				char _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _t50;
                  				void* _t60;
                  				signed int _t64;
                  				char _t66;
                  				void* _t67;
                  				signed int _t72;
                  				char* _t74;
                  
                  				_t72 = _a8;
                  				if((_a4 | _t72) != 0) {
                  					_t74 = _a12;
                  					_t66 = 0;
                  					_v5 = _v5 & 0;
                  					_v12 = 0;
                  					__eflags = _t72 & 0x80000000;
                  					if((_t72 & 0x80000000) == 0) {
                  						L8:
                  						_v20 = 0xa7640000;
                  						_v16 = 0xde0b6b3;
                  						_a12 = 0x13;
                  						do {
                  							__eflags = _t72 - _v16;
                  							if(__eflags < 0) {
                  								L13:
                  								__eflags = _v12 - _t66;
                  								if(_v12 != _t66) {
                  									_t33 =  &_v12;
                  									 *_t33 = _v12 + 1;
                  									__eflags =  *_t33;
                  									 *((char*)((_v5 & 0x000000ff) + _v12 + _t74)) = 0x30;
                  								}
                  								goto L15;
                  							}
                  							if(__eflags > 0) {
                  								L12:
                  								_t67 = E00425320(_a4, _t72, _v20, _v16);
                  								asm("cdq");
                  								_a4 = _a4 - E004252C0(_t67, 0x80000000, _v20, _v16);
                  								asm("sbb edi, edx");
                  								_v12 = _v12 + 1;
                  								 *((char*)((_v5 & 0x000000ff) + _v12 + _t74)) = _t67 + 0x30;
                  								_t66 = 0;
                  								goto L15;
                  							}
                  							__eflags = _a4 - _v20;
                  							if(_a4 < _v20) {
                  								goto L13;
                  							}
                  							goto L12;
                  							L15:
                  							_t50 = E00425320(_v20, _v16, 0xa, _t66);
                  							_t38 =  &_a12;
                  							 *_t38 = _a12 - 1;
                  							__eflags =  *_t38;
                  							_v20 = _t50;
                  							_v16 = 0x80000000;
                  						} while ( *_t38 != 0);
                  						_t60 = (_v5 & 0x000000ff) + _v12;
                  						_t44 = _t60 + _t74;
                  						 *_t44 =  *(_t60 + _t74) & 0x00000000;
                  						__eflags =  *_t44;
                  						return _t74;
                  					}
                  					__eflags = _a4;
                  					if(_a4 != 0) {
                  						L7:
                  						 *_t74 = 0x2d;
                  						_t72 =  !_t72 & 0x0fffffff;
                  						_t64 =  !_a4 + 1;
                  						__eflags = _t64;
                  						asm("adc edi, ebx");
                  						_a4 = _t64;
                  						_v5 = 1;
                  						goto L8;
                  					}
                  					__eflags = _t72 - 0x80000000;
                  					if(_t72 != 0x80000000) {
                  						goto L7;
                  					}
                  					_push("-9223372036854775808");
                  					L6:
                  					return lstrcpyA(_a12, ??);
                  				}
                  				_push("0");
                  				goto L6;
                  			}

                  APIs
                  • lstrcpyA.KERNEL32(0040CA7F,-9223372036854775808,00000000,?,00000000,0040CA7F,00000000,?,00000000,770B3BB0,?,00000000,00000000,00000000,000000B4,00000000), ref: 0041DE7D
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041DED2
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041DF1F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$lstrcpy
                  • String ID: -9223372036854775808
                  • API String ID: 191136725-2871333643
                  • Opcode ID: 1da013a00ed4f888c4f4e2d40d23857b28de4f724200c88ab0ce9d1520ac8055
                  • Instruction ID: 9bd6ed5f5e092b7878f430b8e576e8865948b3051bf6daf1064d560ea88b1c8a
                  • Opcode Fuzzy Hash: 1da013a00ed4f888c4f4e2d40d23857b28de4f724200c88ab0ce9d1520ac8055
                  • Instruction Fuzzy Hash: 3731A2B1E04659BFCF118F95DC817EEBFB1FF50345F54809AE810A6241C7798A81CB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E00423C00() {
                  				signed int _v8;
                  				intOrPtr _v20;
                  				intOrPtr _v28;
                  				signed int _v32;
                  				CHAR* _v40;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* _t36;
                  				CHAR* _t39;
                  				signed int _t40;
                  				signed int _t41;
                  				intOrPtr _t44;
                  				intOrPtr _t47;
                  
                  				_push(0xffffffff);
                  				_push(0x428708);
                  				_push(E00424EE0);
                  				_push( *[fs:0x0]);
                  				 *[fs:0x0] = _t44;
                  				_push(_t40);
                  				_push(_t36);
                  				_v28 = _t44 - 0x18;
                  				_t41 = _t40 | 0xffffffff;
                  				_t47 =  *0x47f244; // 0x0
                  				if(_t47 != 0) {
                  					E00407B45(0, _t36, _t41, 1);
                  					_t39 = E00424DD9(0x104);
                  					_v40 = _t39;
                  					if(_t39 == 0) {
                  						E0041D881(E0041CD1E(0x47e924));
                  					}
                  					E00424500(_t39, 0, 0x104);
                  					lstrcatA(_t39, E0041CD1E(0x47e338));
                  					_v8 = 0;
                  					_t41 =  *0x47f244( *0x47e178, _t39, 0x104);
                  					_v32 = _t41;
                  					_v8 = _v8 | 0xffffffff;
                  					E0041BF12(0x47e338, _t39);
                  					E00424DCE(_t39);
                  					if(_t41 == 1) {
                  						if(_t41 != 2) {
                  							goto L10;
                  						} else {
                  							goto L8;
                  						}
                  					} else {
                  						if(_t41 == 2) {
                  							L8:
                  							if( *0x42bf98 == 0xffffffff) {
                  								L10:
                  								_t41 = 0;
                  							} else {
                  								_t41 = 1;
                  							}
                  						} else {
                  							E0041A1B5(1);
                  						}
                  					}
                  				}
                  				if(_t41 <= 0) {
                  					E004145F6(0x47e880, 7);
                  					E004112B1(7);
                  				}
                  				 *[fs:0x0] = _v20;
                  				return _t41;
                  			}

                  APIs
                    • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407B99
                    • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407BA9
                    • Part of subcall function 00407B45: DestroyWindow.USER32(?,00000000,0047DFB8,00000094,?,0041A1BF,00000001,0047DFB8,0041A044,00000001,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 00407BE2
                    • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C0B
                    • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C22
                    • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C39
                    • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C50
                  • lstrcatA.KERNEL32(00000000,00000000,0047E50C,00000000,00000000,00415294,00000000,?,?,00000000), ref: 00423C7C
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: DeleteObject$Global$AllocDestroyLockUnlockWindowlstrcat
                  • String ID: $G$8G$8G
                  • API String ID: 2522731524-374341317
                  • Opcode ID: 7185a05e51b1de32318d534e3b6fcfef408e179e28108a3ef9f92a30f156077d
                  • Instruction ID: 8115a7386252ee14b040bfa3dfd6a380e7d671b64f282384a0dcfaf0cb5d2036
                  • Opcode Fuzzy Hash: 7185a05e51b1de32318d534e3b6fcfef408e179e28108a3ef9f92a30f156077d
                  • Instruction Fuzzy Hash: 98212B72F00230ABC3206B6A7D42AAE7579DB80B69F60023FF515772D1CA7D0D82859D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E00423D1A() {
                  				signed int _v8;
                  				intOrPtr _v20;
                  				intOrPtr _v28;
                  				signed int _v32;
                  				CHAR* _v40;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* _t36;
                  				CHAR* _t39;
                  				signed int _t40;
                  				signed int _t41;
                  				intOrPtr _t44;
                  				intOrPtr _t47;
                  
                  				_push(0xffffffff);
                  				_push(0x428718);
                  				_push(E00424EE0);
                  				_push( *[fs:0x0]);
                  				 *[fs:0x0] = _t44;
                  				_push(_t40);
                  				_push(_t36);
                  				_v28 = _t44 - 0x18;
                  				_t41 = _t40 | 0xffffffff;
                  				_t47 =  *0x47f248; // 0x0
                  				if(_t47 != 0) {
                  					E00407B45(0, _t36, _t41, 1);
                  					_t39 = E00424DD9(0x104);
                  					_v40 = _t39;
                  					if(_t39 == 0) {
                  						E0041D881(E0041CD1E(0x47e924));
                  					}
                  					E00424500(_t39, 0, 0x104);
                  					lstrcatA(_t39, E0041CD1E(0x47e344));
                  					_v8 = 0;
                  					_t41 =  *0x47f248( *0x47e178, _t39, 0x104);
                  					_v32 = _t41;
                  					_v8 = _v8 | 0xffffffff;
                  					E0041BF12(0x47e344, _t39);
                  					E00424DCE(_t39);
                  					if(_t41 == 1) {
                  						if(_t41 != 2) {
                  							goto L10;
                  						} else {
                  							goto L8;
                  						}
                  					} else {
                  						if(_t41 == 2) {
                  							L8:
                  							if( *0x42bf98 == 0xffffffff) {
                  								L10:
                  								_t41 = 0;
                  							} else {
                  								_t41 = 1;
                  							}
                  						} else {
                  							E0041A1B5(1);
                  						}
                  					}
                  				}
                  				if(_t41 <= 0) {
                  					E004145F6(0x47e880, 8);
                  					E004112B1(8);
                  				}
                  				 *[fs:0x0] = _v20;
                  				return _t41;
                  			}

                  APIs
                    • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407B99
                    • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407BA9
                    • Part of subcall function 00407B45: DestroyWindow.USER32(?,00000000,0047DFB8,00000094,?,0041A1BF,00000001,0047DFB8,0041A044,00000001,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 00407BE2
                    • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C0B
                    • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C22
                    • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C39
                    • Part of subcall function 00407B45: DeleteObject.GDI32(?), ref: 00407C50
                  • lstrcatA.KERNEL32(00000000,00000000,0047E50C,00000000,00000000,00415294,00000000,?,?,00000000), ref: 00423D96
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: DeleteObject$Global$AllocDestroyLockUnlockWindowlstrcat
                  • String ID: $G$DG$DG
                  • API String ID: 2522731524-3730125631
                  • Opcode ID: 2f2b418b8ba34d6e3d4374114826b12d4a2e3f29efaab3276254b25a5f94b08d
                  • Instruction ID: a2bfef0010f8ebc192bdd9e60e8a526ad02d01d20727c96312a57d634a3b970f
                  • Opcode Fuzzy Hash: 2f2b418b8ba34d6e3d4374114826b12d4a2e3f29efaab3276254b25a5f94b08d
                  • Instruction Fuzzy Hash: 5421E972B40130ABD3206B657C82ABE7975DB81765F61023FF515662D1CA7C0D8246EE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E00405311(void* __edi, void* __esi, void* __eflags) {
                  				char _v16;
                  				char _v28;
                  				void _v539;
                  				char _v540;
                  				void* _t26;
                  				void* _t27;
                  				signed int _t50;
                  				long _t59;
                  				void* _t61;
                  				void* _t62;
                  
                  				_t59 = GetLastError();
                  				E00401A5C();
                  				E0041BDC5( &_v16);
                  				_push(E0041CD1E(0x47f02c));
                  				E0041C467( &_v16, E0041CD1E(0x47efd8));
                  				_t62 = _t61 + 0xc;
                  				E0041BDC5( &_v28);
                  				if(_t59 == 0) {
                  					E0041BF80( &_v28,  &_v16);
                  				} else {
                  					_t50 = 0x7f;
                  					_v540 = 0;
                  					memset( &_v539, 0, _t50 << 2);
                  					asm("stosw");
                  					asm("stosb");
                  					FormatMessageA(0x1000, 0, _t59, 0x400,  &_v540, 0x200, 0);
                  					_push( &_v540);
                  					_push(E0041CD1E( &_v16));
                  					E0041C467( &_v28, "%s (%s)");
                  					_t62 = _t62 + 0x1c;
                  				}
                  				_t26 = E0041CD1E(0x47e700);
                  				_t27 = E0041CD1E( &_v28);
                  				if(E0041D0E2(GetActiveWindow(), _t27, _t26, 4) == 7) {
                  					E0041D0D5(_t29);
                  				}
                  				E0041BEFB( &_v28);
                  				return E0041BEFB( &_v16);
                  			}

                  APIs
                  • GetLastError.KERNEL32(00000000), ref: 0040531B
                    • Part of subcall function 00401A5C: CloseHandle.KERNEL32(00000000,00405328), ref: 00401A72
                    • Part of subcall function 00401A5C: CloseHandle.KERNEL32 ref: 00401A7A
                    • Part of subcall function 00401A5C: DeleteFileA.KERNEL32(C:\ztg\fillProxy\spy++\spyxxhk.dll), ref: 00401A81
                    • Part of subcall function 0041BDC5: GlobalAlloc.KERNELBASE(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                    • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                  • FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000200,00000000,00000000), ref: 00405390
                  • GetActiveWindow.USER32 ref: 004053DC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$lstrlen$AllocCloseHandleLock$ActiveDeleteErrorFileFormatLastMessageUnlockWindow
                  • String ID: %s (%s)
                  • API String ID: 2124624523-1363028141
                  • Opcode ID: 974608c8354438f0f6330fc2255bd5c4ab50c069cb72252345656e87d0d041e2
                  • Instruction ID: 1a99f7a09a3374408a4759d62bf33a5c9ae644328a98e511fed88348be1b81f5
                  • Opcode Fuzzy Hash: 974608c8354438f0f6330fc2255bd5c4ab50c069cb72252345656e87d0d041e2
                  • Instruction Fuzzy Hash: 6221B3B1D40109A6CB14F7B1DC8ADEF772CDF14348F5041BEF605A21C2EF7856858AA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 68%
                  			E0041021E(CHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                  				char _v16;
                  				int _t29;
                  				CHAR* _t57;
                  
                  				E0041BE99( &_v16, 0x47e338);
                  				if(E0041BFE3( &_v16, _v16 - 1) != 0x5c) {
                  					E0041BFF8( &_v16, 0x5c);
                  				}
                  				E0041C047( &_v16, "Backup\\", 0);
                  				E0040DC10(E0041CD1E( &_v16), 1);
                  				_t57 = _a4;
                  				_t29 = lstrlenA(_t57);
                  				while(1) {
                  					_t29 = _t29 - 1;
                  					if(_t29 <= 0) {
                  						break;
                  					}
                  					if(_t57[_t29] != 0x5c) {
                  						continue;
                  					} else {
                  						E0041C047( &_v16,  &(( &(_t57[1]))[_t29]), 0);
                  					}
                  					break;
                  				}
                  				CopyFileA(_t57, E0041CD1E( &_v16), 0);
                  				E0041BFF8( &_v16, 9);
                  				E0041C047( &_v16, _t57, 0);
                  				_push(_a16);
                  				_push(_a20);
                  				_push(_a12);
                  				_push(_a8);
                  				E0041C467( &_v16, "\t%d\t%d\t%d\t%d");
                  				E00421D22(0x47e788, E0041CD1E( &_v16));
                  				return E0041BEFB( &_v16);
                  			}







                  APIs
                    • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                    • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                  • lstrlenA.KERNEL32(00000000,Backup\,00000000,00000000,-00000001,0047E338,00000000,00000000,00000034,?,?,?,0047EB1C,0042BC40,00000000), ref: 00410272
                  • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0041029E
                    • Part of subcall function 0041BFF8: GlobalUnlock.KERNEL32(8415FF57,0047E788,004221E2,00000000,00000000,00000000,0047E788,00000000), ref: 0041C000
                    • Part of subcall function 0041BFF8: GlobalReAlloc.KERNEL32 ref: 0041C00D
                    • Part of subcall function 0041BFF8: GlobalLock.KERNEL32 ref: 0041C02E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLock$CopyFileUnlocklstrlen
                  • String ID: %d%d%d%d$Backup\
                  • API String ID: 1237974043-2132705745
                  • Opcode ID: 976619ff1f6ac7e304c3716991ac40e53723da516e64e13083b91b345daaa296
                  • Instruction ID: ad85fda3904b5a867add6e6e5d2a9896b3e047cb0076d11bc5066a6bb4e0c6a8
                  • Opcode Fuzzy Hash: 976619ff1f6ac7e304c3716991ac40e53723da516e64e13083b91b345daaa296
                  • Instruction Fuzzy Hash: 61217F31940209BADB14FBA5EC86FEE3728DF14304F50405EB511A60D2EF78AA85CB98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041CF4B(void** __ecx, intOrPtr _a4, intOrPtr _a8) {
                  				void* _t26;
                  				void* _t27;
                  				void* _t30;
                  				signed int _t31;
                  				void* _t46;
                  				void** _t55;
                  
                  				_t55 = __ecx;
                  				__ecx[4] = 1;
                  				GlobalUnlock( *__ecx);
                  				_t26 = GlobalReAlloc( *_t55, (_a8 + _t55[1]) * _t55[3], 0x42);
                  				 *_t55 = _t26;
                  				_t27 = GlobalLock(_t26);
                  				_t49 = 0;
                  				 *(_t55[2]) = _t27;
                  				if( *(_t55[2]) != 0) {
                  					if(_a8 <= 0) {
                  						L8:
                  						_t55[1] = _t55[1] + _a8;
                  						_t55[4] = _t55[4] & 0x00000000;
                  						_t30 = 1;
                  						return _t30;
                  					}
                  					do {
                  						_t31 = _t55[3];
                  						_t46 = 0;
                  						if(_t31 <= 0) {
                  							goto L6;
                  						} else {
                  							goto L5;
                  						}
                  						do {
                  							L5:
                  							 *((char*)((_t55[1] + _t49) * _t31 +  *(_t55[2]) + _t46)) =  *((intOrPtr*)(_t31 * _t49 + _t46 + _a4));
                  							_t31 = _t55[3];
                  							_t46 = _t46 + 1;
                  						} while (_t46 < _t31);
                  						L6:
                  						_t49 = _t49 + 1;
                  					} while (_t49 < _a8);
                  					goto L8;
                  				}
                  				_t55[4] = 0;
                  				return E0041D881(E0041CD1E(0x47e924)) | 0xffffffff;
                  			}










                  APIs
                  • GlobalUnlock.KERNEL32(?,?,?,00421D0E,00000001,00000001,?,00411457,00000000,0047E794), ref: 0041CF57
                  • GlobalReAlloc.KERNEL32 ref: 0041CF6C
                  • GlobalLock.KERNEL32 ref: 0041CF75
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLockUnlock
                  • String ID: $G
                  • API String ID: 3972497268-195990108
                  • Opcode ID: 50ea70f0800864770253a9ffb9ffb59fa3bc52ba0c8d08bfe82d6428a90440b9
                  • Instruction ID: 30d634e0afc79d46ac79a2021f3955f9af89963e9248311a26e3a657e5a0657f
                  • Opcode Fuzzy Hash: 50ea70f0800864770253a9ffb9ffb59fa3bc52ba0c8d08bfe82d6428a90440b9
                  • Instruction Fuzzy Hash: CB21A435240B419FC724CF69C981996B7E9EF59320710C52EE19ACB7A1D778E881CB14
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E0040D883(char* _a4, intOrPtr* _a8, intOrPtr* _a12) {
                  				void* _v8;
                  				int _v12;
                  				int _v16;
                  				signed int _t15;
                  				void* _t21;
                  				void* _t36;
                  				int _t38;
                  				void* _t39;
                  
                  				_t15 = GetFileVersionInfoSizeA(_a4,  &_v12);
                  				_t38 = _t15;
                  				if(_t38 != 0) {
                  					_t36 = E00424DD9(_t38);
                  					if(_t36 == 0) {
                  						E0041D881(E0041CD1E(0x47e924));
                  					}
                  					if(GetFileVersionInfoA(_a4, _v12, _t38, _t36) != 0) {
                  						_v8 = _v8 & 0x00000000;
                  						if(VerQueryValueA(_t36, "\\",  &_v8,  &_v16) != 0) {
                  							_t21 = _v8;
                  							_push(1);
                  							 *_a8 =  *((intOrPtr*)(_t21 + 8));
                  							 *_a12 =  *((intOrPtr*)(_t21 + 0xc));
                  						} else {
                  							_push(0xfffffffc);
                  						}
                  					} else {
                  						_push(0xfffffffd);
                  					}
                  					_pop(_t39);
                  					E00424DCE(_t36);
                  					return _t39;
                  				}
                  				return _t15 | 0xffffffff;
                  			}












                  APIs
                  • GetFileVersionInfoSizeA.VERSION(00000000,00000000,00000000,?,00000000,00000000), ref: 0040D891
                  • GetFileVersionInfoA.VERSION(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040D8C8
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: FileInfoVersion$Size
                  • String ID: $G
                  • API String ID: 2104008232-195990108
                  • Opcode ID: 624c5718af41c2b79abd81fd6ec22ab6704b1926903904cabe6d26171faf070a
                  • Instruction ID: 6ec1859e884c135b30265ee31449acefa2f538f76d71efcc8004e3bba50e2383
                  • Opcode Fuzzy Hash: 624c5718af41c2b79abd81fd6ec22ab6704b1926903904cabe6d26171faf070a
                  • Instruction Fuzzy Hash: 08110D76A00114BBCB11BA95EC04DEF3B68DF85374B20427BF810E72C1DB389905D795
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041E9EA(char* __ecx, intOrPtr _a4) {
                  				signed int _t19;
                  				signed int _t20;
                  				void* _t25;
                  				void* _t26;
                  				signed int _t30;
                  				intOrPtr* _t33;
                  				char* _t38;
                  
                  				_t38 = __ecx;
                  				_t30 = 0;
                  				_t19 =  *(__ecx + 0xc);
                  				if(_t19 <= 0) {
                  					L4:
                  					_t20 = _t19 | 0xffffffff;
                  				} else {
                  					_t33 =  *((intOrPtr*)(__ecx + 8));
                  					while( *_t33 != _a4) {
                  						_t30 = _t30 + 1;
                  						_t33 = _t33 + 4;
                  						if(_t30 < _t19) {
                  							continue;
                  						} else {
                  							goto L4;
                  						}
                  						goto L5;
                  					}
                  					 *_t38 = 1;
                  					while(_t30 < _t19 - 1) {
                  						 *((intOrPtr*)( *(_t38 + 8) + _t30 * 4)) =  *((intOrPtr*)( *(_t38 + 8) + 4 + _t30 * 4));
                  						_t19 =  *(_t38 + 0xc);
                  						_t30 = _t30 + 1;
                  					}
                  					 *(_t38 + 0xc) =  *(_t38 + 0xc) - 1;
                  					GlobalUnlock( *(_t38 + 4));
                  					_t25 = GlobalReAlloc( *(_t38 + 4),  *(_t38 + 0xc) << 2, 0x42);
                  					 *(_t38 + 4) = _t25;
                  					_t26 = GlobalLock(_t25);
                  					 *(_t38 + 8) = _t26;
                  					if(_t26 != 0 ||  *(_t38 + 0xc) <= _t26) {
                  						_t20 = 1;
                  					} else {
                  						_t19 = E0041D881(E0041CD1E(0x47e924));
                  						goto L4;
                  					}
                  				}
                  				L5:
                  				return _t20;
                  			}











                  APIs
                  • GlobalUnlock.KERNEL32(?,?,?,00415BF8,00000000,?), ref: 0041EA30
                  • GlobalReAlloc.KERNEL32 ref: 0041EA42
                  • GlobalLock.KERNEL32 ref: 0041EA4C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLockUnlock
                  • String ID: $G
                  • API String ID: 3972497268-195990108
                  • Opcode ID: 2c14db1d8af75b99250c197fbadac50f9c6fd3ff559b8cc28addc30c0ae6fbaa
                  • Instruction ID: c5794519439faa4e23426753201981bf120af7aabff434d8043eab4aea142066
                  • Opcode Fuzzy Hash: 2c14db1d8af75b99250c197fbadac50f9c6fd3ff559b8cc28addc30c0ae6fbaa
                  • Instruction Fuzzy Hash: 0A11A075700A028FC7249F2AD85596BB7E5FF443A0710C92EE89BC7761DB78F8828B14
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041CEC4(void** __ecx, intOrPtr _a4) {
                  				void* _t20;
                  				void* _t23;
                  				void* _t24;
                  				signed int _t30;
                  				void** _t43;
                  
                  				_t43 = __ecx;
                  				__ecx[4] = 1;
                  				GlobalUnlock( *__ecx);
                  				_t43[1] = _t43[1] + 1;
                  				_t20 = GlobalReAlloc( *_t43, _t43[1] * _t43[3], 0x42);
                  				 *_t43 = _t20;
                  				 *(_t43[2]) = GlobalLock(_t20);
                  				if( *(_t43[2]) != 0) {
                  					_t30 = _t43[3];
                  					_t23 = 0;
                  					if(_t30 <= 0) {
                  						L6:
                  						_t43[4] = 0;
                  						_t24 = 1;
                  						return _t24;
                  					}
                  					do {
                  						 *((char*)((_t43[1] - 1) * _t30 +  *(_t43[2]) + _t23)) =  *((intOrPtr*)(_t23 + _a4));
                  						_t30 = _t43[3];
                  						_t23 = _t23 + 1;
                  					} while (_t23 < _t30);
                  					goto L6;
                  				}
                  				_t43[4] = 0;
                  				return E0041D881(E0041CD1E(0x47e924)) | 0xffffffff;
                  			}









                  APIs
                  • GlobalUnlock.KERNEL32(?,?,00421D1D,00000000), ref: 0041CECD
                  • GlobalReAlloc.KERNEL32 ref: 0041CEE2
                  • GlobalLock.KERNEL32 ref: 0041CEEB
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLockUnlock
                  • String ID: $G
                  • API String ID: 3972497268-195990108
                  • Opcode ID: b0a6c556769eefa18d5e04f9020e956f96c5b50801f3da1a30941deeb5b5b08f
                  • Instruction ID: 0870221ce2071d048dde4c69390beb3818ff02ef434fcd04cf7f89a3ced6e25b
                  • Opcode Fuzzy Hash: b0a6c556769eefa18d5e04f9020e956f96c5b50801f3da1a30941deeb5b5b08f
                  • Instruction Fuzzy Hash: D611A075244B41CFC339DB28D984956BBE6EF993107108D6EE0EAC76A1CB74A881CB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041E87A(char* __ecx, intOrPtr _a4, intOrPtr _a8) {
                  				void* _t21;
                  				void* _t22;
                  				void* _t24;
                  				signed int _t28;
                  				intOrPtr _t35;
                  				char* _t36;
                  
                  				_t36 = __ecx;
                  				_t35 = _a4;
                  				if( *((char*)(__ecx + 0x10)) != 0) {
                  					L2:
                  					_t3 = _t36 + 4; // 0x22100ac
                  					 *_t36 = 1;
                  					GlobalUnlock( *_t3);
                  					 *(_t36 + 0xc) =  *(_t36 + 0xc) + 1;
                  					_t6 = _t36 + 0xc; // 0x8
                  					_t7 = _t36 + 4; // 0x22100ac
                  					_t21 = GlobalReAlloc( *_t7,  *_t6 << 2, 0x42);
                  					 *(_t36 + 4) = _t21;
                  					_t22 = GlobalLock(_t21);
                  					 *(_t36 + 8) = _t22;
                  					if(_t22 != 0) {
                  						_t10 = _t36 + 0xc; // 0x8
                  						 *((intOrPtr*)(_t22 +  *_t10 * 4 - 4)) = _t35;
                  						_t14 = _t36 + 0xc; // 0x8
                  						_t23 =  *_t14;
                  						if(_a8 <  *_t14 && _a8 >= 0) {
                  							E0041E974(_t36, _t23 - 1, _a8);
                  						}
                  						_t24 = 1;
                  						return _t24;
                  					}
                  					_t28 = E0041D881(E0041CD1E(0x47e924));
                  					L4:
                  					return _t28 | 0xffffffff;
                  				}
                  				_t28 = E0041E950(__ecx, _t35);
                  				if(_t28 != 0xffffffff) {
                  					goto L4;
                  				}
                  				goto L2;
                  			}










                  APIs
                  • GlobalUnlock.KERNEL32(022100AC,00000000,0047E4D0,00407A66,00000000,000000FF), ref: 0041E899
                  • GlobalReAlloc.KERNEL32 ref: 0041E8AE
                  • GlobalLock.KERNEL32 ref: 0041E8B8
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLockUnlock
                  • String ID: $G
                  • API String ID: 3972497268-195990108
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041C0C5(long* __ecx, void* __eflags, intOrPtr* _a4) {
                  				long _t13;
                  				void* _t15;
                  				void* _t19;
                  				intOrPtr _t22;
                  				intOrPtr* _t29;
                  				long* _t30;
                  
                  				_t29 = _a4;
                  				_t30 = __ecx;
                  				_t19 = E0041CD1E(_t29);
                  				 *((intOrPtr*)(__ecx)) =  *((intOrPtr*)(__ecx)) +  *_t29;
                  				GlobalUnlock( *(__ecx + 4));
                  				_t13 = GlobalReAlloc(_t30[1],  *_t30, 0x42);
                  				_t30[1] = _t13;
                  				if(_t13 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				_t30[2] = GlobalLock(_t30[1]);
                  				_t22 =  *_t29;
                  				_t15 = 0;
                  				if(_t22 > 0) {
                  					do {
                  						 *((char*)(_t30[2] - _t22 +  *_t30 + _t15)) =  *((intOrPtr*)(_t15 + _t19));
                  						_t22 =  *_t29;
                  						_t15 = _t15 + 1;
                  					} while (_t15 < _t22);
                  				}
                  				return _t30;
                  			}










                  APIs
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • GlobalUnlock.KERNEL32(?,00000000,0047E380,?,00421CA7,00000004,?,00000000,00000000,00000000,0047E490,0047E788,0047E380,0047E788,?,00422453), ref: 0041C0DE
                  • GlobalReAlloc.KERNEL32 ref: 0041C0EB
                  • GlobalLock.KERNEL32 ref: 0041C10C
                  Similarity
                  • API ID: Global$AllocLockUnlock
                  • String ID: $G
                  • API String ID: 3972497268-195990108
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041C3A9(long* __ecx, intOrPtr _a4, intOrPtr _a8) {
                  				long _t11;
                  				void* _t15;
                  				char* _t20;
                  				intOrPtr _t22;
                  				intOrPtr _t28;
                  				long* _t30;
                  
                  				_t30 = __ecx;
                  				_t22 = _a8;
                  				_t28 = _a4;
                  				_t11 =  *__ecx;
                  				if(_t28 + _t22 <= _t11) {
                  					while(_t28 < _t11 - _t22) {
                  						_t20 = _t30[2] + _t28;
                  						_t28 = _t28 + 1;
                  						 *_t20 =  *((intOrPtr*)(_t20 + _t22));
                  						_t11 =  *_t30;
                  					}
                  					 *_t30 =  *_t30 - _t22;
                  					GlobalUnlock(_t30[1]);
                  					_t15 = GlobalReAlloc(_t30[1],  *_t30, 0x42);
                  					_t30[1] = _t15;
                  					if(_t15 == 0) {
                  						E0041D881(E0041CD1E(0x47e924));
                  					}
                  					_t30[2] = GlobalLock(_t30[1]);
                  				}
                  				return _t30;
                  			}










                  APIs
                  • GlobalUnlock.KERNEL32(?,00000000,00000000,00421A09,00000000,00000001,0000005C,00000000,00000000,00000000,0000005C,00000000,00000000,0047E490,0047E788,00000000), ref: 0041C3D8
                  • GlobalReAlloc.KERNEL32 ref: 0041C3E5
                  • GlobalLock.KERNEL32 ref: 0041C406
                  Similarity
                  • API ID: Global$AllocLockUnlock
                  • String ID: $G
                  • API String ID: 3972497268-195990108
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041CDAE(long* __ecx) {
                  				void* _t9;
                  				void* _t12;
                  				intOrPtr _t20;
                  				long _t21;
                  				long* _t22;
                  
                  				_t22 = __ecx;
                  				_t9 =  *((intOrPtr*)(__ecx)) - 1;
                  				if(_t9 >= 0) {
                  					_t1 =  &(_t22[2]); // 0x6dfdd8
                  					_t21 =  *_t1;
                  					while(1) {
                  						_t20 =  *((intOrPtr*)(_t21 + _t9));
                  						if(_t20 != 0 && _t20 != 0x5c && _t20 != 0x20) {
                  							goto L6;
                  						}
                  						_t9 = _t9 - 1;
                  						if(_t9 >= 0) {
                  							continue;
                  						}
                  						goto L6;
                  					}
                  				}
                  				L6:
                  				_t3 =  &(_t22[1]); // 0x2210004
                  				 *_t22 = _t9 + 1;
                  				GlobalUnlock( *_t3);
                  				_t4 =  &(_t22[1]); // 0x2210004
                  				_t12 = GlobalReAlloc( *_t4,  *_t22, 0x42);
                  				_t22[1] = _t12;
                  				if(_t12 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				_t6 =  &(_t22[1]); // 0x2210004
                  				_t22[2] = GlobalLock( *_t6);
                  				return _t22;
                  			}









                  APIs
                  • GlobalUnlock.KERNEL32(02210004,0047E338,0040B1E0,?,?,?), ref: 0041CDD3
                  • GlobalReAlloc.KERNEL32 ref: 0041CDE0
                  • GlobalLock.KERNEL32 ref: 0041CE01
                  Similarity
                  • API ID: Global$AllocLockUnlock
                  • String ID: $G
                  • API String ID: 3972497268-195990108
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041BE35(signed int* __ecx, CHAR* _a4) {
                  				long _t12;
                  				void* _t13;
                  				void* _t15;
                  				CHAR* _t24;
                  				long* _t25;
                  
                  				_t24 = _a4;
                  				_t25 = __ecx;
                  				 *__ecx =  *__ecx & 0x00000000;
                  				__ecx[1] = __ecx[1] & 0x00000000;
                  				__ecx[2] = __ecx[2] & 0x00000000;
                  				_t12 = lstrlenA(_t24);
                  				 *_t25 = _t12;
                  				_t13 = GlobalAlloc(0x42, _t12);
                  				_t25[1] = _t13;
                  				if(_t13 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				_t7 =  &(_t25[1]); // 0x0
                  				_t25[2] = GlobalLock( *_t7);
                  				_t15 = 0;
                  				if( *_t25 > 0) {
                  					do {
                  						_t9 =  &(_t25[2]); // 0x0
                  						 *((char*)( *_t9 + _t15)) =  *((intOrPtr*)(_t15 + _t24));
                  						_t15 = _t15 + 1;
                  					} while (_t15 <  *_t25);
                  				}
                  				return _t25;
                  			}









                  APIs
                  • lstrlenA.KERNEL32(00000000,0047DFB8,0047F2B8,0041B2F4,Astrum Installer,00000000,0047DFB8,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000), ref: 0041BE49
                  • GlobalAlloc.KERNEL32(00000042,00000000,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 0041BE54
                  • GlobalLock.KERNEL32 ref: 0041BE75
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Similarity
                  • API ID: Global$AllocLock$Unlocklstrlen
                  • String ID: $G
                  • API String ID: 2268361814-195990108
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041BF80(long* __ecx, long* _a4) {
                  				long _t12;
                  				void* _t13;
                  				void* _t15;
                  				long* _t25;
                  				long* _t26;
                  
                  				_t26 = __ecx;
                  				GlobalUnlock( *(__ecx + 4));
                  				_t25 = _a4;
                  				_t12 =  *_t25;
                  				 *_t26 = _t12;
                  				_t13 = GlobalReAlloc(_t26[1], _t12, 0x42);
                  				_t26[1] = _t13;
                  				if(_t13 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				_t26[2] = GlobalLock(_t26[1]);
                  				_t15 = 0;
                  				if( *_t26 > 0) {
                  					do {
                  						 *((char*)(_t15 + _t26[2])) =  *((intOrPtr*)(_t25[2] + _t15));
                  						_t15 = _t15 + 1;
                  					} while (_t15 <  *_t26);
                  				}
                  				return _t26;
                  			}









                  APIs
                  • GlobalUnlock.KERNEL32(?,00000000,00000000,004079C1,00000000), ref: 0041BF87
                  • GlobalReAlloc.KERNEL32 ref: 0041BF9B
                  • GlobalLock.KERNEL32 ref: 0041BFBC
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Similarity
                  • API ID: Global$AllocLockUnlock
                  • String ID: $G
                  • API String ID: 3972497268-195990108
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041DBA4(struct HWND__* _a4, int _a8, CHAR** _a12) {
                  				CHAR* _t6;
                  				struct HWND__* _t12;
                  				CHAR** _t16;
                  				int _t18;
                  
                  				_t12 = GetDlgItem(_a4, _a8);
                  				_t18 = GetWindowTextLengthA(_t12) + 1;
                  				_t6 = E00424DD9(_t18);
                  				_t16 = _a12;
                  				 *_t16 = _t6;
                  				if(_t6 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				if(_t18 != 1) {
                  					GetWindowTextA(_t12,  *_t16, _t18);
                  				} else {
                  					 *( *_t16) =  *( *_t16) & 0x00000000;
                  				}
                  				return  *_t16;
                  			}








                  APIs
                  • GetDlgItem.USER32 ref: 0041DBAF
                  • GetWindowTextLengthA.USER32(00000000), ref: 0041DBB8
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • GetWindowTextA.USER32 ref: 0041DBF3
                  Similarity
                  • API ID: Global$TextWindow$AllocItemLengthLockUnlock
                  • String ID: $G
                  • API String ID: 3259721826-195990108
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041C65C(long* __ecx, intOrPtr _a4) {
                  				long _t8;
                  				long _t16;
                  				intOrPtr _t19;
                  				long* _t20;
                  
                  				_t20 = __ecx;
                  				_t19 = _a4;
                  				 *((intOrPtr*)(__ecx)) =  *((intOrPtr*)(__ecx)) + _t19;
                  				GlobalUnlock( *(__ecx + 4));
                  				_t8 = GlobalReAlloc(_t20[1],  *_t20, 0x42);
                  				_t20[1] = _t8;
                  				if(_t8 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				_t16 = GlobalLock(_t20[1]);
                  				_t20[2] = _t16;
                  				return  *_t20 - _t19 + _t16;
                  			}








                  APIs
                  • GlobalUnlock.KERNEL32(?,00000000,00000000,00422571,00422D86,?,00422691,00000000,00422D86,0047E490,00000000,0042DBB4,0047E788,0047E33C), ref: 0041C669
                  • GlobalReAlloc.KERNEL32 ref: 0041C676
                  • GlobalLock.KERNEL32 ref: 0041C697
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLockUnlock
                  • String ID: $G
                  • API String ID: 3972497268-195990108
                  • Opcode ID: 4f5ece7ec2e95d7afc40c57851927f66563dbfb55d93eb9d1c14b3bf9a5f1804
                  • Instruction ID: a348731c2379111fd9940010399183ac0525806b12e232145e0d7a813987a14c
                  • Opcode Fuzzy Hash: 4f5ece7ec2e95d7afc40c57851927f66563dbfb55d93eb9d1c14b3bf9a5f1804
                  • Instruction Fuzzy Hash: 76F08CB27047019FC7645F69DD0AA5ABBE9EF94710310883EF19AC2620DB78A8418B18
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041CD1E(intOrPtr* __ecx) {
                  				void* _t12;
                  				void* _t13;
                  				intOrPtr* _t21;
                  
                  				_t21 = __ecx;
                  				_t1 = _t21 + 4; // 0x22103e4
                  				GlobalUnlock( *_t1);
                  				_t2 = _t21 + 4; // 0x22103e4
                  				_t12 = GlobalReAlloc( *_t2,  *_t21 + 1, 0x42);
                  				 *(_t21 + 4) = _t12;
                  				if(_t12 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				_t4 = _t21 + 4; // 0x22103e4
                  				_t13 = GlobalLock( *_t4);
                  				_t18 =  *_t21;
                  				 *(_t21 + 8) = _t13;
                  				 *(_t18 + _t13) =  *( *_t21 + _t13) & 0x00000000;
                  				_t8 = _t21 + 8; // 0x0
                  				return  *_t8;
                  			}







                  APIs
                  • GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                  • GlobalReAlloc.KERNEL32 ref: 0041CD33
                  • GlobalLock.KERNEL32 ref: 0041CD54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLockUnlock
                  • String ID: $G
                  • API String ID: 3972497268-195990108
                  • Opcode ID: 4c04066e2957ffe463fa4d1aa61e0edd956c59a5287266df2bedffe38d45fd84
                  • Instruction ID: 05689e7bf601cf7ae28db6c5b8659b178a5b11d912197ed629201878707b0977
                  • Opcode Fuzzy Hash: 4c04066e2957ffe463fa4d1aa61e0edd956c59a5287266df2bedffe38d45fd84
                  • Instruction Fuzzy Hash: BAF03070640B01DFD7345F25ED49AA67BE9EF04700710887EF49A82661DB79AC818B54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041BFF8(long* __ecx, char _a4) {
                  				long _t10;
                  				long _t11;
                  				long* _t20;
                  
                  				_t20 = __ecx;
                  				_t1 =  &(_t20[1]); // 0x8415ff57
                  				 *((intOrPtr*)(__ecx)) =  *((intOrPtr*)(__ecx)) + 1;
                  				GlobalUnlock( *_t1);
                  				_t2 =  &(_t20[1]); // 0x828415ff
                  				_t10 = GlobalReAlloc( *_t2,  *_t20, 0x42);
                  				_t20[1] = _t10;
                  				if(_t10 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				_t4 =  &(_t20[1]); // 0x828415ff
                  				_t11 = GlobalLock( *_t4);
                  				_t20[2] = _t11;
                  				 *((char*)( *_t20 + _t11 - 1)) = _a4;
                  				return _t20;
                  			}







                  APIs
                  • GlobalUnlock.KERNEL32(8415FF57,0047E788,004221E2,00000000,00000000,00000000,0047E788,00000000), ref: 0041C000
                  • GlobalReAlloc.KERNEL32 ref: 0041C00D
                  • GlobalLock.KERNEL32 ref: 0041C02E
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLockUnlock
                  • String ID: $G
                  • API String ID: 3972497268-195990108
                  • Opcode ID: 253567e8a581ebbe8db9d371c070114a8f7ea98805c1aae6d7df8b8c6d179442
                  • Instruction ID: e55ee8fbfd7d64683e51a792c0928d2730b2136d939b803eba4c43ccf220643e
                  • Opcode Fuzzy Hash: 253567e8a581ebbe8db9d371c070114a8f7ea98805c1aae6d7df8b8c6d179442
                  • Instruction Fuzzy Hash: 43F08CB1644B01DFC7356F64DD4959ABFE5EF18740310887EE1CA82661CB769842CB14
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E00401A5C() {
                  
                  				if( *0x47abb4 != 0) {
                  					CloseHandle( *0x42e1fc);
                  					CloseHandle( *0x436240);
                  					DeleteFileA("C:\\ztg\\fillProxy\\spy++\\spyxxhk.dll");
                  				}
                  				_push(0);
                  				return E00401A91();
                  			}




                  APIs
                  • CloseHandle.KERNEL32(00000000,00405328), ref: 00401A72
                  • CloseHandle.KERNEL32 ref: 00401A7A
                  • DeleteFileA.KERNEL32(C:\ztg\fillProxy\spy++\spyxxhk.dll), ref: 00401A81
                  Strings
                  • C:\ztg\fillProxy\spy++\spyxxhk.dll, xrefs: 00401A7C
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: CloseHandle$DeleteFile
                  • String ID: C:\ztg\fillProxy\spy++\spyxxhk.dll
                  • API String ID: 2471952376-3488750491
                  • Opcode ID: 48ea7f2289afebfbec97439729fd254d1b1a95f8514cfacec7d849ade9fc138a
                  • Instruction ID: 011212603eeadad25b788f756fc2933f28d08ab607f4b69d847d9026e627dfcf
                  • Opcode Fuzzy Hash: 48ea7f2289afebfbec97439729fd254d1b1a95f8514cfacec7d849ade9fc138a
                  • Instruction Fuzzy Hash: A9D09E31643236EADA616756BC0979A3F11EB04365F6540B6F509120B08FB814A1DEAD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040D85F(char _a4) {
                  				signed char _t2;
                  				CHAR* _t6;
                  
                  				_t1 =  &_a4; // 0x422e6c
                  				_t6 =  *_t1;
                  				_t2 = GetFileAttributesA(_t6);
                  				if(_t2 != 0xffffffff) {
                  					SetFileAttributesA(_t6, _t2 & 0x000000fe);
                  				}
                  				return DeleteFileA(_t6);
                  			}






                  APIs
                  • GetFileAttributesA.KERNEL32(l.B,0047E788,00422E6C,00000000), ref: 0040D865
                  • SetFileAttributesA.KERNEL32(l.B,00000000), ref: 0040D874
                  • DeleteFileA.KERNEL32(l.B), ref: 0040D87B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: File$Attributes$Delete
                  • String ID: l.B
                  • API String ID: 3735447641-760857286
                  • Opcode ID: 3bc230dc05e1e53809ba87e7aa1a09fbd0f80c40bc0a3ff18a8ee73f233b3a8c
                  • Instruction ID: 69245f053f2fe347b0f60851306233cda265d5ba250ce982434ca58f77919bec
                  • Opcode Fuzzy Hash: 3bc230dc05e1e53809ba87e7aa1a09fbd0f80c40bc0a3ff18a8ee73f233b3a8c
                  • Instruction Fuzzy Hash: B2D0C972502821AB92152764BD088DF37189E162213514655F125910A08B34594346AD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 70%
                  			E00413211() {
                  				signed int _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				intOrPtr* _v20;
                  				char _v32;
                  				char _v44;
                  				void* __edi;
                  				void* __ebp;
                  				signed int _t35;
                  				void* _t40;
                  				void* _t47;
                  				void* _t50;
                  				CHAR* _t58;
                  				CHAR* _t59;
                  				CHAR* _t60;
                  				void* _t67;
                  				intOrPtr* _t105;
                  				void* _t107;
                  				void* _t114;
                  
                  				_t35 =  *0x47e4b4; // 0x0
                  				_v8 = _v8 & 0x00000000;
                  				_v16 = _t35;
                  				if(_t35 > 0) {
                  					_v12 = 0x64;
                  					do {
                  						_t105 = E0041E860(0x47e4a8, _v8);
                  						_t40 = E00412BA7( *((intOrPtr*)(_t105 + 0x24)));
                  						_t109 = _t40;
                  						if(_t40 != 0) {
                  							E004164B1(0x47dfb8, _t109, _t105);
                  							_t7 = _t105 + 0xc; // 0xc
                  							_v20 = _t7;
                  							E004164B1(0x47dfb8, _t109, _t7);
                  							_t9 = _t105 + 0x18; // 0x18
                  							E004164B1(0x47dfb8, _t109, _t9);
                  							E0041BE99( &_v32, _t9);
                  							_push(1);
                  							_push(0);
                  							_push("=");
                  							_t47 = E0041C6D0( &_v32);
                  							_t74 = _t47;
                  							if(_t47 != 0xffffffff) {
                  								_t50 = E0040DF52(E0041CD1E(_t105));
                  								_t111 = _t50;
                  								if(_t50 == 0) {
                  									_t67 = E0041CD1E(_t105);
                  									_push(0x47e794);
                  									_push(_t67);
                  									E00421CE6(_t111);
                  									CloseHandle(CreateFileA(E0041CD1E(_t105), 0x40000000, 1, 0, 4, 0x80, 0));
                  								}
                  								E0041BE99( &_v44, E0041CC95( &_v32, 0, _t74));
                  								E0041BF80( &_v32, E0041CC95( &_v32, _t74 + 1, _v32 - _t74 - 1));
                  								_t58 = E0041CD1E(_t105);
                  								_t59 = E0041CD1E( &_v32);
                  								_t60 = E0041CD1E( &_v44);
                  								WritePrivateProfileStringA(E0041CD1E(_v20), _t60, _t59, _t58);
                  								if(_v16 > 0) {
                  									asm("cdq");
                  									E00414C1B(_v12 % _v16, 0x47dfb8, _t107, _v12 / _v16, 0);
                  								}
                  								E0041BEFB( &_v44);
                  							}
                  							E0041BEFB( &_v32);
                  						}
                  						_v8 = _v8 + 1;
                  						_v12 = _v12 + 0x64;
                  						_t114 = _v8 -  *0x47e4b4; // 0x0
                  					} while (_t114 < 0);
                  				}
                  				WritePrivateProfileSectionA(0, 0, 0);
                  				return 1;
                  			}























                  APIs
                  • WritePrivateProfileSectionA.KERNEL32(00000000,00000000,00000000), ref: 0041338F
                    • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                    • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                    • Part of subcall function 0041C6D0: lstrlenA.KERNEL32(0047E788,00000000,0042C1D8,00000001,00000000,0000005C,00000000,00000000,0047E490,0047E788,00000000), ref: 0041C6DE
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00413341
                    • Part of subcall function 00421CE6: lstrlenA.KERNEL32(0047DFB8,?,0047DFB8,?,00411457,00000000,0047E794), ref: 00421CFC
                  • CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000004,00000080,00000000,00000000,0047E794,0042C1E4,00000000,00000001,00000018,00000018,0000000C,00000000), ref: 004132E3
                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 004132EA
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLockPrivateProfileWritelstrlen$CloseCreateFileHandleSectionStringUnlock
                  • String ID:
                  • API String ID: 101153366-0
                  • Opcode ID: 8faa665165d4190c2024c48e07c2056962af170eca38d8979cd27a0261ab05fa
                  • Instruction ID: 01991a5c306ca7eb0492e891f23a91763dd5baf84a9a29fd6ac1ac7f032b0f9d
                  • Opcode Fuzzy Hash: 8faa665165d4190c2024c48e07c2056962af170eca38d8979cd27a0261ab05fa
                  • Instruction Fuzzy Hash: A0419F70A40209ABDB14ABA2DC96BEE7779EF44709F10412EF506A61C2DF3C59858A6C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 33%
                  			E00407E96(intOrPtr _a4) {
                  				void* _t45;
                  				intOrPtr _t46;
                  				intOrPtr _t47;
                  				void* _t48;
                  				intOrPtr _t49;
                  				signed int _t56;
                  				signed int _t61;
                  				signed int _t72;
                  				intOrPtr _t79;
                  
                  				_t79 = _a4;
                  				if( *(_t79 + 8) != 1 ||  *((intOrPtr*)(_t79 + 0xc)) != 2) {
                  					__eflags =  *((intOrPtr*)(_t79 + 0x38));
                  					_t6 = _t79 + 0x38; // 0x38
                  					_t45 = _t6;
                  					if(__eflags > 0) {
                  						E00407D91(__eflags, _t45);
                  					}
                  				} else {
                  					_t4 = _t79 + 0x38; // 0x38
                  					E0041BF12(_t4, 0x42e0c8);
                  				}
                  				_t46 =  *((intOrPtr*)(_t79 + 0x24));
                  				if(_t46 != 0x3000000) {
                  					__eflags = _t46 - 0x2000000;
                  					if(_t46 != 0x2000000) {
                  						__eflags = _t46 - 0x1000000;
                  						if(_t46 != 0x1000000) {
                  							goto L12;
                  						}
                  						_push(8);
                  						goto L11;
                  					}
                  					_push(5);
                  					goto L11;
                  				} else {
                  					_push(0xf);
                  					L11:
                  					 *((intOrPtr*)(_t79 + 0x24)) = GetSysColor();
                  					L12:
                  					_t47 =  *((intOrPtr*)(_t79 + 0x2c));
                  					if(_t47 != 0x3000000) {
                  						__eflags = _t47 - 0x2000000;
                  						if(_t47 != 0x2000000) {
                  							__eflags = _t47 - 0x1000000;
                  							if(_t47 != 0x1000000) {
                  								L19:
                  								_t48 =  *(_t79 + 8);
                  								if(_t48 != 1 ||  *((intOrPtr*)(_t79 + 0xc)) >= 3) {
                  									if(_t48 == 5 || _t48 == 3 || _t48 == 4 || _t48 == 9 || _t48 == 7 || _t48 == 2) {
                  										goto L31;
                  									} else {
                  										if(_t48 != 1 ||  *((intOrPtr*)(_t79 + 0xc)) != 3) {
                  											 *(_t79 + 0x54) =  *(_t79 + 0x54) & 0x00000000;
                  											goto L36;
                  										} else {
                  											_push( *((intOrPtr*)(_t79 + 0x2c)));
                  											goto L34;
                  										}
                  									}
                  								} else {
                  									L31:
                  									_t49 =  *((intOrPtr*)(_t79 + 0x2c));
                  									__eflags = _t49 - 0x4000000;
                  									if(_t49 != 0x4000000) {
                  										_push(_t49);
                  										L34:
                  										_t48 = CreateSolidBrush();
                  										L35:
                  										 *(_t79 + 0x54) = _t48;
                  										L36:
                  										if(( *0x47e192 & 0x00000004) == 0) {
                  											L39:
                  											return _t48;
                  										}
                  										_t72 =  *0x42b91c; // 0x3e8
                  										if(_t72 == 0x3e8) {
                  											goto L39;
                  										}
                  										asm("cdq");
                  										 *(_t79 + 0x14) =  *(_t79 + 0x14) * _t72 / 0x3e8;
                  										asm("cdq");
                  										 *(_t79 + 0x18) =  *(_t79 + 0x18) *  *0x42b91c / 0x3e8;
                  										_t56 =  *0x42b91c; // 0x3e8
                  										asm("cdq");
                  										 *(_t79 + 0x20) = _t56 *  *(_t79 + 0x20) / 0x3e8;
                  										asm("cdq");
                  										_t61 =  *(_t79 + 0x1c) *  *0x42b91c / 0x3e8;
                  										 *(_t79 + 0x1c) = _t61;
                  										return _t61;
                  									}
                  									_t48 = GetStockObject(5);
                  									goto L35;
                  								}
                  							}
                  							_push(8);
                  							L18:
                  							 *((intOrPtr*)(_t79 + 0x2c)) = GetSysColor();
                  							goto L19;
                  						}
                  						_push(5);
                  						goto L18;
                  					}
                  					_push(0xf);
                  					goto L18;
                  				}
                  			}













                  APIs
                  • GetSysColor.USER32(00000008), ref: 00407EF5
                  • GetSysColor.USER32(00000008), ref: 00407F16
                  • CreateSolidBrush.GDI32(?), ref: 00407F74
                    • Part of subcall function 0041BF12: GlobalUnlock.KERNEL32(0221020C,00000104,00000000,0041929A,00000000), ref: 0041BF19
                    • Part of subcall function 0041BF12: GlobalReAlloc.KERNEL32 ref: 0041BF3B
                    • Part of subcall function 0041BF12: GlobalLock.KERNEL32 ref: 0041BF5C
                  • GetStockObject.GDI32(00000005), ref: 00407F6B
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.625036424.0000000000400000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625065178.0000000000428000.00000002.00020000.sdmp
                  • Associated: 00000000.00000002.625071727.000000000042B000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625081875.000000000042C000.00000008.00020000.sdmp
                  • Associated: 00000000.00000002.625088149.000000000042D000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625098466.000000000045A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625108974.0000000000462000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625118831.000000000046A000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625128179.000000000047E000.00000004.00020000.sdmp
                  • Associated: 00000000.00000002.625136379.0000000000480000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$Color$AllocBrushCreateLockObjectSolidStockUnlock
                  • String ID:
                  • API String ID: 2645381997-0
                  • Opcode ID: f72cfad292160d375b0ec810965c7e029dd39dd06a1dbcb8e3cb20bc4e58938e
                  • Instruction ID: e29085e474f895eb1c711dfb40de24dfc349578096c85eb6b47243c0d32e08ce
                  • Opcode Fuzzy Hash: f72cfad292160d375b0ec810965c7e029dd39dd06a1dbcb8e3cb20bc4e58938e
                  • Instruction Fuzzy Hash: 6C4157709097028EDB34DB15D980B27B7E5EB54310F20487BE146E6AE0C778F88ADA5F
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                    • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                    • Part of subcall function 0041C047: lstrlenA.KERNEL32(00000000,00422D86,0047E788,004221EF,103,00000000,00000000,00000000,00000000,0047E788,00000000), ref: 0041C04F
                    • Part of subcall function 0041C047: GlobalUnlock.KERNEL32(8415FF57), ref: 0041C067
                    • Part of subcall function 0041C047: GlobalReAlloc.KERNEL32 ref: 0041C074
                    • Part of subcall function 0041C047: GlobalLock.KERNEL32 ref: 0041C095
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                    • Part of subcall function 0041BF80: GlobalUnlock.KERNEL32(?,00000000,00000000,004079C1,00000000), ref: 0041BF87
                    • Part of subcall function 0041BF80: GlobalReAlloc.KERNEL32 ref: 0041BF9B
                    • Part of subcall function 0041BF80: GlobalLock.KERNEL32 ref: 0041BFBC
                    • Part of subcall function 0041A207: PeekMessageA.USER32 ref: 0041A218
                    • Part of subcall function 0041A207: GetMessageA.USER32 ref: 0041A229
                  • Sleep.KERNEL32(00000005), ref: 00410576
                  Strings
                  Similarity
                  • API ID: Global$AllocLock$Unlock$Message$PeekSleeplstrlen
                  • String ID: .mp3$.wav$dG
                  • API String ID: 292671316-967384120
                  • Opcode ID: a7a3d227bc91022c10ba62d5cdb2729cd240ff3e2448ba0b5ab13c425b095347
                  • Instruction ID: be7cc5903273ae59eb09633fe0a367c3c1d52df3ef82d7b9a29b8b1f483c8fbb
                  • Opcode Fuzzy Hash: a7a3d227bc91022c10ba62d5cdb2729cd240ff3e2448ba0b5ab13c425b095347
                  • Instruction Fuzzy Hash: 8221E531540114BAD718B766AC9AEEF3B5DDF49348B6041BFF10A62193DF6C09C4C6AD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 0041BDC5: GlobalAlloc.KERNELBASE(00000042,00000000,00000000,0041C189,00000000,0047E4D0,00000000), ref: 0041BDD5
                    • Part of subcall function 0041BDC5: GlobalLock.KERNEL32 ref: 0041BDDF
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                    • Part of subcall function 0041C6D0: lstrlenA.KERNEL32(0047E788,00000000,0042C1D8,00000001,00000000,0000005C,00000000,00000000,0047E490,0047E788,00000000), ref: 0041C6DE
                  • lstrlenA.KERNEL32(</LangID=1>,</LangID=1>,00000000,00000001,<LangID=1>,00000000,00000001,00000000,00000000,00000001,?,0042DB90,0047E788,0042DBB4), ref: 00407E36
                  Strings
                  Similarity
                  • API ID: Globallstrlen$AllocLock$Unlock
                  • String ID: </LangID=1>$<LangID=%d>$<LangID=1>
                  • API String ID: 3553255392-1915860067
                  • Opcode ID: da5e679e7afdfabe7abf8992c1ce1ece30b442ee123a6016c19d2f1471309018
                  • Instruction ID: 99359c2c779010847e57dc621f665969c9d849ef75cbed5dcbc5acb9726991c0
                  • Opcode Fuzzy Hash: da5e679e7afdfabe7abf8992c1ce1ece30b442ee123a6016c19d2f1471309018
                  • Instruction Fuzzy Hash: 5A21C871A401187BCB24BA79DCC5EFF772D8B81754F10027EB426A61D1EB385D8586E8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041FAAD(intOrPtr __ecx, struct HWND__* _a4) {
                  				int _v8;
                  				char _v12;
                  				char _v16;
                  				long _v20;
                  				intOrPtr _v24;
                  				char _v36;
                  				long _t27;
                  				long _t42;
                  				long _t43;
                  
                  				_v24 = __ecx;
                  				if(_a4 != 0) {
                  					_v12 = 0;
                  					_v16 = 0;
                  					E0042417F(__ecx, _a4,  &_v12,  &_v16);
                  					 *0x47e2c0 =  *0x47e2c0 + _v12;
                  					 *0x47e2c8 =  *0x47e2c8 + _v16;
                  					_t27 = SendMessageA(_a4, 0x18b, 0, 0);
                  					_v20 = _t27;
                  					_v8 = 0;
                  					if(_t27 > 0) {
                  						do {
                  							_t43 = E00424DD9(SendMessageA(_a4, 0x18a, _v8, 0) + 1);
                  							if(_t43 != 0) {
                  								SendMessageA(_a4, 0x189, _v8, _t43);
                  								E0041BE35( &_v36, _t43);
                  								E0041EEC5(_v24,  &_v36);
                  								E00424DCE(_t43);
                  								E0041BEFB( &_v36);
                  							}
                  							_v8 = _v8 + 1;
                  							_t27 = _v8;
                  						} while (_t27 < _v20);
                  					}
                  					_t42 = _v20;
                  					if(_t42 > 0) {
                  						do {
                  							_t27 = SendMessageA(_a4, 0x182, 0, 0);
                  							_t42 = _t42 - 1;
                  						} while (_t42 != 0);
                  					}
                  				}
                  				return _t27;
                  			}













                  APIs
                  • SendMessageA.USER32(00000000,0000018B,00000000,00000000), ref: 0041FAFF
                  • SendMessageA.USER32(?,0000018A,?,00000000), ref: 0041FB17
                  • SendMessageA.USER32(?,00000189,?,00000000), ref: 0041FB33
                    • Part of subcall function 0041BE35: lstrlenA.KERNEL32(00000000,0047DFB8,0047F2B8,0041B2F4,Astrum Installer,00000000,0047DFB8,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000), ref: 0041BE49
                    • Part of subcall function 0041BE35: GlobalAlloc.KERNEL32(00000042,00000000,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 0041BE54
                    • Part of subcall function 0041BE35: GlobalLock.KERNEL32 ref: 0041BE75
                    • Part of subcall function 0041BEFB: GlobalUnlock.KERNEL32(?,00000000,0041C1E9,00000000,00000010,00000000,0047E4D0,00000000), ref: 0041BF01
                    • Part of subcall function 0041BEFB: GlobalFree.KERNEL32 ref: 0041BF0A
                  • SendMessageA.USER32(?,00000182,00000000,00000000), ref: 0041FB75
                  Similarity
                  • API ID: GlobalMessageSend$AllocFreeLockUnlocklstrlen
                  • String ID:
                  • API String ID: 3880121834-0
                  • Opcode ID: 063305ad0612915f541c72bb84528224e4d185c83b860aebb46a364ef473b751
                  • Instruction ID: 7958884c9c21427cd5c2304b146da1093f297958eaa18a76e97d27b894b4699f
                  • Opcode Fuzzy Hash: 063305ad0612915f541c72bb84528224e4d185c83b860aebb46a364ef473b751
                  • Instruction Fuzzy Hash: E6213971E00218BBCF11DBA6CC81CEEBBB9FF84744B10416BF505A6161DB345A96CBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 45%
                  			E00408E91(void* __ecx) {
                  				signed int _t11;
                  				void* _t15;
                  				signed int _t17;
                  				signed char _t18;
                  				intOrPtr _t21;
                  				void* _t23;
                  				void* _t25;
                  				struct HWND__* _t26;
                  
                  				_t25 = __ecx;
                  				_t11 =  *(__ecx + 0x90);
                  				if(_t11 != 0) {
                  					_t17 = 0;
                  					_t23 = 0;
                  					if(_t11 > 0) {
                  						do {
                  							_t2 = _t25 + 0x84; // 0x84
                  							_t15 = E0041E860(_t2, _t23);
                  							_t21 =  *((intOrPtr*)(_t15 + 8));
                  							if(_t21 == 3 || _t21 == 4) {
                  								_push(0);
                  								_push(0);
                  								_push(0xf0);
                  								goto L8;
                  							} else {
                  								if(_t21 != 5) {
                  									goto L9;
                  								} else {
                  									_push(0);
                  									_push(0);
                  									_push(0xe);
                  									L8:
                  									if(SendMessageA( *(_t15 + 0x50), ??, ??, ??) == 0) {
                  										_t17 = 1;
                  									} else {
                  										goto L9;
                  									}
                  								}
                  							}
                  							goto L12;
                  							L9:
                  							_t23 = _t23 + 1;
                  						} while (_t23 <  *((intOrPtr*)(_t25 + 0x90)));
                  					}
                  					L12:
                  					_t11 = GetDlgItem( *(_t25 + 4), 1);
                  					_t26 = _t11;
                  					if(_t26 != 0) {
                  						_t18 = _t17 & 0xffffff00 | _t17 == 0x00000000;
                  						_t11 = IsWindowEnabled(_t26) & 0xffffff00 | _t12 != 0x00000000;
                  						if(_t11 != _t18) {
                  							return EnableWindow(_t26, _t18 & 0x000000ff);
                  						}
                  					}
                  				}
                  				return _t11;
                  			}












                  APIs
                  • SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00408EE5
                  • GetDlgItem.USER32 ref: 00408EFD
                  • IsWindowEnabled.USER32(00000000), ref: 00408F11
                  • EnableWindow.USER32(00000000,00000000), ref: 00408F25
                  Similarity
                  • API ID: Window$EnableEnabledItemMessageSend
                  • String ID:
                  • API String ID: 1134289176-0
                  • Opcode ID: 9474baf0080859b85d04275841ab774ee9cdf0b3bb4a70bf898c30ac1865b368
                  • Instruction ID: 358cbe2e815a2d8044ff4469c3e51069db2ba4092bb171402a1accf79a18d433
                  • Opcode Fuzzy Hash: 9474baf0080859b85d04275841ab774ee9cdf0b3bb4a70bf898c30ac1865b368
                  • Instruction Fuzzy Hash: 8901E532281212ABE2305624DD51B6B33999B41B50F15043EF982F72E1CE799C42939C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040FCA0(void* __eflags, long _a4) {
                  				void _v8;
                  				long _v12;
                  				long _v16;
                  				signed int _t12;
                  				signed int _t13;
                  				void* _t22;
                  				void* _t24;
                  
                  				_t12 = CreateFileA(E0041CD1E(0x47e6c8), 0x80000000, 1, 0, 3, 0x80, 0);
                  				_t24 = _t12;
                  				_t13 = _t12 | 0xffffffff;
                  				if(_t24 != _t13) {
                  					_v12 = 0;
                  					SetFilePointer(_t24, _a4,  &_v12, 0);
                  					_v8 = 0;
                  					ReadFile(_t24,  &_v8, 2,  &_v16, 0);
                  					CloseHandle(_t24);
                  					if(_v8 != 0xd8ff) {
                  						return 0 | _v8 == 0x00004d42;
                  					}
                  					_t22 = 2;
                  					return _t22;
                  				}
                  				return _t13;
                  			}











                  APIs
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,0047E2F0,00000088,00000001,?,00000000), ref: 0040FCC5
                  • SetFilePointer.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040FCE0
                  • ReadFile.KERNEL32(00000000,00000000,00000002,?,00000000,?,00000000), ref: 0040FCF5
                  • CloseHandle.KERNEL32(00000000,?,00000000), ref: 0040FCFC
                  Similarity
                  • API ID: FileGlobal$AllocCloseCreateHandleLockPointerReadUnlock
                  • String ID:
                  • API String ID: 776348577-0
                  • Opcode ID: 4c6470a940fc35570197cea61f5949696e028a5a4c15a106a705bfcf217e3645
                  • Instruction ID: ebe5246031743c64951fdeae7fa7b21e7573840a08ab047e73c86a926ca140f7
                  • Opcode Fuzzy Hash: 4c6470a940fc35570197cea61f5949696e028a5a4c15a106a705bfcf217e3645
                  • Instruction Fuzzy Hash: 8501D432A02118B6DB30ABA59C09FDF7F3CEF45760F10817AF202E20D0DA744645C6B4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E0041E362(void* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                  				short _v40;
                  				signed short _v42;
                  				short _v44;
                  				signed short _v46;
                  				signed short _v48;
                  				intOrPtr _v52;
                  				struct HDC__* _v56;
                  				void* _v60;
                  				void* _v64;
                  				intOrPtr _v68;
                  				struct tagPD _v72;
                  				int _t25;
                  				void* _t28;
                  				struct tagPD _t36;
                  
                  				_t36 = 0x42;
                  				E00424500( &_v72, 0, _t36);
                  				_v48 = _v48 | 0x0000ffff;
                  				_v46 = _v46 | 0x0000ffff;
                  				_v42 = _v42 | 0x0000ffff;
                  				_v68 = _a4;
                  				_v72 = _t36;
                  				_v52 = 0x4010c;
                  				_v40 = 1;
                  				_v44 = 1;
                  				_t25 = PrintDlgA( &_v72);
                  				_t41 = _t25 - 1;
                  				if(_t25 != 1) {
                  					__eflags = 0;
                  					return 0;
                  				}
                  				_t28 = E0041E01C(_t41, _a8,  &_v72, _a12);
                  				GlobalFree(_v64);
                  				GlobalFree(_v60);
                  				DeleteDC(_v56);
                  				return _t28;
                  			}


















                  APIs
                  • PrintDlgA.COMDLG32(?), ref: 0041E3AD
                    • Part of subcall function 0041E01C: GetDeviceCaps.GDI32(?,0000006E), ref: 0041E036
                    • Part of subcall function 0041E01C: GetDeviceCaps.GDI32(?,0000006F), ref: 0041E040
                    • Part of subcall function 0041E01C: GetDeviceCaps.GDI32(?,00000058), ref: 0041E04A
                    • Part of subcall function 0041E01C: GetDeviceCaps.GDI32(?,0000005A), ref: 0041E054
                    • Part of subcall function 0041E01C: MulDiv.KERNEL32(?,000005A0,?), ref: 0041E065
                    • Part of subcall function 0041E01C: MulDiv.KERNEL32(?,000005A0,?), ref: 0041E080
                    • Part of subcall function 0041E01C: SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 0041E0E9
                    • Part of subcall function 0041E01C: SendMessageA.USER32(?,00000439,00000000,00000000), ref: 0041E0FE
                    • Part of subcall function 0041E01C: SaveDC.GDI32(?), ref: 0041E107
                    • Part of subcall function 0041E01C: SetMapMode.GDI32(?,00000001), ref: 0041E112
                    • Part of subcall function 0041E01C: GetDeviceCaps.GDI32(000000FF,00000070), ref: 0041E11D
                    • Part of subcall function 0041E01C: GetDeviceCaps.GDI32(000000FF,00000071), ref: 0041E129
                    • Part of subcall function 0041E01C: MulDiv.KERNEL32(000005A0,?,000005A0), ref: 0041E134
                    • Part of subcall function 0041E01C: MulDiv.KERNEL32(000005A0,?,000005A0), ref: 0041E142
                  • GlobalFree.KERNEL32 ref: 0041E3D5
                  • GlobalFree.KERNEL32 ref: 0041E3DA
                  • DeleteDC.GDI32(?), ref: 0041E3DF
                  Similarity
                  • API ID: CapsDevice$FreeGlobalMessageSend$DeleteModePrintSave
                  • String ID:
                  • API String ID: 1547233470-0
                  • Opcode ID: 5fd8a1cfb9227a1948322716fcc1d0b75f37bac64a781435e9473d1cdbb8d31f
                  • Instruction ID: 61697338e6a914efdc9261fedabd1759ebfe30573a18d0f42110f68606127c4c
                  • Opcode Fuzzy Hash: 5fd8a1cfb9227a1948322716fcc1d0b75f37bac64a781435e9473d1cdbb8d31f
                  • Instruction Fuzzy Hash: 0F016D71D0121CABCF209F95EC458CE7FB8EF05314F200026F904A6220E7369A95CBAC
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041A207() {
                  				struct tagMSG _v32;
                  				signed int _t9;
                  				void* _t14;
                  
                  				if(PeekMessageA( &_v32, 0, 0, 0, 0) == 0) {
                  					return 0;
                  				}
                  				_t9 = GetMessageA( &_v32, 0, 0, 0);
                  				if(_t9 != 0) {
                  					TranslateMessage( &_v32);
                  					DispatchMessageA( &_v32);
                  					_t14 = 1;
                  					return _t14;
                  				}
                  				return _t9 | 0xffffffff;
                  			}







                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Message$DispatchPeekTranslate
                  • String ID:
                  • API String ID: 4217535847-0
                  • Opcode ID: 2f4b92e821464b19c680a6563fbc4accd91a2cde11b5bcfa6784e995e24c3316
                  • Instruction ID: 32f3f6478f1484d68ab8fc6182b3522fb0f6e550144391087ed403b437ff1102
                  • Opcode Fuzzy Hash: 2f4b92e821464b19c680a6563fbc4accd91a2cde11b5bcfa6784e995e24c3316
                  • Instruction Fuzzy Hash: 8FF08272E03229A6CB30ABF19C4CDDF3F6CEF457A0B404566B516D1150EA38E142C6B9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 70%
                  			E004211DC(intOrPtr __ecx) {
                  				char _v16;
                  				intOrPtr _v20;
                  				struct _devicemodeA _v176;
                  				intOrPtr _t36;
                  				intOrPtr _t42;
                  				intOrPtr _t52;
                  				intOrPtr _t65;
                  				intOrPtr _t68;
                  				intOrPtr _t69;
                  				intOrPtr _t70;
                  				void* _t80;
                  				void* _t81;
                  				void* _t86;
                  				void* _t87;
                  				void* _t88;
                  				void* _t89;
                  
                  				_v176.dmPanningWidth = __ecx;
                  				E0041BE99( &_v16, 0x47ea74);
                  				E0041BFF8( &_v16, 9);
                  				E00424500( &_v176, 0, 0x94);
                  				EnumDisplaySettingsA(0, 0,  &_v176);
                  				_t36 = 1;
                  				_v176.dmPanningHeight = 0;
                  				_push( &_v176);
                  				_v20 = _t36;
                  				_t70 = 0;
                  				_push(_t36);
                  				while(EnumDisplaySettingsA(0, ??, ??) != 0) {
                  					_t52 = _v176.dmPelsWidth;
                  					_t69 = _v176.dmPelsHeight;
                  					_t80 = _t52 -  *0x47e2b8; // 0x0
                  					if(_t80 > 0) {
                  						L4:
                  						 *0x47e2b8 = _t52;
                  						 *0x47e2bc = _t69;
                  						L5:
                  						_t68 = _v176.dmBitsPerPel;
                  						if(_t52 > _v176.dmPanningHeight || _t69 > _t70) {
                  							 *0x47e2b4 = _t68;
                  							_v176.dmPanningHeight = _t52;
                  							_t70 = _t69;
                  						} else {
                  							if(_t52 == _v176.dmPanningHeight || _t69 == _t70) {
                  								_t86 = _t68 -  *0x47e2b4; // 0x0
                  								if(_t86 > 0) {
                  									 *0x47e2b4 = _t68;
                  								}
                  							}
                  						}
                  						_t87 = _t52 -  *0x47e148; // 0x0
                  						if(_t87 >= 0) {
                  							_t88 = _t69 -  *0x47e14c; // 0x0
                  							if(_t88 >= 0) {
                  								_t89 = _t68 -  *0x47e150; // 0x8
                  								if(_t89 >= 0) {
                  									 *0x47e29a = 1;
                  								}
                  							}
                  						}
                  						_v20 = _v20 + 1;
                  						_push( &_v176);
                  						_push(_v20);
                  						continue;
                  					}
                  					_t81 = _t69 -  *0x47e2bc; // 0x0
                  					if(_t81 <= 0) {
                  						goto L5;
                  					}
                  					goto L4;
                  				}
                  				_push( *0x47e2b4);
                  				_push( *0x47e2bc);
                  				_push( *0x47e2b8);
                  				E0041C467( &_v16, "%dx%d %d ");
                  				E0041C0C5( &_v16, __eflags, 0x47ead4);
                  				E0041BFF8( &_v16, 9);
                  				_t42 =  *0x47e148; // 0x0
                  				__eflags = _t42;
                  				if(_t42 == 0) {
                  					L21:
                  					E0041C047( &_v16, "-\t", 0);
                  					L22:
                  					_push(0x47e8f4);
                  					L23:
                  					E0041C0C5( &_v16, __eflags);
                  					E0041EEC5(_v176.dmPanningWidth,  &_v16);
                  					return E0041BEFB( &_v16);
                  				}
                  				_t65 =  *0x47e14c; // 0x0
                  				__eflags = _t65;
                  				if(_t65 == 0) {
                  					goto L21;
                  				}
                  				_push( *0x47e150);
                  				_push(_t65);
                  				_push(_t42);
                  				E0041C467( &_v16, "%dx%d %d ");
                  				E0041C0C5( &_v16, __eflags, 0x47ead4);
                  				E0041BFF8( &_v16, 9);
                  				__eflags =  *0x47e29a; // 0x0
                  				if(__eflags != 0) {
                  					goto L22;
                  				} else {
                  					 *0x47e2c0 =  *0x47e2c0 + 1;
                  					_push(0x47e8dc);
                  					goto L23;
                  				}
                  			}




















                  APIs
                    • Part of subcall function 0041BE99: GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                    • Part of subcall function 0041BE99: GlobalLock.KERNEL32 ref: 0041BED4
                    • Part of subcall function 0041BFF8: GlobalUnlock.KERNEL32(8415FF57,0047E788,004221E2,00000000,00000000,00000000,0047E788,00000000), ref: 0041C000
                    • Part of subcall function 0041BFF8: GlobalReAlloc.KERNEL32 ref: 0041C00D
                    • Part of subcall function 0041BFF8: GlobalLock.KERNEL32 ref: 0041C02E
                  • EnumDisplaySettingsA.USER32 ref: 00421228
                  • EnumDisplaySettingsA.USER32 ref: 0042123E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocDisplayEnumLockSettings$Unlock
                  • String ID: %dx%d %d
                  • API String ID: 1409221493-986776345
                  • Opcode ID: 964c2b7373515b439b1f4a16c64c3018edec216adc54284224c7fddf17fe6006
                  • Instruction ID: 52cc721ffd10832fdac61662a86abf9676243ad7a0bad42bc1d52495f049a86f
                  • Opcode Fuzzy Hash: 964c2b7373515b439b1f4a16c64c3018edec216adc54284224c7fddf17fe6006
                  • Instruction Fuzzy Hash: E2417271E00118EEDB14DF92EC81DAE7778EB19300FA042EBF519A2161E7345A84CBAD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 92%
                  			E00426DE7(void* __ebx, void* __edi) {
                  				char _v17;
                  				signed char _v18;
                  				struct _cpinfo _v24;
                  				char _v280;
                  				char _v536;
                  				char _v792;
                  				char _v1304;
                  				void* _t43;
                  				char _t44;
                  				signed char _t45;
                  				void* _t55;
                  				signed int _t56;
                  				signed char _t64;
                  				intOrPtr* _t66;
                  				signed int _t68;
                  				signed int _t70;
                  				signed int _t71;
                  				signed char _t76;
                  				signed char _t77;
                  				signed char* _t78;
                  				void* _t81;
                  				void* _t87;
                  				void* _t88;
                  
                  				if(GetCPInfo( *0x47f4d8,  &_v24) == 1) {
                  					_t44 = 0;
                  					do {
                  						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
                  						_t44 = _t44 + 1;
                  					} while (_t44 < 0x100);
                  					_t45 = _v18;
                  					_v280 = 0x20;
                  					if(_t45 == 0) {
                  						L9:
                  						E004272C5(1,  &_v280, 0x100,  &_v1304,  *0x47f4d8,  *0x47f704, 0);
                  						E004275DE( *0x47f704, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x47f4d8, 0);
                  						E004275DE( *0x47f704, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x47f4d8, 0);
                  						_t55 = 0;
                  						_t66 =  &_v1304;
                  						do {
                  							_t76 =  *_t66;
                  							if((_t76 & 0x00000001) == 0) {
                  								if((_t76 & 0x00000002) == 0) {
                  									 *(_t55 + 0x47f500) =  *(_t55 + 0x47f500) & 0x00000000;
                  									goto L16;
                  								}
                  								 *(_t55 + 0x47f601) =  *(_t55 + 0x47f601) | 0x00000020;
                  								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
                  								L12:
                  								 *(_t55 + 0x47f500) = _t77;
                  								goto L16;
                  							}
                  							 *(_t55 + 0x47f601) =  *(_t55 + 0x47f601) | 0x00000010;
                  							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
                  							goto L12;
                  							L16:
                  							_t55 = _t55 + 1;
                  							_t66 = _t66 + 2;
                  						} while (_t55 < 0x100);
                  						return _t55;
                  					}
                  					_t78 =  &_v17;
                  					do {
                  						_t68 =  *_t78 & 0x000000ff;
                  						_t56 = _t45 & 0x000000ff;
                  						if(_t56 <= _t68) {
                  							_t81 = _t87 + _t56 - 0x114;
                  							_t70 = _t68 - _t56 + 1;
                  							_t71 = _t70 >> 2;
                  							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
                  							_t88 = _t88 + 0x18;
                  						}
                  						_t78 =  &(_t78[2]);
                  						_t45 =  *((intOrPtr*)(_t78 - 1));
                  					} while (_t45 != 0);
                  					goto L9;
                  				}
                  				_t43 = 0;
                  				do {
                  					if(_t43 < 0x41 || _t43 > 0x5a) {
                  						if(_t43 < 0x61 || _t43 > 0x7a) {
                  							 *(_t43 + 0x47f500) =  *(_t43 + 0x47f500) & 0x00000000;
                  						} else {
                  							 *(_t43 + 0x47f601) =  *(_t43 + 0x47f601) | 0x00000020;
                  							_t64 = _t43 - 0x20;
                  							goto L22;
                  						}
                  					} else {
                  						 *(_t43 + 0x47f601) =  *(_t43 + 0x47f601) | 0x00000010;
                  						_t64 = _t43 + 0x20;
                  						L22:
                  						 *(_t43 + 0x47f500) = _t64;
                  					}
                  					_t43 = _t43 + 1;
                  				} while (_t43 < 0x100);
                  				return _t43;
                  			}



























                  APIs
                  • GetCPInfo.KERNEL32(?,00000000), ref: 00426DFB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Info
                  • String ID: $
                  • API String ID: 1807457897-3032137957
                  • Opcode ID: 8af776f91375291814e2a28617f2dd10cab6d1612eef2abaf60376d169dff548
                  • Instruction ID: c1c7c0c3c85ba169b0968962e9275626b03637f0dd342fd722a85275e85bd415
                  • Opcode Fuzzy Hash: 8af776f91375291814e2a28617f2dd10cab6d1612eef2abaf60376d169dff548
                  • Instruction Fuzzy Hash: 87418E312042B82BEF118B24FD49BF77F99DB02700F5604F6D64DC7192D2294D58CB6A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E0041B2CC(void* __ecx, struct HWND__* _a4, CHAR* _a8, CHAR* _a12, signed int _a16) {
                  				CHAR* _t13;
                  				signed int _t15;
                  				void* _t16;
                  				struct HWND__* _t25;
                  				intOrPtr _t26;
                  				intOrPtr _t27;
                  				void* _t33;
                  
                  				_t33 = __ecx;
                  				if(( *0x47f2d4 & 0x00000001) == 0) {
                  					 *0x47f2d4 =  *0x47f2d4 | 0x00000001;
                  					E0041BE35(0x47f2b8, "Astrum Installer");
                  					E004251DD( *0x47f2d4, E0041B3AF);
                  				}
                  				_t13 = _a12;
                  				if(_t13 == 0) {
                  					_t13 = E0041CD1E(0x47e700);
                  				}
                  				if( *_t13 == 0) {
                  					_t13 = E0041CD1E(0x47e850);
                  					if( *_t13 == 0) {
                  						_t13 = E0041CD1E(0x47f2b8);
                  					}
                  				}
                  				if( *0x47f27c != 0) {
                  					_t15 = _a16 & 0x0000000f;
                  					__eflags = _t15;
                  					if(_t15 == 0) {
                  						L19:
                  						_push(1);
                  						L24:
                  						_pop(_t16);
                  						return _t16;
                  					}
                  					__eflags = _t15 - 4;
                  					if(_t15 == 4) {
                  						L23:
                  						_push(6);
                  						goto L24;
                  					}
                  					__eflags = _t15 - 3;
                  					if(_t15 == 3) {
                  						goto L23;
                  					}
                  					__eflags = _t15 - 1;
                  					if(_t15 != 1) {
                  						__eflags = _t15 - 5;
                  						if(_t15 != 5) {
                  							__eflags = _t15 - 2;
                  							return (0 | _t15 != 0x00000002) + 5;
                  						}
                  						_push(2);
                  						goto L24;
                  					}
                  					goto L19;
                  				} else {
                  					_t25 = _a4;
                  					if(_t25 != 0) {
                  						L14:
                  						return MessageBoxA(_t25, _a8, _t13, _a16);
                  					}
                  					_t5 = _t33 + 0x158; // 0x0
                  					_t26 =  *_t5;
                  					if(_t26 == 0) {
                  						L11:
                  						_t27 =  *0x47df60;
                  						if(_t27 == 0) {
                  							L13:
                  							_t25 =  *0x47e178; // 0x0
                  							goto L14;
                  						}
                  						_t25 =  *(_t27 + 4);
                  						if(_t25 != 0) {
                  							goto L14;
                  						}
                  						goto L13;
                  					}
                  					_t25 =  *(_t26 + 4);
                  					if(_t25 != 0) {
                  						goto L14;
                  					}
                  					goto L11;
                  				}
                  			}











                  APIs
                  • MessageBoxA.USER32 ref: 0041B36B
                    • Part of subcall function 0041BE35: lstrlenA.KERNEL32(00000000,0047DFB8,0047F2B8,0041B2F4,Astrum Installer,00000000,0047DFB8,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000), ref: 0041BE49
                    • Part of subcall function 0041BE35: GlobalAlloc.KERNEL32(00000042,00000000,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 0041BE54
                    • Part of subcall function 0041BE35: GlobalLock.KERNEL32 ref: 0041BE75
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLockMessagelstrlen
                  • String ID: Astrum Installer$PG
                  • API String ID: 1540376194-1967893462
                  • Opcode ID: 4463d9b6d986ba360d0d591e675b6e9e63147af931b7266c3d6bc5fa644b97cf
                  • Instruction ID: af5c5bb72c462a79c2bc03ba79e4050386d3cf3836c42e4c6053ff0419561c8b
                  • Opcode Fuzzy Hash: 4463d9b6d986ba360d0d591e675b6e9e63147af931b7266c3d6bc5fa644b97cf
                  • Instruction Fuzzy Hash: 7621B33170820D96DF299A21A895BFF2B45DB41714F24406FEC2ADA391CB6D8CE193DE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E004264F2() {
                  				signed int _v8;
                  				char _v12;
                  				CHAR* _t14;
                  				intOrPtr _t27;
                  				CHAR* _t37;
                  				intOrPtr _t41;
                  				intOrPtr _t46;
                  
                  				_push(_t33);
                  				_t46 =  *0x47f848; // 0x1
                  				if(_t46 == 0) {
                  					E00426F6C();
                  				}
                  				GetModuleFileNameA(0, 0x47f390, 0x104);
                  				_t14 =  *0x47f840; // 0x6d3438
                  				 *0x47f364 = 0x47f390;
                  				_t37 = 0x47f390;
                  				if( *_t14 != 0) {
                  					_t37 = _t14;
                  				}
                  				E0042658B(_t37, 0, 0,  &_v8,  &_v12);
                  				_t41 = E00424B9C(_v12 + _v8 * 4);
                  				if(_t41 == 0) {
                  					E004254C0(8);
                  				}
                  				E0042658B(_t37, _t41, _t41 + _v8 * 4,  &_v8,  &_v12);
                  				_t27 = _v8 - 1;
                  				 *0x47f34c = _t41;
                  				 *0x47f348 = _t27;
                  				return _t27;
                  			}










                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe,00000104,?,00000000,?,?,?,?,00425458), ref: 00426515
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: FileModuleName
                  • String ID: 84m$C:\Users\user\Desktop\fillProxy_for_terminal_20210702_v1.0.0.exe
                  • API String ID: 514040917-1817043838
                  • Opcode ID: 6d886ae9066d3f0b48160cec1d3fbd1341a562a7244f558fd7cd3abe86f56567
                  • Instruction ID: 20b81bc090f49bfc7a3d566dfcbd66cef458fe67f3d7a1c14dbdebb2ce123ef2
                  • Opcode Fuzzy Hash: 6d886ae9066d3f0b48160cec1d3fbd1341a562a7244f558fd7cd3abe86f56567
                  • Instruction Fuzzy Hash: 6F1154B1A00218BFD711EFD5EC81CEB77ACEB44758B52007BF50997201E6749E858BA8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 74%
                  			E0041F355(void* __ecx) {
                  				char _v16;
                  				struct _MEMORYSTATUS _v48;
                  				intOrPtr _t17;
                  				signed char _t26;
                  				void* _t33;
                  
                  				_t33 = __ecx;
                  				E0041BE35( &_v16, "RAM:\t");
                  				_v48.dwLength = 0x20;
                  				GlobalMemoryStatus( &_v48);
                  				_t26 = _v48.dwTotalPhys >> 0x14;
                  				if((_t26 & 0x00000001) != 0) {
                  					_t26 = _t26 + 1;
                  				}
                  				_push(_t26);
                  				 *0x47e6f0 = _t26;
                  				E0041C467( &_v16, "%d MB\t");
                  				_t17 =  *0x47e13c; // 0x0
                  				_t40 = _t17;
                  				if(_t17 != 0) {
                  					_push(_t17);
                  					E0041C467( &_v16, "%d MB\t");
                  					__eflags = _t26 -  *0x47e13c; // 0x0
                  					if(__eflags < 0) {
                  						 *0x47e2c0 =  *0x47e2c0 + 1;
                  						__eflags =  *0x47e2c0;
                  						_push(0x47e8dc);
                  					} else {
                  						goto L5;
                  					}
                  				} else {
                  					E0041C047( &_v16, "-\t", _t17);
                  					L5:
                  					_push(0x47e8f4);
                  				}
                  				E0041C0C5( &_v16, _t40);
                  				E0041EEC5(_t33,  &_v16);
                  				 *0x47e2c4 = _t26;
                  				return E0041BEFB( &_v16);
                  			}








                  APIs
                    • Part of subcall function 0041BE35: lstrlenA.KERNEL32(00000000,0047DFB8,0047F2B8,0041B2F4,Astrum Installer,00000000,0047DFB8,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000), ref: 0041BE49
                    • Part of subcall function 0041BE35: GlobalAlloc.KERNEL32(00000042,00000000,?,0041B2C8,0041CD50,00000000,0041D88F,00000010,?,0041A03B,00000000,00000000,00000000,?,0047E924,0041D88F), ref: 0041BE54
                    • Part of subcall function 0041BE35: GlobalLock.KERNEL32 ref: 0041BE75
                  • GlobalMemoryStatus.KERNEL32 ref: 0041F378
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,00000000,?,0042DB90,0047E788), ref: 0041C489
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(00000000,0042D4D0,00000000,00000000,00000001,00000001), ref: 0041C63F
                    • Part of subcall function 0041C467: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407DB6), ref: 0041C649
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: lstrlen$Global$AllocLockMemoryStatus
                  • String ID: %d MB$RAM:
                  • API String ID: 590694599-1553691747
                  • Opcode ID: f17e7ea3f21c4c1cbe4b5afdf2ee1b002352a239595c7e885cb399aa9e76efb0
                  • Instruction ID: 956f4e3496c1c7b6b8146966e90f7d17b5a24efe081624b63e5b1255e4f6415b
                  • Opcode Fuzzy Hash: f17e7ea3f21c4c1cbe4b5afdf2ee1b002352a239595c7e885cb399aa9e76efb0
                  • Instruction Fuzzy Hash: 1B115875D002186AC700EBA7DC85DDE776CEB08714F5041BBE815A3252D7789589CA6D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041BE99(long* __ecx, long* _a4) {
                  				long _t13;
                  				void* _t14;
                  				void* _t16;
                  				long* _t26;
                  				intOrPtr* _t27;
                  
                  				_t26 = _a4;
                  				_t27 = __ecx;
                  				 *__ecx =  *__ecx & 0x00000000;
                  				__ecx[1] = __ecx[1] & 0x00000000;
                  				__ecx[2] = __ecx[2] & 0x00000000;
                  				_t13 =  *_t26;
                  				 *__ecx = _t13;
                  				_t14 = GlobalAlloc(0x42, _t13);
                  				 *(_t27 + 4) = _t14;
                  				if(_t14 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				 *((intOrPtr*)(_t27 + 8)) = GlobalLock( *(_t27 + 4));
                  				_t16 = 0;
                  				if( *_t27 > 0) {
                  					do {
                  						_t9 =  &(_t26[2]); // 0x2210094
                  						 *((char*)( *((intOrPtr*)(_t27 + 8)) + _t16)) =  *((intOrPtr*)( *_t9 + _t16));
                  						_t16 = _t16 + 1;
                  					} while (_t16 <  *_t27);
                  				}
                  				return _t27;
                  			}








                  APIs
                  • GlobalAlloc.KERNEL32(00000042,00000000,00000000,0042C1D8,00421A71,00000000,00000000,00000000,0042C1D8,00000000,00000001,00000000,00000001,0000005C,00000000,00000000), ref: 0041BEB3
                  • GlobalLock.KERNEL32 ref: 0041BED4
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLock$Unlock
                  • String ID: $G
                  • API String ID: 3539109396-195990108
                  • Opcode ID: 77142d1ac7a35253a5c46d6b5c4036aaa2082d3adee7a4c4dc71fa2d51af2a6f
                  • Instruction ID: 9714d13ebd5381219ea0003f19ce2b82f8f169450bb3b6d00ebaf17d5743210f
                  • Opcode Fuzzy Hash: 77142d1ac7a35253a5c46d6b5c4036aaa2082d3adee7a4c4dc71fa2d51af2a6f
                  • Instruction Fuzzy Hash: 85018C71604B129FD3209F26C8487A6BBE4EF54322F20CC2EE5D6C7611D778A881CB98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0041BDEC(long* __ecx, intOrPtr _a4) {
                  				long _t9;
                  				void* _t10;
                  				void* _t11;
                  				long* _t19;
                  
                  				_t9 = 1;
                  				_t19 = __ecx;
                  				__ecx[1] = __ecx[1] & 0x00000000;
                  				__ecx[2] = __ecx[2] & 0x00000000;
                  				 *__ecx = _t9;
                  				_t10 = GlobalAlloc(0x42, _t9);
                  				 *(_t19 + 4) = _t10;
                  				if(_t10 == 0) {
                  					E0041D881(E0041CD1E(0x47e924));
                  				}
                  				_t11 = GlobalLock( *(_t19 + 4));
                  				 *(_t19 + 8) = _t11;
                  				 *_t11 = _a4;
                  				return _t19;
                  			}







                  APIs
                  • GlobalAlloc.KERNEL32(00000042,00000001,00000000,0041B00D,?,7FFFFFFF,7FFFFFFF,7FFFFFFF,0000000D,00000000,00000000,00000000,<\0>,0042C38C,00000000,00000000), ref: 0041BDFF
                  • GlobalLock.KERNEL32 ref: 0041BE20
                    • Part of subcall function 0041CD1E: GlobalUnlock.KERNEL32(022103E4,0047E6C8,0041BF52), ref: 0041CD24
                    • Part of subcall function 0041CD1E: GlobalReAlloc.KERNEL32 ref: 0041CD33
                    • Part of subcall function 0041CD1E: GlobalLock.KERNEL32 ref: 0041CD54
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.625042953.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_fillProxy_for_terminal_20210702_v1.jbxd
                  Similarity
                  • API ID: Global$AllocLock$Unlock
                  • String ID: $G
                  • API String ID: 3539109396-195990108
                  • Opcode ID: 0e0301fbd6dc2532e90e789fb0e47dd771507ade9c2427d8e102f8080f848ce2
                  • Instruction ID: d82badc86695a26f39644d466923ba77f379b8d0b1b1a0a45fb16c5613b72c60
                  • Opcode Fuzzy Hash: 0e0301fbd6dc2532e90e789fb0e47dd771507ade9c2427d8e102f8080f848ce2
                  • Instruction Fuzzy Hash: A9F0A0B1A047119FD3605B21D8097A77AD4EB20751F10C86EE199C7251DB789880CB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Executed Functions

                  Control-flow Graph

                  control_flow_graph 1224 3a1070-3a10df call 3a33d7 1227 3a10fe-3a1106 call 3a501b 1224->1227 1228 3a10e1-3a10fc CreateFileW 1224->1228 1231 3a1108-3a110d call 3a11fb 1227->1231 1232 3a110f-3a1115 call 3a1174 1227->1232 1228->1227 1236 3a111a-3a112e call 3a508d 1231->1236 1232->1236 1239 3a1130-3a1131 FindCloseChangeNotification 1236->1239 1240 3a1137-3a113b 1236->1240 1239->1240 1241 3a113d-3a1140 call 3e54ef 1240->1241 1242 3a1145-3a115d call 3cde36 1240->1242 1241->1242
                  C-Code - Quality: 100%
                  			E003A1070(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16) {
                  				signed int _v8;
                  				char* _v12;
                  				char* _v16;
                  				char* _v20;
                  				char* _v24;
                  				char* _v28;
                  				char* _v32;
                  				char* _v36;
                  				char* _v40;
                  				char* _v44;
                  				WCHAR* _v48;
                  				char _v52;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t24;
                  				void* _t29;
                  				void* _t33;
                  				void* _t35;
                  				void* _t40;
                  				intOrPtr _t41;
                  				void* _t42;
                  				void* _t45;
                  				intOrPtr _t46;
                  				void* _t47;
                  				signed int _t48;
                  				void* _t49;
                  				signed int _t50;
                  
                  				_t45 = __edx;
                  				_t42 = __ecx;
                  				_t24 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t24 ^ _t50;
                  				_t41 = _a4;
                  				_t46 = _a12;
                  				_t49 = _t48 | 0xffffffff;
                  				_v52 = 0;
                  				_v48 = 0;
                  				_v44 = L"cabinet.dll";
                  				_v40 = L"msi.dll";
                  				_v36 = L"version.dll";
                  				_v32 = L"wininet.dll";
                  				_v28 = L"comres.dll";
                  				_v24 = L"clbcatq.dll";
                  				_v20 = L"msasn1.dll";
                  				_v16 = L"crypt32.dll";
                  				_v12 = L"feclient.dll";
                  				if(E003A33D7( &_v48, 0) >= 0) {
                  					_t40 = CreateFileW(_v48, 0x80000000, 5, 0, 3, 0x80, 0); // executed
                  					_t49 = _t40;
                  				}
                  				_t29 = E003A501B(_t46); // executed
                  				_t52 = _t29;
                  				if(_t29 == 0) {
                  					E003A1174(_t42,  &_v44, 9);
                  				} else {
                  					E003A11FB();
                  				}
                  				_t33 = E003A508D(_t42, _t45, _t52, _t41, _t49, _t46, _a16,  &_v52); // executed
                  				_t47 = _t33;
                  				if(_t49 != 0xffffffff) {
                  					FindCloseChangeNotification(_t49); // executed
                  				}
                  				if(_v48 != 0) {
                  					E003E54EF(_v48);
                  				}
                  				_t35 =  <  ? _t47 : _v52;
                  				return E003CDE36(_t41, _v8 ^ _t50, _t45, _t47, _t49);
                  			}
































                  APIs
                    • Part of subcall function 003A33D7: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,003A10DD,?,00000000), ref: 003A33F8
                  • CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 003A10F6
                    • Part of subcall function 003A1174: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,003A111A,cabinet.dll,00000009,?,?,00000000), ref: 003A1185
                    • Part of subcall function 003A1174: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,003A111A,cabinet.dll,00000009,?,?,00000000), ref: 003A1190
                    • Part of subcall function 003A1174: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 003A119E
                    • Part of subcall function 003A1174: GetLastError.KERNEL32(?,?,?,?,003A111A,cabinet.dll,00000009,?,?,00000000), ref: 003A11B9
                    • Part of subcall function 003A1174: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 003A11C1
                    • Part of subcall function 003A1174: GetLastError.KERNEL32(?,?,?,?,003A111A,cabinet.dll,00000009,?,?,00000000), ref: 003A11D6
                  • FindCloseChangeNotification.KERNELBASE(?,?,?,?,003EB4C0,?,cabinet.dll,00000009,?,?,00000000), ref: 003A1131
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp Download File
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp Download File
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp Download File
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: AddressErrorFileLastModuleProc$ChangeCloseCreateFindHandleHeapInformationNameNotification
                  • String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
                  • API String ID: 2670336470-3151496603
                  • Opcode ID: 85e6f3a1e65973f7278ecbf748873b288a2d337e808d56c88bb1c7fee05a9d8b
                  • Instruction ID: 592f6432ad0b2a04b18eb0880447f2d85da0ad35bc4679ee0b501611252891fc
                  • Opcode Fuzzy Hash: 85e6f3a1e65973f7278ecbf748873b288a2d337e808d56c88bb1c7fee05a9d8b
                  • Instruction Fuzzy Hash: D5215E75900258ABDB13DFA68C45BEFFBB8EB45324F104219E910BA2D1D7709904CFA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E003D4812(int _a4) {
                  				void* _t14;
                  				void* _t15;
                  				void* _t17;
                  				void* _t18;
                  				void* _t19;
                  
                  				if(E003D8A73(_t14, _t15, _t17, _t18, _t19) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                  					TerminateProcess(GetCurrentProcess(), _a4);
                  				}
                  				E003D4897(_t15, _a4);
                  				ExitProcess(_a4);
                  			}








                  APIs
                  • GetCurrentProcess.KERNEL32(00000000,?,003D47E8,00000000,00407CF8,0000000C,003D493F,00000000,00000002,00000000), ref: 003D4833
                  • TerminateProcess.KERNEL32(00000000,?,003D47E8,00000000,00407CF8,0000000C,003D493F,00000000,00000002,00000000), ref: 003D483A
                  • ExitProcess.KERNEL32 ref: 003D484C
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp Download File
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp Download File
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp Download File
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Process$CurrentExitTerminate
                  • String ID:
                  • API String ID: 1703294689-0
                  • Opcode ID: 0ed6225e2f5325f915c7dff164e7fa028381d4b47b2488506d5efd9986d25292
                  • Instruction ID: d3d13ee133064fbfbabe0d1ca64171207d46b1e46c11360bf5d3d674515250a5
                  • Opcode Fuzzy Hash: 0ed6225e2f5325f915c7dff164e7fa028381d4b47b2488506d5efd9986d25292
                  • Instruction Fuzzy Hash: B5E01A32400188ABCF136F20EC49A5A7B29AF40381F050515F9045E261CB36E841DA80
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 58%
                  			E003A38D4(long _a4, signed int _a8) {
                  				void* _t7;
                  
                  				asm("sbb eax, eax");
                  				_t7 = RtlAllocateHeap(GetProcessHeap(),  ~_a8 & 0x00000008, _a4); // executed
                  				return _t7;
                  			}




                  0x003a38df
                  0x003a38ec
                  0x003a38f3

                  APIs
                  • GetProcessHeap.KERNEL32(?,000001C7,?,003A2284,000001C7,00000001,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A38E5
                  • RtlAllocateHeap.NTDLL(00000000,?,003A2284,000001C7,00000001,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A38EC
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp Download File
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp Download File
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp Download File
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Heap$AllocateProcess
                  • String ID:
                  • API String ID: 1357844191-0
                  • Opcode ID: 65bd4677177c56ccb8ebb4e3f3427398196ef967af032c59b18c89ea5d8a97a2
                  • Instruction ID: ccbc23f35e2195c49dddb2d1aa102a1888fcded92951c1a4caf2da77c9a52221
                  • Opcode Fuzzy Hash: 65bd4677177c56ccb8ebb4e3f3427398196ef967af032c59b18c89ea5d8a97a2
                  • Instruction Fuzzy Hash: 47C01232190208A7CF025FF4DC4DC5A779CA714712B008500B505C6160C73CE0148760
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E003CE773() {
                  				_Unknown_base(*)()* _t1;
                  
                  				_t1 = SetUnhandledExceptionFilter(E003CE77F); // executed
                  				return _t1;
                  			}




                  0x003ce778
                  0x003ce77e

                  APIs
                  • SetUnhandledExceptionFilter.KERNELBASE(Function_0002E77F,003CDEF8), ref: 003CE778
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ExceptionFilterUnhandled
                  • String ID:
                  • API String ID: 3192549508-0
                  • Opcode ID: 0173c09e3e49a217e77666dd2dffa49034e41cb53881620cab56019c97d80197
                  • Instruction ID: a77ac2dad43c8b6e590b815672c7ebaaf08bbc10a87ac237689d4e7895140cb5
                  • Opcode Fuzzy Hash: 0173c09e3e49a217e77666dd2dffa49034e41cb53881620cab56019c97d80197
                  • Instruction Fuzzy Hash:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E003ADE25(void* __ebx, void* __edi, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                  				signed int _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				signed int _v24;
                  				signed int _v28;
                  				signed int _v32;
                  				signed int _v36;
                  				short** _v40;
                  				intOrPtr* _t208;
                  				intOrPtr* _t213;
                  				intOrPtr _t223;
                  				signed int _t224;
                  				int _t235;
                  				signed int _t238;
                  				int _t262;
                  				signed int _t268;
                  				intOrPtr _t271;
                  				intOrPtr _t275;
                  				signed int _t279;
                  				intOrPtr _t280;
                  				intOrPtr _t302;
                  				signed int _t303;
                  				intOrPtr* _t318;
                  				short** _t320;
                  				intOrPtr* _t322;
                  				intOrPtr* _t324;
                  				intOrPtr* _t325;
                  				signed int _t328;
                  				signed int _t329;
                  				intOrPtr* _t330;
                  				signed int _t336;
                  				void* _t346;
                  				signed int _t347;
                  				signed int _t348;
                  				signed int _t349;
                  				signed int _t350;
                  				signed int _t351;
                  				short** _t358;
                  				void* _t360;
                  
                  				_v20 = _v20 & 0x00000000;
                  				_v8 = _v8 & 0x00000000;
                  				_v24 = _v24 & 0x00000000;
                  				_v12 = _v12 & 0x00000000;
                  				_v28 = _v28 & 0x00000000;
                  				_v16 = _v16 & 0x00000000;
                  				_t351 = E003E3803(_a12, L"RollbackBoundary",  &_v20);
                  				if(_t351 >= 0) {
                  					_t208 = _v20;
                  					_t321 =  *_t208;
                  					_t351 =  *((intOrPtr*)( *_t208 + 0x20))(_t208,  &_v24);
                  					if(_t351 >= 0) {
                  						_t210 = _v24;
                  						_push(__ebx);
                  						_t318 = _a4;
                  						if(_v24 == 0) {
                  							L17:
                  							_t322 = _v20;
                  							if(_t322 != 0) {
                  								 *((intOrPtr*)( *_t322 + 8))(_t322);
                  								_v20 = _v20 & 0x00000000;
                  							}
                  							if(E003E3803(_a12, L"Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage",  &_v20) >= 0) {
                  								_t213 = _v20;
                  								_t340 =  &_v24;
                  								_push( &_v24);
                  								_push(_t213);
                  								if( *((intOrPtr*)( *_t213 + 0x20))() >= 0) {
                  									_t215 = _v24;
                  									if(_v24 == 0) {
                  										L123:
                  										_t351 = 0;
                  										goto L124;
                  									}
                  									_t223 = E003A38D4(_t215 * 0xe0, 1);
                  									 *((intOrPtr*)(_t318 + 8)) = _t223;
                  									if(_t223 != 0) {
                  										_t224 = _v24;
                  										_v32 = _v32 & 0x00000000;
                  										 *((intOrPtr*)(_t318 + 0xc)) = _t224;
                  										if(_t224 == 0) {
                  											L106:
                  											_t351 = E003AD87E(_t318, _a12);
                  											if(_t351 >= 0) {
                  												goto L123;
                  											}
                  											_push("Failed to parse target product codes.");
                  											goto L108;
                  										}
                  										_t328 = 0;
                  										_v36 = 0;
                  										while(1) {
                  											_t346 =  *((intOrPtr*)(_t318 + 8)) + _t328;
                  											_t351 = E003E3760(_t328, _v20,  &_v8,  &_v12);
                  											if(_t351 < 0) {
                  												break;
                  											}
                  											_t351 = E003E31C7(_v8, L"Id", _t346);
                  											if(_t351 < 0) {
                  												L121:
                  												_push("Failed to get @Id.");
                  												goto L108;
                  											}
                  											_t351 = E003E31C7(_v8, L"Cache",  &_v16);
                  											if(_t351 < 0) {
                  												_push("Failed to get @Cache.");
                  												goto L108;
                  											}
                  											if(CompareStringW(0x7f, 0, _v16, 0xffffffff, L"no", 0xffffffff) != 2) {
                  												if(CompareStringW(0x7f, 0, _v16, 0xffffffff, L"yes", 0xffffffff) != 2) {
                  													_t235 = CompareStringW(0x7f, 0, _v16, 0xffffffff, L"always", 0xffffffff);
                  													_t328 = 2;
                  													if(_t235 != _t328) {
                  														_push(_v16);
                  														_t351 = 0x8000ffff;
                  														_push("Invalid cache type: %ls");
                  														L119:
                  														_push(_t351);
                  														E003E012F();
                  														goto L124;
                  													}
                  													 *(_t346 + 0x20) = _t328;
                  													L37:
                  													_t238 = E003E31C7(_v8, L"CacheId", _t346 + 0x24); // executed
                  													_t351 = _t238;
                  													if(_t351 < 0) {
                  														_push("Failed to get @CacheId.");
                  														goto L108;
                  													}
                  													_t351 = E003E329B(_v8, L"Size", _t346 + 0x30);
                  													if(_t351 < 0) {
                  														_push("Failed to get @Size.");
                  														goto L108;
                  													}
                  													_t351 = E003E329B(_v8, L"InstallSize", _t346 + 0x28);
                  													if(_t351 < 0) {
                  														_push("Failed to get @InstallSize.");
                  														goto L108;
                  													}
                  													_t351 = E003E33DB(_t328, _v8, L"PerMachine", _t346 + 0x14);
                  													if(_t351 < 0) {
                  														_push("Failed to get @PerMachine.");
                  														goto L108;
                  													}
                  													_t351 = E003E33DB(_t328, _v8, L"Permanent", _t346 + 0x18);
                  													if(_t351 < 0) {
                  														_push("Failed to get @Permanent.");
                  														goto L108;
                  													}
                  													 *(_t346 + 0x18) = 0 |  *(_t346 + 0x18) == 0x00000000;
                  													_t351 = E003E33DB(_t328, _v8, L"Vital", _t346 + 0x1c);
                  													if(_t351 < 0) {
                  														L112:
                  														_push("Failed to get @Vital.");
                  														goto L108;
                  													}
                  													_t351 = E003E31C7(_v8, L"LogPathVariable", _t346 + 4);
                  													if(_t351 == 0x80070490 || _t351 >= 0) {
                  														_t351 = E003E31C7(_v8, L"RollbackLogPathVariable", _t346 + 8);
                  														if(_t351 == 0x80070490 || _t351 >= 0) {
                  															_t351 = E003E31C7(_v8, L"InstallCondition", _t346 + 0xc);
                  															if(_t351 == 0x80070490 || _t351 >= 0) {
                  																_t351 = E003E31C7(_v8, L"RollbackBoundaryForward",  &_v16);
                  																if(_t351 == 0x80070490) {
                  																	L52:
                  																	_t351 = E003E31C7(_v8, L"RollbackBoundaryBackward",  &_v16);
                  																	if(_t351 == 0x80070490) {
                  																		L55:
                  																		if(CompareStringW(0x7f, 0, _v12, 0xffffffff, L"ExePackage", 0xffffffff) != 2) {
                  																			_t262 = CompareStringW(0x7f, 0, _v12, 0xffffffff, L"MsiPackage", 0xffffffff);
                  																			_t329 = 2;
                  																			if(_t262 != _t329) {
                  																				if(CompareStringW(0x7f, 0, _v12, 0xffffffff, L"MspPackage", 0xffffffff) != 2) {
                  																					if(CompareStringW(0x7f, 0, _v12, 0xffffffff, L"MsuPackage", 0xffffffff) != 2) {
                  																						L66:
                  																						_t351 = E003AD9EE(_t318, _t346, _a8, _v8);
                  																						if(_t351 < 0) {
                  																							_push("Failed to parse payload references.");
                  																							goto L108;
                  																						}
                  																						_t351 = E003C7CD9(_t346, _v8);
                  																						if(_t351 < 0) {
                  																							_push("Failed to parse dependency providers.");
                  																							goto L108;
                  																						}
                  																						_t330 = _v8;
                  																						if(_t330 != 0) {
                  																							 *((intOrPtr*)( *_t330 + 8))(_t330);
                  																							_v8 = _v8 & 0x00000000;
                  																						}
                  																						if(_v12 != 0) {
                  																							__imp__#6(_v12);
                  																							_v12 = _v12 & 0x00000000;
                  																						}
                  																						_t268 = _v32 + 1;
                  																						_t328 = _v36 + 0xe0;
                  																						_v32 = _t268;
                  																						_v36 = _t328;
                  																						if(_t268 < _v24) {
                  																							continue;
                  																						} else {
                  																							_t356 = _v28;
                  																							if(_v28 == 0) {
                  																								goto L106;
                  																							}
                  																							_t271 = E003A38D4(_t356 << 4, 1);
                  																							 *((intOrPtr*)(_t318 + 0x20)) = _t271;
                  																							if(_t271 != 0) {
                  																								 *((intOrPtr*)(_t318 + 0x24)) = E003A38D4(_t356 << 2, 1);
                  																								if( *((intOrPtr*)(_t318 + 0x20)) != 0) {
                  																									_t275 = 0;
                  																									_a8 = 0;
                  																									if( *((intOrPtr*)(_t318 + 0xc)) <= 0) {
                  																										goto L106;
                  																									}
                  																									_t347 = 0;
                  																									_v28 = 0;
                  																									do {
                  																										_t358 =  *((intOrPtr*)(_t318 + 8)) + _t347;
                  																										_v40 = _t358;
                  																										if( *((intOrPtr*)(_t358 + 0x8c)) != 3) {
                  																											goto L105;
                  																										}
                  																										 *((intOrPtr*)( *((intOrPtr*)(_t318 + 0x20)) + ( *(_t318 + 0x28) +  *(_t318 + 0x28)) * 8)) =  *((intOrPtr*)(_t358 + 0x94));
                  																										 *((intOrPtr*)( *((intOrPtr*)(_t318 + 0x20)) + 4 + ( *(_t318 + 0x28) +  *(_t318 + 0x28)) * 8)) = 2;
                  																										 *((intOrPtr*)( *((intOrPtr*)(_t318 + 0x24)) +  *(_t318 + 0x28) * 4)) = _t358;
                  																										_t336 = 0;
                  																										 *(_t318 + 0x28) =  *(_t318 + 0x28) + 1;
                  																										_v36 = 0;
                  																										if( *((intOrPtr*)(_t318 + 0xc)) <= 0) {
                  																											L104:
                  																											_t275 = _a8;
                  																											goto L105;
                  																										}
                  																										_t279 = 0;
                  																										_v32 = 0;
                  																										do {
                  																											_t360 =  *((intOrPtr*)(_t318 + 8)) + _t279;
                  																											if( *((intOrPtr*)(_t360 + 0x8c)) != 2) {
                  																												goto L102;
                  																											}
                  																											_t348 = 0;
                  																											if( *((intOrPtr*)(_t360 + 0xd4)) <= 0) {
                  																												goto L102;
                  																											}
                  																											_t320 = _v40;
                  																											do {
                  																												_t280 =  *((intOrPtr*)(_t360 + 0xd0));
                  																												if( *(_t280 + _t348 * 4) != 0 && CompareStringW(0x7f, 0,  *_t320, 0xffffffff,  *(_t280 + _t348 * 4), 0xffffffff) == 2) {
                  																													 *( *((intOrPtr*)(_t360 + 0xcc)) + _t348 * 4) = _t320;
                  																													_t283 =  *((intOrPtr*)(_t360 + 0xd0));
                  																													if( *( *((intOrPtr*)(_t360 + 0xd0)) + _t348 * 4) != 0) {
                  																														E003E54EF( *((intOrPtr*)(_t283 + _t348 * 4)));
                  																														 *( *((intOrPtr*)(_t360 + 0xd0)) + _t348 * 4) =  *( *((intOrPtr*)(_t360 + 0xd0)) + _t348 * 4) & 0x00000000;
                  																													}
                  																												}
                  																												_t348 = _t348 + 1;
                  																											} while (_t348 <  *((intOrPtr*)(_t360 + 0xd4)));
                  																											_t318 = _a4;
                  																											_t279 = _v32;
                  																											_t336 = _v36;
                  																											L102:
                  																											_t336 = _t336 + 1;
                  																											_t279 = _t279 + 0xe0;
                  																											_v36 = _t336;
                  																											_v32 = _t279;
                  																										} while (_t336 <  *((intOrPtr*)(_t318 + 0xc)));
                  																										_t347 = _v28;
                  																										goto L104;
                  																										L105:
                  																										_t275 = _t275 + 1;
                  																										_t347 = _t347 + 0xe0;
                  																										_a8 = _t275;
                  																										_v28 = _t347;
                  																									} while (_t275 <  *((intOrPtr*)(_t318 + 0xc)));
                  																									goto L106;
                  																								}
                  																								_t349 = 0x8007000e;
                  																								_t351 = 0x8007000e;
                  																								E003A37D3(_t274, "package.cpp", 0x100, 0x8007000e);
                  																								_push("Failed to allocate memory for patch sequence information to package lookup.");
                  																								L87:
                  																								_push(_t349);
                  																								goto L109;
                  																							}
                  																							_t349 = 0x8007000e;
                  																							_t351 = 0x8007000e;
                  																							E003A37D3(_t271, "package.cpp", 0xfd, 0x8007000e);
                  																							_push("Failed to allocate memory for MSP patch sequence information.");
                  																							goto L87;
                  																						}
                  																					}
                  																					 *(_t346 + 0x8c) = 4;
                  																					_t351 = E003C6F47(_v8, _t346);
                  																					if(_t351 < 0) {
                  																						_push("Failed to parse MSU package.");
                  																						goto L108;
                  																					}
                  																					goto L66;
                  																				}
                  																				 *(_t346 + 0x8c) = 3;
                  																				_t351 = E003C643A(_t318, _v8, _t346);
                  																				if(_t351 < 0) {
                  																					_push("Failed to parse MSP package.");
                  																					goto L108;
                  																				}
                  																				_v28 = _v28 + 1;
                  																				goto L66;
                  																			}
                  																			 *(_t346 + 0x8c) = _t329;
                  																			_t351 = E003C4888(_t340, _v8, _t346);
                  																			if(_t351 >= 0) {
                  																				goto L66;
                  																			}
                  																			_push("Failed to parse MSI package.");
                  																			goto L108;
                  																		}
                  																		 *(_t346 + 0x8c) = 1;
                  																		_t351 = E003C25AF(_t328, _v8, _t346);
                  																		if(_t351 >= 0) {
                  																			goto L66;
                  																		}
                  																		_push("Failed to parse EXE package.");
                  																		goto L108;
                  																	}
                  																	if(_t351 < 0) {
                  																		_push("Failed to get @RollbackBoundaryBackward.");
                  																		goto L108;
                  																	}
                  																	_t351 = E003AD82F(_t318, _v16, _t346 + 0x3c);
                  																	if(_t351 < 0) {
                  																		_push(_v16);
                  																		_push("Failed to find backward transaction boundary: %ls");
                  																		goto L119;
                  																	}
                  																	goto L55;
                  																}
                  																if(_t351 < 0) {
                  																	_push("Failed to get @RollbackBoundaryForward.");
                  																	goto L108;
                  																}
                  																_t351 = E003AD82F(_t318, _v16, _t346 + 0x38);
                  																if(_t351 < 0) {
                  																	_push(_v16);
                  																	_push("Failed to find forward transaction boundary: %ls");
                  																	goto L119;
                  																}
                  																goto L52;
                  															} else {
                  																_push("Failed to get @InstallCondition.");
                  																goto L108;
                  															}
                  														} else {
                  															_push("Failed to get @RollbackLogPathVariable.");
                  															goto L108;
                  														}
                  													} else {
                  														_push("Failed to get @LogPathVariable.");
                  														goto L108;
                  													}
                  												}
                  												 *(_t346 + 0x20) = 1;
                  												goto L37;
                  											}
                  											 *(_t346 + 0x20) =  *(_t346 + 0x20) & 0x00000000;
                  											goto L37;
                  										}
                  										L122:
                  										_push("Failed to get next node.");
                  										goto L108;
                  									}
                  									_t349 = 0x8007000e;
                  									_t351 = 0x8007000e;
                  									E003A37D3(_t223, "package.cpp", 0x5f, 0x8007000e);
                  									_push("Failed to allocate memory for package structs.");
                  									goto L87;
                  								}
                  								_push("Failed to get package node count.");
                  								goto L108;
                  							} else {
                  								_push("Failed to select package nodes.");
                  								L108:
                  								_push(_t351);
                  								L109:
                  								E003E012F();
                  								L124:
                  								L125:
                  								_t324 = _v20;
                  								if(_t324 != 0) {
                  									 *((intOrPtr*)( *_t324 + 8))(_t324);
                  								}
                  								_t325 = _v8;
                  								if(_t325 != 0) {
                  									 *((intOrPtr*)( *_t325 + 8))(_t325);
                  								}
                  								if(_v12 != 0) {
                  									__imp__#6(_v12);
                  								}
                  								if(_v16 != 0) {
                  									E003E54EF(_v16);
                  								}
                  								return _t351;
                  							}
                  						}
                  						_t302 = E003A38D4(_t210 << 3, 1);
                  						 *_t318 = _t302;
                  						if(_t302 != 0) {
                  							_t303 = _v24;
                  							_t350 = 0;
                  							 *((intOrPtr*)(_t318 + 4)) = _t303;
                  							if(_t303 == 0) {
                  								goto L17;
                  							} else {
                  								goto L9;
                  							}
                  							while(1) {
                  								L9:
                  								_v32 =  *_t318 + _t350 * 8;
                  								_t351 = E003E3760(_t321, _v20,  &_v8,  &_v12);
                  								if(_t351 < 0) {
                  									goto L122;
                  								}
                  								_t351 = E003E31C7(_v8, L"Id", _v32);
                  								if(_t351 < 0) {
                  									goto L121;
                  								}
                  								_t351 = E003E33DB(_t321, _v8, L"Vital", _v32 + 4);
                  								if(_t351 < 0) {
                  									goto L112;
                  								}
                  								_t321 = _v8;
                  								if(_t321 != 0) {
                  									 *((intOrPtr*)( *_t321 + 8))(_t321);
                  									_v8 = _v8 & 0x00000000;
                  								}
                  								if(_v12 != 0) {
                  									__imp__#6(_v12);
                  									_v12 = _v12 & 0x00000000;
                  								}
                  								_t350 = _t350 + 1;
                  								if(_t350 < _v24) {
                  									continue;
                  								} else {
                  									goto L17;
                  								}
                  							}
                  							goto L122;
                  						}
                  						_t349 = 0x8007000e;
                  						_t351 = 0x8007000e;
                  						E003A37D3(_t302, "package.cpp", 0x34, 0x8007000e);
                  						_push("Failed to allocate memory for rollback boundary structs.");
                  						goto L87;
                  					}
                  					_push("Failed to get rollback bundary node count.");
                  					L2:
                  					_push(_t351);
                  					E003E012F();
                  					goto L125;
                  				}
                  				_push("Failed to select rollback boundary nodes.");
                  				goto L2;
                  			}











































                  0x00000000
                  0x00000000
                  0x003ae27b
                  0x00000000
                  0x003ae27b
                  0x003ae224
                  0x003ae419
                  0x00000000
                  0x003ae419
                  0x003ae237
                  0x003ae23b
                  0x003ae40c
                  0x003ae40f
                  0x00000000
                  0x003ae40f
                  0x00000000
                  0x003ae23b
                  0x003ae1ea
                  0x003ae402
                  0x00000000
                  0x003ae402
                  0x003ae1fd
                  0x003ae201
                  0x003ae3f5
                  0x003ae3f8
                  0x00000000
                  0x003ae3f8
                  0x00000000
                  0x003ae3eb
                  0x003ae3eb
                  0x00000000
                  0x003ae3eb
                  0x003ae3e1
                  0x003ae3e1
                  0x00000000
                  0x003ae3e1
                  0x003ae3d7
                  0x003ae3d7
                  0x00000000
                  0x003ae3d7
                  0x003ae17d
                  0x003ae08e
                  0x00000000
                  0x003ae08e
                  0x003ae071
                  0x00000000
                  0x003ae071
                  0x003ae5fc
                  0x003ae5fc
                  0x00000000
                  0x003ae5fc
                  0x003adfcd
                  0x003adfda
                  0x003adfdc
                  0x003adfe1
                  0x00000000
                  0x003adfe1
                  0x003adfa3
                  0x00000000
                  0x003adf86
                  0x003adf86
                  0x003ae594
                  0x003ae594
                  0x003ae595
                  0x003ae595
                  0x003ae605
                  0x003ae607
                  0x003ae607
                  0x003ae60c
                  0x003ae611
                  0x003ae611
                  0x003ae614
                  0x003ae619
                  0x003ae61e
                  0x003ae61e
                  0x003ae625
                  0x003ae62a
                  0x003ae62a
                  0x003ae634
                  0x003ae639
                  0x003ae639
                  0x003ae644
                  0x003ae644
                  0x003adf84
                  0x003ade9d
                  0x003adea2
                  0x003adea6
                  0x003adec6
                  0x003adec9
                  0x003adecb
                  0x003aded0
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x003aded6
                  0x003aded6
                  0x003adedb
                  0x003adeee
                  0x003adef2
                  0x00000000
                  0x00000000
                  0x003adf08
                  0x003adf0c
                  0x00000000
                  0x00000000
                  0x003adf26
                  0x003adf2a
                  0x00000000
                  0x00000000
                  0x003adf30
                  0x003adf35
                  0x003adf3a
                  0x003adf3d
                  0x003adf3d
                  0x003adf45
                  0x003adf4a
                  0x003adf50
                  0x003adf50
                  0x003adf54
                  0x003adf58
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x003adf58
                  0x00000000
                  0x003aded6
                  0x003adea8
                  0x003adeb5
                  0x003adeb7
                  0x003adebc
                  0x00000000
                  0x003adebc
                  0x003ade80
                  0x003ade60
                  0x003ade60
                  0x003ade61
                  0x00000000
                  0x003ade67
                  0x003ade5b
                  0x00000000

                  APIs
                  • SysFreeString.OLEAUT32(00000000), ref: 003ADF4A
                  • SysFreeString.OLEAUT32(00000000), ref: 003AE62A
                    • Part of subcall function 003A38D4: GetProcessHeap.KERNEL32(?,000001C7,?,003A2284,000001C7,00000001,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A38E5
                    • Part of subcall function 003A38D4: RtlAllocateHeap.NTDLL(00000000,?,003A2284,000001C7,00000001,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A38EC
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: FreeHeapString$AllocateProcess
                  • String ID: =S:$Cache$CacheId$Chain/ExePackage|Chain/MsiPackage|Chain/MspPackage|Chain/MsuPackage$ExePackage$Failed to allocate memory for MSP patch sequence information.$Failed to allocate memory for package structs.$Failed to allocate memory for patch sequence information to package lookup.$Failed to allocate memory for rollback boundary structs.$Failed to find backward transaction boundary: %ls$Failed to find forward transaction boundary: %ls$Failed to get @Cache.$Failed to get @CacheId.$Failed to get @Id.$Failed to get @InstallCondition.$Failed to get @InstallSize.$Failed to get @LogPathVariable.$Failed to get @PerMachine.$Failed to get @Permanent.$Failed to get @RollbackBoundaryBackward.$Failed to get @RollbackBoundaryForward.$Failed to get @RollbackLogPathVariable.$Failed to get @Size.$Failed to get @Vital.$Failed to get next node.$Failed to get package node count.$Failed to get rollback bundary node count.$Failed to parse EXE package.$Failed to parse MSI package.$Failed to parse MSP package.$Failed to parse MSU package.$Failed to parse dependency providers.$Failed to parse payload references.$Failed to parse target product codes.$Failed to select package nodes.$Failed to select rollback boundary nodes.$InstallCondition$InstallSize$Invalid cache type: %ls$LogPathVariable$MsiPackage$MspPackage$MsuPackage$PerMachine$Permanent$RollbackBoundary$RollbackBoundaryBackward$RollbackBoundaryForward$RollbackLogPathVariable$Size$Vital$always$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msi.dll$package.cpp$wininet.dll$yes
                  • API String ID: 336948655-2299580707
                  • Opcode ID: 9134a16f780de73da30d7a2fc5178abef0ac7d71b3b4dc235046e50490fcdc37
                  • Instruction ID: 473473ad59803db7cf34d8d4dace14a4615ab7c442d641f58e80dc1c8e104ecb
                  • Opcode Fuzzy Hash: 9134a16f780de73da30d7a2fc5178abef0ac7d71b3b4dc235046e50490fcdc37
                  • Instruction Fuzzy Hash: DB32A031D0022AABCB179B54CC46FAEBBB4EF06724F114265F915BB291D774EE00DB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  [Figure: control-flow graph; legend: Executed / Not Executed]
                  C-Code - Quality: 64%
                  			E003AF86E(void* __edx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
                  				void* _v8;
                  				void* _v12;
                  				short* _v16;
                  				void* _v20;
                  				void* _t88;
                  				void* _t112;
                  				int _t158;
                  				void* _t164;
                  				signed int _t166;
                  				intOrPtr* _t167;
                  				intOrPtr* _t168;
                  				intOrPtr* _t169;
                  				void* _t174;
                  				intOrPtr _t176;
                  				void* _t179;
                  				void* _t188;
                  				void* _t190;
                  
                  				_t174 = __edx;
                  				_v12 = 0;
                  				_v8 = 0;
                  				_v20 = 0;
                  				_v16 = 0;
                  				_t88 = E003E388A(_a8, L"Registration",  &_v12);
                  				_t164 = 0x80070490;
                  				_t179 =  ==  ? 0x80070490 : _t88;
                  				if(_t179 >= 0) {
                  					_push(__edi);
                  					_t176 = _a4;
                  					if(E003E31C7(_v12, L"Id", _t176 + 0x10) >= 0) {
                  						if(E003E31C7(_v12, L"Tag", _t176 + 0x14) >= 0) {
                  							if(E003AE936(_t176, _t176, _a8) >= 0) {
                  								if(E003E31C7(_v12, L"Version",  &_v16) >= 0) {
                  									if(E003E4B5A(_t174, _v16, 0, _t176 + 0x38) >= 0) {
                  										if(E003E31C7(_v12, L"ProviderKey", _t176 + 0x44) >= 0) {
                  											if(E003E31C7(_v12, L"ExecutableName", _t176 + 0x48) >= 0) {
                  												if(E003E33DB(_t166, _v12, L"PerMachine", _t176) >= 0) {
                  													_t188 = E003E388A(_v12, L"Arp",  &_v8);
                  													if(_t188 == 1) {
                  														L71:
                  														if(E003AEBB2(_v12, _t176 + 0x94, _t176 + 0x98) >= 0) {
                  															_t190 = E003E388A(_v12, L"Update",  &_v20);
                  															if(_t190 == 1) {
                  																L88:
                  																_t112 = E003AEFE5(_t166, _t176); // executed
                  																_t190 = _t112;
                  																if(_t190 >= 0) {
                  																	L91:
                  																	L92:
                  																	_t167 = _v12;
                  																	if(_t167 != 0) {
                  																		 *((intOrPtr*)( *_t167 + 8))(_t167);
                  																	}
                  																	_t168 = _v8;
                  																	if(_t168 != 0) {
                  																		 *((intOrPtr*)( *_t168 + 8))(_t168);
                  																	}
                  																	_t169 = _v20;
                  																	if(_t169 != 0) {
                  																		 *((intOrPtr*)( *_t169 + 8))(_t169);
                  																	}
                  																	if(_v16 != 0) {
                  																		E003E54EF(_v16);
                  																	}
                  																	return _t190;
                  																}
                  																_push("Failed to set registration paths.");
                  																L90:
                  																_push(_t190);
                  																E003E012F();
                  																goto L91;
                  															}
                  															if(_t190 >= 0) {
                  																 *((intOrPtr*)(_t176 + 0x9c)) = 1;
                  																_t190 = E003E31C7(_v20, L"Manufacturer", _t176 + 0xa0);
                  																if(_t190 >= 0) {
                  																	_t190 = E003E31C7(_v20, L"Department", _t176 + 0xa4);
                  																	if(_t190 == _t164 || _t190 >= 0) {
                  																		_t190 = E003E31C7(_v20, L"ProductFamily", _t176 + 0xa8);
                  																		if(_t190 == _t164 || _t190 >= 0) {
                  																			_t190 = E003E31C7(_v20, L"Name", _t176 + 0xac);
                  																			if(_t190 >= 0) {
                  																				_t190 = E003E31C7(_v20, L"Classification", _t176 + 0xb0);
                  																				if(_t190 >= 0) {
                  																					goto L88;
                  																				}
                  																				_push("Failed to get @Classification.");
                  																				goto L90;
                  																			}
                  																			_push("Failed to get @Name.");
                  																		} else {
                  																			_push("Failed to get @ProductFamily.");
                  																		}
                  																	} else {
                  																		_push("Failed to get @Department.");
                  																	}
                  																	goto L90;
                  																}
                  																_push("Failed to get @Manufacturer.");
                  																goto L90;
                  															}
                  															_push("Failed to select Update node.");
                  															goto L90;
                  														}
                  														_push("Failed to parse software tag.");
                  														goto L90;
                  													}
                  													if(_t188 >= 0) {
                  														_t190 = E003E33DB(_t166, _v8, L"Register", _t176 + 4);
                  														if(_t190 >= 0) {
                  															_t190 = E003E31C7(_v8, L"DisplayName", _t176 + 0x60);
                  															if(_t190 == 0x80070490 || _t190 >= 0) {
                  																_t190 = E003E31C7(_v8, L"DisplayVersion", _t176 + 0x64);
                  																if(_t190 == _t164 || _t190 >= 0) {
                  																	_t190 = E003E31C7(_v8, L"Publisher", _t176 + 0x68);
                  																	if(_t190 == _t164 || _t190 >= 0) {
                  																		_t190 = E003E31C7(_v8, L"HelpLink", _t176 + 0x6c);
                  																		if(_t190 == _t164 || _t190 >= 0) {
                  																			_t190 = E003E31C7(_v8, L"HelpTelephone", _t176 + 0x70);
                  																			if(_t190 == _t164 || _t190 >= 0) {
                  																				_t190 = E003E31C7(_v8, L"AboutUrl", _t176 + 0x74);
                  																				if(_t190 == _t164 || _t190 >= 0) {
                  																					_t190 = E003E31C7(_v8, L"UpdateUrl", _t176 + 0x78);
                  																					if(_t190 == _t164 || _t190 >= 0) {
                  																						_t190 = E003E31C7(_v8, L"ParentDisplayName", _t176 + 0x7c);
                  																						if(_t190 == _t164 || _t190 >= 0) {
                  																							_t190 = E003E31C7(_v8, L"Comments", _t176 + 0x80);
                  																							if(_t190 == _t164 || _t190 >= 0) {
                  																								_t190 = E003E31C7(_v8, L"Contact", _t176 + 0x84);
                  																								if(_t190 == _t164 || _t190 >= 0) {
                  																									_t190 = E003E31C7(_v8, L"DisableModify",  &_v16);
                  																									if(_t190 < 0) {
                  																										if(_t190 == _t164) {
                  																											 *(_t176 + 0x88) =  *(_t176 + 0x88) & 0x00000000;
                  																											_t190 = 0;
                  																										}
                  																										L65:
                  																										if(_t190 >= 0) {
                  																											_t190 = E003E33DB(_t166, _v8, L"DisableRemove", _t176 + 0x90);
                  																											if(_t190 == _t164) {
                  																												goto L71;
                  																											}
                  																											if(_t190 >= 0) {
                  																												 *(_t176 + 0x8c) = 1;
                  																												goto L71;
                  																											}
                  																											_push("Failed to get @DisableRemove.");
                  																											goto L90;
                  																										}
                  																										_push("Failed to get @DisableModify.");
                  																										goto L90;
                  																									}
                  																									_t158 = CompareStringW(0x7f, 0, _v16, 0xffffffff, L"button", 0xffffffff);
                  																									_t166 = 2;
                  																									if(_t158 != _t166) {
                  																										if(CompareStringW(0x7f, 0, _v16, 0xffffffff, L"yes", 0xffffffff) != 2) {
                  																											if(CompareStringW(0x7f, 0, _v16, 0xffffffff, L"no", 0xffffffff) != 2) {
                  																												_t190 = 0x8000ffff;
                  																												E003A37D3(_t160, "registration.cpp", 0xf6, 0x8000ffff);
                  																												_push(_v16);
                  																												_push("Invalid modify disabled type: %ls");
                  																												L62:
                  																												_push(_t190);
                  																												E003E012F();
                  																												goto L91;
                  																											}
                  																											 *(_t176 + 0x88) =  *(_t176 + 0x88) & 0x00000000;
                  																											L60:
                  																											_t164 = 0x80070490;
                  																											goto L65;
                  																										}
                  																										 *(_t176 + 0x88) = 1;
                  																										goto L60;
                  																									}
                  																									 *(_t176 + 0x88) = _t166;
                  																									goto L60;
                  																								} else {
                  																									_push("Failed to get @Contact.");
                  																									goto L90;
                  																								}
                  																							} else {
                  																								_push("Failed to get @Comments.");
                  																								goto L90;
                  																							}
                  																						} else {
                  																							_push("Failed to get @ParentDisplayName.");
                  																							goto L90;
                  																						}
                  																					} else {
                  																						_push("Failed to get @UpdateUrl.");
                  																						goto L90;
                  																					}
                  																				} else {
                  																					_push("Failed to get @AboutUrl.");
                  																					goto L90;
                  																				}
                  																			} else {
                  																				_push("Failed to get @HelpTelephone.");
                  																				goto L90;
                  																			}
                  																		} else {
                  																			_push("Failed to get @HelpLink.");
                  																			goto L90;
                  																		}
                  																	} else {
                  																		_push("Failed to get @Publisher.");
                  																		goto L90;
                  																	}
                  																} else {
                  																	_push("Failed to get @DisplayVersion.");
                  																	goto L90;
                  																}
                  															} else {
                  																_push("Failed to get @DisplayName.");
                  																goto L90;
                  															}
                  														}
                  														_push("Failed to get @Register.");
                  														goto L90;
                  													}
                  													_push("Failed to select ARP node.");
                  													goto L90;
                  												}
                  												_push("Failed to get @PerMachine.");
                  												goto L90;
                  											}
                  											_push("Failed to get @ExecutableName.");
                  											goto L90;
                  										}
                  										_push("Failed to get @ProviderKey.");
                  										goto L90;
                  									}
                  									_push(_v16);
                  									_push("Failed to parse @Version: %ls");
                  									goto L62;
                  								}
                  								_push("Failed to get @Version.");
                  								goto L90;
                  							}
                  							_push("Failed to parse related bundles");
                  							goto L90;
                  						}
                  						_push("Failed to get @Tag.");
                  						goto L90;
                  					}
                  					_push("Failed to get @Id.");
                  					goto L90;
                  				}
                  				_push("Failed to select registration node.");
                  				_push(_t179);
                  				E003E012F();
                  				goto L92;
                  			}




















                  0x00000000
                  0x003af94f
                  0x003af92e
                  0x00000000
                  0x003af92e
                  0x003af90d
                  0x00000000
                  0x003af90d
                  0x003af8f4
                  0x00000000
                  0x003af8f4
                  0x003af8d3
                  0x00000000
                  0x003af8d3
                  0x003af8a6
                  0x003af8ab
                  0x003af8ac
                  0x00000000

                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID:
                  • String ID: =S:$AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$clbcatq.dll$msasn1.dll$registration.cpp$yes
                  • API String ID: 0-2642624614
                  • Opcode ID: 0c1c0654e5e03c0454a03e18b1e3eac7d2a8cb8da632766417c049121199711d
                  • Instruction ID: f24c4ba16fcddf94a88599ec79f14858296e31edf1ca1fb8cd33a5fb0cf4816a
                  • Opcode Fuzzy Hash: 0c1c0654e5e03c0454a03e18b1e3eac7d2a8cb8da632766417c049121199711d
                  • Instruction Fuzzy Hash: 91E18232A4077ABECB27A6E0CC42EFDBA68EB12750F110375FA10BB691D7619D409780
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 67%
                  			E003AB389(union _LARGE_INTEGER* __edx, void* _a4, void* _a8, intOrPtr _a12) {
                  				signed int _v8;
                  				union _LARGE_INTEGER _v12;
                  				char _v72;
                  				signed short _v300;
                  				signed int _v314;
                  				void _v320;
                  				union _LARGE_INTEGER _v340;
                  				long _v344;
                  				void _v360;
                  				long _v364;
                  				union _LARGE_INTEGER* _v368;
                  				intOrPtr _v372;
                  				void _v376;
                  				void _v380;
                  				struct _OVERLAPPED* _v384;
                  				intOrPtr _v388;
                  				union _LARGE_INTEGER _v392;
                  				intOrPtr _v396;
                  				char _v400;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t98;
                  				intOrPtr _t106;
                  				int _t108;
                  				int _t117;
                  				int _t120;
                  				union _LARGE_INTEGER _t123;
                  				int _t124;
                  				int _t133;
                  				signed short _t137;
                  				intOrPtr* _t142;
                  				int _t151;
                  				intOrPtr _t160;
                  				signed short _t188;
                  				signed short _t191;
                  				signed short _t196;
                  				signed short _t199;
                  				signed short _t202;
                  				signed short _t205;
                  				signed short _t208;
                  				signed short _t211;
                  				signed short _t214;
                  				signed short _t217;
                  				signed short _t220;
                  				signed int _t224;
                  				void* _t226;
                  				intOrPtr _t237;
                  				void _t241;
                  				intOrPtr _t242;
                  				union _LARGE_INTEGER* _t243;
                  				void* _t244;
                  				void* _t247;
                  				void* _t248;
                  				void* _t252;
                  				signed int _t290;
                  
                  				_t243 = __edx;
                  				_t98 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t98 ^ _t290;
                  				_t223 = _a4;
                  				_t3 =  &_v72; // 0x3a435c
                  				asm("xorps xmm0, xmm0");
                  				_v364 = 0;
                  				asm("movlpd [ebp-0x18c], xmm0");
                  				E003CF670(_t244, _t3, 0, 0x40);
                  				E003CF670(_t244,  &_v320, 0, 0xf8);
                  				_v376 = 0;
                  				_v380 = 0;
                  				_v368 = 0;
                  				_t224 = 0xa;
                  				memset( &_v360, 0, _t224 << 2);
                  				_t226 = _a8;
                  				 *_t223 = _t226;
                  				if(_t226 != 0xffffffff) {
                  					_t106 = _a12;
                  					_t247 = SetFilePointerEx;
                  					_push(0);
                  					_t107 =  ==  ? _t226 : _t106;
                  					 *((intOrPtr*)(_t223 + 4)) =  ==  ? _t226 : _t106;
                  					_t108 = SetFilePointerEx(_t226, 0, 0, 0); // executed
                  					if(_t108 != 0) {
                  						_t15 =  &_v72; // 0x3a435c
                  						_t111 = ReadFile( *_t223, _t15, 0x40,  &_v364, 0); // executed
                  						if(_t111 != 0) {
                  							if(_v364 < 0x40) {
                  								L66:
                  								_t247 = 0x8007000d;
                  								_t252 = 0x8007000d;
                  								E003A37D3(_t111, "section.cpp", 0x4e, 0x8007000d);
                  								_push("Failed to find valid DOS image header in buffer.");
                  								L67:
                  								_push(_t247);
                  								goto L68;
                  							}
                  							_t111 = 0x5a4d;
                  							_t17 =  &_v72; // 0x3a435c
                  							if(0x5a4d !=  *_t17) {
                  								goto L66;
                  							}
                  							_push(0);
                  							asm("cdq");
                  							_t117 = SetFilePointerEx( *_t223, _v12.LowPart, _t243, 0); // executed
                  							if(_t117 != 0) {
                  								_t120 = ReadFile( *_t223,  &_v320, 0x18,  &_v364, 0); // executed
                  								if(_t120 != 0) {
                  									if(_v364 < 0x18 || _v320 != 0x4550) {
                  										_t247 = 0x8007000d;
                  										_t252 = 0x8007000d;
                  										E003A37D3(_t120, "section.cpp", 0x64, 0x8007000d);
                  										_push("Failed to find valid NT image header in buffer.");
                  										goto L67;
                  									} else {
                  										_t24 = _v12.LowPart + 0x58; // 0x58
                  										_t123 = _v12.LowPart + 0x98;
                  										_v388 = _t24;
                  										_push(0);
                  										_v392.LowPart = _t123;
                  										_t124 = SetFilePointerEx( *_t223, _t123, 0, 0); // executed
                  										if(_t124 != 0) {
                  											if(ReadFile( *_t223,  &_v376, 4,  &_v364, 0) != 0) {
                  												if(ReadFile( *_t223,  &_v380, 4,  &_v364, 0) != 0) {
                  													_push(0);
                  													_t133 = SetFilePointerEx( *_t223, _v12 + (_v300 & 0x0000ffff) + 0x18, 0, 0); // executed
                  													if(_t133 != 0) {
                  														_t247 = 0;
                  														_v384 = 0;
                  														if(ReadFile( *_t223,  &_v360, 0x28,  &_v364, 0) == 0) {
                  															L63:
                  															_t137 = GetLastError();
                  															_t255 =  <=  ? _t137 : _t137 & 0x0000ffff | 0x80070000;
                  															_t252 =  >=  ? 0x80004005 :  <=  ? _t137 : _t137 & 0x0000ffff | 0x80070000;
                  															E003A37D3(0x80004005, "section.cpp", 0x8d, _t252);
                  															_push(_t247);
                  															_push("Failed to read image section header, index: %u");
                  															_push(_t252);
                  															L64:
                  															E003E012F();
                  															goto L69;
                  														}
                  														_t237 = 1;
                  														while(_v364 >= 0x28) {
                  															_t142 =  &_v360;
                  															if( *_t142 != 0x7869772e ||  *((intOrPtr*)(_t142 + 4)) != 0x6e727562) {
                  																_t143 = _v314 & 0x0000ffff;
                  																if(_t237 >= (_v314 & 0x0000ffff)) {
                  																	_t248 = 0x8007000d;
                  																	_t252 = 0x8007000d;
                  																	E003A37D3(_t143, "section.cpp", 0xa0, 0x8007000d);
                  																	_push("Failed to find Burn section.");
                  																	goto L57;
                  																}
                  																_t247 = _t247 + 1;
                  																_v384 = _t247;
                  																_v372 = _t237 + 1;
                  																if(ReadFile( *_t223,  &_v360, 0x28,  &_v364, 0) == 0) {
                  																	goto L63;
                  																}
                  																_t237 = _v372;
                  																continue;
                  															} else {
                  																if(_v344 >= 0x34) {
                  																	_t247 = E003A38D4(_v344, 1);
                  																	_v368 = _t247;
                  																	if(_t247 != 0) {
                  																		_push(0);
                  																		_t151 = SetFilePointerEx( *_t223, _v340.LowPart, 0, 0); // executed
                  																		if(_t151 != 0) {
                  																			_v372 = _v340 + 0x1c;
                  																			if(ReadFile( *_t223, _t247, _v344,  &_v364, 0) != 0) {
                  																				_t156 = _v344;
                  																				if(_v344 <= _v364) {
                  																					if( *((intOrPtr*)(_t247 + 4)) == 2) {
                  																						if(E003E48CB(_t237,  *((intOrPtr*)(_t223 + 4)),  &_v400) >= 0) {
                  																							_t243 =  *(_t247 + 0x18);
                  																							 *(_t223 + 8) = _t243;
                  																							if( *((intOrPtr*)(_t247 + 0x20)) == 0) {
                  																								_t241 = _v376;
                  																								if(_t241 == 0) {
                  																									_t160 =  *((intOrPtr*)(_t247 + 0x30)) + _t243;
                  																								} else {
                  																									_t160 = _v380 + _t241;
                  																								}
                  																							} else {
                  																								_t160 =  *((intOrPtr*)(_t247 + 0x24)) +  *((intOrPtr*)(_t247 + 0x20));
                  																							}
                  																							 *((intOrPtr*)(_t223 + 0xc)) = _t160;
                  																							 *((intOrPtr*)(_t223 + 0x10)) = _v400;
                  																							 *((intOrPtr*)(_t223 + 0x14)) = _v396;
                  																							 *((intOrPtr*)(_t223 + 0x18)) = _v388;
                  																							 *(_t223 + 0x1c) = _v392;
                  																							 *((intOrPtr*)(_t223 + 0x20)) = _v372;
                  																							 *((intOrPtr*)(_t223 + 0x24)) =  *((intOrPtr*)(_t247 + 0x1c));
                  																							 *((intOrPtr*)(_t223 + 0x28)) =  *((intOrPtr*)(_t247 + 0x20));
                  																							 *((intOrPtr*)(_t223 + 0x2c)) =  *((intOrPtr*)(_t247 + 0x24));
                  																							 *((intOrPtr*)(_t223 + 0x30)) =  *((intOrPtr*)(_t247 + 0x28));
                  																							 *(_t223 + 0x34) =  *(_t247 + 0x2c);
                  																							_t242 = E003A38D4( *(_t247 + 0x2c) << 2, 1);
                  																							 *((intOrPtr*)(_t223 + 0x38)) = _t242;
                  																							if(_t242 != 0) {
                  																								_t93 = _t247 + 0x30; // 0x30
                  																								E003CF0F0(_t242, _t93,  *(_t223 + 0x34) << 2);
                  																								_t94 = _t247 + 8; // 0x8
                  																								_t252 = E003AB106(_t94);
                  																								if(_t252 >= 0) {
                  																									goto L59;
                  																								}
                  																								E003A37D3(_t178, "section.cpp", 0xf5, _t252);
                  																								_push("PE Header from file didn\'t match PE Header in memory.");
                  																								L37:
                  																								_push(_t252);
                  																								goto L38;
                  																							} else {
                  																								_t223 = 0x8007000e;
                  																								_t252 = 0x8007000e;
                  																								E003A37D3(_t172, "section.cpp", 0xef, 0x8007000e);
                  																								_push("Failed to allocate memory for container sizes.");
                  																								_push(0x8007000e);
                  																								L38:
                  																								E003E012F();
                  																								L58:
                  																								L59:
                  																								if(_t247 != 0) {
                  																									E003A3999(_t247);
                  																								}
                  																								goto L69;
                  																							}
                  																						}
                  																						_push("Failed to get total size of bundle.");
                  																						goto L37;
                  																					}
                  																					_t252 = 0x8007000d;
                  																					E003A37D3(_t156, "section.cpp", 0xcc, 0x8007000d);
                  																					E003E012F(0x8007000d, "Failed to read section info, unsupported version: %08x", _v368->LowPart.HighPart);
                  																					_t247 = _v368;
                  																					goto L59;
                  																				}
                  																				_t248 = 0x8007000d;
                  																				_t252 = 0x8007000d;
                  																				E003A37D3(_t156, "section.cpp", 0xc5, 0x8007000d);
                  																				_push("Failed to read complete section info.");
                  																				L57:
                  																				_push(_t248);
                  																				E003E012F();
                  																				_t247 = _v368;
                  																				goto L58;
                  																			}
                  																			_t188 = GetLastError();
                  																			_t259 =  <=  ? _t188 : _t188 & 0x0000ffff | 0x80070000;
                  																			_t252 =  >=  ? 0x80004005 :  <=  ? _t188 : _t188 & 0x0000ffff | 0x80070000;
                  																			E003A37D3(0x80004005, "section.cpp", 0xc0, _t252);
                  																			_push("Failed to read section info.");
                  																			goto L37;
                  																		}
                  																		_t191 = GetLastError();
                  																		_t262 =  <=  ? _t191 : _t191 & 0x0000ffff | 0x80070000;
                  																		_t252 =  >=  ? 0x80004005 :  <=  ? _t191 : _t191 & 0x0000ffff | 0x80070000;
                  																		E003A37D3(0x80004005, "section.cpp", 0xb7, _t252);
                  																		_push("Failed to seek to section info.");
                  																		goto L37;
                  																	}
                  																	_t223 = 0x8007000e;
                  																	_t252 = 0x8007000e;
                  																	E003A37D3(_t149, "section.cpp", 0xb1, 0x8007000e);
                  																	_push("Failed to allocate buffer for section info.");
                  																	_push(0x8007000e);
                  																	goto L68;
                  																}
                  																_t247 = 0x8007000d;
                  																_t252 = 0x8007000d;
                  																E003A37D3(_t142, "section.cpp", 0xac, 0x8007000d);
                  																_push(_v344);
                  																_push("Failed to read section info, data to short: %u");
                  																L62:
                  																_push(_t247);
                  																goto L64;
                  															}
                  														}
                  														_t247 = 0x8007000d;
                  														_t252 = 0x8007000d;
                  														E003A37D3(_t136, "section.cpp", 0x92, 0x8007000d);
                  														_push(_v384);
                  														_push("Failed to read complete image section header, index: %u");
                  														goto L62;
                  													}
                  													_t196 = GetLastError();
                  													_t265 =  <=  ? _t196 : _t196 & 0x0000ffff | 0x80070000;
                  													_t252 =  >=  ? 0x80004005 :  <=  ? _t196 : _t196 & 0x0000ffff | 0x80070000;
                  													E003A37D3(0x80004005, "section.cpp", 0x84, _t252);
                  													_push("Failed to seek past optional headers.");
                  													goto L2;
                  												}
                  												_t199 = GetLastError();
                  												_t268 =  <=  ? _t199 : _t199 & 0x0000ffff | 0x80070000;
                  												_t252 =  >=  ? 0x80004005 :  <=  ? _t199 : _t199 & 0x0000ffff | 0x80070000;
                  												E003A37D3(0x80004005, "section.cpp", 0x79, _t252);
                  												_push("Failed to read signature size.");
                  												goto L2;
                  											}
                  											_t202 = GetLastError();
                  											_t271 =  <=  ? _t202 : _t202 & 0x0000ffff | 0x80070000;
                  											_t252 =  >=  ? 0x80004005 :  <=  ? _t202 : _t202 & 0x0000ffff | 0x80070000;
                  											E003A37D3(0x80004005, "section.cpp", 0x74, _t252);
                  											_push("Failed to read signature offset.");
                  											goto L2;
                  										}
                  										_t205 = GetLastError();
                  										_t274 =  <=  ? _t205 : _t205 & 0x0000ffff | 0x80070000;
                  										_t252 =  >=  ? 0x80004005 :  <=  ? _t205 : _t205 & 0x0000ffff | 0x80070000;
                  										E003A37D3(0x80004005, "section.cpp", 0x6f, _t252);
                  										_push("Failed to seek to section info.");
                  										goto L2;
                  									}
                  								}
                  								_t208 = GetLastError();
                  								_t277 =  <=  ? _t208 : _t208 & 0x0000ffff | 0x80070000;
                  								_t252 =  >=  ? 0x80004005 :  <=  ? _t208 : _t208 & 0x0000ffff | 0x80070000;
                  								E003A37D3(0x80004005, "section.cpp", 0x5f, _t252);
                  								_push("Failed to read NT header.");
                  								goto L2;
                  							}
                  							_t211 = GetLastError();
                  							_t280 =  <=  ? _t211 : _t211 & 0x0000ffff | 0x80070000;
                  							_t252 =  >=  ? 0x80004005 :  <=  ? _t211 : _t211 & 0x0000ffff | 0x80070000;
                  							E003A37D3(0x80004005, "section.cpp", 0x59, _t252);
                  							_push("Failed to seek to NT header.");
                  							goto L2;
                  						}
                  						_t214 = GetLastError();
                  						_t283 =  <=  ? _t214 : _t214 & 0x0000ffff | 0x80070000;
                  						_t252 =  >=  ? 0x80004005 :  <=  ? _t214 : _t214 & 0x0000ffff | 0x80070000;
                  						E003A37D3(0x80004005, "section.cpp", 0x49, _t252);
                  						_push("Failed to read DOS header.");
                  						goto L2;
                  					}
                  					_t217 = GetLastError();
                  					_t286 =  <=  ? _t217 : _t217 & 0x0000ffff | 0x80070000;
                  					_t252 =  >=  ? 0x80004005 :  <=  ? _t217 : _t217 & 0x0000ffff | 0x80070000;
                  					E003A37D3(0x80004005, "section.cpp", 0x43, _t252);
                  					_push("Failed to seek to start of file.");
                  					goto L2;
                  				} else {
                  					_t220 = GetLastError();
                  					_t289 =  <=  ? _t220 : _t220 & 0x0000ffff | 0x80070000;
                  					_t252 =  >=  ? 0x80004005 :  <=  ? _t220 : _t220 & 0x0000ffff | 0x80070000;
                  					E003A37D3(0x80004005, "section.cpp", 0x3a, _t252);
                  					_push("Failed to open handle to engine process path.");
                  					L2:
                  					_push(_t252);
                  					L68:
                  					E003E012F();
                  					L69:
                  					return E003CDE36(_t223, _v8 ^ _t290, _t243, _t247, _t252);
                  				}
                  			}

                  0x003ab890
                  0x003ab895
                  0x00000000
                  0x003ab895
                  0x003ab802
                  0x003ab813
                  0x003ab81d
                  0x003ab82b
                  0x003ab830
                  0x00000000
                  0x003ab830
                  0x003ab7c9
                  0x003ab7d9
                  0x003ab7db
                  0x003ab7e0
                  0x003ab7e5
                  0x00000000
                  0x003ab7e5
                  0x003ab789
                  0x003ab799
                  0x003ab79b
                  0x003ab7a0
                  0x003ab7a6
                  0x003aba76
                  0x003aba76
                  0x00000000
                  0x003aba76
                  0x003ab732
                  0x003aba54
                  0x003aba64
                  0x003aba66
                  0x003aba6b
                  0x003aba71
                  0x00000000
                  0x003aba71
                  0x003ab6b9
                  0x003ab6ca
                  0x003ab6d4
                  0x003ab6e2
                  0x003ab6e7
                  0x00000000
                  0x003ab6e7
                  0x003ab667
                  0x003ab678
                  0x003ab682
                  0x003ab68d
                  0x003ab692
                  0x00000000
                  0x003ab692
                  0x003ab618
                  0x003ab629
                  0x003ab633
                  0x003ab63e
                  0x003ab643
                  0x00000000
                  0x003ab643
                  0x003ab5c9
                  0x003ab5da
                  0x003ab5e4
                  0x003ab5ef
                  0x003ab5f4
                  0x00000000
                  0x003ab5f4
                  0x003ab58e
                  0x003ab552
                  0x003ab563
                  0x003ab56d
                  0x003ab578
                  0x003ab57d
                  0x00000000
                  0x003ab57d
                  0x003ab503
                  0x003ab514
                  0x003ab51e
                  0x003ab529
                  0x003ab52e
                  0x00000000
                  0x003ab52e
                  0x003ab4a0
                  0x003ab4b1
                  0x003ab4bb
                  0x003ab4c6
                  0x003ab4cb
                  0x00000000
                  0x003ab4cb
                  0x003ab452
                  0x003ab463
                  0x003ab46d
                  0x003ab478
                  0x003ab47d
                  0x00000000
                  0x003ab3ff
                  0x003ab3ff
                  0x003ab410
                  0x003ab41a
                  0x003ab425
                  0x003ab42a
                  0x003ab42f
                  0x003ab42f
                  0x003abaed
                  0x003abaed
                  0x003abaf4
                  0x003abb06
                  0x003abb06

                  APIs
                  • GetLastError.KERNEL32(?,?,?,00000000,77E49EB0,00000000), ref: 003AB3FF
                  • SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 003AB44C
                  • GetLastError.KERNEL32(?,?,?,00000000,77E49EB0,00000000), ref: 003AB452
                  • ReadFile.KERNELBASE(00000000,\C:H,00000040,?,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 003AB49A
                  • GetLastError.KERNEL32(?,?,?,00000000,77E49EB0,00000000), ref: 003AB4A0
                  • SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 003AB4FD
                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 003AB503
                  • ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 003AB54C
                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 003AB552
                  • SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 003AB5C3
                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 003AB5C9
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorLast$File$Pointer$Read
                  • String ID: ($.wix$4$@Mxt$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to user process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$\C:H$burn$section.cpp
                  • API String ID: 2600052162-663415820
                  • Opcode ID: 5961a1a70305c231d0932f36432d56d303a120fa54e39c4b7ac3df1b82053372
                  • Instruction ID: 7e28a3fe25253e41a89a66a7173dd113c382e6b506189e97e1e83f0311f26820
                  • Opcode Fuzzy Hash: 5961a1a70305c231d0932f36432d56d303a120fa54e39c4b7ac3df1b82053372
                  • Instruction Fuzzy Hash: 9112B071A40365EFEB239A65CC85FA7B6A8EF06740F014369FD09EB181DB719D40CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 545 3c0a77-3c0a90 SetEvent 546 3c0aca-3c0ad6 WaitForSingleObject 545->546 547 3c0a92-3c0ac5 call 3a37d3 545->547 548 3c0ad8-3c0b0b call 3a37d3 546->548 549 3c0b10-3c0b1b ResetEvent 546->549 565 3c0e25-3c0e26 call 3e012f 547->565 548->565 550 3c0b1d-3c0b50 call 3a37d3 549->550 551 3c0b55-3c0b5b 549->551 550->565 553 3c0b5d-3c0b60 551->553 554 3c0b96-3c0baf call 3a21bc 551->554 558 3c0b8c-3c0b91 553->558 559 3c0b62-3c0b87 call 3a37d3 call 3e012f 553->559 569 3c0bca-3c0bd5 SetEvent 554->569 570 3c0bb1-3c0bc5 call 3e012f 554->570 566 3c0e2d-3c0e2f 558->566 579 3c0e2b-3c0e2c 559->579 565->579 574 3c0e30-3c0e40 566->574 576 3c0bd7-3c0bf6 569->576 577 3c0c00-3c0c0c WaitForSingleObject 569->577 570->566 576->577 581 3c0c0e-3c0c2d 577->581 582 3c0c37-3c0c42 ResetEvent 577->582 579->566 581->582 585 3c0c6d-3c0c74 582->585 586 3c0c44-3c0c63 582->586 587 3c0c76-3c0c79 585->587 588 3c0ce3-3c0d05 CreateFileW 585->588 586->585 593 3c0c7b-3c0c7e 587->593 594 3c0ca0-3c0ca7 call 3a38d4 587->594 591 3c0d07-3c0d38 call 3a37d3 588->591 592 3c0d42-3c0d57 SetFilePointerEx 588->592 591->592 597 3c0d59-3c0d8c call 3a37d3 592->597 598 3c0d91-3c0d9c SetEndOfFile 592->598 595 3c0c99-3c0c9b 593->595 596 3c0c80-3c0c83 593->596 602 3c0cac-3c0cb1 594->602 595->574 596->558 601 3c0c89-3c0c8f 596->601 597->565 603 3c0d9e-3c0dd1 call 3a37d3 598->603 604 3c0dd3-3c0df0 SetFilePointerEx 598->604 601->595 608 3c0cd2-3c0cde 602->608 609 3c0cb3-3c0ccd call 3a37d3 602->609 603->565 604->566 606 3c0df2-3c0e20 call 3a37d3 604->606 606->565 608->566 609->565
                  C-Code - Quality: 54%
                  			E003C0A77(void* __ecx, union _LARGE_INTEGER* __edx, intOrPtr _a4, union _LARGE_INTEGER* _a8) {
                  				union _LARGE_INTEGER* _v8;
                  				union _LARGE_INTEGER _v12;
                  				int _t30;
                  				void* _t34;
                  				intOrPtr _t42;
                  				void* _t50;
                  				signed short _t52;
                  				signed short _t56;
                  				signed short _t59;
                  				signed short _t62;
                  				void* _t66;
                  				intOrPtr _t68;
                  				void* _t72;
                  				signed short _t76;
                  				void* _t77;
                  				signed short _t79;
                  				void* _t80;
                  				signed short _t82;
                  				void* _t83;
                  				signed short _t86;
                  				signed short _t87;
                  				signed short _t88;
                  				signed int _t89;
                  				long _t90;
                  				signed int _t93;
                  				void* _t95;
                  				union _LARGE_INTEGER* _t98;
                  				intOrPtr _t100;
                  				signed int _t103;
                  
                  				_t98 = __edx;
                  				_push(_t89);
                  				_t100 = _a4;
                  				_t30 = SetEvent( *(_t100 + 0x28));
                  				_t90 = _t89 | 0xffffffff;
                  				if(_t30 != 0) {
                  					if(WaitForSingleObject( *(_t100 + 0x24), _t90) != _t90) {
                  						if(ResetEvent( *(_t100 + 0x24)) != 0) {
                  							_t34 =  *((intOrPtr*)(_t100 + 0x2c)) - 1;
                  							if(_t34 == 0) {
                  								_t103 = E003A21BC(_t98,  *((intOrPtr*)(_t100 + 0x34)), _a8->LowPart.HighPart, 0, 0xfde9);
                  								if(_t103 >= 0) {
                  									if(SetEvent( *(_t100 + 0x28)) != 0) {
                  										if(WaitForSingleObject( *(_t100 + 0x24), _t90) != _t90) {
                  											if(ResetEvent( *(_t100 + 0x24)) != 0) {
                  												_t42 =  *((intOrPtr*)(_t100 + 0x2c));
                  												if(_t42 == 0) {
                  													_t95 = CreateFileW( *(_t100 + 0x38), 0x40000000, 1, 0, 2, 0x80, 0);
                  													 *(_t100 + 0x3c) = _t95;
                  													if(_t95 != _t90) {
                  														_push(0);
                  														asm("cdq");
                  														if(SetFilePointerEx(_t95,  *_a8, _t98, 0) != 0) {
                  															if(SetEndOfFile( *(_t100 + 0x3c)) != 0) {
                  																_push(0);
                  																asm("xorps xmm0, xmm0");
                  																asm("movlpd [ebp-0x8], xmm0");
                  																if(SetFilePointerEx( *(_t100 + 0x3c), _v12, _v8, 0) == 0) {
                  																	_t52 = GetLastError();
                  																	_t107 =  <=  ? _t52 : _t52 & 0x0000ffff | 0x80070000;
                  																	_t103 =  >=  ? 0x80004005 :  <=  ? _t52 : _t52 & 0x0000ffff | 0x80070000;
                  																	E003A37D3(0x80004005, "cabextract.cpp", 0x24f, _t103);
                  																	_push("Failed to set file pointer to beginning of file.");
                  																	goto L40;
                  																}
                  															} else {
                  																_t56 = GetLastError();
                  																_t110 =  <=  ? _t56 : _t56 & 0x0000ffff | 0x80070000;
                  																_t103 =  >=  ? 0x80004005 :  <=  ? _t56 : _t56 & 0x0000ffff | 0x80070000;
                  																E003A37D3(0x80004005, "cabextract.cpp", 0x249, _t103);
                  																_push("Failed to set end of file.");
                  																goto L40;
                  															}
                  														} else {
                  															_t59 = GetLastError();
                  															_t113 =  <=  ? _t59 : _t59 & 0x0000ffff | 0x80070000;
                  															_t103 =  >=  ? 0x80004005 :  <=  ? _t59 : _t59 & 0x0000ffff | 0x80070000;
                  															E003A37D3(0x80004005, "cabextract.cpp", 0x244, _t103);
                  															_push("Failed to set file pointer to end of file.");
                  															goto L40;
                  														}
                  													} else {
                  														_t62 = GetLastError();
                  														_t116 =  <=  ? _t62 : _t62 & 0x0000ffff | 0x80070000;
                  														_t103 =  >=  ? 0x80004005 :  <=  ? _t62 : _t62 & 0x0000ffff | 0x80070000;
                  														E003A37D3(0x80004005, "cabextract.cpp", 0x23d, _t103);
                  														_push( *(_t100 + 0x38));
                  														_push("Failed to create file: %ls");
                  														goto L16;
                  													}
                  													goto L42;
                  												} else {
                  													_t66 = _t42 - 1;
                  													if(_t66 == 0) {
                  														_t68 = E003A38D4( *_a8, 1); // executed
                  														 *((intOrPtr*)(_t100 + 0x40)) = _t68;
                  														if(_t68 != 0) {
                  															 *(_t100 + 0x48) =  *(_t100 + 0x48) & 0x00000000;
                  															 *(_t100 + 0x44) =  *_a8;
                  														} else {
                  															_t103 = 0x8007000e;
                  															E003A37D3(_t68, "cabextract.cpp", 0x257, 0x8007000e);
                  															_push("Failed to allocate buffer for stream.");
                  															goto L40;
                  														}
                  														goto L42;
                  													} else {
                  														_t72 = _t66 - 1;
                  														if(_t72 == 0) {
                  															_t50 = 0;
                  														} else {
                  															_t73 = _t72 == 1;
                  															if(_t72 == 1) {
                  																goto L13;
                  															} else {
                  																_t93 = 0x8007139f;
                  																_push(0x8007139f);
                  																_push(0x268);
                  																goto L12;
                  															}
                  															goto L42;
                  														}
                  													}
                  												}
                  											} else {
                  												_t76 = GetLastError();
                  												_t119 =  <=  ? _t76 : _t76 & 0x0000ffff | 0x80070000;
                  												_t77 = 0x80004005;
                  												_t103 =  >=  ? 0x80004005 :  <=  ? _t76 : _t76 & 0x0000ffff | 0x80070000;
                  												_push(_t103);
                  												_push(0x232);
                  												goto L8;
                  											}
                  										} else {
                  											_t79 = GetLastError();
                  											_t122 =  <=  ? _t79 : _t79 & 0x0000ffff | 0x80070000;
                  											_t80 = 0x80004005;
                  											_t103 =  >=  ? 0x80004005 :  <=  ? _t79 : _t79 & 0x0000ffff | 0x80070000;
                  											_push(_t103);
                  											_push(0x22d);
                  											goto L5;
                  										}
                  									} else {
                  										_t82 = GetLastError();
                  										_t125 =  <=  ? _t82 : _t82 & 0x0000ffff | 0x80070000;
                  										_t83 = 0x80004005;
                  										_t103 =  >=  ? 0x80004005 :  <=  ? _t82 : _t82 & 0x0000ffff | 0x80070000;
                  										_push(_t103);
                  										_push(0x227);
                  										goto L2;
                  									}
                  								} else {
                  									_push(_a8->LowPart.HighPart);
                  									_push("Failed to copy stream name: %ls");
                  									L16:
                  									_push(_t103);
                  									E003E012F();
                  									goto L42;
                  								}
                  							} else {
                  								_t73 = _t34 == 4;
                  								if(_t34 == 4) {
                  									L13:
                  									_t103 = 0x80004004;
                  								} else {
                  									_t93 = 0x8007139f;
                  									_push(0x8007139f);
                  									_push(0x21d);
                  									L12:
                  									_t103 = _t93;
                  									E003A37D3(_t73);
                  									E003E012F(_t93, "Invalid operation for this state.", "cabextract.cpp");
                  									_t90 = _t93 | 0xffffffff;
                  									goto L41;
                  								}
                  								goto L42;
                  							}
                  						} else {
                  							_t86 = GetLastError();
                  							_t128 =  <=  ? _t86 : _t86 & 0x0000ffff | 0x80070000;
                  							_t77 = 0x80004005;
                  							_t103 =  >=  ? 0x80004005 :  <=  ? _t86 : _t86 & 0x0000ffff | 0x80070000;
                  							_push(_t103);
                  							_push(0x20f);
                  							L8:
                  							_push("cabextract.cpp");
                  							E003A37D3(_t77);
                  							_push("Failed to reset begin operation event.");
                  							goto L40;
                  						}
                  					} else {
                  						_t87 = GetLastError();
                  						_t131 =  <=  ? _t87 : _t87 & 0x0000ffff | 0x80070000;
                  						_t80 = 0x80004005;
                  						_t103 =  >=  ? 0x80004005 :  <=  ? _t87 : _t87 & 0x0000ffff | 0x80070000;
                  						_push(_t103);
                  						_push(0x20a);
                  						L5:
                  						_push("cabextract.cpp");
                  						E003A37D3(_t80);
                  						_push("Failed to wait for begin operation event.");
                  						goto L40;
                  					}
                  				} else {
                  					_t88 = GetLastError();
                  					_t134 =  <=  ? _t88 : _t88 & 0x0000ffff | 0x80070000;
                  					_t83 = 0x80004005;
                  					_t103 =  >=  ? 0x80004005 :  <=  ? _t88 : _t88 & 0x0000ffff | 0x80070000;
                  					_push(_t103);
                  					_push(0x204);
                  					L2:
                  					_push("cabextract.cpp");
                  					E003A37D3(_t83);
                  					_push("Failed to set operation complete event.");
                  					L40:
                  					_push(_t103);
                  					E003E012F();
                  					L41:
                  					L42:
                  					_t50 = 1;
                  				}
                  				 *(_t100 + 0x30) = _t103;
                  				_t91 =  >=  ? _t50 : _t90;
                  				return  >=  ? _t50 : _t90;
                  			}

































                  APIs
                  • SetEvent.KERNEL32(?,?,?,?,00000000,00000000,?,003C0621,?,?), ref: 003C0A85
                  • GetLastError.KERNEL32(?,?,?,00000000,00000000,?,003C0621,?,?), ref: 003C0A92
                  • WaitForSingleObject.KERNEL32(?,?,?,?,?,00000000,00000000,?,003C0621,?,?), ref: 003C0ACE
                  • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,003C0621,?,?), ref: 003C0AD8
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorLast$EventObjectSingleWait
                  • String ID: @Mxt$Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
                  • API String ID: 3600396749-2103806369
                  • Opcode ID: 887be3f600d3f717f1cd0bdde43ecaa9f49f2afbd3448a0d8fc1a2ad4434fb5e
                  • Instruction ID: 8954f466ffae0b02abd66492a1fcbfb94eff4a32ddbcf8fb00b4b7e72bafd388
                  • Opcode Fuzzy Hash: 887be3f600d3f717f1cd0bdde43ecaa9f49f2afbd3448a0d8fc1a2ad4434fb5e
                  • Instruction Fuzzy Hash: D991D272A80B61EBE7276A798D49FA775D8EF04750F024329FE09EE5A0D761EC0087D1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 621 3a508d-3a513b call 3cf670 * 2 GetModuleHandleW call 3e03f0 call 3e05a2 call 3a1209 632 3a513d 621->632 633 3a5151-3a5162 call 3a41d2 621->633 635 3a5142-3a514c call 3e012f 632->635 639 3a516b-3a5187 call 3a5525 CoInitializeEx 633->639 640 3a5164-3a5169 633->640 641 3a53cc-3a53d3 635->641 649 3a5189-3a518e 639->649 650 3a5190-3a519c call 3dfbad 639->650 640->635 643 3a53e0-3a53e2 641->643 644 3a53d5-3a53db call 3e54ef 641->644 647 3a5407-3a5425 call 3ad723 call 3ba6d0 call 3ba91e 643->647 648 3a53e4-3a53eb 643->648 644->643 671 3a5453-3a5466 call 3a4e9c 647->671 672 3a5427-3a542f 647->672 648->647 651 3a53ed-3a5402 call 3e041b 648->651 649->635 658 3a519e 650->658 659 3a51b0-3a51bf call 3e0cd1 650->659 651->647 662 3a51a3-3a51ab call 3e012f 658->662 667 3a51c8-3a51d7 call 3e29b3 659->667 668 3a51c1-3a51c6 659->668 662->641 677 3a51d9-3a51de 667->677 678 3a51e0-3a51ef call 3e343b 667->678 668->662 681 3a5468 call 3e3911 671->681 682 3a546d-3a5474 671->682 672->671 673 3a5431-3a5434 672->673 673->671 676 3a5436-3a5451 call 3b416a call 3a550f 673->676 676->671 677->662 690 3a51f8-3a5217 GetVersionExW 678->690 691 3a51f1-3a51f6 678->691 681->682 687 3a547b-3a5482 682->687 688 3a5476 call 3e2dd0 682->688 693 3a5489-3a5490 687->693 694 3a5484 call 3e1317 687->694 688->687 699 3a5219-3a524c call 3a37d3 690->699 700 3a5251-3a5296 call 3a33d7 call 3a550f 690->700 691->662 696 3a5492 call 3dfcbc 693->696 697 3a5497-3a5499 693->697 694->693 696->697 703 3a549b CoUninitialize 697->703 704 3a54a1-3a54a8 697->704 699->662 720 3a5298-3a52a3 call 3e54ef 700->720 721 3a52a9-3a52b9 call 3b7337 700->721 703->704 707 3a54aa-3a54ac 704->707 708 3a54e3-3a54ec call 3e000b 704->708 712 3a54ae-3a54b0 707->712 713 3a54b2-3a54b8 707->713 718 3a54ee call 3a44e9 708->718 719 3a54f3-3a550c call 3e06f5 call 3cde36 708->719 717 3a54ba-3a54d3 call 3b3c30 call 3a550f 712->717 713->717 717->708 739 3a54d5-3a54e2 call 3a550f 717->739 718->719 720->721 733 
3a52bb 721->733 734 3a52c5-3a52ce 721->734 733->734 736 3a5396-3a53ac call 3a4c33 734->736 737 3a52d4-3a52d7 734->737 753 3a53b8-3a53ca 736->753 754 3a53ae 736->754 741 3a536e-3a538a call 3a49df 737->741 742 3a52dd-3a52e0 737->742 739->708 741->753 758 3a538c 741->758 745 3a52e2-3a52e5 742->745 746 3a5346-3a5362 call 3a47e9 742->746 750 3a531e-3a533a call 3a4982 745->750 751 3a52e7-3a52ea 745->751 746->753 760 3a5364 746->760 750->753 764 3a533c 750->764 756 3a52fb-3a5305 call 3a4b80 751->756 757 3a52ec-3a52f1 751->757 753->641 754->753 763 3a530a-3a530e 756->763 757->756 758->736 760->741 763->753 765 3a5314 763->765 764->746 765->750
                  C-Code - Quality: 69%
                  			E003A508D(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed short* _a20) {
                  				signed int _v8;
                  				signed short _v16;
                  				struct _OSVERSIONINFOW _v292;
                  				signed int _v296;
                  				intOrPtr _v304;
                  				signed short _v308;
                  				intOrPtr _v312;
                  				WCHAR* _v316;
                  				WCHAR* _v320;
                  				WCHAR* _v324;
                  				WCHAR* _v328;
                  				signed short* _v332;
                  				char _v340;
                  				char _v344;
                  				signed short _v420;
                  				intOrPtr _v576;
                  				intOrPtr _v1316;
                  				char _v1332;
                  				signed short _v1340;
                  				char _v1404;
                  				intOrPtr _v1532;
                  				intOrPtr _v1544;
                  				signed short _v1564;
                  				char _v1588;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t70;
                  				void* _t83;
                  				signed short _t85;
                  				signed short _t87;
                  				signed short _t88;
                  				signed short _t89;
                  				signed short _t90;
                  				signed short _t91;
                  				signed short _t93;
                  				signed short _t99;
                  				signed short _t101;
                  				intOrPtr _t124;
                  				signed short _t131;
                  				signed short _t134;
                  				signed short _t137;
                  				signed short _t142;
                  				signed short _t144;
                  				signed short _t148;
                  				void* _t149;
                  				void* _t156;
                  				signed short _t159;
                  				signed short _t162;
                  				signed short _t167;
                  				signed short _t170;
                  				signed int _t171;
                  				void* _t172;
                  				void* _t173;
                  
                  				_t156 = __edx;
                  				_t149 = __ecx;
                  				_t70 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t70 ^ _t171;
                  				_t148 = 0;
                  				_t157 = _a8;
                  				_v304 = _a4;
                  				_v332 = _a20;
                  				_v312 = _a12;
                  				_v328 = 0;
                  				_v324 = 0;
                  				_v320 = 0;
                  				_v316 = 0;
                  				E003CF670(_a8,  &_v292, 0, 0x11c);
                  				_v296 = 0;
                  				_v308 = 0;
                  				E003CF670(_a8,  &_v1588, 0, 0x4e8);
                  				_t173 = _t172 + 0x18;
                  				E003E03F0(GetModuleHandleW(0));
                  				E003E05A2(3, 0);
                  				_t83 = E003A1209(_t149, _a12,  &_v344,  &_v340); // executed
                  				if(_t83 >= 0) {
                  					_t85 = E003A41D2(_t149, _t156, __eflags,  &_v1588, _t157); // executed
                  					_t162 = _t85;
                  					__eflags = _t162;
                  					if(_t162 >= 0) {
                  						_v1544 = _a16;
                  						_t87 = E003A5525();
                  						__imp__CoInitializeEx(0, 0); // executed
                  						_t162 = _t87;
                  						__eflags = _t162;
                  						if(_t162 >= 0) {
                  							_t159 = 1;
                  							_t88 = E003DFBAD();
                  							__eflags = _t88;
                  							if(_t88 >= 0) {
                  								_v328 = 1;
                  								_t89 = E003E0CD1();
                  								_t164 = _t89;
                  								__eflags = _t89;
                  								if(__eflags >= 0) {
                  									_v324 = 1;
                  									_t90 = E003E29B3(_t149, _t156, _t164, __eflags); // executed
                  									__eflags = _t90;
                  									if(_t90 >= 0) {
                  										_v320 = 1;
                  										_t91 = E003E343B(_t90);
                  										__eflags = _t91;
                  										if(_t91 >= 0) {
                  											_v316 = 1;
                  											_v292.dwOSVersionInfoSize = 0x11c;
                  											_t93 = GetVersionExW( &_v292);
                  											__eflags = _t93;
                  											if(_t93 != 0) {
                  												E003A33D7( &_v296, 0);
                  												_push(_v296);
                  												_push(_v16 & 0x0000ffff);
                  												_push(_v292.dwBuildNumber);
                  												_push(_v292.dwMinorVersion);
                  												_push(_v292.dwMajorVersion);
                  												E003A550F(2, 0x20000001, "3.10.4.4718");
                  												_t173 = _t173 + 0x20;
                  												__eflags = _v296;
                  												if(__eflags != 0) {
                  													E003E54EF(_v296);
                  													_t36 =  &_v296;
                  													 *_t36 = _v296 & 0;
                  													__eflags =  *_t36;
                  												}
                  												_t99 = E003B7337(_t156, __eflags,  &_v1588); // executed
                  												_t167 = _t99;
                  												__eflags = _t167;
                  												if(_t167 >= 0) {
                  													_t101 = _v420;
                  													__eflags = _t101;
                  													if(_t101 == 0) {
                  														_t167 = E003A4C33(_t156, _v312,  &_v1588);
                  														__eflags = _t167;
                  														if(_t167 >= 0) {
                  															L38:
                  															_t150 = _v332;
                  															_t148 = _v1564;
                  															 *_v332 = _v1340;
                  															goto L39;
                  														}
                  														_push("Failed to run untrusted mode.");
                  														goto L9;
                  													}
                  													_t131 = _t101 - 1;
                  													__eflags = _t131;
                  													if(_t131 == 0) {
                  														_v308 = _t159;
                  														_t167 = E003A49DF(_t149, _t156, _v304,  &_v1588);
                  														__eflags = _t167;
                  														if(_t167 >= 0) {
                  															goto L38;
                  														}
                  														_push("Failed to run per-user mode.");
                  														goto L9;
                  													}
                  													_t134 = _t131 - 1;
                  													__eflags = _t134;
                  													if(_t134 == 0) {
                  														_t167 = E003A47E9(_t149, _t156, _v304, _v312,  &_v1588);
                  														__eflags = _t167;
                  														if(_t167 >= 0) {
                  															goto L38;
                  														}
                  														_push("Failed to run per-machine mode.");
                  														goto L9;
                  													}
                  													_t137 = _t134 - 1;
                  													__eflags = _t137;
                  													if(_t137 == 0) {
                  														_v308 = _t159;
                  														_t167 = E003A4982(_t149, _t156, _v304,  &_v1588);
                  														__eflags = _t167;
                  														if(_t167 >= 0) {
                  															goto L38;
                  														}
                  														_push("Failed to run embedded mode.");
                  														goto L9;
                  													}
                  													__eflags = _t137 == 1;
                  													if(_t137 == 1) {
                  														_t142 = E003A4B80(_t149,  &_v1332, _a16); // executed
                  														_t167 = _t142;
                  														__eflags = _t167;
                  														if(_t167 >= 0) {
                  															goto L38;
                  														}
                  														_push("Failed to run RunOnce mode.");
                  														goto L9;
                  													}
                  													_t167 = 0x8000ffff;
                  													_push("Invalid run mode.");
                  													goto L9;
                  												} else {
                  													_push("Failed to initialize core.");
                  													L9:
                  													E003E012F();
                  													_t150 = _t167;
                  													goto L39;
                  												}
                  											}
                  											_t144 = GetLastError();
                  											__eflags = _t144;
                  											_t170 =  <=  ? _t144 : _t144 & 0x0000ffff | 0x80070000;
                  											__eflags = _t170;
                  											_t167 =  >=  ? 0x80004005 : _t170;
                  											E003A37D3(0x80004005, "engine.cpp", 0x95, _t167);
                  											_push("Failed to get OS info.");
                  											goto L9;
                  										}
                  										_push("Failed to initialize XML util.");
                  										goto L9;
                  									}
                  									_push("Failed to initialize Wiutil.");
                  									goto L9;
                  								}
                  								_push("Failed to initialize Regutil.");
                  								goto L9;
                  							}
                  							_push("Failed to initialize Cryputil.");
                  							goto L9;
                  						}
                  						_push("Failed to initialize COM.");
                  						goto L2;
                  					}
                  					_push("Failed to initialize engine state.");
                  					goto L2;
                  				} else {
                  					_push("Failed to parse command line.");
                  					L2:
                  					E003E012F();
                  					_t150 = _t162;
                  					_t159 = _t148;
                  					L39:
                  					if(_v296 != 0) {
                  						E003E54EF(_v296);
                  					}
                  					if(_t167 < 0 && _v576 == 0) {
                  						E003E041B(_t150, _t156, _t159, 0, L"Setup", L"_Failed", L"txt", 0, 0, 0);
                  					}
                  					E003AD723( &_v1404);
                  					E003BA6D0(_t150, _t156, _v1316);
                  					E003BA91E();
                  					if(_t148 != 0) {
                  						_t124 = _v1532;
                  						if(_t124 != 0 && _t124 != 6) {
                  							E003A550F(2, 0xa0000008, E003B416A(_t124));
                  							_t173 = _t173 + 0xc;
                  							_t167 = 0x80070bc2;
                  							_t148 = 0;
                  						}
                  					}
                  					E003A4E9C(_t148, _t150, _t159,  &_v1588);
                  					if(_v316 != 0) {
                  						E003E3911();
                  					}
                  					if(_v320 != 0) {
                  						E003E2DD0();
                  					}
                  					if(_v324 != 0) {
                  						E003E1317();
                  					}
                  					if(_v328 != 0) {
                  						E003DFCBC();
                  					}
                  					if(_t159 != 0) {
                  						__imp__CoUninitialize(); // executed
                  					}
                  					if(_v308 != 0) {
                  						if(_t167 >= 0) {
                  							_t159 =  *_v332;
                  						} else {
                  							_t159 = _t167;
                  						}
                  						_push(E003B3C30(_t148));
                  						E003A550F(2, 0x20000007, _t159);
                  						if(_t148 != 0) {
                  							_push(0xa0000005);
                  							E003A550F();
                  							_t150 = 2;
                  						}
                  					}
                  					E003E000B(_t150, _t159, 0);
                  					_t193 = _t148;
                  					if(_t148 != 0) {
                  						E003A44E9(_t156);
                  					}
                  					E003E06F5(_t150, _t159, _t193, 0);
                  					return E003CDE36(_t148, _v8 ^ _t171, _t156, _t159, _t167);
                  				}
                  			}

                  APIs
                  • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 003A510F
                    • Part of subcall function 003E03F0: InitializeCriticalSection.KERNEL32(0040B60C,?,003A511B,00000000,?,?,?,?,?,?), ref: 003E0407
                    • Part of subcall function 003A1209: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,003A5137,00000000,?), ref: 003A1247
                    • Part of subcall function 003A1209: GetLastError.KERNEL32(?,?,?,003A5137,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 003A1251
                  • CoInitializeEx.OLE32(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 003A517D
                    • Part of subcall function 003E0CD1: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 003E0CF2
                  • GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 003A520F
                  • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 003A5219
                  • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 003A549B
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
                  • String ID: 3.10.4.4718$@Mxt$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize user state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$Setup$_Failed$user.cpp$txt
                  • API String ID: 3262001429-2137507744
                  • Opcode ID: 39b793e5bc13b2e1cb988d1b16325cd9b18827be350043a001192dc70ae51177
                  • Instruction ID: 02eed02fd513136ae18d52be7b35d7fffb50288de379fdc222c357d83b8e4207
                  • Opcode Fuzzy Hash: 39b793e5bc13b2e1cb988d1b16325cd9b18827be350043a001192dc70ae51177
                  • Instruction Fuzzy Hash: 2CB1A672D40A79ABDF339E658C46BFEB6A8EF45301F010195F909BA281D7709E808F90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 83%
                  			E003B7337(void* __edx, void* __eflags, intOrPtr _a4) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				char _v20;
                  				char _v24;
                  				char _v28;
                  				char _v32;
                  				char _v36;
                  				char _v124;
                  				void* __ebx;
                  				void* __edi;
                  				void* _t70;
                  				intOrPtr _t73;
                  				intOrPtr _t76;
                  				intOrPtr _t81;
                  				intOrPtr _t96;
                  				intOrPtr _t105;
                  				intOrPtr _t106;
                  				intOrPtr* _t107;
                  				intOrPtr _t109;
                  				intOrPtr _t110;
                  				void* _t140;
                  				void* _t141;
                  				intOrPtr _t142;
                  				intOrPtr _t149;
                  				intOrPtr _t152;
                  
                  				_t140 = __edx;
                  				_v12 = 0;
                  				_v28 = 0;
                  				_v20 = 0;
                  				_v32 = 0;
                  				E003CF670(_t141,  &_v124, 0, 0x58);
                  				_t142 = _a4;
                  				_v36 = 0;
                  				_v8 = 0;
                  				_v16 = 0;
                  				_v24 = 0;
                  				_t11 = _t142 + 0x88; // 0x3a533d
                  				_t135 = _t11;
                  				_t70 = E003A7503(_t11); // executed
                  				if(_t70 >= 0) {
                  					_t13 = _t142 + 0x48; // 0x3a52fd
                  					_t73 = E003AC2A1(_t13,  &_v124); // executed
                  					__eflags = _t73;
                  					if(_t73 >= 0) {
                  						_t76 = E003AC108( &_v124,  &_v28);
                  						__eflags = _t76;
                  						if(_t76 >= 0) {
                  							__eflags = E003AC362( &_v124,  &_v20,  &_v32);
                  							if(__eflags >= 0) {
                  								_t81 = E003CBDC9(__eflags, _v20, _v32, _t142); // executed
                  								__eflags = _t81;
                  								if(_t81 >= 0) {
                  									_t22 = _t142 + 0x1c0; // 0x3a5475
                  									_t23 = _t142 + 0x4d8; // 0x3a578d
                  									_t24 = _t142 + 0x140; // 0x3a53f5
                  									_t25 = _t142 + 0x400; // 0x3a56b5
                  									_t26 = _t142 + 0x3fc; // 0x3a56b1
                  									_t27 = _t142 + 0x4d4; // 0x3a5789
                  									_t30 = _t142 + 0x3ec; // 0x3a56a1
                  									_t31 = _t142 + 0x494; // 0x3a5749
                  									_t32 = _t142 + 0x490; // 0x3a5745
                  									_t136 = _t32;
                  									_t33 = _t142 + 0x4b8; // 0x3a576d
                  									_t34 = _t142 + 0x4a0; // 0x3a5755
                  									_t35 = _t142 + 0x1c; // 0x3a52d1
                  									_t36 = _t142 + 0x4e0; // 0x485
                  									_t37 = _t142 + 0x4dc; // 0x48d016a
                  									_t96 = E003B5A35( *_t37,  *_t36, _t35, _t34, _t33, _t135, _t32, _t31, _t30,  &_v8,  &_v24, _t27, _t26, _t25, _t24, _t23, _t22,  &_v12);
                  									__eflags = _t96;
                  									if(_t96 >= 0) {
                  										__eflags = _v12;
                  										_t98 =  !=  ? _v12 : 0x3eb524;
                  										E003A550F(2, 0x20000009,  !=  ? _v12 : 0x3eb524);
                  										E003E076C(GetCurrentProcess(),  &_v36); // executed
                  										asm("cdq");
                  										_t149 = E003A8152(_t135, L"WixBundleElevated", _v36, _t140, 1);
                  										__eflags = _t149;
                  										if(_t149 >= 0) {
                  											_t105 = _v8;
                  											__eflags = _t105;
                  											if(_t105 == 0) {
                  												L21:
                  												_t106 = _v24;
                  												__eflags = _t106;
                  												if(_t106 == 0) {
                  													L24:
                  													_t47 = _t142 + 0x490; // 0x3a5745
                  													_t107 = _t47;
                  													__eflags =  *_t107;
                  													if( *_t107 == 0) {
                  														L27:
                  														_t49 = _t142 + 0x100; // 0x3a53b5
                  														_t109 = E003BA307(_t135, _t49, _t135, _v8);
                  														__eflags = _t109;
                  														if(_t109 >= 0) {
                  															_t50 = _t142 + 0x490; // 0x3a5745
                  															_t107 = _t50;
                  															goto L30;
                  														} else {
                  															_push("Failed to initialize internal cache functionality.");
                  															goto L38;
                  														}
                  													} else {
                  														__eflags =  *_t107 - 1;
                  														if( *_t107 == 1) {
                  															goto L27;
                  														} else {
                  															__eflags =  *_t107 - 3;
                  															if( *_t107 != 3) {
                  																L30:
                  																__eflags =  *_t107 - 1;
                  																if(__eflags == 0) {
                  																	L32:
                  																	_t51 = _t142 + 0xcc; // 0x3a5381
                  																	_t135 = _t51;
                  																	_t52 = _t142 + 0x110; // 0xfff9e89d
                  																	_t110 = E003AD497(_t136, _t140, _t142, __eflags,  *_t52, _t51);
                  																	__eflags = _t110;
                  																	if(_t110 >= 0) {
                  																		_t54 = _t142 + 0xbc; // 0x3a5371
                  																		_t152 = E003ACABE(_t54, 0,  &_v124,  *_t135);
                  																		__eflags = _t152;
                  																		if(_t152 >= 0) {
                  																			_t55 = _t142 + 0xbc; // 0x3a5371
                  																			_t56 = _t142 + 0x2b0; // 0x3a5565
                  																			_t152 = E003AC7DF(_t140, _t56, _t55);
                  																			__eflags = _t152;
                  																			if(_t152 < 0) {
                  																				_push("Failed to load catalog files.");
                  																				goto L38;
                  																			}
                  																		} else {
                  																			_push("Failed to extract bootstrapper application payloads.");
                  																			goto L38;
                  																		}
                  																	} else {
                  																		_push("Failed to get unique temporary folder for bootstrapper application.");
                  																		goto L38;
                  																	}
                  																} else {
                  																	__eflags =  *_t107 - 3;
                  																	if(__eflags == 0) {
                  																		goto L32;
                  																	}
                  																}
                  															} else {
                  																goto L27;
                  															}
                  														}
                  													}
                  												} else {
                  													_t152 = E003A80F6(_t135, L"WixBundleOriginalSource", _t106, 0);
                  													__eflags = _t152;
                  													if(_t152 >= 0) {
                  														goto L24;
                  													} else {
                  														_push("Failed to set original source variable.");
                  														goto L38;
                  													}
                  												}
                  											} else {
                  												_t152 = E003A80F6(_t135, L"WixBundleSourceProcessPath", _t105, 1);
                  												__eflags = _t152;
                  												if(_t152 >= 0) {
                  													_t152 = E003A3446(_t136, _v8,  &_v16);
                  													__eflags = _t152;
                  													if(_t152 >= 0) {
                  														_t152 = E003A80F6(_t135, L"WixBundleSourceProcessFolder", _v16, 1);
                  														__eflags = _t152;
                  														if(_t152 >= 0) {
                  															goto L21;
                  														} else {
                  															_push("Failed to set source process folder variable.");
                  															goto L38;
                  														}
                  													} else {
                  														_push("Failed to get source process folder from path.");
                  														goto L38;
                  													}
                  												} else {
                  													_push("Failed to set source process path variable.");
                  													goto L38;
                  												}
                  											}
                  										} else {
                  											E003E012F(_t149, "Failed to overwrite the %ls built-in variable.", L"WixBundleElevated");
                  										}
                  									} else {
                  										_push("Failed to parse command line.");
                  										goto L38;
                  									}
                  								} else {
                  									_push("Failed to load manifest.");
                  									goto L38;
                  								}
                  							} else {
                  								_push("Failed to get manifest stream from container.");
                  								goto L38;
                  							}
                  						} else {
                  							_push("Failed to open manifest stream.");
                  							goto L38;
                  						}
                  					} else {
                  						_push("Failed to open attached UX container.");
                  						goto L38;
                  					}
                  				} else {
                  					_push("Failed to initialize variables.");
                  					L38:
                  					_push(_t152);
                  					E003E012F();
                  				}
                  				_t116 = _v24;
                  				if(_v24 != 0) {
                  					E003E54EF(_t116);
                  				}
                  				if(_v16 != 0) {
                  					E003E54EF(_v16);
                  				}
                  				_t117 = _v8;
                  				if(_v8 != 0) {
                  					E003E54EF(_t117);
                  				}
                  				E003AC055(_t135,  &_v124);
                  				if(_v28 != 0) {
                  					E003E54EF(_v28);
                  				}
                  				if(_v12 != 0) {
                  					E003E54EF(_v12);
                  				}
                  				if(_v20 != 0) {
                  					E003A3999(_v20); // executed
                  				}
                  				return _t152;
                  			}

                  Strings
                  • WixBundleOriginalSource, xrefs: 003B7547
                  • Failed to initialize internal cache functionality., xrefs: 003B758D
                  • Failed to set source process folder variable., xrefs: 003B7533
                  • Failed to load manifest., xrefs: 003B73F5
                  • Failed to set source process path variable., xrefs: 003B74F7
                  • Failed to parse command line., xrefs: 003B7474
                  • Failed to open attached UX container., xrefs: 003B739B
                  • Failed to load catalog files., xrefs: 003B75FD
                  • Failed to overwrite the %ls built-in variable., xrefs: 003B74C9
                  • Failed to initialize variables., xrefs: 003B737E
                  • Failed to get source process folder from path., xrefs: 003B7513
                  • WixBundleElevated, xrefs: 003B74B3, 003B74C4
                  • Failed to get manifest stream from container., xrefs: 003B73D9
                  • Failed to set original source variable., xrefs: 003B7558
                  • Failed to open manifest stream., xrefs: 003B73B8
                  • WixBundleSourceProcessPath, xrefs: 003B74E6
                  • Failed to extract bootstrapper application payloads., xrefs: 003B75DD
                  • WixBundleSourceProcessFolder, xrefs: 003B7522
                  • Failed to get unique temporary folder for bootstrapper application., xrefs: 003B75BC
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CriticalInitializeSection
                  • String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath
                  • API String ID: 32694325-252221001
                  • Opcode ID: 1a18a6bd829f20d7f1e3a6c4dbee5b3ab2e23c07a83fda3c3074dfc7017d3ad6
                  • Instruction ID: ccd96dd50c15ec1fbbd16f9620441ba63557dcd7a1575b3016cb38147a36cd1c
                  • Opcode Fuzzy Hash: 1a18a6bd829f20d7f1e3a6c4dbee5b3ab2e23c07a83fda3c3074dfc7017d3ad6
                  • Instruction Fuzzy Hash: EA915472A44A19BACB239AA4CC81FEFB76CFF44704F010266F715EB541DB70AA449BD0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 971 3a7503-3a7dc0 InitializeCriticalSection 972 3a7dc3-3a7de0 call 3a5530 971->972 975 3a7ded-3a7dfb call 3e012f 972->975 976 3a7de2-3a7de9 972->976 980 3a7dfe-3a7e10 call 3cde36 975->980 976->972 978 3a7deb 976->978 978->980
                  C-Code - Quality: 100%
                  			E003A7503(struct _CRITICAL_SECTION* _a4) {
                  				signed int _v8;
                  				intOrPtr _v12;
                  				char _v16;
                  				char _v20;
                  				intOrPtr _v24;
                  				char* _v28;
                  				intOrPtr _v32;
                  				char _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				char* _v48;
                  				intOrPtr _v52;
                  				char _v56;
                  				char _v60;
                  				intOrPtr _v64;
                  				char* _v68;
                  				intOrPtr _v72;
                  				char _v76;
                  				char _v80;
                  				intOrPtr _v84;
                  				char* _v88;
                  				intOrPtr _v92;
                  				char _v96;
                  				intOrPtr _v100;
                  				intOrPtr _v104;
                  				char* _v108;
                  				intOrPtr _v112;
                  				char _v116;
                  				char _v120;
                  				intOrPtr _v124;
                  				char* _v128;
                  				intOrPtr _v132;
                  				char _v136;
                  				char _v140;
                  				intOrPtr _v144;
                  				char* _v148;
                  				intOrPtr _v152;
                  				char _v156;
                  				char _v160;
                  				intOrPtr _v164;
                  				char* _v168;
                  				intOrPtr _v172;
                  				intOrPtr _v176;
                  				char _v180;
                  				intOrPtr _v184;
                  				char* _v188;
                  				intOrPtr _v192;
                  				char _v196;
                  				char _v200;
                  				intOrPtr _v204;
                  				char* _v208;
                  				intOrPtr _v212;
                  				char _v216;
                  				char _v220;
                  				intOrPtr _v224;
                  				char* _v228;
                  				intOrPtr _v232;
                  				char _v236;
                  				char _v240;
                  				intOrPtr _v244;
                  				char* _v248;
                  				char _v252;
                  				char _v256;
                  				char _v260;
                  				intOrPtr _v264;
                  				char* _v268;
                  				char _v272;
                  				char _v276;
                  				intOrPtr _v280;
                  				intOrPtr _v284;
                  				char* _v288;
                  				char _v292;
                  				char _v296;
                  				intOrPtr _v300;
                  				intOrPtr _v304;
                  				char* _v308;
                  				char _v312;
                  				char _v316;
                  				intOrPtr _v320;
                  				intOrPtr _v324;
                  				char* _v328;
                  				char _v332;
                  				char _v336;
                  				char _v340;
                  				intOrPtr _v344;
                  				char* _v348;
                  				char _v352;
                  				char _v356;
                  				char _v360;
                  				intOrPtr _v364;
                  				char* _v368;
                  				char _v372;
                  				char _v376;
                  				intOrPtr _v380;
                  				intOrPtr _v384;
                  				char* _v388;
                  				char _v392;
                  				char _v396;
                  				intOrPtr _v400;
                  				intOrPtr _v404;
                  				char* _v408;
                  				char _v412;
                  				char _v416;
                  				char _v420;
                  				intOrPtr _v424;
                  				char* _v428;
                  				char _v432;
                  				char _v436;
                  				char _v440;
                  				intOrPtr _v444;
                  				char* _v448;
                  				char _v452;
                  				char _v456;
                  				intOrPtr _v460;
                  				intOrPtr _v464;
                  				char* _v468;
                  				char _v472;
                  				char _v476;
                  				char _v480;
                  				intOrPtr _v484;
                  				char* _v488;
                  				char _v492;
                  				char _v496;
                  				intOrPtr _v500;
                  				intOrPtr _v504;
                  				char* _v508;
                  				char _v512;
                  				char _v516;
                  				intOrPtr _v520;
                  				intOrPtr _v524;
                  				char* _v528;
                  				char _v532;
                  				char _v536;
                  				intOrPtr _v540;
                  				intOrPtr _v544;
                  				char* _v548;
                  				char _v552;
                  				char _v556;
                  				intOrPtr _v560;
                  				intOrPtr _v564;
                  				char* _v568;
                  				char _v572;
                  				char _v576;
                  				char _v580;
                  				intOrPtr _v584;
                  				char* _v588;
                  				char _v592;
                  				char _v596;
                  				intOrPtr _v600;
                  				intOrPtr _v604;
                  				char* _v608;
                  				char _v612;
                  				char _v616;
                  				intOrPtr _v620;
                  				intOrPtr _v624;
                  				char* _v628;
                  				char _v632;
                  				char _v636;
                  				intOrPtr _v640;
                  				intOrPtr _v644;
                  				char* _v648;
                  				char _v652;
                  				char _v656;
                  				intOrPtr _v660;
                  				intOrPtr _v664;
                  				char* _v668;
                  				char _v672;
                  				char _v676;
                  				intOrPtr _v680;
                  				intOrPtr _v684;
                  				char* _v688;
                  				char _v692;
                  				char _v696;
                  				char _v700;
                  				intOrPtr _v704;
                  				char* _v708;
                  				char _v712;
                  				char _v716;
                  				intOrPtr _v720;
                  				intOrPtr _v724;
                  				char* _v728;
                  				char _v732;
                  				char _v736;
                  				intOrPtr _v740;
                  				intOrPtr _v744;
                  				char* _v748;
                  				char _v752;
                  				char _v756;
                  				intOrPtr _v760;
                  				intOrPtr _v764;
                  				char* _v768;
                  				char _v772;
                  				char _v776;
                  				intOrPtr _v780;
                  				intOrPtr _v784;
                  				char* _v788;
                  				char _v792;
                  				char _v796;
                  				intOrPtr _v800;
                  				intOrPtr _v804;
                  				char* _v808;
                  				char _v812;
                  				char _v816;
                  				intOrPtr _v820;
                  				intOrPtr _v824;
                  				char* _v828;
                  				char _v832;
                  				char _v836;
                  				intOrPtr _v840;
                  				intOrPtr _v844;
                  				char* _v848;
                  				char _v852;
                  				char _v856;
                  				intOrPtr _v860;
                  				intOrPtr _v864;
                  				char* _v868;
                  				char _v872;
                  				char _v876;
                  				intOrPtr _v880;
                  				intOrPtr _v884;
                  				char* _v888;
                  				char _v892;
                  				char _v896;
                  				intOrPtr _v900;
                  				intOrPtr _v904;
                  				char* _v908;
                  				char _v912;
                  				char _v916;
                  				char _v920;
                  				intOrPtr _v924;
                  				char* _v928;
                  				char _v932;
                  				char _v936;
                  				intOrPtr _v940;
                  				intOrPtr _v944;
                  				char* _v948;
                  				char _v952;
                  				char _v956;
                  				char _v960;
                  				intOrPtr _v964;
                  				char* _v968;
                  				char _v972;
                  				char _v976;
                  				char _v980;
                  				intOrPtr _v984;
                  				char* _v988;
                  				char _v992;
                  				char _v996;
                  				intOrPtr _v1000;
                  				intOrPtr _v1004;
                  				char* _v1008;
                  				char _v1012;
                  				char _v1016;
                  				intOrPtr _v1020;
                  				intOrPtr _v1024;
                  				char* _v1028;
                  				char _v1032;
                  				char _v1036;
                  				char _v1040;
                  				intOrPtr _v1044;
                  				char* _v1048;
                  				char _v1052;
                  				char _v1056;
                  				char _v1060;
                  				intOrPtr _v1064;
                  				char* _v1068;
                  				char _v1072;
                  				char _v1076;
                  				char _v1080;
                  				intOrPtr _v1084;
                  				char* _v1088;
                  				char _v1092;
                  				char _v1096;
                  				intOrPtr _v1100;
                  				intOrPtr _v1104;
                  				char* _v1108;
                  				char _v1112;
                  				char _v1116;
                  				intOrPtr _v1120;
                  				intOrPtr _v1124;
                  				char* _v1128;
                  				char _v1132;
                  				char _v1136;
                  				intOrPtr _v1140;
                  				intOrPtr _v1144;
                  				char* _v1148;
                  				char _v1152;
                  				char _v1156;
                  				intOrPtr _v1160;
                  				intOrPtr _v1164;
                  				char* _v1168;
                  				char _v1172;
                  				char _v1176;
                  				intOrPtr _v1180;
                  				intOrPtr _v1184;
                  				char* _v1188;
                  				char _v1192;
                  				char _v1196;
                  				intOrPtr _v1200;
                  				intOrPtr _v1204;
                  				char* _v1208;
                  				char _v1212;
                  				char _v1216;
                  				intOrPtr _v1220;
                  				intOrPtr _v1224;
                  				char* _v1228;
                  				struct _CRITICAL_SECTION* _v1232;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t317;
                  				struct _CRITICAL_SECTION* _t319;
                  				intOrPtr _t320;
                  				intOrPtr _t321;
                  				intOrPtr _t322;
                  				void* _t328;
                  				intOrPtr _t333;
                  				intOrPtr _t335;
                  				intOrPtr _t336;
                  				intOrPtr _t338;
                  				intOrPtr _t342;
                  				intOrPtr _t346;
                  				intOrPtr* _t347;
                  				char _t348;
                  				signed int _t349;
                  
                  				_t317 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t317 ^ _t349;
                  				_t319 = _a4;
                  				_v1232 = _t319;
                  				InitializeCriticalSection(_t319);
                  				_t348 = 0;
                  				_v1228 = L"AdminToolsFolder";
                  				_t320 = 0x2b;
                  				_v1220 = 0x30;
                  				_v1224 = E003A5EAB;
                  				_v1216 = 0;
                  				_t335 = 6;
                  				_v1212 = 0;
                  				_v1208 = L"AppDataFolder";
                  				_v1204 = E003A5EAB;
                  				_v1200 = 0x1a;
                  				_v1196 = 0;
                  				_v1192 = 0;
                  				_v1188 = L"CommonAppDataFolder";
                  				_v1184 = E003A5EAB;
                  				_v1180 = 0x23;
                  				_v1176 = 0;
                  				_v1172 = 0;
                  				_v1168 = L"CommonFiles64Folder";
                  				_v1164 = E003A6418;
                  				_v1160 = _t320;
                  				_v1156 = 0;
                  				_v1152 = 0;
                  				_v1148 = L"CommonFilesFolder";
                  				_v1144 = E003A5EAB;
                  				_v1140 = _t320;
                  				_v1136 = 0;
                  				_v1132 = 0;
                  				_v1128 = L"CommonFiles6432Folder";
                  				_v1124 = E003A5D71;
                  				_v1120 = _t320;
                  				_v1116 = 0;
                  				_v1112 = 0;
                  				_v1108 = L"CompatibilityMode";
                  				_v1104 = E003A6184;
                  				_v1100 = 0xc;
                  				_v1096 = 0;
                  				_v1092 = 0;
                  				_v1088 = L"Date";
                  				_v1084 = E003A5F14;
                  				_v1080 = 0;
                  				_v1076 = 0;
                  				_v1072 = 0;
                  				_v1068 = L"ComputerName";
                  				_v1064 = E003A5E0B;
                  				_v1060 = 0;
                  				_v1056 = 0;
                  				_v1052 = 0;
                  				_v1048 = L"DesktopFolder";
                  				_v1044 = E003A5EAB;
                  				_v1040 = 0;
                  				_v1036 = 0;
                  				_v1032 = 0;
                  				_v1028 = L"FavoritesFolder";
                  				_v1024 = E003A5EAB;
                  				_v1020 = _t335;
                  				_v1016 = 0;
                  				_v1012 = 0;
                  				_v1008 = L"FontsFolder";
                  				_v1004 = E003A5EAB;
                  				_v1000 = 0x14;
                  				_v996 = 0;
                  				_v992 = 0;
                  				_v988 = L"InstallerName";
                  				_v984 = E003A602F;
                  				_v980 = 0;
                  				_v976 = 0;
                  				_v972 = 0;
                  				_v968 = L"InstallerVersion";
                  				_t321 = 5;
                  				_v944 = E003A5EAB;
                  				_v904 = E003A5EAB;
                  				_t333 = 7;
                  				_v840 = _t335;
                  				_t336 = 9;
                  				_v884 = E003A6184;
                  				_v864 = E003A6184;
                  				_v844 = E003A6184;
                  				_v824 = E003A6184;
                  				_v804 = E003A6184;
                  				_v784 = E003A6184;
                  				_v764 = E003A6184;
                  				_v744 = E003A6184;
                  				_t342 = 0xb;
                  				_v964 = E003A605C;
                  				_v960 = 0;
                  				_v956 = 0;
                  				_v952 = 0;
                  				_v948 = L"LocalAppDataFolder";
                  				_v940 = 0x1c;
                  				_v936 = 0;
                  				_v932 = 0;
                  				_v928 = L"LogonUser";
                  				_v924 = E003A60BA;
                  				_v920 = 0;
                  				_v916 = 0;
                  				_v912 = 0;
                  				_v908 = L"MyPicturesFolder";
                  				_v900 = 0x27;
                  				_v896 = 0;
                  				_v892 = 0;
                  				_v888 = L"NTProductType";
                  				_v880 = 4;
                  				_v876 = 0;
                  				_v872 = 0;
                  				_v868 = L"NTSuiteBackOffice";
                  				_v860 = _t321;
                  				_v856 = 0;
                  				_v852 = 0;
                  				_v848 = L"NTSuiteDataCenter";
                  				_v836 = 0;
                  				_v832 = 0;
                  				_v828 = L"NTSuiteEnterprise";
                  				_v820 = E003A5EAB;
                  				_v816 = 0;
                  				_v812 = 0;
                  				_v808 = L"NTSuitePersonal";
                  				_v800 = 8;
                  				_v796 = 0;
                  				_v792 = 0;
                  				_v788 = L"NTSuiteSmallBusiness";
                  				_v780 = _t336;
                  				_v776 = 0;
                  				_v772 = 0;
                  				_v768 = L"NTSuiteSmallBusinessRestricted";
                  				_v760 = 0xa;
                  				_v756 = 0;
                  				_v752 = 0;
                  				_v748 = L"NTSuiteWebServer";
                  				_v740 = E003A6184;
                  				_v736 = 0;
                  				_v732 = 0;
                  				_v728 = L"PersonalFolder";
                  				_v724 = E003A5EAB;
                  				_v720 = _t321;
                  				_v716 = 0;
                  				_v712 = 0;
                  				_v708 = L"Privileged";
                  				_v704 = E003A6360;
                  				_v700 = 0;
                  				_v696 = 0;
                  				_v692 = 0;
                  				_v688 = L"ProcessorArchitecture";
                  				_v684 = E003A65DF;
                  				_v680 = 0xe;
                  				_v676 = 0;
                  				_t322 = 0x26;
                  				_v660 = _t322;
                  				_v640 = _t322;
                  				_v620 = _t322;
                  				_v604 = E003A5EAB;
                  				_v564 = E003A5EAB;
                  				_v524 = E003A5EAB;
                  				_v504 = E003A5EAB;
                  				_v520 = _t342;
                  				_v624 = E003A5D71;
                  				_v560 = _t336;
                  				_v484 = E003A64B6;
                  				_v464 = E003A64B6;
                  				_t346 = 2;
                  				_v672 = 0;
                  				_v668 = L"ProgramFiles64Folder";
                  				_v664 = E003A6418;
                  				_v656 = 0;
                  				_v652 = 0;
                  				_v648 = L"ProgramFilesFolder";
                  				_v644 = E003A5EAB;
                  				_v636 = 0;
                  				_v632 = 0;
                  				_v628 = L"ProgramFiles6432Folder";
                  				_v616 = 0;
                  				_v612 = 0;
                  				_v608 = L"ProgramMenuFolder";
                  				_v600 = E003A5D71;
                  				_v596 = 0;
                  				_v592 = 0;
                  				_v588 = L"RebootPending";
                  				_v584 = E003A63A9;
                  				_v580 = 0;
                  				_v576 = 0;
                  				_v572 = 0;
                  				_v568 = L"SendToFolder";
                  				_v556 = 0;
                  				_v552 = 0;
                  				_v548 = L"ServicePackLevel";
                  				_v544 = E003A67E5;
                  				_v540 = 3;
                  				_v536 = 0;
                  				_v532 = 0;
                  				_v528 = L"StartMenuFolder";
                  				_v516 = 0;
                  				_v512 = 0;
                  				_v508 = L"StartupFolder";
                  				_v500 = _t333;
                  				_v496 = 0;
                  				_v492 = 0;
                  				_v488 = L"SystemFolder";
                  				_v480 = 0;
                  				_v476 = 0;
                  				_v472 = 0;
                  				_v468 = L"System64Folder";
                  				_v460 = 1;
                  				_v456 = 0;
                  				_v452 = 0;
                  				_v448 = L"SystemLanguageID";
                  				_v444 = E003A5D0D;
                  				_v440 = 0;
                  				_v436 = 0;
                  				_v432 = 0;
                  				_v428 = L"TempFolder";
                  				_v424 = E003A6644;
                  				_v420 = 0;
                  				_v416 = 0;
                  				_v412 = 0;
                  				_v408 = L"TemplateFolder";
                  				_v404 = E003A5EAB;
                  				_v400 = 0x15;
                  				_v396 = 0;
                  				_v392 = 0;
                  				_v284 = E003A5EAB;
                  				_v324 = E003A67E5;
                  				_v304 = E003A67E5;
                  				_t338 = E003A648B;
                  				_v244 = E003A6159;
                  				_v164 = E003A6159;
                  				_v144 = E003A6159;
                  				_v388 = L"TerminalServer";
                  				_v384 = E003A6184;
                  				_v380 = 0xd;
                  				_v376 = 0;
                  				_v372 = 0;
                  				_v368 = L"UserLanguageID";
                  				_v364 = E003A5D3F;
                  				_v360 = 0;
                  				_v356 = 0;
                  				_v352 = 0;
                  				_v348 = L"VersionMsi";
                  				_v344 = E003A671C;
                  				_v340 = 0;
                  				_v336 = 0;
                  				_v332 = 0;
                  				_v328 = L"VersionNT";
                  				_v320 = 1;
                  				_v316 = 0;
                  				_v312 = 0;
                  				_v308 = L"VersionNT64";
                  				_v300 = _t346;
                  				_v296 = 0;
                  				_v292 = 0;
                  				_v288 = L"WindowsFolder";
                  				_v280 = 0x24;
                  				_v276 = 0;
                  				_v272 = 0;
                  				_v268 = L"WindowsVolume";
                  				_v264 = E003A69B8;
                  				_v260 = 0;
                  				_v256 = 0;
                  				_v252 = 0;
                  				_v248 = L"WixBundleAction";
                  				_v240 = 0;
                  				_v236 = 0;
                  				_v232 = 1;
                  				_v228 = L"WixBundleExecutePackageCacheFolder";
                  				_v224 = E003A648B;
                  				_v220 = 0;
                  				_v216 = 0;
                  				_v212 = 1;
                  				_v208 = L"WixBundleExecutePackageAction";
                  				_v204 = E003A648B;
                  				_v200 = 0;
                  				_v196 = 0;
                  				_v192 = 1;
                  				_v188 = L"WixBundleForcedRestartPackage";
                  				_v184 = E003A648B;
                  				_v180 = 0;
                  				_v176 = 1;
                  				_v172 = 1;
                  				_v168 = L"WixBundleInstalled";
                  				_v160 = 0;
                  				_v156 = 0;
                  				_v152 = 1;
                  				_v148 = L"WixBundleElevated";
                  				_v140 = 0;
                  				_v136 = 0;
                  				_v132 = 1;
                  				_v128 = L"WixBundleActiveParent";
                  				_v124 = E003A648B;
                  				_v120 = 0;
                  				_v116 = 0;
                  				_v112 = 1;
                  				_v108 = L"WixBundleProviderKey";
                  				_v104 = E003A648B;
                  				_v100 = 0x3eb524;
                  				_v96 = 0;
                  				_v92 = 1;
                  				_v88 = L"WixBundleSourceProcessPath";
                  				_v84 = E003A648B;
                  				_v80 = 0;
                  				_v76 = 0;
                  				_t347 =  &_v1216;
                  				_v72 = 1;
                  				_v68 = L"WixBundleSourceProcessFolder";
                  				_v64 = E003A648B;
                  				_v60 = 0;
                  				_v56 = 0;
                  				_v52 = 1;
                  				_v48 = L"WixBundleTag";
                  				_v44 = E003A648B;
                  				_v40 = 0x3eb524;
                  				_v36 = 0;
                  				_v32 = 1;
                  				_v28 = L"WixBundleVersion";
                  				_v24 = E003A66F1;
                  				_v20 = 0;
                  				_v16 = 0;
                  				_v12 = 1;
                  				while(1) {
                  					_t328 = E003A5530(_t338, _v1232,  *((intOrPtr*)(_t347 - 0xc)),  *((intOrPtr*)(_t347 - 8)),  *((intOrPtr*)(_t347 - 4)),  *_t347,  *((intOrPtr*)(_t347 + 4))); // executed
                  					_t334 = _t328;
                  					if(_t328 < 0) {
                  						break;
                  					}
                  					_t348 = _t348 + 1;
                  					_t347 = _t347 + 0x14;
                  					if(_t348 < 0x3d) {
                  						continue;
                  					} else {
                  					}
                  					L5:
                  					return E003CDE36(_t334, _v8 ^ _t349, 1, _t347, _t348);
                  				}
                  				E003E012F(_t334, "Failed to add built-in variable: %ls.",  *((intOrPtr*)(_t347 - 0xc)));
                  				goto L5;
                  			}

                  APIs
                  • InitializeCriticalSection.KERNEL32(003B7378,003A52B5,00000000,003A533D), ref: 003A7523
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CriticalInitializeSection
                  • String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleVersion
                  • API String ID: 32694325-826827252
                  • Opcode ID: 50d02cbc4a317b66a7a27b5ad2c4d3e1b38002eadc772ccd2e4c6652fdc6d733
                  • Instruction ID: 7fbca7ac09fc9142fc59f7ff1859d4de5114241d1845dbfa78f1568a4fb9b624
                  • Opcode Fuzzy Hash: 50d02cbc4a317b66a7a27b5ad2c4d3e1b38002eadc772ccd2e4c6652fdc6d733
                  • Instruction Fuzzy Hash: 23323EB4C253798FDB66CF5A89487CDBAB8FB49704F5092DAE10CA6251D7B00B85CF84
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 983 3c0e43-3c0e6f CoInitializeEx 984 3c0e71-3c0e7e call 3e012f 983->984 985 3c0e83-3c0ece call 3df364 983->985 992 3c10df-3c10f1 call 3cde36 984->992 990 3c0ef8-3c0f1a call 3df374 985->990 991 3c0ed0-3c0ef3 call 3a37d3 call 3e012f 985->991 1000 3c0f20-3c0f28 990->1000 1001 3c0fd3-3c0fde SetEvent 990->1001 1007 3c10d8-3c10d9 CoUninitialize 991->1007 1005 3c0f2e-3c0f34 1000->1005 1006 3c10d0-3c10d3 call 3df384 1000->1006 1002 3c101b-3c1029 WaitForSingleObject 1001->1002 1003 3c0fe0-3c1009 call 3a37d3 1001->1003 1008 3c105b-3c1066 ResetEvent 1002->1008 1009 3c102b-3c1059 call 3a37d3 1002->1009 1034 3c100e-3c1016 call 3e012f 1003->1034 1005->1006 1010 3c0f3a-3c0f42 1005->1010 1006->1007 1007->992 1012 3c1068-3c1096 call 3a37d3 1008->1012 1013 3c109b-3c10a1 1008->1013 1009->1034 1015 3c0fbb-3c0fce call 3e012f 1010->1015 1016 3c0f44-3c0f46 1010->1016 1012->1034 1018 3c10cb 1013->1018 1019 3c10a3-3c10a6 1013->1019 1015->1006 1021 3c0f58-3c0f5b 1016->1021 1022 3c0f48-3c0f56 1016->1022 1018->1006 1026 3c10a8-3c10c2 call 3a37d3 1019->1026 1027 3c10c7-3c10c9 1019->1027 1030 3c0f5d 1021->1030 1031 3c0fb5 1021->1031 1029 3c0fb7-3c0fb9 1022->1029 1026->1034 1027->1006 1029->1001 1029->1015 1037 3c0f9c-3c0fa1 1030->1037 1038 3c0f8e-3c0f93 1030->1038 1039 3c0f79-3c0f7e 1030->1039 1040 3c0faa-3c0faf 1030->1040 1041 3c0f6b-3c0f70 1030->1041 1042 3c0f64-3c0f69 1030->1042 1043 3c0f95-3c0f9a 1030->1043 1044 3c0f87-3c0f8c 1030->1044 1045 3c0f80-3c0f85 1030->1045 1046 3c0fb1-3c0fb3 1030->1046 1047 3c0f72-3c0f77 1030->1047 1048 3c0fa3-3c0fa8 1030->1048 1031->1029 1034->1006 1037->1015 1038->1015 1039->1015 1040->1015 1041->1015 1042->1015 1043->1015 1044->1015 1045->1015 1046->1015 1047->1015 1048->1015
                  APIs
                  • CoInitializeEx.OLE32(00000000,00000000), ref: 003C0E65
                  • CoUninitialize.OLE32 ref: 003C10D9
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: InitializeUninitialize
                  • String ID: <the>.cab$@Mxt$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
                  • API String ID: 3442037557-57065772
                  • Opcode ID: 21f6970464b889b83caeeed0152f29fd53e93528a03a85eccb4374e977c0ed88
                  • Instruction ID: 8f6e1dc0a2e757060abaf889b15f1ddfe30b4f8ce45d6e619883644dad603598
                  • Opcode Fuzzy Hash: 21f6970464b889b83caeeed0152f29fd53e93528a03a85eccb4374e977c0ed88
                  • Instruction Fuzzy Hash: B8516A76A407B5E7C73766648C81FABB6589B41720F12032DFC06FF6C0DA559C409BD1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1053 3a41d2-3a4229 InitializeCriticalSection * 2 call 3b4b0e * 2 1058 3a422f 1053->1058 1059 3a434d-3a4357 call 3ab389 1053->1059 1060 3a4235-3a4242 1058->1060 1064 3a435c-3a4360 1059->1064 1062 3a4248-3a4274 lstrlenW * 2 CompareStringW 1060->1062 1063 3a4340-3a4347 1060->1063 1065 3a42c6-3a42f2 lstrlenW * 2 CompareStringW 1062->1065 1066 3a4276-3a4299 lstrlenW 1062->1066 1063->1059 1063->1060 1067 3a436f-3a4377 1064->1067 1068 3a4362-3a436e call 3e012f 1064->1068 1065->1063 1072 3a42f4-3a4317 lstrlenW 1065->1072 1069 3a429f-3a42a4 1066->1069 1070 3a4385-3a439a call 3a37d3 1066->1070 1068->1067 1069->1070 1073 3a42aa-3a42ba call 3a29dc 1069->1073 1084 3a439f-3a43a6 1070->1084 1076 3a431d-3a4322 1072->1076 1077 3a43b1-3a43cb call 3a37d3 1072->1077 1086 3a437a-3a4383 1073->1086 1087 3a42c0 1073->1087 1076->1077 1081 3a4328-3a4338 call 3a29dc 1076->1081 1077->1084 1081->1086 1090 3a433a 1081->1090 1088 3a43a7-3a43af call 3e012f 1084->1088 1086->1088 1087->1065 1088->1067 1090->1063
                  C-Code - Quality: 66%
                  			E003A41D2(void* __ecx, union _LARGE_INTEGER* __edx, void* __eflags, struct _CRITICAL_SECTION* _a4, signed int _a8) {
                  				char _v8;
                  				void* _t50;
                  				int _t55;
                  				WCHAR* _t56;
                  				int _t62;
                  				WCHAR* _t63;
                  				signed int _t69;
                  				intOrPtr* _t72;
                  				signed int _t76;
                  				struct _CRITICAL_SECTION* _t79;
                  				signed int _t83;
                  				void* _t89;
                  				void* _t93;
                  				union _LARGE_INTEGER* _t96;
                  				struct _CRITICAL_SECTION* _t98;
                  				void* _t100;
                  				void* _t103;
                  
                  				_t96 = __edx;
                  				_push(__ecx);
                  				_a8 = _a8 | 0xffffffff;
                  				_t98 = _a4;
                  				_v8 = _a8;
                  				 *(_t98 + 0x498) =  *(_t98 + 0x498) | 0xffffffff;
                  				 *(_t98 + 0x494) = 1;
                  				InitializeCriticalSection(_t98);
                  				_t9 = _t98 + 0xd0; // 0xd0
                  				InitializeCriticalSection(_t9);
                  				_t10 = _t98 + 0x4a0; // 0x4a0
                  				E003B4B0E(_t10);
                  				_t11 = _t98 + 0x4b8; // 0x4b8
                  				E003B4B0E(_t11);
                  				_t83 = 0;
                  				if( *((intOrPtr*)(_t98 + 0x4dc)) <= 0) {
                  					L14:
                  					_t40 = _t98 + 0x48; // 0x48
                  					_t50 = E003AB389(_t96, _t40, _v8, _a8); // executed
                  					_t103 = _t50;
                  					if(_t103 < 0) {
                  						_push("Failed to initialize engine section.");
                  						_push(_t103);
                  						E003E012F();
                  					}
                  					L16:
                  					return _t103;
                  				}
                  				do {
                  					if( *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t98 + 0x4e0)) + _t83 * 4)))) != 0x2d) {
                  						goto L13;
                  					}
                  					_t55 = lstrlenW(L"burn.filehandle.attached");
                  					_t56 = L"burn.filehandle.attached";
                  					if(CompareStringW(0x7f, 1,  *((intOrPtr*)( *((intOrPtr*)(_t98 + 0x4e0)) + _t83 * 4)) + 2, lstrlenW(_t56), _t56, _t55) != 2) {
                  						L8:
                  						_t62 = lstrlenW(L"burn.filehandle.self");
                  						_t63 = L"burn.filehandle.self";
                  						if(CompareStringW(0x7f, 1,  *((intOrPtr*)( *((intOrPtr*)(_t98 + 0x4e0)) + _t83 * 4)) + 2, lstrlenW(_t63), _t63, _t62) != 2) {
                  							goto L13;
                  						}
                  						_t69 = lstrlenW(L"burn.filehandle.self");
                  						_t72 =  *((intOrPtr*)( *((intOrPtr*)(_t98 + 0x4e0)) + _t83 * 4)) + 4 + _t69 * 2;
                  						_t89 = 0x3d;
                  						_a4 = _t72;
                  						if(_t89 !=  *((intOrPtr*)(_t72 - 2)) || 0 ==  *_t72) {
                  							_t100 = 0x80070057;
                  							E003A37D3(_t72, "engine.cpp", 0x140, 0x80070057);
                  							_push(L"burn.filehandle.self");
                  							L19:
                  							_push("Missing required parameter for switch: %ls");
                  							_t103 = _t100;
                  							_push(_t100);
                  							goto L20;
                  						} else {
                  							_t103 = E003A29DC( &_v8, _t96, _t72, 0,  &_v8);
                  							if(_t103 < 0) {
                  								L17:
                  								_push(_a4);
                  								_push("Failed to parse file handle: \'%ls\'");
                  								_push(_t103);
                  								L20:
                  								E003E012F();
                  								goto L16;
                  							}
                  							goto L13;
                  						}
                  					}
                  					_t76 = lstrlenW(L"burn.filehandle.attached");
                  					_t79 =  *((intOrPtr*)( *((intOrPtr*)(_t98 + 0x4e0)) + _t83 * 4)) + 4 + _t76 * 2;
                  					_t93 = 0x3d;
                  					_a4 = _t79;
                  					if(_t93 !=  *((intOrPtr*)(_t79 - 2)) || 0 ==  *_t79) {
                  						_t100 = 0x80070057;
                  						E003A37D3(_t79, "engine.cpp", 0x135, 0x80070057);
                  						_push(L"burn.filehandle.attached");
                  						goto L19;
                  					} else {
                  						_t103 = E003A29DC( &_a8, _t96, _t79, 0,  &_a8);
                  						if(_t103 < 0) {
                  							goto L17;
                  						}
                  						goto L8;
                  					}
                  					L13:
                  					_t83 = _t83 + 1;
                  				} while (_t83 <  *((intOrPtr*)(_t98 + 0x4dc)));
                  				goto L14;
                  			}

                  APIs
                  • InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,003A515E,?,?,00000000,?,?), ref: 003A41FE
                  • InitializeCriticalSection.KERNEL32(000000D0,?,?,003A515E,?,?,00000000,?,?), ref: 003A4207
                  • lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,003A515E,?,?,00000000,?,?), ref: 003A424D
                  • lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,003A515E,?,?,00000000,?,?), ref: 003A4257
                  • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,003A515E,?,?,00000000,?,?), ref: 003A426B
                  • lstrlenW.KERNEL32(burn.filehandle.attached,?,?,003A515E,?,?,00000000,?,?), ref: 003A427B
                  • lstrlenW.KERNEL32(burn.filehandle.self,?,?,003A515E,?,?,00000000,?,?), ref: 003A42CB
                  • lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,003A515E,?,?,00000000,?,?), ref: 003A42D5
                  • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,003A515E,?,?,00000000,?,?), ref: 003A42E9
                  • lstrlenW.KERNEL32(burn.filehandle.self,?,?,003A515E,?,?,00000000,?,?), ref: 003A42F9
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: lstrlen$CompareCriticalInitializeSectionString
                  • String ID: Failed to initialize user section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$user.cpp
                  • API String ID: 3039292287-3209860532
                  • Opcode ID: cce9bc1e8106df70779da3fdf77d3e48cd8dfa61b3344ed0dfaee1fd3b9363e5
                  • Instruction ID: ac7a004429b76168144953eb55ea71349de63e5726a48ea66972caab0cc850b6
                  • Opcode Fuzzy Hash: cce9bc1e8106df70779da3fdf77d3e48cd8dfa61b3344ed0dfaee1fd3b9363e5
                  • Instruction Fuzzy Hash: D951C875A00269BFCB27DB65DC86F9BB76CEB45760F000215F618DB2D0D7B0A950C794
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1093 3ac129-3ac15b 1094 3ac15d-3ac17b CreateFileW 1093->1094 1095 3ac1c5-3ac1e1 GetCurrentProcess * 2 DuplicateHandle 1093->1095 1096 3ac21d-3ac223 1094->1096 1097 3ac181-3ac1b2 call 3a37d3 1094->1097 1098 3ac21b 1095->1098 1099 3ac1e3-3ac219 call 3a37d3 1095->1099 1100 3ac22d 1096->1100 1101 3ac225-3ac22b 1096->1101 1114 3ac1b7-3ac1c0 call 3e012f 1097->1114 1098->1096 1099->1114 1102 3ac22f-3ac23d SetFilePointerEx 1100->1102 1101->1102 1105 3ac23f-3ac272 call 3a37d3 1102->1105 1106 3ac274-3ac27a 1102->1106 1122 3ac290-3ac297 call 3e012f 1105->1122 1110 3ac298-3ac29e 1106->1110 1111 3ac27c-3ac280 call 3c1484 1106->1111 1118 3ac285-3ac289 1111->1118 1114->1110 1118->1110 1121 3ac28b 1118->1121 1121->1122 1122->1110
                  C-Code - Quality: 54%
                  			E003AC129(HANDLE* _a4, intOrPtr _a8, void* _a12, WCHAR* _a16) {
                  				void* _t29;
                  				int _t31;
                  				union _LARGE_INTEGER* _t33;
                  				int _t34;
                  				long _t38;
                  				signed short _t40;
                  				signed short _t43;
                  				void* _t47;
                  				signed short _t48;
                  				HANDLE* _t51;
                  				intOrPtr _t52;
                  				long _t55;
                  				union _LARGE_INTEGER _t65;
                  
                  				_t52 = _a8;
                  				_t51 = _a4;
                  				_t51[6] =  *(_t52 + 4);
                  				_t55 = 0;
                  				_t65 = 0;
                  				_t51[4] =  *(_t52 + 0x18);
                  				_t51[5] =  *(_t52 + 0x1c);
                  				_t51[2] =  *(_t52 + 0x40);
                  				_t51[3] =  *(_t52 + 0x44);
                  				if(_a12 != 0xffffffff) {
                  					_t29 = GetCurrentProcess();
                  					_t31 = DuplicateHandle(GetCurrentProcess(), _a12, _t29, _t51, 0, 0, 2); // executed
                  					if(_t31 != 0) {
                  						_t65 = 0;
                  						goto L7;
                  					} else {
                  						_t43 = GetLastError();
                  						_t61 =  <=  ? _t43 : _t43 & 0x0000ffff | 0x80070000;
                  						_t55 =  >=  ? 0x80004005 :  <=  ? _t43 : _t43 & 0x0000ffff | 0x80070000;
                  						E003A37D3(0x80004005, "container.cpp", 0xec, _t55);
                  						_push(_a16);
                  						_push("Failed to duplicate handle to container: %ls");
                  						goto L3;
                  					}
                  				} else {
                  					_t47 = CreateFileW(_a16, 0x80000000, 1, 0, 3, 0x8000080, 0);
                  					 *_t51 = _t47;
                  					if(_t47 != 0xffffffff) {
                  						L7:
                  						if( *((intOrPtr*)(_a8 + 0xc)) == _t55) {
                  							_t33 = _t55;
                  						} else {
                  							_t65 = _t51[2];
                  							_t33 = _t51[3];
                  						}
                  						_push(_t55);
                  						_t34 = SetFilePointerEx( *_t51, _t65, _t33, _t55); // executed
                  						if(_t34 != 0) {
                  							if(_t51[6] == 1) {
                  								_t38 = E003C1484(_t51, _a16); // executed
                  								_t55 = _t38;
                  								if(_t55 < 0) {
                  									_push("Failed to open container.");
                  									goto L15;
                  								}
                  							}
                  						} else {
                  							_t40 = GetLastError();
                  							_t58 =  <=  ? _t40 : _t40 & 0x0000ffff | 0x80070000;
                  							_t55 =  >=  ? 0x80004005 :  <=  ? _t40 : _t40 & 0x0000ffff | 0x80070000;
                  							E003A37D3(0x80004005, "container.cpp", 0xf8, _t55);
                  							_push("Failed to move file pointer to container offset.");
                  							L15:
                  							_push(_t55);
                  							E003E012F();
                  						}
                  					} else {
                  						_t48 = GetLastError();
                  						_t64 =  <=  ? _t48 : _t48 & 0x0000ffff | 0x80070000;
                  						_t55 =  >=  ? 0x80004005 :  <=  ? _t48 : _t48 & 0x0000ffff | 0x80070000;
                  						E003A37D3(0x80004005, "container.cpp", 0xe6, _t55);
                  						_push(_a16);
                  						_push("Failed to open file: %ls");
                  						L3:
                  						_push(_t55);
                  						E003E012F();
                  					}
                  				}
                  				return _t55;
                  			}

















                  APIs
                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,003AC319,003A52FD,?,?,003A533D), ref: 003AC170
                  • GetLastError.KERNEL32(?,003AC319,003A52FD,?,?,003A533D,003A533D,00000000,?,00000000), ref: 003AC181
                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,003AC319,003A52FD,?,?,003A533D,003A533D,00000000,?), ref: 003AC1D0
                  • GetCurrentProcess.KERNEL32(000000FF,00000000,?,003AC319,003A52FD,?,?,003A533D,003A533D,00000000,?,00000000), ref: 003AC1D6
                  • DuplicateHandle.KERNELBASE(00000000,?,003AC319,003A52FD,?,?,003A533D,003A533D,00000000,?,00000000), ref: 003AC1D9
                  • GetLastError.KERNEL32(?,003AC319,003A52FD,?,?,003A533D,003A533D,00000000,?,00000000), ref: 003AC1E3
                  • SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,003AC319,003A52FD,?,?,003A533D,003A533D,00000000,?,00000000), ref: 003AC235
                  • GetLastError.KERNEL32(?,003AC319,003A52FD,?,?,003A533D,003A533D,00000000,?,00000000), ref: 003AC23F
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
                  • String ID: @Mxt$Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp$crypt32.dll$feclient.dll
                  • API String ID: 2619879409-1216134458
                  • Opcode ID: 653571b4baf25f41b48940ad4dbc49c3d7e6b8795c736d27440072da1cae35cc
                  • Instruction ID: b35d35533c58c09676a9a938270f36f15684f9464baee047771b02fa87ab3aa1
                  • Opcode Fuzzy Hash: 653571b4baf25f41b48940ad4dbc49c3d7e6b8795c736d27440072da1cae35cc
                  • Instruction Fuzzy Hash: 8541B532240351AFEB239F6A9C85F5777E9EB86750F114229F908EF291DB71D801DB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1125 3e2f23-3e2f47 GetModuleHandleA 1126 3e2f7c-3e2f8d GetProcAddress 1125->1126 1127 3e2f49-3e2f77 call 3a37d3 1125->1127 1128 3e2f8f-3e2fb3 GetProcAddress * 3 1126->1128 1129 3e2fd0 1126->1129 1145 3e309b-3e30a0 1127->1145 1132 3e2fcc-3e2fce 1128->1132 1133 3e2fb5-3e2fb7 1128->1133 1130 3e2fd2-3e2fef CoCreateInstance 1129->1130 1134 3e3085-3e3087 1130->1134 1135 3e2ff5-3e2ff7 1130->1135 1132->1130 1133->1132 1137 3e2fb9-3e2fbb 1133->1137 1139 3e309a 1134->1139 1140 3e3089-3e3090 1134->1140 1138 3e2ffc-3e300c 1135->1138 1137->1132 1142 3e2fbd-3e2fca 1137->1142 1143 3e300e-3e3012 1138->1143 1144 3e3016 1138->1144 1139->1145 1140->1139 1153 3e3092-3e3094 ExitProcess 1140->1153 1142->1130 1143->1138 1146 3e3014 1143->1146 1148 3e3018-3e3028 1144->1148 1149 3e30a8-3e30ad 1145->1149 1150 3e30a2-3e30a4 1145->1150 1152 3e3030 1146->1152 1154 3e303a-3e303e 1148->1154 1155 3e302a-3e302e 1148->1155 1156 3e30af-3e30b1 1149->1156 1157 3e30b5-3e30bc 1149->1157 1150->1149 1152->1154 1158 3e3069-3e307a 1154->1158 1159 3e3040-3e3053 call 3e30bf 1154->1159 1155->1148 1155->1152 1156->1157 1158->1134 1161 3e307c-3e3083 1158->1161 1159->1134 1164 3e3055-3e3067 1159->1164 1161->1134 1164->1134 1164->1158
                  C-Code - Quality: 62%
                  			E003E2F23(signed int _a4, intOrPtr* _a8, signed int _a12) {
                  				signed int _v8;
                  				signed int _v12;
                  				char _v16;
                  				_Unknown_base(*)()* _v20;
                  				signed int _t38;
                  				signed int _t46;
                  				signed int _t53;
                  				signed int _t58;
                  				signed short _t61;
                  				signed int _t64;
                  				signed int _t65;
                  				intOrPtr* _t66;
                  				intOrPtr* _t67;
                  				signed int _t68;
                  				signed int _t69;
                  				signed int _t71;
                  				signed int _t74;
                  				signed int _t79;
                  				struct HINSTANCE__* _t81;
                  				signed int _t82;
                  
                  				_t64 = 0;
                  				_v16 = 0;
                  				_v12 = 0;
                  				_v8 = 0;
                  				_t81 = GetModuleHandleA("kernel32.dll");
                  				if(_t81 != 0) {
                  					_t38 = GetProcAddress(_t81, "IsWow64Process");
                  					__eflags = _t38;
                  					if(_t38 == 0) {
                  						_t79 = 0;
                  						L9:
                  						__imp__CoCreateInstance(0x40b6c8, 0, 1, 0x3eb808,  &_v8); // executed
                  						_t82 = 0x40b6c8;
                  						__eflags = 0x40b6c8;
                  						if(0x40b6c8 < 0) {
                  							L23:
                  							__eflags = _t64;
                  							if(_t64 == 0) {
                  								L26:
                  								L27:
                  								_t66 = _v12;
                  								if(_t66 != 0) {
                  									 *((intOrPtr*)( *_t66 + 8))(_t66);
                  								}
                  								_t67 = _v8;
                  								if(_t67 != 0) {
                  									 *((intOrPtr*)( *_t67 + 8))(_t67);
                  								}
                  								return _t82;
                  							}
                  							_t46 =  *_t79(_v16);
                  							__eflags = _t46;
                  							if(_t46 != 0) {
                  								goto L26;
                  							}
                  							ExitProcess(1);
                  						}
                  						_t68 = 0;
                  						__eflags = 0;
                  						_t74 = 0x40b6c8;
                  						while(1) {
                  							__eflags =  *((intOrPtr*)(_t74 + _t68 * 4)) -  *((intOrPtr*)(0x3eb7f8 + _t68 * 4));
                  							_t74 = 0x40b6c8;
                  							if(__eflags != 0) {
                  								break;
                  							}
                  							_t68 = _t68 + 1;
                  							__eflags = _t68 - 4;
                  							if(_t68 != 4) {
                  								continue;
                  							}
                  							L17:
                  							 *0x40b6dc = 1;
                  							L18:
                  							__eflags = _a4;
                  							if(_a4 == 0) {
                  								L21:
                  								_v8 = _v8 & 0x00000000;
                  								 *_a8 = _v8;
                  								_t71 = _a12;
                  								__eflags = _t71;
                  								if(_t71 != 0) {
                  									_t29 =  &_v12;
                  									 *_t29 = _v12 & 0x00000000;
                  									__eflags =  *_t29;
                  									 *_t71 = _v12;
                  								}
                  								goto L23;
                  							}
                  							_t82 = E003E30BF( &_v12, _v8, _a4,  &_v12);
                  							__eflags = _t82;
                  							if(_t82 < 0) {
                  								goto L23;
                  							}
                  							_t53 = _v8;
                  							_t82 =  *((intOrPtr*)( *_t53 + 0x54))(_t53, _v12, 0);
                  							__eflags = _t82;
                  							if(_t82 < 0) {
                  								goto L23;
                  							}
                  							goto L21;
                  						}
                  						_t69 = 0;
                  						__eflags = 0;
                  						while(1) {
                  							__eflags =  *((intOrPtr*)(_t74 + _t69 * 4)) -  *((intOrPtr*)(0x3eb7e8 + _t69 * 4));
                  							_t74 = 0x40b6c8;
                  							if(__eflags != 0) {
                  								goto L18;
                  							}
                  							_t69 = _t69 + 1;
                  							__eflags = _t69 - 4;
                  							if(_t69 != 4) {
                  								continue;
                  							}
                  							goto L17;
                  						}
                  						goto L18;
                  					}
                  					_v20 = GetProcAddress(_t81, "Wow64DisableWow64FsRedirection");
                  					_t65 = GetProcAddress(_t81, "Wow64EnableWow64FsRedirection");
                  					_t79 = GetProcAddress(_t81, "Wow64RevertWow64FsRedirection");
                  					_t58 = _v20;
                  					__eflags = _t58;
                  					if(_t58 == 0) {
                  						L7:
                  						_t64 = 0;
                  						goto L9;
                  					}
                  					__eflags = _t65;
                  					if(_t65 == 0) {
                  						goto L7;
                  					}
                  					__eflags = _t79;
                  					if(_t79 == 0) {
                  						goto L7;
                  					}
                  					 *_t58( &_v16);
                  					_t64 =  *_t65(1) & 0x000000ff;
                  					goto L9;
                  				}
                  				_t61 = GetLastError();
                  				_t85 =  <=  ? _t61 : _t61 & 0x0000ffff | 0x80070000;
                  				_t82 =  >=  ? 0x80004005 :  <=  ? _t61 : _t61 & 0x0000ffff | 0x80070000;
                  				E003A37D3(0x80004005, "xmlutil.cpp", 0x85, _t82);
                  				goto L27;
                  			}
























                  APIs
                  • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,003E34DF,00000000,?,00000000), ref: 003E2F3D
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,003CBDED,?,003A52FD,?,00000000,?), ref: 003E2F49
                  • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 003E2F89
                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 003E2F95
                  • GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 003E2FA0
                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 003E2FAA
                  • CoCreateInstance.OLE32(0040B6C8,00000000,00000001,003EB808,?,?,?,?,?,?,?,?,?,?,?,003CBDED), ref: 003E2FE5
                  • ExitProcess.KERNEL32 ref: 003E3094
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
                  • String ID: @Mxt$IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
                  • API String ID: 2124981135-655291709
                  • Opcode ID: c985347f64f77b891532166597b9d25bf94f79cb00107589a580ce467c7e5bc9
                  • Instruction ID: 88bca8f9bf45a4fd2e012ec49b9e1d721bb000cb21eb44e9a2e451a816a2fe48
                  • Opcode Fuzzy Hash: c985347f64f77b891532166597b9d25bf94f79cb00107589a580ce467c7e5bc9
                  • Instruction Fuzzy Hash: 5841A731A00365ABDB23DFA58848B6FB7F8EF44710F124269E902EB2D0D775DE418B94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1166 3e29b3-3e29d3 call 3a37ea 1169 3e29d9-3e29e7 call 3e4932 1166->1169 1170 3e2af2-3e2af6 1166->1170 1174 3e29ec-3e2af1 GetProcAddress * 7 1169->1174 1172 3e2af8-3e2afb call 3e54ef 1170->1172 1173 3e2b00-3e2b06 1170->1173 1172->1173 1174->1170
                  C-Code - Quality: 100%
                  			E003E29B3(void* __ecx, void* __edx, void* __esi, void* __eflags) {
                  				signed int _v8;
                  				void* _t8;
                  				_Unknown_base(*)()* _t12;
                  				_Unknown_base(*)()* _t13;
                  				_Unknown_base(*)()* _t14;
                  				_Unknown_base(*)()* _t15;
                  				_Unknown_base(*)()* _t16;
                  				_Unknown_base(*)()* _t17;
                  				_Unknown_base(*)()* _t18;
                  				intOrPtr _t20;
                  				intOrPtr _t22;
                  				intOrPtr _t24;
                  				intOrPtr _t26;
                  				intOrPtr _t28;
                  				intOrPtr _t30;
                  				intOrPtr _t32;
                  				void* _t36;
                  
                  				_v8 = _v8 & 0x00000000;
                  				_t8 = E003A37EA(__edx, L"Msi.dll", 0x40b680,  &_v8); // executed
                  				_t36 = _t8;
                  				if(_t36 >= 0) {
                  					E003E4932(_v8, 0x40b684, 0x40b688); // executed
                  					_t12 = GetProcAddress( *0x40b680, "MsiDeterminePatchSequenceW");
                  					_t20 =  *0x40b68c; // 0x6f36be10
                  					_t21 =  ==  ? _t12 : _t20;
                  					 *0x40b6a8 = _t12;
                  					 *0x40b68c =  ==  ? _t12 : _t20;
                  					_t13 = GetProcAddress( *0x40b680, "MsiDetermineApplicablePatchesW");
                  					_t22 =  *0x40b690; // 0x6f36a130
                  					_t23 =  ==  ? _t13 : _t22;
                  					 *0x40b6ac = _t13;
                  					 *0x40b690 =  ==  ? _t13 : _t22;
                  					_t14 = GetProcAddress( *0x40b680, "MsiEnumProductsExW");
                  					_t24 =  *0x40b694; // 0x6f3703d0
                  					_t25 =  ==  ? _t14 : _t24;
                  					 *0x40b6b0 = _t14;
                  					 *0x40b694 =  ==  ? _t14 : _t24;
                  					_t15 = GetProcAddress( *0x40b680, "MsiGetPatchInfoExW");
                  					_t26 =  *0x40b698; // 0x6f373560
                  					_t27 =  ==  ? _t15 : _t26;
                  					 *0x40b6b4 = _t15;
                  					 *0x40b698 =  ==  ? _t15 : _t26;
                  					_t16 = GetProcAddress( *0x40b680, "MsiGetProductInfoExW");
                  					_t28 =  *0x40b69c; // 0x6f29ac90
                  					_t29 =  ==  ? _t16 : _t28;
                  					 *0x40b6b8 = _t16;
                  					 *0x40b69c =  ==  ? _t16 : _t28;
                  					_t17 = GetProcAddress( *0x40b680, "MsiSetExternalUIRecord");
                  					_t30 =  *0x40b6a0; // 0x6f3771b0
                  					_t31 =  ==  ? _t17 : _t30;
                  					 *0x40b6bc = _t17;
                  					 *0x40b6a0 =  ==  ? _t17 : _t30;
                  					_t18 = GetProcAddress( *0x40b680, "MsiSourceListAddSourceExW");
                  					_t32 =  *0x40b6a4; // 0x6f377ec0
                  					 *0x40b6c0 = _t18;
                  					_t33 =  ==  ? _t18 : _t32;
                  					 *0x40b6c4 = 1;
                  					 *0x40b6a4 =  ==  ? _t18 : _t32;
                  				}
                  				if(_v8 != 0) {
                  					E003E54EF(_v8);
                  				}
                  				return _t36;
                  			}





















                  APIs
                    • Part of subcall function 003A37EA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 003A3829
                    • Part of subcall function 003A37EA: GetLastError.KERNEL32 ref: 003A3833
                    • Part of subcall function 003E4932: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 003E495A
                  • GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 003E29FD
                  • GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 003E2A20
                  • GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 003E2A43
                  • GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 003E2A66
                  • GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 003E2A89
                  • GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 003E2AAC
                  • GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 003E2ACF
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: AddressProc$ErrorLast$DirectorySystem
                  • String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
                  • API String ID: 2510051996-1735120554
                  • Opcode ID: 2df0b3f87f3d6f9457c5a0f6c3872ef65ed6c9bbd591a3b53a0436173d6c16ca
                  • Instruction ID: e7f7104d5fb1790ae2cc0f16ef198d5b1b0d8904155148daf80bb2ca8058dc61
                  • Opcode Fuzzy Hash: 2df0b3f87f3d6f9457c5a0f6c3872ef65ed6c9bbd591a3b53a0436173d6c16ca
                  • Instruction Fuzzy Hash: 2631ED70641218AFDB19DF25EE52B293AA9F7447007514E3EE406B32A0DBB79810DF8E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1176 3c1484-3c14a4 call 3a21a5 1179 3c14a6-3c14ab 1176->1179 1180 3c14b0-3c14c2 CreateEventW 1176->1180 1181 3c159c-3c15a3 call 3e012f 1179->1181 1182 3c14fc-3c1508 CreateEventW 1180->1182 1183 3c14c4-3c14f7 call 3a37d3 1180->1183 1193 3c15a4-3c15aa 1181->1193 1185 3c153f-3c1554 CreateThread 1182->1185 1186 3c150a-3c153d call 3a37d3 1182->1186 1183->1181 1189 3c158b-3c1595 call 3c1224 1185->1189 1190 3c1556-3c1589 call 3a37d3 1185->1190 1186->1181 1189->1193 1200 3c1597 1189->1200 1190->1181 1200->1181
                  C-Code - Quality: 64%
                  			E003C1484(void* _a4, intOrPtr _a8) {
                  				void* _t11;
                  				void* _t12;
                  				void* _t13;
                  				void* _t29;
                  				void* _t30;
                  
                  				_t29 = _a4;
                  				 *(_t29 + 0x3c) =  *(_t29 + 0x3c) | 0xffffffff;
                  				_t30 = E003A21A5(_t29 + 0x1c, _a8, 0);
                  				if(_t30 >= 0) {
                  					_t11 = CreateEventW(0, 1, 0, 0);
                  					 *(_t29 + 0x24) = _t11;
                  					if(_t11 != 0) {
                  						_t12 = CreateEventW(0, 1, 0, 0);
                  						 *(_t29 + 0x28) = _t12;
                  						if(_t12 != 0) {
                  							_t13 = CreateThread(0, 0, E003C0E43, _t29, 0, 0); // executed
                  							 *(_t29 + 0x20) = _t13;
                  							if(_t13 != 0) {
                  								_t30 = E003C1224(_t29);
                  								if(_t30 < 0) {
                  									_push("Failed to wait for operation complete.");
                  									goto L10;
                  								}
                  							} else {
                  								_t34 =  <=  ? GetLastError() : _t17 & 0x0000ffff | 0x80070000;
                  								_t30 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t17 & 0x0000ffff | 0x80070000;
                  								E003A37D3(0x80004005, "cabextract.cpp", 0x93, _t30);
                  								_push("Failed to create extraction thread.");
                  								goto L10;
                  							}
                  						} else {
                  							_t37 =  <=  ? GetLastError() : _t20 & 0x0000ffff | 0x80070000;
                  							_t30 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t20 & 0x0000ffff | 0x80070000;
                  							E003A37D3(0x80004005, "cabextract.cpp", 0x8f, _t30);
                  							_push("Failed to create operation complete event.");
                  							goto L10;
                  						}
                  					} else {
                  						_t40 =  <=  ? GetLastError() : _t23 & 0x0000ffff | 0x80070000;
                  						_t30 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t23 & 0x0000ffff | 0x80070000;
                  						E003A37D3(0x80004005, "cabextract.cpp", 0x8c, _t30);
                  						_push("Failed to create begin operation event.");
                  						goto L10;
                  					}
                  				} else {
                  					_push("Failed to copy file name.");
                  					L10:
                  					_push(_t30);
                  					E003E012F();
                  				}
                  				return _t30;
                  			}

                  APIs
                  • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,003AC285,?,00000000,?,003AC319), ref: 003C14BB
                  • GetLastError.KERNEL32(?,003AC285,?,00000000,?,003AC319,003A52FD,?,?,003A533D,003A533D,00000000,?,00000000), ref: 003C14C4
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CreateErrorEventLast
                  • String ID: @Mxt$Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp$wininet.dll
                  • API String ID: 545576003-2854212677
                  • Opcode ID: 075edb03275f4c89d5e2ca4709f35428b0518804bd05551af7a973c44f8b64fc
                  • Instruction ID: b2a7b3eefa82d1eadc45b730024d2afae68223effeb66bb8949a979e78ae24d6
                  • Opcode Fuzzy Hash: 075edb03275f4c89d5e2ca4709f35428b0518804bd05551af7a973c44f8b64fc
                  • Instruction Fuzzy Hash: 3F2108B2A40B297AF72366B94C81FB765ECEF467D0F010226FD09EB581D650DC0046E1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1203 3c0627-3c0660 CompareStringA 1204 3c06dd-3c06fb CreateFileA 1203->1204 1205 3c0662-3c067f GetCurrentProcess * 2 DuplicateHandle 1203->1205 1206 3c073c-3c074d 1204->1206 1207 3c06fd-3c0739 call 3a37d3 call 3e012f 1204->1207 1208 3c06be-3c06d4 call 3c04be 1205->1208 1209 3c0681-3c06af call 3a37d3 1205->1209 1207->1206 1208->1206 1214 3c06d6-3c06db 1208->1214 1217 3c06b4-3c06bc call 3e012f 1209->1217 1214->1217 1217->1206
                  C-Code - Quality: 72%
                  			E003C0627(void* __ecx, CHAR* _a4) {
                  				void* _v8;
                  				long _t18;
                  				void* _t19;
                  				signed short _t22;
                  				void* _t27;
                  				int _t29;
                  				signed short _t33;
                  				signed int _t36;
                  				int _t37;
                  				signed int _t40;
                  				void** _t44;
                  				void* _t47;
                  
                  				_push(__ecx);
                  				_t40 =  *0x40aac0; // 0x0
                  				_push(_t36);
                  				_t37 = _t36 | 0xffffffff;
                  				_t47 = 0;
                  				_v8 = _t37;
                  				_t44 =  *( *((intOrPtr*)( *[fs:0x2c] + _t40 * 4)) + 4);
                  				_t18 = CompareStringA(0, 0, "<the>.cab", _t37, _a4, _t37); // executed
                  				if(_t18 != 2) {
                  					_t19 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x8000080, 0);
                  					_v8 = _t19;
                  					if(_t19 == _t37) {
                  						_t22 = GetLastError();
                  						_t51 =  <=  ? _t22 : _t22 & 0x0000ffff | 0x80070000;
                  						_t47 =  >=  ? 0x80004005 :  <=  ? _t22 : _t22 & 0x0000ffff | 0x80070000;
                  						E003A37D3(0x80004005, "cabextract.cpp", 0x2d5, _t47);
                  						E003E012F(_t47, "Failed to open cabinet file: %hs", _a4);
                  					}
                  					L8:
                  					_t44[0xc] = _t47;
                  					_t21 =  <  ? _t37 : _v8;
                  					return  <  ? _t37 : _v8;
                  				}
                  				_t27 = GetCurrentProcess();
                  				_t29 = DuplicateHandle(GetCurrentProcess(),  *_t44, _t27,  &_v8, 0, 0, _t18); // executed
                  				if(_t29 != 0) {
                  					_t47 = E003C04BE(_t40,  &(_t44[7]), _v8, _t44[2], _t44[3]);
                  					if(_t47 >= 0) {
                  						goto L8;
                  					}
                  					_push("Failed to add virtual file pointer for cab container.");
                  					L3:
                  					_push(_t47);
                  					E003E012F();
                  					goto L8;
                  				}
                  				_t33 = GetLastError();
                  				_t55 =  <=  ? _t33 : _t33 & 0x0000ffff | 0x80070000;
                  				_t47 =  >=  ? 0x80004005 :  <=  ? _t33 : _t33 & 0x0000ffff | 0x80070000;
                  				E003A37D3(0x80004005, "cabextract.cpp", 0x2ca, _t47);
                  				_push("Failed to duplicate handle to cab container.");
                  				goto L3;
                  			}

                  APIs
                  • CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 003C0657
                  • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 003C066F
                  • GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 003C0674
                  • DuplicateHandle.KERNELBASE(00000000,?,?), ref: 003C0677
                  • GetLastError.KERNEL32(?,?), ref: 003C0681
                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 003C06F0
                  • GetLastError.KERNEL32(?,?), ref: 003C06FD
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
                  • String ID: <the>.cab$@Mxt$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
                  • API String ID: 3030546534-960396625
                  • Opcode ID: 3e20f8b605fc020ee7675d7a6465e438b26022f8966c4afd05034ec8b9cb5a38
                  • Instruction ID: 89fa14a4fc74611ebe83dd577875d47df5b8044421608bbac784dcb6ab08518d
                  • Opcode Fuzzy Hash: 3e20f8b605fc020ee7675d7a6465e438b26022f8966c4afd05034ec8b9cb5a38
                  • Instruction Fuzzy Hash: 9231F772A41729FBEB235B658C44F9BBAACEF04760F010215FD08FB190C7209D108BE4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 77%
                  			E003E082D(WCHAR* _a4, void _a8, short _a12, void** _a16) {
                  				struct _SECURITY_ATTRIBUTES* _v8;
                  				struct _PROCESS_INFORMATION _v24;
                  				struct _STARTUPINFOW _v92;
                  				void* __edi;
                  				int _t39;
                  				void* _t47;
                  				void* _t50;
                  
                  				_v8 = 0;
                  				E003CF670(_t47,  &_v92, 0, 0x44);
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_t30 =  !=  ? _a8 : 0x3eb524;
                  				_push( !=  ? _a8 : 0x3eb524);
                  				_t50 = E003A1F20( &_v8, L"\"%ls\" %ls", _a4);
                  				if(_t50 >= 0) {
                  					_v92.cb = 0x44;
                  					_v92.wShowWindow = _a12;
                  					_t39 = CreateProcessW(_a4, _v8, 0, 0, 0, 0, 0, 0,  &_v92,  &_v24); // executed
                  					if(_t39 != 0) {
                  						_v24.hProcess = 0;
                  						 *_a16 = _v24.hProcess;
                  					} else {
                  						_t53 =  <=  ? GetLastError() : _t41 & 0x0000ffff | 0x80070000;
                  						_t50 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t41 & 0x0000ffff | 0x80070000;
                  						E003A37D3(0x80004005, "procutil.cpp", 0x9e, _t50);
                  					}
                  				}
                  				if(_v24.hThread != 0) {
                  					CloseHandle(_v24.hThread);
                  					_v24.hThread = 0;
                  				}
                  				if(_v24.hProcess != 0) {
                  					CloseHandle(_v24.hProcess);
                  					_v24 = 0;
                  				}
                  				if(_v8 != 0) {
                  					E003E54EF(_v8);
                  				}
                  				return _t50;
                  			}

                  APIs
                  • CreateProcessW.KERNELBASE ref: 003E089A
                  • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 003E08A4
                  • CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 003E08ED
                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 003E08FA
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CloseHandle$CreateErrorLastProcess
                  • String ID: "%ls" %ls$@Mxt$D$procutil.cpp
                  • API String ID: 161867955-4195933064
                  • Opcode ID: e7239a67d22c4515f64b779e2f9ad236cc439e9c6b5ec3aa8f4792e8c019916c
                  • Instruction ID: f90ea804f9720c5a2a7f546b8681d8f3894b277592641d11a335118efcf67b80
                  • Opcode Fuzzy Hash: e7239a67d22c4515f64b779e2f9ad236cc439e9c6b5ec3aa8f4792e8c019916c
                  • Instruction Fuzzy Hash: 37213C72D0026EEFDB12DFE5CD409AFB7B9EF04354F11022AEA05BA1A1D7705E509BA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 76%
                  			E003E076C(void* _a4, signed int* _a8) {
                  				void* _v8;
                  				void _v12;
                  				long _v16;
                  				int _t20;
                  				signed short _t27;
                  				long _t31;
                  
                  				_t31 = 0;
                  				_v8 = 0;
                  				_v12 = 0;
                  				_v16 = 0;
                  				if(OpenProcessToken(_a4, 8,  &_v8) != 0) {
                  					_t20 = GetTokenInformation(_v8, 0x14,  &_v12, 4,  &_v16); // executed
                  					if(_t20 == 0) {
                  						_t31 =  <=  ? GetLastError() : 0x80004005 & 0x0000ffff | 0x80070000;
                  						if(_t31 != 0x80070057) {
                  							if(_t31 < 0) {
                  								_push(_t31);
                  								_push(0x35);
                  								goto L8;
                  							}
                  						} else {
                  							_t31 = 0;
                  							 *_a8 = 0;
                  						}
                  					} else {
                  						 *_a8 = 0 | _v12 != 0x00000000;
                  					}
                  				} else {
                  					_t27 = GetLastError();
                  					_t36 =  <=  ? _t27 : _t27 & 0x0000ffff | 0x80070000;
                  					_t31 =  >=  ? 0x80004005 :  <=  ? _t27 : _t27 & 0x0000ffff | 0x80070000;
                  					_push(_t31);
                  					_push(0x21);
                  					L8:
                  					_push("procutil.cpp");
                  					E003A37D3(0x80004005);
                  				}
                  				if(_v8 != 0) {
                  					FindCloseChangeNotification(_v8); // executed
                  				}
                  				return _t31;
                  			}

                  APIs
                  • OpenProcessToken.ADVAPI32(?,00000008,?,003A52B5,00000000,?,?,?,?,?,?,?,003B74AB,00000000), ref: 003E078A
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,003B74AB,00000000), ref: 003E0794
                  • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,003B74AB,00000000), ref: 003E07C6
                  • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,003B74AB,00000000), ref: 003E081D
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Token$ChangeCloseErrorFindInformationLastNotificationOpenProcess
                  • String ID: @Mxt$procutil.cpp
                  • API String ID: 2387526074-3349326090
                  • Opcode ID: 393babcb00794f1645628b0794dc75798a83444b4e8239d05b2617b406cca5e4
                  • Instruction ID: 963cc8aeece9499d575f7e6b8ddf40a82998bef13e58b86ef4bf6f728123786f
                  • Opcode Fuzzy Hash: 393babcb00794f1645628b0794dc75798a83444b4e8239d05b2617b406cca5e4
                  • Instruction Fuzzy Hash: 3C219271D00268EBDB229B968C44A9FFBECEF54750F114266ED15EB190D3705E40DAD0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 59%
                  			E003C07E4(signed int __edx, void* _a4, union _LARGE_INTEGER _a8, intOrPtr _a12) {
                  				union _LARGE_INTEGER* _v8;
                  				intOrPtr _v12;
                  				void* _v16;
                  				intOrPtr _t32;
                  				signed short _t36;
                  				signed short _t41;
                  				signed short _t42;
                  				void* _t46;
                  				union _LARGE_INTEGER _t52;
                  				signed int _t55;
                  				signed int _t56;
                  				intOrPtr _t60;
                  				intOrPtr _t61;
                  				signed short _t64;
                  
                  				_t55 =  *0x40aac0; // 0x0
                  				_t61 = 0;
                  				_v16 = 0;
                  				_v12 = 0;
                  				_t60 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c] + _t55 * 4)) + 4));
                  				_t32 = _a12;
                  				if(_t32 == 0) {
                  					asm("cdq");
                  					_t56 = __edx;
                  					_t52 = _a8.LowPart +  *((intOrPtr*)(_t60 + 8));
                  					asm("adc ecx, [edi+0xc]");
                  					goto L7;
                  				} else {
                  					_t46 = _t32 - 1;
                  					if(_t46 == 0) {
                  						asm("cdq");
                  						_t52 = _a8.LowPart;
                  						_t56 = __edx;
                  						goto L7;
                  					} else {
                  						if(_t46 == 1) {
                  							_t56 =  *(_t60 + 0x14);
                  							asm("adc ecx, [edi+0xc]");
                  							asm("cdq");
                  							_t52 =  *((intOrPtr*)(_t60 + 0x10)) +  *((intOrPtr*)(_t60 + 8)) + _a8.LowPart;
                  							asm("adc ecx, edx");
                  							L7:
                  							_v8 = _t56;
                  							_t36 = E003C11CF(__eflags, _t60 + 0x1c, _a4, _t52, _t56,  &_v16, _a12);
                  							__eflags = _t36;
                  							if(_t36 == 0) {
                  								L10:
                  								_t25 =  &_v16;
                  								 *_t25 = _v16 -  *((intOrPtr*)(_t60 + 8));
                  								__eflags =  *_t25;
                  							} else {
                  								_push(_a12);
                  								_t41 = SetFilePointerEx(_a4, _t52, _v8,  &_v16); // executed
                  								__eflags = _t41;
                  								if(_t41 != 0) {
                  									goto L10;
                  								} else {
                  									_t42 = GetLastError();
                  									__eflags = _t42;
                  									_t64 =  <=  ? _t42 : _t42 & 0x0000ffff | 0x80070000;
                  									__eflags = _t64;
                  									_t61 =  >=  ? 0x80004005 : _t64;
                  									E003A37D3(0x80004005, "cabextract.cpp", 0x345, _t61);
                  									E003E012F(_t61, "Failed to move file pointer 0x%x bytes.", _a8);
                  								}
                  							}
                  						} else {
                  							_t61 = 0x80070057;
                  							_push("Invalid seek type.");
                  							E003E012F();
                  							_t56 = 0x80070057;
                  						}
                  					}
                  				}
                  				 *((intOrPtr*)(_t60 + 0x30)) = _t61;
                  				_t39 =  <  ? _t56 | 0xffffffff : _v16;
                  				return  <  ? _t56 | 0xffffffff : _v16;
                  			}

                  APIs
                  • SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 003C088A
                  • GetLastError.KERNEL32(?,?,?), ref: 003C0894
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorFileLastPointer
                  • String ID: @Mxt$Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
                  • API String ID: 2976181284-2852913336
                  • Opcode ID: 36115c08623ec717f612f9c85cea82a5029db531dd738527d897e80b4a82c2db
                  • Instruction ID: 6f0a0bdd4c0e128f8842955c91db641133460502886278e0c0a4493c315b6a98
                  • Opcode Fuzzy Hash: 36115c08623ec717f612f9c85cea82a5029db531dd738527d897e80b4a82c2db
                  • Instruction Fuzzy Hash: 19318771A0075AFFDB1ADF69CC85EAAB7A9FF04710B018219F919E7650D730AD108BD0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 58%
                  			E003E4932(intOrPtr _a4, intOrPtr* _a8, intOrPtr* _a12) {
                  				void* _v8;
                  				char _v12;
                  				char _v16;
                  				long _t15;
                  				char* _t18;
                  				long _t25;
                  				intOrPtr _t28;
                  				void* _t31;
                  				int _t32;
                  
                  				_t15 =  &_v8;
                  				_push(_t15);
                  				_push(_a4);
                  				_t32 = 0;
                  				_v8 = 0;
                  				_v12 = 0;
                  				_v16 = 0;
                  				L003E94F0(); // executed
                  				_t25 = _t15;
                  				if(_t25 != 0) {
                  					L4:
                  					_t16 = GlobalAlloc(0, _t25);
                  					_t31 = _t16;
                  					if(_t31 != 0) {
                  						_push(_t31);
                  						_push(_t25);
                  						_push(_v8);
                  						_push(_a4);
                  						L003E9500(); // executed
                  						if(_t16 != 0) {
                  							L10:
                  							_push( &_v16);
                  							_t18 =  &_v12;
                  							_push(_t18);
                  							_push("\\");
                  							_push(_t31);
                  							L003E9510();
                  							if(_t18 != 0) {
                  								L13:
                  								_t28 = _v12;
                  								 *_a8 =  *((intOrPtr*)(_t28 + 8));
                  								 *_a12 =  *((intOrPtr*)(_t28 + 0xc));
                  							} else {
                  								_t32 =  <=  ? GetLastError() : _t22 & 0x0000ffff | 0x80070000;
                  								if(_t32 >= 0) {
                  									goto L13;
                  								} else {
                  									_push(_t32);
                  									_push(0x122);
                  									goto L9;
                  								}
                  							}
                  						} else {
                  							_t32 =  <=  ? GetLastError() : _t22 & 0x0000ffff | 0x80070000;
                  							if(_t32 >= 0) {
                  								goto L10;
                  							} else {
                  								_push(_t32);
                  								_push(0x11d);
                  								L9:
                  								_push("fileutil.cpp");
                  								E003A37D3(_t22);
                  							}
                  						}
                  						GlobalFree(_t31);
                  					} else {
                  						_t32 = 0x8007000e;
                  						_push(0x8007000e);
                  						_push(0x119);
                  						goto L3;
                  					}
                  				} else {
                  					_t32 =  <=  ? GetLastError() : _t16 & 0x0000ffff | 0x80070000;
                  					if(_t32 >= 0) {
                  						goto L4;
                  					} else {
                  						_push(_t32);
                  						_push(0x115);
                  						L3:
                  						_push("fileutil.cpp");
                  						E003A37D3(_t16);
                  					}
                  				}
                  				return _t32;
                  			}

                  APIs
                  • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 003E495A
                  • GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 003E4989
                  • GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 003E49B3
                  • GetLastError.KERNEL32(00000000,003EB790,?,?,?,00000000,00000000,00000000), ref: 003E49F4
                  • GlobalFree.KERNEL32 ref: 003E4A28
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorLast$Global$AllocFree
                  • String ID: @Mxt$fileutil.cpp
                  • API String ID: 1145190524-830300176
                  • Opcode ID: e5b1d821d26b594bd48ee6ec8aab5905586c79abe0cb76cd2829a1072ff66073
                  • Instruction ID: f73c8e25dc1f454fc9464d21bdee46d3daebc6aff6481f07201c2174e0e39b1b
                  • Opcode Fuzzy Hash: e5b1d821d26b594bd48ee6ec8aab5905586c79abe0cb76cd2829a1072ff66073
                  • Instruction Fuzzy Hash: EA218875940375ABD7139B668C45AABFAACDF48360F114326FD05FB291D7308D1096A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CoInitialize.OLE32(00000000), ref: 003E344A
                  • InterlockedIncrement.KERNEL32(0040B6D8), ref: 003E3467
                  • CLSIDFromProgID.OLE32(Msxml2.DOMDocument,0040B6C8,?,?,?,?,?,?), ref: 003E3482
                  • CLSIDFromProgID.OLE32(MSXML.DOMDocument,0040B6C8,?,?,?,?,?,?), ref: 003E348E
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: FromProg$IncrementInitializeInterlocked
                  • String ID: MSXML.DOMDocument$Msxml2.DOMDocument
                  • API String ID: 2109125048-2356320334
                  • Opcode ID: 316ce689a4c58e42b6525977f9d8b84c4fcadc759fbce9d141373496b7d66a25
                  • Instruction ID: a0ade3b54eec883d3a5ed36b73a8ca62cee70238ef7e5bf238ed9ee9dc71168c
                  • Opcode Fuzzy Hash: 316ce689a4c58e42b6525977f9d8b84c4fcadc759fbce9d141373496b7d66a25
                  • Instruction Fuzzy Hash: C3F0A7207442FA66C7234B97AC4DB1B6E64DB80B54F120A35E801E72D4D37489418EB9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 54%
                  			E003E31C7(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                  				signed int _v8;
                  				signed int _v12;
                  				intOrPtr _v20;
                  				char _v28;
                  				intOrPtr* _t23;
                  				void* _t24;
                  				signed int _t33;
                  				void* _t35;
                  				intOrPtr* _t38;
                  				intOrPtr* _t39;
                  				void* _t43;
                  				void* _t44;
                  
                  				_v8 = _v8 & 0x00000000;
                  				_v12 = _v12 & 0x00000000;
                  				_t43 = 0;
                  				__imp__#8( &_v28);
                  				_t23 = _a4;
                  				_t24 =  *((intOrPtr*)( *_t23 + 0x44))(_t23,  &_v8);
                  				_t44 = _t24;
                  				if(_t44 < 0) {
                  					L9:
                  					_t38 = _v8;
                  					if(_t38 != 0) {
                  						 *((intOrPtr*)( *_t38 + 8))(_t38);
                  					}
                  					_t39 = _v12;
                  					if(_t39 != 0) {
                  						 *((intOrPtr*)( *_t39 + 8))(_t39);
                  					}
                  					__imp__#9( &_v28);
                  					if(_t43 != 0) {
                  						__imp__#6(_t43);
                  					}
                  					return _t44;
                  				}
                  				__imp__#2(_a8);
                  				_t43 = _t24;
                  				if(_t43 != 0) {
                  					_t44 = E003E336E( &_v12, _v8, _t43,  &_v12);
                  					if(_t44 != 1) {
                  						if(_t44 < 0) {
                  							goto L9;
                  						}
                  						_t33 = _v12;
                  						_t44 =  *((intOrPtr*)( *_t33 + 0x20))(_t33,  &_v28);
                  						if(_t44 == 1) {
                  							goto L4;
                  						}
                  						if(_t44 >= 0) {
                  							_t35 = E003A21A5(_a12, _v20, 0); // executed
                  							_t44 = _t35;
                  						}
                  						goto L9;
                  					}
                  					L4:
                  					_t44 = 0x80070490;
                  					goto L9;
                  				}
                  				_t44 = 0x8007000e;
                  				E003A37D3(_t24, "xmlutil.cpp", 0x2a6, 0x8007000e);
                  				goto L9;
                  			}

                  APIs
                  • VariantInit.OLEAUT32(?), ref: 003E31DD
                  • SysAllocString.OLEAUT32(?), ref: 003E31F9
                  • VariantClear.OLEAUT32(?), ref: 003E3280
                  • SysFreeString.OLEAUT32(00000000), ref: 003E328B
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: StringVariant$AllocClearFreeInit
                  • String ID: xmlutil.cpp
                  • API String ID: 760788290-1270936966
                  • Opcode ID: de5fbcbd8554d85337b3f7dddc8e09edd26678e207a1194a3986ab7166698949
                  • Instruction ID: e8013eec252286e2bde50c7a784d4767486683c44995aeb36c18a649e26a76df
                  • Opcode Fuzzy Hash: de5fbcbd8554d85337b3f7dddc8e09edd26678e207a1194a3986ab7166698949
                  • Instruction Fuzzy Hash: 6621AB35901269EFCB12DB99C84DEAFBBB8EF44710F154698FA45AB250C731DE00CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 63%
                  			E003C074E(void* __ecx, void* __eflags, void* _a4, void* _a8, long _a12) {
                  				long _v8;
                  				int _t19;
                  				signed short _t22;
                  				signed int _t27;
                  				intOrPtr _t31;
                  				struct _OVERLAPPED* _t34;
                  
                  				_t27 =  *0x40aac0; // 0x0
                  				_t34 = 0;
                  				_v8 = 0;
                  				_t31 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c] + _t27 * 4)) + 4));
                  				E003C114F(__eflags, _t31 + 0x1c, _a4, _a12); // executed
                  				_t19 = ReadFile(_a4, _a8, _a12,  &_v8, 0); // executed
                  				if(_t19 == 0) {
                  					_t22 = GetLastError();
                  					_t38 =  <=  ? _t22 : _t22 & 0x0000ffff | 0x80070000;
                  					_t34 =  >=  ? 0x80004005 :  <=  ? _t22 : _t22 & 0x0000ffff | 0x80070000;
                  					E003A37D3(0x80004005, "cabextract.cpp", 0x2ec, _t34);
                  					_push("Failed to read during cabinet extraction.");
                  					E003E012F();
                  					_t27 = _t34;
                  				}
                  				 *((intOrPtr*)(_t31 + 0x30)) = _t34;
                  				_t21 =  <  ? _t27 | 0xffffffff : _v8;
                  				return  <  ? _t27 | 0xffffffff : _v8;
                  			}

                  APIs
                    • Part of subcall function 003C114F: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,003C077D,?,?,?), ref: 003C1177
                    • Part of subcall function 003C114F: GetLastError.KERNEL32(?,003C077D,?,?,?), ref: 003C1181
                  • ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 003C078B
                  • GetLastError.KERNEL32 ref: 003C0795
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorFileLast$PointerRead
                  • String ID: @Mxt$Failed to read during cabinet extraction.$cabextract.cpp
                  • API String ID: 2170121939-1356867586
                  • Opcode ID: 223eb54e7bf0841f4f3ff2888c4067563c479427e557e74a13256e318d29ab95
                  • Instruction ID: 34ec2cadbd7f0b2ac3787f0c5e992ee684b4e9ea490249abe6e55df7936c6780
                  • Opcode Fuzzy Hash: 223eb54e7bf0841f4f3ff2888c4067563c479427e557e74a13256e318d29ab95
                  • Instruction Fuzzy Hash: A601A572600664ABDB229FA9DC04E9B7BA9FF05760F010219FD08E7690D731AE109BD4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 31%
                  			E003C114F(void* __eflags, intOrPtr _a4, void* _a8, intOrPtr _a12) {
                  				int _t11;
                  				void* _t19;
                  				long _t20;
                  
                  				_t20 = 0x80070490;
                  				_t19 = E003C1127(_a4, _a8);
                  				if(_t19 != 0) {
                  					_t20 = 0;
                  					_push(0);
                  					_t11 = SetFilePointerEx(_a8,  *(_t19 + 8),  *(_t19 + 0xc), 0); // executed
                  					if(_t11 != 0) {
                  						 *(_t19 + 8) =  *(_t19 + 8) + _a12;
                  						asm("adc [edi+0xc], esi");
                  					} else {
                  						_t23 =  <=  ? GetLastError() : _t12 & 0x0000ffff | 0x80070000;
                  						_t20 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t12 & 0x0000ffff | 0x80070000;
                  						E003A37D3(0x80004005, "cabextract.cpp", 0x37e, _t20);
                  						_push("Failed to move to virtual file pointer.");
                  						_push(_t20);
                  						E003E012F();
                  					}
                  				}
                  				return _t20;
                  			}

                  APIs
                  • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,003C077D,?,?,?), ref: 003C1177
                  • GetLastError.KERNEL32(?,003C077D,?,?,?), ref: 003C1181
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorFileLastPointer
                  • String ID: @Mxt$Failed to move to virtual file pointer.$cabextract.cpp
                  • API String ID: 2976181284-2389127686
                  • Opcode ID: 94fc398234569f6a2247e426e456409f4e7bf56ed9d027c8609f1b6093a85186
                  • Instruction ID: 81a588fac9c432dad6512c0023cfe8016a1c5a7b0d0b59a9bd9eeb26e93c9bf9
                  • Opcode Fuzzy Hash: 94fc398234569f6a2247e426e456409f4e7bf56ed9d027c8609f1b6093a85186
                  • Instruction Fuzzy Hash: 4C012636600675BBDB231AA69C04E97FF99EF027B0B018229FE0CDA551DB359C10D7D0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E003A37EA(void* __edx, intOrPtr _a4, struct HINSTANCE__** _a8, intOrPtr _a12) {
                  				signed int _v8;
                  				short _v528;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t15;
                  				signed int _t20;
                  				void* _t22;
                  				struct HINSTANCE__* _t26;
                  				signed short _t27;
                  				void* _t31;
                  				struct HINSTANCE__** _t32;
                  				void* _t33;
                  				void* _t36;
                  				intOrPtr _t37;
                  				signed int _t42;
                  
                  				_t36 = __edx;
                  				_t15 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t15 ^ _t42;
                  				_t32 = _a8;
                  				_t37 = _a12;
                  				E003CF670(_t37,  &_v528, 0, 0x208);
                  				_t38 = 0x104;
                  				_t20 = GetSystemDirectoryW( &_v528, 0x104);
                  				if(_t20 != 0) {
                  					_t33 = 0x5c;
                  					if(_t33 ==  *((intOrPtr*)(_t42 + _t20 * 2 - 0x20e))) {
                  						L6:
                  						_t22 = E003A36B4(_t33,  &_v528, _t38, _a4);
                  						_t39 = _t22;
                  						if(_t22 < 0) {
                  							L10:
                  							return E003CDE36(_t32, _v8 ^ _t42, _t36, _t37, _t39);
                  						}
                  						_t26 = LoadLibraryW( &_v528); // executed
                  						 *_t32 = _t26;
                  						if(_t26 == 0) {
                  							goto L1;
                  						}
                  						if(_t37 != 0) {
                  							_t39 = E003A21A5(_t37,  &_v528, 0x104);
                  						}
                  						goto L10;
                  					}
                  					_t31 = E003A3665(_t33,  &_v528, 0x104, "\\", 1);
                  					_t39 = _t31;
                  					if(_t31 < 0) {
                  						goto L10;
                  					} else {
                  						_t38 = 0x104;
                  						goto L6;
                  					}
                  				}
                  				L1:
                  				_t27 = GetLastError();
                  				_t39 =  <=  ? _t27 : _t27 & 0x0000ffff | 0x80070000;
                  				if(( <=  ? _t27 : _t27 & 0x0000ffff | 0x80070000) >= 0) {
                  					_t39 = 0x80004005;
                  				}
                  				goto L10;
                  			}

                  APIs
                  • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 003A3829
                  • GetLastError.KERNEL32 ref: 003A3833
                  • LoadLibraryW.KERNELBASE(?,?,00000104,?), ref: 003A389B
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: DirectoryErrorLastLibraryLoadSystem
                  • String ID: @Mxt
                  • API String ID: 1230559179-1922883433
                  • Opcode ID: 4fa0b54070219ab310f8f312098772521a282b04446e75b17c4d35b6096d1e3e
                  • Instruction ID: fd91c96872f92c6ece929e13be7c4913f2b529678964d6e3b8d5b2a118172769
                  • Opcode Fuzzy Hash: 4fa0b54070219ab310f8f312098772521a282b04446e75b17c4d35b6096d1e3e
                  • Instruction Fuzzy Hash: 2F2198B2D0132967DB229F649C45F9BB76CDF05720F114176BD14EB241E634DE4887A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E003A3999(void* _a4) {
                  				char _t3;
                  				long _t6;
                  
                  				_t6 = 0;
                  				_t3 = RtlFreeHeap(GetProcessHeap(), 0, _a4); // executed
                  				if(_t3 == 0) {
                  					_t6 =  <=  ? GetLastError() : _t5 & 0x0000ffff | 0x80070000;
                  				}
                  				return _t6;
                  			}

                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,003A3B34,00000000,?,003A1472,00000000,80004005,00000000,80004005,00000000,000001C7,?,003A13B7), ref: 003A39A3
                  • RtlFreeHeap.NTDLL(00000000,?,003A3B34,00000000,?,003A1472,00000000,80004005,00000000,80004005,00000000,000001C7,?,003A13B7,000001C7,00000100), ref: 003A39AA
                  • GetLastError.KERNEL32(?,003A3B34,00000000,?,003A1472,00000000,80004005,00000000,80004005,00000000,000001C7,?,003A13B7,000001C7,00000100,?), ref: 003A39B4
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Heap$ErrorFreeLastProcess
                  • String ID: @Mxt
                  • API String ID: 406640338-1922883433
                  • Opcode ID: 7bdfe129c17eb6521d3c37b6553bcca5007f0a468bacacbd0d87cb84af13722a
                  • Instruction ID: 0b4a3642dd65043249985cc5fedd2102c169e9a65f880685201e6cd4a3d7533b
                  • Opcode Fuzzy Hash: 7bdfe129c17eb6521d3c37b6553bcca5007f0a468bacacbd0d87cb84af13722a
                  • Instruction Fuzzy Hash: E6D012326002746BC7236BFA5C0C697FE9CEF067B1B014121FD05D6150D725881086E5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 66%
                  			E003A4B80(void* __ecx, intOrPtr _a4, short _a8) {
                  				char _v8;
                  				void* _v12;
                  				void* _v16;
                  				void* _t21;
                  				void* _t27;
                  				void* _t38;
                  
                  				_v8 = 0;
                  				_v12 = 0;
                  				_v16 = 0;
                  				_t21 = E003AF7F7(__ecx, _a4,  &_v8); // executed
                  				_t38 = _t21;
                  				if(_t38 >= 0) {
                  					_t38 = E003A33D7( &_v12, 0);
                  					if(_t38 >= 0) {
                  						_t26 =  >  ? _v8 : 0x3eb524;
                  						_t27 = E003E082D(_v12,  >  ? _v8 : 0x3eb524, _a8,  &_v16); // executed
                  						_t38 = _t27;
                  						if(_t38 < 0) {
                  							E003E012F(_t38, "Failed to re-launch bundle process after RunOnce: %ls", _v12);
                  						}
                  						L7:
                  						if(_v16 != 0) {
                  							CloseHandle(_v16);
                  							_v16 = 0;
                  						}
                  						if(_v8 != 0) {
                  							E003E54EF(_v8);
                  						}
                  						if(_v12 != 0) {
                  							E003E54EF(_v12);
                  						}
                  						return _t38;
                  					}
                  					_push("Failed to get current process path.");
                  					L2:
                  					_push(_t38);
                  					E003E012F();
                  					goto L7;
                  				}
                  				_push("Unable to get resume command line from the registry");
                  				goto L2;
                  			}










                  APIs
                    • Part of subcall function 003AF7F7: RegCloseKey.KERNELBASE(00000000,?,?,00000001,00000000,00000000,?,?,003A4B9F,?,?,00000001), ref: 003AF847
                  • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000001,00000000,?,?,?), ref: 003A4C06
                    • Part of subcall function 003E082D: CreateProcessW.KERNELBASE ref: 003E089A
                    • Part of subcall function 003E082D: GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 003E08A4
                    • Part of subcall function 003E082D: CloseHandle.KERNEL32(?,?,?,?,?,00000000,00000000,00000000), ref: 003E08ED
                    • Part of subcall function 003E082D: CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 003E08FA
                  Strings
                  • Failed to get current process path., xrefs: 003A4BC4
                  • Failed to re-launch bundle process after RunOnce: %ls, xrefs: 003A4BF0
                  • Unable to get resume command line from the registry, xrefs: 003A4BA5
                  Similarity
                  • API ID: Close$Handle$CreateErrorLastProcess
                  • String ID: Failed to get current process path.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry
                  • API String ID: 1572399834-642631345
                  • Opcode ID: dd8c2d8e00565c3ccd124519a77d7ff78ec13bd4d6650f8035ec110ce39fb7a4
                  • Instruction ID: 89fce564478d80c1e5efd73420a9d9ac26147a3fad931a985becd93ccc38a930
                  • Opcode Fuzzy Hash: dd8c2d8e00565c3ccd124519a77d7ff78ec13bd4d6650f8035ec110ce39fb7a4
                  • Instruction Fuzzy Hash: 3A115775D01568FBCF13AB95DD018EEFBB8EF85710B1042A6F904BA150D7B18E41DB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 89%
                  			E003E0F6E(void* _a4, short* _a8, char** _a12) {
                  				signed int _v8;
                  				int _v12;
                  				int _v16;
                  				void* _v20;
                  				signed int _t37;
                  				signed short _t41;
                  				void* _t44;
                  				long _t56;
                  				signed short _t60;
                  				char** _t64;
                  				void* _t65;
                  				void* _t66;
                  
                  				_t64 = _a12;
                  				_v8 = 0;
                  				_v16 = 0;
                  				_v12 = 0;
                  				_v20 = 0;
                  				if(_t64 == 0 ||  *_t64 == 0) {
                  					L4:
                  					_v8 = 2;
                  					_t65 = E003A1EDE(_t64, 2);
                  					if(_t65 < 0) {
                  						goto L20;
                  					} else {
                  						_t37 = _v8;
                  						goto L6;
                  					}
                  				} else {
                  					_t65 = E003A275D( *_t64,  &_v8);
                  					if(_t65 < 0) {
                  						L20:
                  						if(_v20 != 0) {
                  							E003E54EF(_v20);
                  						}
                  						return _t65;
                  					}
                  					_t37 = _v8;
                  					if(_t37 >= 2) {
                  						L6:
                  						_v16 = _t37 * 2 - 2;
                  						_t41 = RegQueryValueExW(_a4, _a8, 0,  &_v12,  *_t64,  &_v16); // executed
                  						_t60 = _t41;
                  						if(_t60 != 0xea) {
                  							L9:
                  							_t44 =  <=  ? _t60 : _t60 & 0x0000ffff | 0x80070000;
                  							if(_t44 != 0x80070002) {
                  								if(_t60 == 0) {
                  									if(_v12 == 1 || _v12 == 2) {
                  										( *_t64)[_v8 * 2 - 2] = 0;
                  										if(_v12 == 2) {
                  											_t65 = E003A21A5( &_v20,  *_t64, 0);
                  											if(_t65 >= 0) {
                  												_t65 = E003A3083(_t64, _v20, 1);
                  											}
                  										}
                  									} else {
                  										_t65 = 0x8007070c;
                  										_push(0x8007070c);
                  										_push(0x1ef);
                  										L13:
                  										_push("regutil.cpp");
                  										E003A37D3(_t44);
                  									}
                  									goto L20;
                  								}
                  								_t66 = _t44;
                  								_t44 = 0x80004005;
                  								_t65 =  >=  ? 0x80004005 : _t66;
                  								_push(_t65);
                  								_push(0x1dc);
                  								goto L13;
                  							}
                  							_t65 = 0x80070002;
                  							goto L20;
                  						}
                  						_v8 = (_v16 >> 1) + 1;
                  						_t65 = E003A1EDE(_t64, (_v16 >> 1) + 1);
                  						if(_t65 < 0) {
                  							goto L20;
                  						}
                  						_t56 = RegQueryValueExW(_a4, _a8, 0,  &_v12,  *_t64,  &_v16); // executed
                  						_t60 = _t56;
                  						goto L9;
                  					}
                  					goto L4;
                  				}
                  			}
















                  APIs
                  • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 003E0FE4
                  • RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 003E101F
                  Strings
                  Similarity
                  • API ID: QueryValue
                  • String ID: regutil.cpp
                  • API String ID: 3660427363-955085611
                  • Opcode ID: fc8ea87d7ce1d3e0902f9fc111b4525877dfe0a37d0308da8345467f250fa062
                  • Instruction ID: 85ca410a0f058627b72b4b0fb40463718dd75b0251d8cdc04f41365155bad27f
                  • Opcode Fuzzy Hash: fc8ea87d7ce1d3e0902f9fc111b4525877dfe0a37d0308da8345467f250fa062
                  • Instruction Fuzzy Hash: 0741B231D001AAEFDF229E9AC8809AEBBB9EF45710F114269F915E7290D7318E51CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E003A501B(signed short* _a4) {
                  				signed int _t8;
                  				int _t9;
                  				int _t12;
                  				signed int _t13;
                  				short* _t15;
                  				signed int _t16;
                  				signed short* _t17;
                  				int _t19;
                  
                  				_t8 =  *0x40aa50; // 0x1
                  				_t15 = L"burn.clean.room";
                  				_t19 = 1;
                  				if((_t8 & 0x00000001) != 0) {
                  					_t9 =  *0x40aa4c; // 0xf
                  				} else {
                  					 *0x40aa50 = _t8 | 1;
                  					_t9 = lstrlenW(_t15);
                  					 *0x40aa4c = _t9;
                  				}
                  				_t17 = _a4;
                  				if(_t17 == 0) {
                  					L8:
                  					_t19 = 0;
                  				} else {
                  					_t16 =  *_t17 & 0x0000ffff;
                  					if(_t16 == 0x2d || _t16 == 0x2f) {
                  						_t12 = CompareStringW(0x7f, _t19,  &(_t17[1]), _t9, _t15, _t9); // executed
                  						if(_t12 != 2) {
                  							goto L8;
                  						} else {
                  							_t13 =  *0x40aa4c; // 0xf
                  							if( *((short*)(_t17 + 2 + _t13 * 2)) != 0x3d) {
                  								goto L8;
                  							}
                  						}
                  					} else {
                  						goto L8;
                  					}
                  				}
                  				return _t19;
                  			}












                  APIs
                  • lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,003A1104,?,?,00000000), ref: 003A503A
                  • CompareStringW.KERNELBASE(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,003A1104,?,?,00000000), ref: 003A506A
                  Strings
                  Similarity
                  • API ID: CompareStringlstrlen
                  • String ID: burn.clean.room
                  • API String ID: 1433953587-3055529264
                  • Opcode ID: 765a8a4e4b6cf5582cfa5d7efef79644ce341062acc9d590bc2c55cbabb8f1a6
                  • Instruction ID: f2e6fc82827f006b9b1d91f49286c1e0eb6bc1e0dbc25f0fc0de514bcd4d5b45
                  • Opcode Fuzzy Hash: 765a8a4e4b6cf5582cfa5d7efef79644ce341062acc9d590bc2c55cbabb8f1a6
                  • Instruction Fuzzy Hash: 3201F472600725AEC332CB59AD84D73FB6CFB2A7607114226F949D3A50C3709C50CBE5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E003AF7F7(void* __ecx, intOrPtr _a4, char** _a8) {
                  				signed int _v8;
                  				void* _t13;
                  				void* _t16;
                  				void* _t19;
                  
                  				_v8 = _v8 & 0x00000000;
                  				_t13 = E003E0E3F( *((intOrPtr*)(_a4 + 0x4c)),  *((intOrPtr*)(_a4 + 0x50)), 1,  &_v8); // executed
                  				_t19 = _t13;
                  				if(_t19 >= 0) {
                  					_t16 = E003E0F6E(_v8, L"BundleResumeCommandLine", _a8); // executed
                  					_t19 = _t16;
                  				}
                  				if(_t19 == 0x80070002 || _t19 == 0x80070003) {
                  					_t19 = 0;
                  				}
                  				if(_v8 != 0) {
                  					RegCloseKey(_v8); // executed
                  				}
                  				return _t19;
                  			}








                  APIs
                    • Part of subcall function 003E0E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,003E5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 003E0E52
                  • RegCloseKey.KERNELBASE(00000000,?,?,00000001,00000000,00000000,?,?,003A4B9F,?,?,00000001), ref: 003AF847
                    • Part of subcall function 003E0F6E: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 003E0FE4
                    • Part of subcall function 003E0F6E: RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 003E101F
                  Strings
                  • BundleResumeCommandLine, xrefs: 003AF81D
                  Similarity
                  • API ID: QueryValue$CloseOpen
                  • String ID: BundleResumeCommandLine
                  • API String ID: 1586453840-2494792091
                  • Opcode ID: 6a3abcc20710dd701fd411d69f49dbdfe2396c6d943167a101e0e3976984a490
                  • Instruction ID: 02889201fa94f3c9a6b6d118cf92f704d4340aadde2f62c144f703698b710c0e
                  • Opcode Fuzzy Hash: 6a3abcc20710dd701fd411d69f49dbdfe2396c6d943167a101e0e3976984a490
                  • Instruction Fuzzy Hash: 57F06232811128EBCB27AAD4C805BDEBB69EB05720F114274F900AB161C7795E50D7C0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E003E0E3F(void* _a4, short* _a8, int _a12, void** _a16) {
                  				signed short _t5;
                  				void* _t8;
                  				signed short _t12;
                  				int _t14;
                  
                  				_t14 = 0;
                  				_t5 = RegOpenKeyExW(_a4, _a8, 0, _a12, _a16); // executed
                  				_t12 = _t5;
                  				_t8 =  <=  ? _t12 : _t12 & 0x0000ffff | 0x80070000;
                  				if(_t8 != 0x80070002) {
                  					if(_t12 != 0) {
                  						_t14 =  >=  ? 0x80004005 : _t8;
                  						E003A37D3(0x80004005, "regutil.cpp", 0xa7, _t14);
                  					}
                  				} else {
                  					_t14 = 0x80070002;
                  				}
                  				return _t14;
                  			}








                  APIs
                  • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,003E5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 003E0E52
                  Strings
                  Similarity
                  • API ID: Open
                  • String ID: regutil.cpp
                  • API String ID: 71445658-955085611
                  • Opcode ID: 9bf3c862182329c5a723d75f9f7d9a8d4f59d71ad21f842b345c57a367fd1b83
                  • Instruction ID: 6c5c4635e4a6aa0bb23d4e48847fb5af7344a3cfeb2f03b232cacd288ca42483
                  • Opcode Fuzzy Hash: 9bf3c862182329c5a723d75f9f7d9a8d4f59d71ad21f842b345c57a367fd1b83
                  • Instruction Fuzzy Hash: F8F027727022756BDF2949564C00BA73DC5DF447A0F118634BD89DA290D372CC1092D4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 37%
                  			E003DF37A() {
                  				void* _t3;
                  				void* _t5;
                  				void* _t7;
                  
                  				_push(_t3);
                  				_push(_t5);
                  				E003E9814(_t3, _t5, _t7, 0x408024, 0x40a948); // executed
                  				goto __eax;
                  			}







                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 003DF35B
                    • Part of subcall function 003E9814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003E9891
                    • Part of subcall function 003E9814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003E98A2
                  Strings
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID: pxds
                  • API String ID: 1269201914-3624192077
                  • Opcode ID: 21c686976eff02421d9d64def450cbb8d31ba9267bcaa3f5a0b67c8fa3bcbf3a
                  • Instruction ID: 976319751b6659bf56cc3d5cb8560bf7f2d054e1834e6f61805ab1ba6f7f21b8
                  • Opcode Fuzzy Hash: 21c686976eff02421d9d64def450cbb8d31ba9267bcaa3f5a0b67c8fa3bcbf3a
                  • Instruction Fuzzy Hash: 6CB012E63586016CB34A53162D02E36024CC1C1F20336CA3FF041D53C0E8A40C84013A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 37%
                  			E003DF36A() {
                  				void* _t3;
                  				void* _t5;
                  				void* _t7;
                  
                  				_push(_t3);
                  				_push(_t5);
                  				E003E9814(_t3, _t5, _t7, 0x408024, 0x40a944); // executed
                  				goto __eax;
                  			}







                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 003DF35B
                    • Part of subcall function 003E9814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003E9891
                    • Part of subcall function 003E9814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003E98A2
                  Strings
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID: pxds
                  • API String ID: 1269201914-3624192077
                  • Opcode ID: b4f259dc7e2dcc8135975b0c6872afa6c03f10ba76041b054a34f63a91c44d06
                  • Instruction ID: c1717609bf6616f2f7f3d35b8da53a86ac2435d6832202468389c248cc290b1d
                  • Opcode Fuzzy Hash: b4f259dc7e2dcc8135975b0c6872afa6c03f10ba76041b054a34f63a91c44d06
                  • Instruction Fuzzy Hash: F6B012E63585016DB34A53162E03F36024CC1C1F20336C93FF041D53C0E8980C45013A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 37%
                  			E003DF349() {
                  				void* _t3;
                  				void* _t5;
                  				void* _t7;
                  
                  				_push(_t3);
                  				_push(_t5);
                  				E003E9814(_t3, _t5, _t7, 0x408024, 0x40a94c); // executed
                  				goto __eax;
                  			}







                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 003DF35B
                    • Part of subcall function 003E9814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003E9891
                    • Part of subcall function 003E9814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003E98A2
                  Strings
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID: pxds
                  • API String ID: 1269201914-3624192077
                  • Opcode ID: 56b1a0da9553a6d3ff80d6363c81d84027037f152549fb4c55ce2a6e0e4491c1
                  • Instruction ID: c34c70e785b163cfa4ac891af26d80a4dc1627b35af388bd6494e51b9f6dd49c
                  • Opcode Fuzzy Hash: 56b1a0da9553a6d3ff80d6363c81d84027037f152549fb4c55ce2a6e0e4491c1
                  • Instruction Fuzzy Hash: 6AB012E73595017CB30A13127D02D36030CC1C1F24336C93FF541E42C0E8980D44003A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E003D85A5(void* __ecx) {
                  				void* _t6;
                  				void* _t14;
                  				void* _t18;
                  				WCHAR* _t19;
                  
                  				_t14 = __ecx;
                  				_t19 = GetEnvironmentStringsW();
                  				if(_t19 != 0) {
                  					_t12 = (E003D856E(_t19) - _t19 >> 1) + (E003D856E(_t19) - _t19 >> 1);
                  					_t6 = E003D5154(_t14, (E003D856E(_t19) - _t19 >> 1) + (E003D856E(_t19) - _t19 >> 1)); // executed
                  					_t18 = _t6;
                  					if(_t18 != 0) {
                  						E003CF0F0(_t18, _t19, _t12);
                  					}
                  					E003D511A(0);
                  					FreeEnvironmentStringsW(_t19);
                  				} else {
                  					_t18 = 0;
                  				}
                  				return _t18;
                  			}








                  APIs
                  • GetEnvironmentStringsW.KERNEL32 ref: 003D85A9
                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 003D85E9
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: EnvironmentStrings$Free
                  • String ID:
                  • API String ID: 3328510275-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 58%
                  			E003A3A72(void* _a4, long _a8, signed int _a12) {
                  				void* _t8;
                  
                  				asm("sbb eax, eax");
                  				_t8 = RtlReAllocateHeap(GetProcessHeap(),  ~_a12 & 0x00000008, _a4, _a8); // executed
                  				return _t8;
                  			}





                  APIs
                  • GetProcessHeap.KERNEL32(?,000001C7,?,?,003A227D,?,000001C7,00000001,80004005,8007139F,?,?,003E015F,8007139F,?,00000000), ref: 003A3A86
                  • RtlReAllocateHeap.NTDLL(00000000,?,003A227D,?,000001C7,00000001,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A3A8D
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Heap$AllocateProcess
                  • String ID:
                  • API String ID: 1357844191-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 72%
                  			E003E3499(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                  				signed int _v8;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v28;
                  				short _v30;
                  				void _v32;
                  				void* _v36;
                  				intOrPtr _v40;
                  				char _v44;
                  				intOrPtr* _v48;
                  				void* _v56;
                  				short _v64;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t31;
                  				void* _t39;
                  				void* _t46;
                  				void* _t48;
                  				short _t49;
                  				void* _t55;
                  				intOrPtr* _t59;
                  				signed int _t60;
                  				void* _t65;
                  				signed int _t74;
                  				void* _t75;
                  				void* _t76;
                  
                  				_t31 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t31 ^ _t74;
                  				_v40 = _a4;
                  				_v48 = _a12;
                  				_t60 = 6;
                  				memset( &_v32, 0, _t60 << 2);
                  				_t76 = _t75 + 0xc;
                  				_v36 = 0;
                  				_v44 = 0;
                  				__imp__#8( &_v64);
                  				_t39 = E003E2F23(0,  &_v36, 0); // executed
                  				_t59 = _v36;
                  				_t69 = 1;
                  				_t71 =  ==  ? 0x80004005 : _t39;
                  				if(( ==  ? 0x80004005 : _t39) >= 0) {
                  					_t46 =  *((intOrPtr*)( *_t59 + 0x110))(_t59, 0);
                  					_t71 = _t46;
                  					if(_t46 >= 0) {
                  						_t48 =  *((intOrPtr*)( *_t59 + 0x118))(_t59, 0);
                  						_t71 = _t48;
                  						if(_t48 >= 0) {
                  							_t49 = 0x12;
                  							_v30 = _t49;
                  							_v20 = _v40;
                  							_v32 = 1;
                  							_v28 = 1;
                  							_v16 = _a8;
                  							_t69 = _t76 - 0x10;
                  							_v64 = 0x2011;
                  							_v56 =  &_v32;
                  							asm("movsd");
                  							asm("movsd");
                  							asm("movsd");
                  							asm("movsd"); // executed
                  							_t55 =  *((intOrPtr*)( *_t59 + 0xe8))(_t59,  &_v44);
                  							_t71 =  ==  ? 0x8007006e : _t55;
                  							if(( ==  ? 0x8007006e : _t55) >= 0) {
                  								 *_v48 = _t59;
                  								_t59 = 0;
                  							}
                  						}
                  					}
                  				}
                  				if(_t59 != 0) {
                  					 *((intOrPtr*)( *_t59 + 8))(_t59);
                  				}
                  				return E003CDE36(_t59, _v8 ^ _t74, _t65, _t69, _t71);
                  			}
































                  APIs
                  • VariantInit.OLEAUT32(?), ref: 003E34CE
                    • Part of subcall function 003E2F23: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,003E34DF,00000000,?,00000000), ref: 003E2F3D
                    • Part of subcall function 003E2F23: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,003CBDED,?,003A52FD,?,00000000,?), ref: 003E2F49
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorHandleInitLastModuleVariant
                  • String ID:
                  • API String ID: 52713655-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E003E5728(void* __ecx, intOrPtr _a4, short* _a8, intOrPtr _a12, char** _a16) {
                  				void* _v8;
                  				void* _t13;
                  				char** _t24;
                  				void* _t27;
                  
                  				_push(__ecx);
                  				_v8 = 0;
                  				_t13 = E003E5664(__ecx, _a4,  &_v8); // executed
                  				_t24 = _a16;
                  				_t27 = _t13;
                  				if(_t27 == 0x80070002 || _t27 == 0x80070003) {
                  					L5:
                  					_t27 = 1;
                  					goto L6;
                  				} else {
                  					if(_t27 < 0) {
                  						L6:
                  						if(_v8 != 0) {
                  							RegCloseKey(_v8);
                  							_v8 = 0;
                  						}
                  						if(_t27 == 1 || _t27 < 0) {
                  							if(_a12 != 0) {
                  								_t27 = E003A21A5(_t24, _a12, 0);
                  							} else {
                  								if( *_t24 != 0) {
                  									E003E54EF( *_t24);
                  									 *_t24 = 0;
                  								}
                  							}
                  						}
                  						return _t27;
                  					}
                  					_t27 = E003E0F6E(_v8, _a8, _t24);
                  					if(_t27 == 0x80070002 || _t27 == 0x80070003) {
                  						goto L5;
                  					} else {
                  						goto L6;
                  					}
                  				}
                  			}








                  APIs
                  • RegCloseKey.ADVAPI32(80070490,00000000,80070490,0040AAA0,00000000,80070490,00000000,?,003B890E,WiX\Burn,PackageCache,00000000,0040AAA0,00000000,00000000,80070490), ref: 003E5782
                    • Part of subcall function 003E0F6E: RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 003E0FE4
                    • Part of subcall function 003E0F6E: RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 003E101F
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: QueryValue$Close
                  • String ID:
                  • API String ID: 1979452859-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 94%
                  			E003D5154(void* __ecx, long _a4) {
                  				void* _t4;
                  				void* _t6;
                  				void* _t7;
                  				void* _t8;
                  				long _t9;
                  
                  				_t7 = __ecx;
                  				_t9 = _a4;
                  				if(_t9 > 0xffffffe0) {
                  					L7:
                  					 *((intOrPtr*)(E003D3E36())) = 0xc;
                  					__eflags = 0;
                  					return 0;
                  				}
                  				if(_t9 == 0) {
                  					_t9 = _t9 + 1;
                  				}
                  				while(1) {
                  					_t4 = RtlAllocateHeap( *0x40b5b8, 0, _t9); // executed
                  					if(_t4 != 0) {
                  						break;
                  					}
                  					__eflags = E003D4A8E();
                  					if(__eflags == 0) {
                  						goto L7;
                  					}
                  					_t6 = E003D4ADD(_t7, _t8, __eflags, _t9);
                  					_pop(_t7);
                  					__eflags = _t6;
                  					if(_t6 == 0) {
                  						goto L7;
                  					}
                  				}
                  				return _t4;
                  			}









                  APIs
                  • RtlAllocateHeap.NTDLL(00000000,?,?,?,003D1E90,?,0000015D,?,?,?,?,003D32E9,000000FF,00000000,?,?), ref: 003D5186
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,003B89CA,0000001C,80070490,00000000,00000000,80070490), ref: 003A34E5
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: FolderPath
                  • String ID:
                  • API String ID: 1514166925-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E003E2DD0() {
                  				struct HINSTANCE__* _t1;
                  
                  				_t1 =  *0x40b680; // 0x0
                  				if(_t1 != 0) {
                  					_t1 = FreeLibrary(_t1); // executed
                  					 *0x40b680 = 0;
                  					 *0x40b6bc = 0;
                  					 *0x40b6b8 = 0;
                  					 *0x40b6b4 = 0;
                  					 *0x40b6b0 = 0;
                  					 *0x40b6ac = 0;
                  					 *0x40b6a8 = 0;
                  					 *0x40b6c0 = 0;
                  				}
                  				 *0x40b6c4 = 0;
                  				return _t1;
                  			}





                  APIs
                  • FreeLibrary.KERNELBASE(00000000,00000000,003A547B,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003E2DDD
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: FreeLibrary
                  • String ID:
                  • API String ID: 3664257935-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 37%
                  			E003E94F6() {
                  				void* _t3;
                  				void* _t5;
                  				void* _t7;
                  
                  				_push(_t3);
                  				_push(_t5);
                  				E003E9814(_t3, _t5, _t7, 0x4080c4, 0x40a95c); // executed
                  				goto __eax;
                  			}







                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 003E94E7
                    • Part of subcall function 003E9814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003E9891
                    • Part of subcall function 003E9814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003E98A2
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 37%
                  			E003E94D5() {
                  				void* _t3;
                  				void* _t5;
                  				void* _t7;
                  
                  				_push(_t3);
                  				_push(_t5);
                  				E003E9814(_t3, _t5, _t7, 0x4080c4, 0x40a960); // executed
                  				goto __eax;
                  			}







                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 003E94E7
                    • Part of subcall function 003E9814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003E9891
                    • Part of subcall function 003E9814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003E98A2
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 37%
                  			E003E9506() {
                  				void* _t3;
                  				void* _t5;
                  				void* _t7;
                  
                  				_push(_t3);
                  				_push(_t5);
                  				E003E9814(_t3, _t5, _t7, 0x4080c4, 0x40a964); // executed
                  				goto __eax;
                  			}







                  APIs
                  • ___delayLoadHelper2@8.DELAYIMP ref: 003E94E7
                    • Part of subcall function 003E9814: DloadReleaseSectionWriteAccess.DELAYIMP ref: 003E9891
                    • Part of subcall function 003E9814: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 003E98A2
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                  • String ID:
                  • API String ID: 1269201914-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E003A14B2(unsigned int _a4, WCHAR* _a8, unsigned int _a12, intOrPtr _a16) {
                  				unsigned int _t9;
                  				signed int _t10;
                  				signed int _t13;
                  				signed int _t14;
                  				unsigned int _t15;
                  				void* _t16;
                  				unsigned int _t18;
                  				unsigned int _t20;
                  				unsigned int _t21;
                  
                  				_t9 = _a4;
                  				_t20 = 0;
                  				_t14 = _t13 | 0xffffffff;
                  				if( *_t9 == 0) {
                  					L4:
                  					_t18 = _a12;
                  					if(_t18 == 0) {
                  						_t9 = lstrlenW(_a8);
                  						_t18 = _t9;
                  					}
                  					_t4 = _t18 + 1; // 0x1
                  					_t16 = _t4;
                  					_t15 =  >=  ? _t16 : _t14;
                  					asm("sbb eax, eax");
                  					_t10 = _t9 & 0x80070216;
                  					if(_t16 < _t18) {
                  						L10:
                  						return _t10;
                  					} else {
                  						if(_t20 >= _t15) {
                  							L9:
                  							_t10 = E003A1A6E(_t16,  *_a4, _t20, _a8, _t18, 0, 0, 0x200);
                  							goto L10;
                  						}
                  						_t20 = _t15;
                  						_t10 = E003A143C(_a4, _t15, _a16); // executed
                  						if(_t10 < 0) {
                  							goto L10;
                  						}
                  						goto L9;
                  					}
                  				}
                  				_t9 = E003A3B51( *_t9);
                  				_t21 = _t9;
                  				if(_t21 != _t14) {
                  					_t20 = _t21 >> 1;
                  					goto L4;
                  				}
                  				return 0x80070057;
                  			}













                  APIs
                  • lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,003A21B8,?,00000000,?,00000000,?,003A38BD,00000000,?,00000104), ref: 003A14E4
                    • Part of subcall function 003A3B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,003A21DC,000001C7,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A3B59
                    • Part of subcall function 003A3B51: HeapSize.KERNEL32(00000000,?,003A21DC,000001C7,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A3B60
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Heap$ProcessSizelstrlen
                  • String ID:
                  • API String ID: 3492610842-0
                  • Opcode ID: 72f0ef4d5ce6f92c36f7e4b9657c2b8a05d4b6bf223396f292fd1d41b51acd75
                  • Instruction ID: 2bc01193688ff39cc43fd0bfa1afdb78df7c3747be871cc289a3501ac8e6e067
                  • Opcode Fuzzy Hash: 72f0ef4d5ce6f92c36f7e4b9657c2b8a05d4b6bf223396f292fd1d41b51acd75
                  • Instruction Fuzzy Hash: 1F012D37600218AFCF235E55CC44F9AB7AADF47760F124325F9255B160D731DC109690
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  C-Code - Quality: 82%
                  			E003CC0FA(void* __ebx, void* __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr* _a56, intOrPtr* _a60, intOrPtr* _a64, intOrPtr* _a68, intOrPtr* _a72, intOrPtr _a76) {
                  				void* _v8;
                  				intOrPtr _t83;
                  				intOrPtr* _t85;
                  				intOrPtr _t88;
                  				intOrPtr* _t90;
                  				intOrPtr* _t94;
                  				intOrPtr* _t99;
                  				intOrPtr* _t100;
                  				intOrPtr _t105;
                  				intOrPtr _t106;
                  				intOrPtr* _t108;
                  				intOrPtr* _t111;
                  				intOrPtr* _t113;
                  				intOrPtr _t134;
                  				intOrPtr _t138;
                  				intOrPtr _t146;
                  				void* _t159;
                  				intOrPtr _t162;
                  				intOrPtr* _t164;
                  				intOrPtr* _t172;
                  				intOrPtr _t173;
                  				void* _t175;
                  				intOrPtr _t176;
                  				intOrPtr _t185;
                  				void* _t186;
                  				intOrPtr _t187;
                  				intOrPtr* _t189;
                  				intOrPtr* _t195;
                  				intOrPtr* _t197;
                  				intOrPtr _t199;
                  				void* _t200;
                  
                  				_t186 = __edi;
                  				_t159 = __ebx;
                  				_v8 = 0;
                  				if(E003B7EF7(_a24) != 0) {
                  					E003A1F20( &_v8, L" -%ls", _t82);
                  					_t200 = _t200 + 0xc;
                  				}
                  				_push(_t159);
                  				_push(_t186);
                  				_t83 = E003A38D4(8, 1);
                  				_t187 = _a12;
                  				 *((intOrPtr*)(_t187 + 0x7c)) = _t83;
                  				if(_t83 != 0) {
                  					 *((intOrPtr*)(_t187 + 0x80)) = 1;
                  					 *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x7c)))) = E003A38D4(0x58, 1);
                  					_t85 =  *((intOrPtr*)(_t187 + 0x7c));
                  					__eflags = _t85;
                  					if(_t85 != 0) {
                  						_t162 = _a44;
                  						 *((intOrPtr*)( *_t85 + 4)) = 3;
                  						_t88 =  *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x7c))));
                  						 *((intOrPtr*)(_t88 + 0x10)) = _t162;
                  						 *((intOrPtr*)(_t88 + 0x14)) = _a48;
                  						_t90 = E003A21A5( *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x7c)))), _a20, 0);
                  						__eflags = _t90;
                  						if(_t90 >= 0) {
                  							_t94 = E003A21A5( *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x7c)))) + 0x18, _a32, 0);
                  							__eflags = _t94;
                  							if(_t94 >= 0) {
                  								_t99 = E003A21A5( *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x7c)))) + 0x38, _a36, 0);
                  								__eflags = _t99;
                  								if(_t99 >= 0) {
                  									_t100 = _a40;
                  									_t172 = 0;
                  									__eflags = _t100;
                  									if(_t100 == 0) {
                  										L18:
                  										__eflags = _a72;
                  										if(_a72 == 0) {
                  											L22:
                  											_t173 = _a28;
                  											__eflags = _t173 - 4;
                  											if(_t173 == 4) {
                  												L25:
                  												_t185 = 1;
                  												_t195 = 0;
                  												__eflags = 0;
                  											} else {
                  												__eflags = _t173 - 3;
                  												if(_t173 == 3) {
                  													goto L25;
                  												} else {
                  													_t195 = 0;
                  													_t185 = 0;
                  												}
                  											}
                  											 *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x7c)) + 4)) = _t185;
                  											 *((intOrPtr*)(_t187 + 0x40)) = _t173;
                  											 *((intOrPtr*)(_t187 + 0xa8)) = 1;
                  											 *((intOrPtr*)(_t187 + 0x8c)) = 1;
                  											 *((intOrPtr*)(_t187 + 0x14)) = _a16;
                  											__eflags = _t173 - 4;
                  											if(_t173 == 4) {
                  												L29:
                  												_t105 = 2;
                  											} else {
                  												__eflags = _t173 - 3;
                  												if(_t173 == 3) {
                  													goto L29;
                  												} else {
                  													_t105 = _t195;
                  												}
                  											}
                  											 *((intOrPtr*)(_t187 + 0x28)) = _t162;
                  											 *((intOrPtr*)(_t187 + 0x30)) = _t162;
                  											 *((intOrPtr*)(_t187 + 0x44)) = _t105;
                  											_t106 = _a48;
                  											 *((intOrPtr*)(_t187 + 0x2c)) = _t106;
                  											 *((intOrPtr*)(_t187 + 0x34)) = _t106;
                  											 *((intOrPtr*)(_t187 + 0x1c)) = _a52;
                  											_t108 = E003A21A5(_t187, _a20, 0);
                  											__eflags = _t108;
                  											if(_t108 >= 0) {
                  												_t52 = _t187 + 0x24; // 0x2e4
                  												_t197 = E003A21A5(_t52, _a20, 0);
                  												__eflags = _t197;
                  												if(_t197 >= 0) {
                  													__eflags = _a56;
                  													if(_a56 == 0) {
                  														L37:
                  														_t111 = _v8;
                  														__eflags = _t111;
                  														if(_t111 == 0) {
                  															L40:
                  															__eflags = _a60;
                  															if(_a60 == 0) {
                  																L47:
                  																__eflags = _a64;
                  																if(_a64 == 0) {
                  																	L54:
                  																	_t175 = _a4 + 0xf7530000;
                  																	asm("adc eax, 0xfffcfff9");
                  																	__eflags = _a8 - 4;
                  																	if(__eflags > 0) {
                  																		L58:
                  																		_t113 = 0;
                  																		__eflags = 0;
                  																	} else {
                  																		if(__eflags < 0) {
                  																			L57:
                  																			_t113 = 1;
                  																		} else {
                  																			__eflags = _t175 - 0x9c10000;
                  																			if(_t175 > 0x9c10000) {
                  																				goto L58;
                  																			} else {
                  																				goto L57;
                  																			}
                  																		}
                  																	}
                  																	_t164 = _a68;
                  																	 *((intOrPtr*)(_t187 + 0xb0)) = _t113;
                  																	__eflags = _t164;
                  																	if(_t164 != 0) {
                  																		_t176 = E003A38D4(0x10, 1);
                  																		 *((intOrPtr*)(_t187 + 0x84)) = _t176;
                  																		__eflags = _t176;
                  																		if(_t176 != 0) {
                  																			 *((intOrPtr*)(_t187 + 0x88)) = 1;
                  																			 *((intOrPtr*)(_t176 + 0xc)) =  *((intOrPtr*)(_t164 + 0xc));
                  																			_t197 = E003A21A5( *((intOrPtr*)(_t187 + 0x84)),  *_t164, 0);
                  																			__eflags = _t197;
                  																			if(_t197 < 0) {
                  																				goto L31;
                  																			} else {
                  																				_t197 = E003A21A5( *((intOrPtr*)(_t187 + 0x84)) + 4,  *((intOrPtr*)(_t164 + 4)), 0);
                  																				__eflags = _t197;
                  																				if(_t197 >= 0) {
                  																					_t197 = E003A21A5( *((intOrPtr*)(_t187 + 0x84)) + 8,  *((intOrPtr*)(_t164 + 8)), 0);
                  																					__eflags = _t197;
                  																					if(_t197 < 0) {
                  																						_push("Failed to copy display name for pseudo bundle.");
                  																						goto L67;
                  																					}
                  																				} else {
                  																					_push("Failed to copy version for pseudo bundle.");
                  																					goto L67;
                  																				}
                  																			}
                  																		} else {
                  																			_t189 = 0x8007000e;
                  																			_t197 = 0x8007000e;
                  																			E003A37D3(_t117, "pseudobundle.cpp", 0x86, 0x8007000e);
                  																			_push("Failed to allocate memory for dependency providers.");
                  																			goto L4;
                  																		}
                  																	}
                  																} else {
                  																	_t64 = _t187 + 0x9c; // 0x35c
                  																	_t166 = _t64;
                  																	_t197 = E003A21A5(_t64, _a64, 0);
                  																	__eflags = _t197;
                  																	if(_t197 >= 0) {
                  																		_t134 = _v8;
                  																		__eflags = _t134;
                  																		if(_t134 == 0) {
                  																			L53:
                  																			 *((intOrPtr*)(_t187 + 0x18)) = 1;
                  																			goto L54;
                  																		} else {
                  																			_t197 = E003A1EF2(_t166, _t134, 0);
                  																			__eflags = _t197;
                  																			if(_t197 >= 0) {
                  																				goto L53;
                  																			} else {
                  																				_push("Failed to append relation type to uninstall arguments for related bundle package");
                  																				goto L67;
                  																			}
                  																		}
                  																	} else {
                  																		_push("Failed to copy uninstall arguments for related bundle package");
                  																		goto L67;
                  																	}
                  																}
                  															} else {
                  																_t59 = _t187 + 0x98; // 0x358
                  																_t167 = _t59;
                  																_t197 = E003A21A5(_t59, _a60, 0);
                  																__eflags = _t197;
                  																if(_t197 >= 0) {
                  																	_t138 = _v8;
                  																	__eflags = _t138;
                  																	if(_t138 == 0) {
                  																		L46:
                  																		 *((intOrPtr*)(_t187 + 0xac)) = 1;
                  																		goto L47;
                  																	} else {
                  																		_t197 = E003A1EF2(_t167, _t138, 0);
                  																		__eflags = _t197;
                  																		if(_t197 >= 0) {
                  																			goto L46;
                  																		} else {
                  																			_push("Failed to append relation type to repair arguments for related bundle package");
                  																			goto L67;
                  																		}
                  																	}
                  																} else {
                  																	_push("Failed to copy repair arguments for related bundle package");
                  																	goto L67;
                  																}
                  															}
                  														} else {
                  															_t57 = _t187 + 0x94; // 0x354
                  															_t197 = E003A1EF2(_t57, _t111, 0);
                  															__eflags = _t197;
                  															if(_t197 >= 0) {
                  																goto L40;
                  															} else {
                  																_push("Failed to append relation type to install arguments for related bundle package");
                  																goto L67;
                  															}
                  														}
                  													} else {
                  														_t55 = _t187 + 0x94; // 0x354
                  														_t197 = E003A21A5(_t55, _a56, 0);
                  														__eflags = _t197;
                  														if(_t197 >= 0) {
                  															goto L37;
                  														} else {
                  															_push("Failed to copy install arguments for related bundle package");
                  															goto L67;
                  														}
                  													}
                  												} else {
                  													_push("Failed to copy cache id for pseudo bundle.");
                  													goto L67;
                  												}
                  											} else {
                  												L31:
                  												_push("Failed to copy key for pseudo bundle.");
                  												goto L67;
                  											}
                  										} else {
                  											_t199 = _a76;
                  											 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x7c)))) + 0x30)) = E003A38D4(_t199, _t172);
                  											_t146 =  *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x7c))));
                  											__eflags =  *((intOrPtr*)(_t146 + 0x30));
                  											if( *((intOrPtr*)(_t146 + 0x30)) != 0) {
                  												 *((intOrPtr*)(_t146 + 0x34)) = _t199;
                  												E003C1664( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x7c)))) + 0x30)),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x7c)))) + 0x34)), _a72, _t199);
                  												goto L22;
                  											} else {
                  												_t189 = 0x8007000e;
                  												_t197 = 0x8007000e;
                  												E003A37D3(_t146, "pseudobundle.cpp", 0x3f, 0x8007000e);
                  												_push("Failed to allocate memory for pseudo bundle payload hash.");
                  												goto L4;
                  											}
                  										}
                  									} else {
                  										__eflags =  *_t100;
                  										if( *_t100 == 0) {
                  											goto L18;
                  										} else {
                  											_t197 = E003A21A5( *((intOrPtr*)( *((intOrPtr*)(_t187 + 0x7c)))) + 0x40, _t100, 0);
                  											__eflags = _t197;
                  											if(_t197 >= 0) {
                  												_t172 = 0;
                  												__eflags = 0;
                  												goto L18;
                  											} else {
                  												_push("Failed to copy download source for pseudo bundle.");
                  												goto L67;
                  											}
                  										}
                  									}
                  								} else {
                  									_push("Failed to copy local source path for pseudo bundle.");
                  									goto L67;
                  								}
                  							} else {
                  								_push("Failed to copy filename for pseudo bundle.");
                  								goto L67;
                  							}
                  						} else {
                  							_push("Failed to copy key for pseudo bundle payload.");
                  							L67:
                  							_push(_t197);
                  							goto L68;
                  						}
                  					} else {
                  						_t189 = 0x8007000e;
                  						_t197 = 0x8007000e;
                  						E003A37D3(_t85, "pseudobundle.cpp", 0x29, 0x8007000e);
                  						_push("Failed to allocate space for burn payload inside of related bundle struct");
                  						goto L4;
                  					}
                  				} else {
                  					_t189 = 0x8007000e;
                  					_t197 = 0x8007000e;
                  					E003A37D3(_t83, "pseudobundle.cpp", 0x25, 0x8007000e);
                  					_push("Failed to allocate space for burn package payload inside of related bundle struct");
                  					L4:
                  					_push(_t189);
                  					L68:
                  					E003E012F();
                  				}
                  				_t114 = _v8;
                  				if(_v8 != 0) {
                  					E003E54EF(_t114);
                  				}
                  				return _t197;
                  			}



































                  Strings
                  • Failed to copy cache id for pseudo bundle., xrefs: 003CC327
                  • Failed to copy repair arguments for related bundle package, xrefs: 003CC398
                  • Failed to allocate space for burn payload inside of related bundle struct, xrefs: 003CC186
                  • Failed to append relation type to repair arguments for related bundle package, xrefs: 003CC3B9
                  • Failed to copy key for pseudo bundle., xrefs: 003CC30A
                  • Failed to copy display name for pseudo bundle., xrefs: 003CC4F2
                  • Failed to copy local source path for pseudo bundle., xrefs: 003CC203
                  • Failed to copy filename for pseudo bundle., xrefs: 003CC1DF
                  • Failed to allocate memory for dependency providers., xrefs: 003CC481
                  • Failed to allocate memory for pseudo bundle payload hash., xrefs: 003CC275
                  • Failed to append relation type to install arguments for related bundle package, xrefs: 003CC371
                  • Failed to append relation type to uninstall arguments for related bundle package, xrefs: 003CC40C
                  • Failed to copy version for pseudo bundle., xrefs: 003CC4D0
                  • Failed to copy key for pseudo bundle payload., xrefs: 003CC1BB
                  • -%ls, xrefs: 003CC114
                  • Failed to copy uninstall arguments for related bundle package, xrefs: 003CC3EB
                  • Failed to copy download source for pseudo bundle., xrefs: 003CC231
                  • pseudobundle.cpp, xrefs: 003CC141, 003CC17A, 003CC269, 003CC475
                  • Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 003CC14D
                  • Failed to copy install arguments for related bundle package, xrefs: 003CC34C
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Heap$AllocateProcess
                  • String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$pseudobundle.cpp
                  • API String ID: 1357844191-2832335422
                  • Opcode ID: 12f8729d3697fa72805fdd53343e1d5b69bb333151bce73daaae569cb683b6c8
                  • Instruction ID: b081d252b569f0ef6ec368ff0a330b3532e6220deaf27085aa5edab54c14bb71
                  • Opcode Fuzzy Hash: 12f8729d3697fa72805fdd53343e1d5b69bb333151bce73daaae569cb683b6c8
                  • Instruction Fuzzy Hash: 6EC1D172A20656AFDB179E69CC51F7A76A8FF09700B059229FD09EB741D774EC008B90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 43%
                  			E003A44E9(void* __edx) {
                  				signed int _v8;
                  				intOrPtr _v12;
                  				struct _TOKEN_PRIVILEGES _v24;
                  				void* _v28;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t13;
                  				int _t24;
                  				signed short _t31;
                  				signed short _t34;
                  				signed short _t37;
                  				void* _t45;
                  				int _t47;
                  				int _t48;
                  				signed int _t60;
                  
                  				_t45 = __edx;
                  				_t13 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t13 ^ _t60;
                  				asm("stosd");
                  				_v28 = 0;
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_t47 = 0;
                  				if(OpenProcessToken(GetCurrentProcess(), 0x20,  &_v28) != 0) {
                  					_v24.PrivilegeCount = 1;
                  					_v12 = 2;
                  					if(LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &(_v24.Privileges)) != 0) {
                  						if(AdjustTokenPrivileges(_v28, 0,  &_v24, 0x10, 0, 0) != 0) {
                  							do {
                  								_t48 = 0;
                  								Sleep(0x3e8);
                  								_push(0x80040002);
                  								_push(1);
                  								_push(0);
                  								_push(0);
                  								_push(0);
                  								_push(0);
                  								if( *0x40aa5c() == 0) {
                  									_t48 =  <=  ? GetLastError() : _t30 & 0x0000ffff | 0x80070000;
                  								}
                  								_t24 = _t47;
                  								_t47 = _t47 + 1;
                  							} while (_t24 < 0xa && (_t48 == 0x800704f7 || _t48 == 0x80070015));
                  							if(_t48 < 0) {
                  								E003A37D3(_t24, "engine.cpp", 0x376, _t48);
                  								_push("Failed to schedule restart.");
                  								goto L13;
                  							}
                  						} else {
                  							_t31 = GetLastError();
                  							_t53 =  <=  ? _t31 : _t31 & 0x0000ffff | 0x80070000;
                  							_t48 =  >=  ? 0x80004005 :  <=  ? _t31 : _t31 & 0x0000ffff | 0x80070000;
                  							E003A37D3(0x80004005, "engine.cpp", 0x362, _t48);
                  							_push("Failed to adjust token to add shutdown privileges.");
                  							goto L13;
                  						}
                  					} else {
                  						_t34 = GetLastError();
                  						_t56 =  <=  ? _t34 : _t34 & 0x0000ffff | 0x80070000;
                  						_t48 =  >=  ? 0x80004005 :  <=  ? _t34 : _t34 & 0x0000ffff | 0x80070000;
                  						E003A37D3(0x80004005, "engine.cpp", 0x35d, _t48);
                  						_push("Failed to get shutdown privilege LUID.");
                  						goto L13;
                  					}
                  				} else {
                  					_t37 = GetLastError();
                  					_t59 =  <=  ? _t37 : _t37 & 0x0000ffff | 0x80070000;
                  					_t48 =  >=  ? 0x80004005 :  <=  ? _t37 : _t37 & 0x0000ffff | 0x80070000;
                  					E003A37D3(0x80004005, "engine.cpp", 0x356, _t48);
                  					_push("Failed to get process token.");
                  					L13:
                  					_push(_t48);
                  					E003E012F();
                  				}
                  				if(_v28 != 0) {
                  					CloseHandle(_v28);
                  				}
                  				return E003CDE36(0, _v8 ^ _t60, _t45, _t47, _t48);
                  			}





















                  APIs
                  • GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 003A4512
                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 003A4519
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 003A4523
                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 003A4573
                  • GetLastError.KERNEL32 ref: 003A457D
                  • CloseHandle.KERNEL32(?), ref: 003A4677
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorLastProcess$CloseCurrentHandleLookupOpenPrivilegeTokenValue
                  • String ID: @Mxt$Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$user.cpp
                  • API String ID: 4232854991-806501321
                  • Opcode ID: 81a93e0ab4a2154b1f428e7debc1f935b5bdf91b74a1de2dfd0cfa14ce36e6cd
                  • Instruction ID: 013296e77c7e5af7e2b00e96a97577ddc48f733acb1130d881f7cd4044b7948a
                  • Opcode Fuzzy Hash: 81a93e0ab4a2154b1f428e7debc1f935b5bdf91b74a1de2dfd0cfa14ce36e6cd
                  • Instruction Fuzzy Hash: 0C412E72A40365AFEB239BB59C85FBFB69CEB42751F010225FE01FA1E0D7654D0086E5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 19%
                  			E003A6184(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                  				signed int _v8;
                  				struct _OSVERSIONINFOEXW _v292;
                  				intOrPtr _v300;
                  				intOrPtr _v312;
                  				signed int _v316;
                  				intOrPtr _v320;
                  				signed int _v324;
                  				void* __ebx;
                  				signed int __edi;
                  				intOrPtr* __esi;
                  				void* __ebp;
                  				signed int _t33;
                  				signed int _t42;
                  				signed short _t49;
                  				intOrPtr _t52;
                  				signed int _t53;
                  				intOrPtr _t59;
                  				void* _t60;
                  				void* _t61;
                  				void* _t62;
                  				void* _t64;
                  				signed int _t68;
                  
                  				_t59 = __edx;
                  				_t33 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t33 ^ _t68;
                  				_t52 = _a8;
                  				E003CF670(_t60,  &_v292, 0, 0x11c);
                  				_v292.dwOSVersionInfoSize = 0x11c;
                  				_t61 =  &_v316;
                  				_t53 = 6;
                  				memset(_t61, 0, _t53 << 2);
                  				_t62 = _t61 + _t53;
                  				if(GetVersionExW( &_v292) != 0) {
                  					_t42 = _a4 + 0xfffffffc;
                  					if(_t42 <= 9) {
                  						switch( *((intOrPtr*)(_t42 * 4 +  &M003A6338))) {
                  							case 0:
                  								_t48 = _v292.wProductType & 0x000000ff;
                  								asm("cdq");
                  								_v312 = _t59;
                  								_v300 = 1;
                  								goto L21;
                  							case 1:
                  								__eax = _v292.wSuiteMask;
                  								__eax = _v292.wSuiteMask >> 2;
                  								goto L6;
                  							case 2:
                  								__eax = _v292.wSuiteMask;
                  								__eax = _v292.wSuiteMask >> 7;
                  								goto L6;
                  							case 3:
                  								__eax = _v292.wSuiteMask;
                  								__eax = _v292.wSuiteMask >> 1;
                  								goto L6;
                  							case 4:
                  								__eax = _v292.wSuiteMask;
                  								__eax = _v292.wSuiteMask >> 9;
                  								goto L6;
                  							case 5:
                  								__eax = _v292.wSuiteMask;
                  								goto L6;
                  							case 6:
                  								__eax = _v292.wSuiteMask;
                  								__eax = _v292.wSuiteMask >> 5;
                  								goto L6;
                  							case 7:
                  								__eax = _v292.wSuiteMask;
                  								__eax = _v292.wSuiteMask >> 0xa;
                  								L6:
                  								__edi = 0;
                  								__edi = 1;
                  								__eax = __eax & 1;
                  								goto L7;
                  							case 8:
                  								__edi = 0;
                  								__edi = 1;
                  								_push(1);
                  								_push(2);
                  								_push(0);
                  								_push(0);
                  								__esi = __imp__VerSetConditionMask;
                  								__eax =  *__esi();
                  								_push(1);
                  								_push(1);
                  								_push(__edx);
                  								_push(__eax);
                  								__eax =  *__esi();
                  								_push(1);
                  								_push(0x20);
                  								_push(__edx);
                  								_push(__eax);
                  								__eax =  *__esi();
                  								_push(1);
                  								_push(0x10);
                  								_push(__edx);
                  								_push(__eax);
                  								__eax =  *__esi();
                  								_push(__edx);
                  								 &_v292 = VerifyVersionInfoW( &_v292, 0x33,  &_v292);
                  								L7:
                  								asm("cdq");
                  								_v312 = __edx;
                  								goto L20;
                  							case 9:
                  								__eax = _v292.wSuiteMask;
                  								__edi = 0;
                  								__edi = 1;
                  								if((__al & 0x00000010) == 0) {
                  									L18:
                  									asm("xorps xmm0, xmm0");
                  									asm("movlpd [ebp-0x140], xmm0");
                  									__esi = _v320;
                  									__eax = _v324;
                  								} else {
                  									__eax = __eax & 0x00000100;
                  									__ecx = 0;
                  									if(__cx != __ax) {
                  										goto L18;
                  									} else {
                  										__eax = 1;
                  									}
                  								}
                  								_v312 = __esi;
                  								L20:
                  								_v300 = __edi;
                  								L21:
                  								_v316 = _t48;
                  								goto L22;
                  						}
                  					}
                  					L22:
                  					_t64 = E003BFF73(_t59,  &_v316, _t52);
                  					if(_t64 < 0) {
                  						_push("Failed to set variant value.");
                  						goto L24;
                  					}
                  				} else {
                  					_t49 = GetLastError();
                  					_t67 =  <=  ? _t49 : _t49 & 0x0000ffff | 0x80070000;
                  					_t64 =  >=  ? 0x80004005 :  <=  ? _t49 : _t49 & 0x0000ffff | 0x80070000;
                  					E003A37D3(0x80004005, "variable.cpp", 0x6a1, _t64);
                  					_push("Failed to get OS info.");
                  					L24:
                  					_push(_t64);
                  					E003E012F();
                  				}
                  				return E003CDE36(_t52, _v8 ^ _t68, _t59, _t62, _t64);
                  			}


























                  APIs
                  • GetVersionExW.KERNEL32(0000011C), ref: 003A61D2
                  • GetLastError.KERNEL32 ref: 003A61DC
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorLastVersion
                  • String ID: @Mxt$Failed to get OS info.$Failed to set variant value.$variable.cpp
                  • API String ID: 305913169-1725581424
                  • Opcode ID: 66c00624cd2cc975d881158595cdd90f59b96c9dc99e937c953dfdc55aa33c1d
                  • Instruction ID: cfe9c49c0688e3df7843d84519bc425c76ff4704e956ea3c35e52c32a41f5a1d
                  • Opcode Fuzzy Hash: 66c00624cd2cc975d881158595cdd90f59b96c9dc99e937c953dfdc55aa33c1d
                  • Instruction Fuzzy Hash: E5418771A00268ABDB229B65CC46FEF7BBCEB8A710F14069AF505E7190D7709E91CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E003A834D(struct _CRITICAL_SECTION* _a4, intOrPtr _a8) {
                  				char _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				char _v20;
                  				void* _v24;
                  				int _v28;
                  				char _v32;
                  				char _v36;
                  				void _v60;
                  				intOrPtr* _t97;
                  				int _t148;
                  				struct _CRITICAL_SECTION* _t154;
                  				signed int _t155;
                  				intOrPtr* _t158;
                  				signed int _t159;
                  				int _t169;
                  				signed int _t170;
                  				void* _t171;
                  				signed int _t172;
                  				struct _CRITICAL_SECTION* _t174;
                  				void* _t176;
                  				int _t177;
                  				void* _t179;
                  				void* _t180;
                  
                  				_t154 = _a4;
                  				_t155 = 6;
                  				_v24 = 0;
                  				_v16 = 0;
                  				memset( &_v60, 0, _t155 << 2);
                  				_t180 = _t179 + 0xc;
                  				_v32 = 0;
                  				_v8 = 0;
                  				_v12 = 0;
                  				_v20 = 0;
                  				_v36 = 0;
                  				_v28 = 0;
                  				EnterCriticalSection(_t154);
                  				if(E003E3803(_a8, L"Variable",  &_v24) >= 0) {
                  					_t97 = _v24;
                  					_t166 =  &_v32;
                  					_t157 =  *_t97;
                  					_t176 =  *((intOrPtr*)( *_t97 + 0x20))(_t97,  &_v32);
                  					if(_t176 >= 0) {
                  						_t169 = 0;
                  						_a4 = 0;
                  						if(_v32 > 0) {
                  							while(1) {
                  								_t176 = E003E3760(_t157, _v24,  &_v16, _t169);
                  								if(_t176 < 0) {
                  									break;
                  								}
                  								_t176 = E003E31C7(_v16, L"Id",  &_v8);
                  								if(_t176 < 0) {
                  									_push("Failed to get @Id.");
                  									goto L57;
                  								} else {
                  									_t176 = E003E33DB(_t157, _v16, L"Hidden",  &_v20);
                  									if(_t176 < 0) {
                  										_push("Failed to get @Hidden.");
                  										goto L57;
                  									} else {
                  										_t176 = E003E33DB(_t157, _v16, L"Persisted",  &_v36);
                  										if(_t176 < 0) {
                  											_push("Failed to get @Persisted.");
                  											goto L57;
                  										} else {
                  											_t176 = E003E31C7(_v16, L"Value",  &_v12);
                  											if(_t176 == 0x80070490) {
                  												_t177 = _t169;
                  												goto L25;
                  											} else {
                  												if(_t176 < 0) {
                  													_push("Failed to get @Value.");
                  													goto L57;
                  												} else {
                  													_t176 = E003C02F4( &_v60, _v12, _t169);
                  													if(_t176 < 0) {
                  														_push("Failed to set variant value.");
                  														goto L57;
                  													} else {
                  														_t176 = E003E31C7(_v16, L"Type",  &_v12);
                  														if(_t176 < 0) {
                  															_push("Failed to get @Type.");
                  															goto L57;
                  														} else {
                  															_t148 = CompareStringW(0x7f, _t169, _v12, 0xffffffff, L"numeric", 0xffffffff);
                  															_t177 = 2;
                  															if(_t148 != _t177) {
                  																if(CompareStringW(0x7f, _t169, _v12, 0xffffffff, L"string", 0xffffffff) != _t177) {
                  																	if(CompareStringW(0x7f, _t169, _v12, 0xffffffff, L"version", 0xffffffff) != _t177) {
                  																		_push(_v12);
                  																		_t171 = 0x80070057;
                  																		_t176 = 0x80070057;
                  																		_push("Invalid value for @Type: %ls");
                  																		goto L42;
                  																	} else {
                  																		if(_v20 == 0) {
                  																			_push(_v60);
                  																			E003E061A(_t177, "Initializing version variable \'%ls\' to value \'%ls\'", _v8);
                  																			_t180 = _t180 + 0x10;
                  																		}
                  																		_t177 = 3;
                  																		goto L25;
                  																	}
                  																} else {
                  																	if(_v20 != 0) {
                  																		goto L26;
                  																	} else {
                  																		_push(_v60);
                  																		E003E061A(_t177, "Initializing string variable \'%ls\' to value \'%ls\'", _v8);
                  																		_t180 = _t180 + 0x10;
                  																		goto L25;
                  																	}
                  																	goto L27;
                  																}
                  															} else {
                  																if(_v20 == 0) {
                  																	_push(_v60);
                  																	E003E061A(_t177, "Initializing numeric variable \'%ls\' to value \'%ls\'", _v8);
                  																	_t180 = _t180 + 0x10;
                  																}
                  																_t177 = 1;
                  																L25:
                  																if(_v20 != 0) {
                  																	L26:
                  																	E003E061A(2, "Initializing hidden variable \'%ls\'", _v8);
                  																	_t180 = _t180 + 0xc;
                  																}
                  																L27:
                  																_t176 = E003BFEB7(_t166,  &_v60, _t177);
                  																if(_t176 < 0) {
                  																	_push("Failed to change variant type.");
                  																	goto L57;
                  																} else {
                  																	_t176 = E003A55B6(_t157, _t154, _v8,  &_v28);
                  																	if(_t176 < 0) {
                  																		_push(_v8);
                  																		_push("Failed to find variable value \'%ls\'.");
                  																		goto L51;
                  																	} else {
                  																		_t170 = _v28;
                  																		if(_t176 != 1) {
                  																			_t124 =  *((intOrPtr*)(_t154 + 0x20));
                  																			if( *((intOrPtr*)(_t170 * 0x38 +  *((intOrPtr*)(_t154 + 0x20)) + 0x2c)) > 0) {
                  																				_t171 = 0x80070057;
                  																				_t176 = 0x80070057;
                  																				E003A37D3(_t124, "variable.cpp", 0x18a, 0x80070057);
                  																				_push(_v8);
                  																				_push("Attempt to set built-in variable value: %ls");
                  																				L42:
                  																				_push(_t171);
                  																				goto L43;
                  																			} else {
                  																				goto L33;
                  																			}
                  																		} else {
                  																			_t176 = E003A6AC6(_t122, _t157, _t154, _v8, _t170);
                  																			if(_t176 >= 0) {
                  																				L33:
                  																				_t172 = _t170 * 0x38;
                  																				 *((intOrPtr*)(_t172 +  *((intOrPtr*)(_t154 + 0x20)) + 0x20)) = _v20;
                  																				 *((intOrPtr*)(_t172 +  *((intOrPtr*)(_t154 + 0x20)) + 0x28)) = _v36;
                  																				_t176 = E003C035B(_t166,  *((intOrPtr*)(_t154 + 0x20)) + 8 + _t172,  &_v60);
                  																				if(_t176 < 0) {
                  																					_push(_v8);
                  																					_push("Failed to set value of variable: %ls");
                  																					goto L51;
                  																				} else {
                  																					_t176 = E003C0246( *((intOrPtr*)(_t154 + 0x20)) + 8 + _t172, _v20);
                  																					if(_t176 < 0) {
                  																						_push("Failed to set variant encryption");
                  																						goto L57;
                  																					} else {
                  																						_t157 = _v16;
                  																						if(_t157 != 0) {
                  																							 *((intOrPtr*)( *_t157 + 8))(_t157);
                  																							_v16 = _v16 & 0x00000000;
                  																						}
                  																						E003C0499( &_v60);
                  																						if(_v12 != 0) {
                  																							E003A2793(_v12);
                  																							_v12 = _v12 & 0x00000000;
                  																						}
                  																						_t174 = _a4 + 1;
                  																						_a4 = _t174;
                  																						if(_t174 < _v32) {
                  																							_t169 = 0;
                  																							continue;
                  																						}
                  																					}
                  																				}
                  																			} else {
                  																				_push(_v8);
                  																				_push("Failed to insert variable \'%ls\'.");
                  																				L51:
                  																				_push(_t176);
                  																				L43:
                  																				E003E012F();
                  																			}
                  																		}
                  																	}
                  																}
                  															}
                  														}
                  													}
                  												}
                  											}
                  										}
                  									}
                  								}
                  								goto L58;
                  							}
                  							_push("Failed to get next node.");
                  							goto L57;
                  						}
                  					} else {
                  						_push("Failed to get variable node count.");
                  						goto L57;
                  					}
                  				} else {
                  					_push("Failed to select variable nodes.");
                  					L57:
                  					_push(_t176);
                  					E003E012F();
                  				}
                  				L58:
                  				LeaveCriticalSection(_t154);
                  				_t158 = _v24;
                  				if(_t158 != 0) {
                  					 *((intOrPtr*)( *_t158 + 8))(_t158);
                  				}
                  				_t159 = _v16;
                  				if(_t159 != 0) {
                  					 *((intOrPtr*)( *_t159 + 8))(_t159);
                  				}
                  				if(_v12 != 0) {
                  					E003E54EF(_v12);
                  				}
                  				if(_v8 != 0) {
                  					E003E54EF(_v8);
                  				}
                  				E003C0499( &_v60);
                  				return _t176;
                  			}

                  APIs
                  • EnterCriticalSection.KERNEL32(?,?,00000000,80070490,?,?,?,?,?,?,?,=S:,003CBF87,?,?,?), ref: 003A837E
                  • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,=S:,003CBF87,?,?,?,?,=S:,Chain), ref: 003A86DB
                  Strings
                  • variable.cpp, xrefs: 003A8690
                  • Persisted, xrefs: 003A8421
                  • Failed to insert variable '%ls'., xrefs: 003A859D
                  • Failed to get variable node count., xrefs: 003A83B8
                  • Hidden, xrefs: 003A8406
                  • Initializing numeric variable '%ls' to value '%ls', xrefs: 003A84B9
                  • Failed to get @Hidden., xrefs: 003A86BF
                  • Failed to get @Value., xrefs: 003A866D
                  • Failed to set value of variable: %ls, xrefs: 003A867E
                  • Invalid value for @Type: %ls, xrefs: 003A864F
                  • Failed to set variant value., xrefs: 003A8666
                  • Initializing string variable '%ls' to value '%ls', xrefs: 003A84F1
                  • numeric, xrefs: 003A8493
                  • Failed to get @Type., xrefs: 003A865F
                  • string, xrefs: 003A84CE
                  • Failed to set variant encryption, xrefs: 003A8674
                  • =S:, xrefs: 003A834D
                  • Type, xrefs: 003A847A
                  • version, xrefs: 003A8503
                  • Value, xrefs: 003A843C
                  • Failed to change variant type., xrefs: 003A86B1
                  • Attempt to set built-in variable value: %ls, xrefs: 003A869F
                  • Failed to get @Persisted., xrefs: 003A86B8
                  • Failed to get @Id., xrefs: 003A86C6
                  • Failed to get next node., xrefs: 003A86CD
                  • Initializing hidden variable '%ls', xrefs: 003A8548
                  • Variable, xrefs: 003A8388
                  • Failed to select variable nodes., xrefs: 003A839B
                  • Failed to find variable value '%ls'., xrefs: 003A86A9
                  • Initializing version variable '%ls' to value '%ls', xrefs: 003A852A
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterLeave
                  • String ID: =S:$Attempt to set built-in variable value: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant encryption$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$numeric$string$variable.cpp$version
                  • API String ID: 3168844106-156582727
                  • Opcode ID: 17bb3f351f6fe7935916854ceef44917cd31062ea2dabd3ccedcfb98627e26cf
                  • Instruction ID: e341c9a3359e38f9ffa977148684862a6eff7a620271b9955b8596e15d1878b5
                  • Opcode Fuzzy Hash: 17bb3f351f6fe7935916854ceef44917cd31062ea2dabd3ccedcfb98627e26cf
                  • Instruction Fuzzy Hash: 8CB1CD72D40269BBDB179B95CC45EEEBB79EF06710F110365FA10BB2A0CB709E419B80
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 81%
                  			E003B52E3(long _a4) {
                  				long _v8;
                  				signed int _v12;
                  				void _v16;
                  				signed int _v20;
                  				WCHAR* _v24;
                  				void _v28;
                  				void _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				WCHAR* _t40;
                  				long _t43;
                  				signed int _t44;
                  				signed short _t48;
                  				signed short _t56;
                  				signed short _t62;
                  				signed short _t67;
                  				signed short _t73;
                  				signed short _t79;
                  				void* _t83;
                  				long _t84;
                  				signed int _t88;
                  				void* _t109;
                  
                  				_t84 = _a4;
                  				_t88 = 0;
                  				_v40 =  *((intOrPtr*)(_t84 + 0x10));
                  				_v36 =  *((intOrPtr*)(_t84 + 0x14));
                  				_t40 =  *(_t84 + 4);
                  				_v24 = _t40;
                  				_v16 = lstrlenW(_t40) + _t41;
                  				_t43 = GetCurrentProcessId();
                  				_v32 = _v32 & 0;
                  				_a4 = _a4 & 0;
                  				_v28 = _t43;
                  				_t44 = 0;
                  				_v20 = 0;
                  				while(1) {
                  					L1:
                  					_t83 =  *(_t109 + _t44 * 4 - 0x24);
                  					if(_t83 == 0xffffffff) {
                  						break;
                  					}
                  					_v8 = 1;
                  					if(SetNamedPipeHandleState(_t83,  &_v8, 0, 0) == 0) {
                  						_t48 = GetLastError();
                  						_t91 =  <=  ? _t48 : _t48 & 0x0000ffff | 0x80070000;
                  						_t88 =  >=  ? 0x80004005 :  <=  ? _t48 : _t48 & 0x0000ffff | 0x80070000;
                  						E003A37D3(0x80004005, "pipe.cpp", 0x1ce, _t88);
                  						_push("Failed to set pipe to non-blocking.");
                  						goto L28;
                  					} else {
                  						_v12 = _v12 & 0x00000000;
                  						do {
                  							if(ConnectNamedPipe(_t83, 0) != 0) {
                  								goto L9;
                  							} else {
                  								_t52 = GetLastError();
                  								if(_t52 == 0x217) {
                  									_t88 = 0;
                  									L11:
                  									_v8 = _v8 & 0x00000000;
                  									if(SetNamedPipeHandleState(_t83,  &_v8, 0, 0) == 0) {
                  										_t56 = GetLastError();
                  										_t94 =  <=  ? _t56 : _t56 & 0x0000ffff | 0x80070000;
                  										_t88 =  >=  ? 0x80004005 :  <=  ? _t56 : _t56 & 0x0000ffff | 0x80070000;
                  										E003A37D3(0x80004005, "pipe.cpp", 0x1f9, _t88);
                  										_push("Failed to reset pipe to blocking.");
                  										goto L28;
                  									} else {
                  										if(WriteFile(_t83,  &_v16, 4,  &_a4, 0) == 0) {
                  											_t62 = GetLastError();
                  											_t97 =  <=  ? _t62 : _t62 & 0x0000ffff | 0x80070000;
                  											_t88 =  >=  ? 0x80004005 :  <=  ? _t62 : _t62 & 0x0000ffff | 0x80070000;
                  											E003A37D3(0x80004005, "pipe.cpp", 0x1ff, _t88);
                  											_push("Failed to write secret length to pipe.");
                  											goto L28;
                  										} else {
                  											_t31 =  &_v24; // 0x3a442a
                  											if(WriteFile(_t83,  *_t31, _v16,  &_a4, 0) == 0) {
                  												_t67 = GetLastError();
                  												_t100 =  <=  ? _t67 : _t67 & 0x0000ffff | 0x80070000;
                  												_t88 =  >=  ? 0x80004005 :  <=  ? _t67 : _t67 & 0x0000ffff | 0x80070000;
                  												E003A37D3(0x80004005, "pipe.cpp", 0x204, _t88);
                  												_push("Failed to write secret to pipe.");
                  												goto L28;
                  											} else {
                  												if(WriteFile(_t83,  &_v28, 4,  &_a4, 0) == 0) {
                  													_t73 = GetLastError();
                  													_t103 =  <=  ? _t73 : _t73 & 0x0000ffff | 0x80070000;
                  													_t88 =  >=  ? 0x80004005 :  <=  ? _t73 : _t73 & 0x0000ffff | 0x80070000;
                  													E003A37D3(0x80004005, "pipe.cpp", 0x209, _t88);
                  													_push("Failed to write our process id to pipe.");
                  													goto L28;
                  												} else {
                  													if(ReadFile(_t83,  &_v32, 4,  &_a4, 0) == 0) {
                  														_t79 = GetLastError();
                  														_t106 =  <=  ? _t79 : _t79 & 0x0000ffff | 0x80070000;
                  														_t88 =  >=  ? 0x80004005 :  <=  ? _t79 : _t79 & 0x0000ffff | 0x80070000;
                  														E003A37D3(0x80004005, "pipe.cpp", 0x20f, _t88);
                  														_push("Failed to read ACK from pipe.");
                  														goto L28;
                  													} else {
                  														_t44 = _v20 + 1;
                  														_v20 = _t44;
                  														if(_t44 < 2) {
                  															goto L1;
                  														} else {
                  														}
                  													}
                  												}
                  											}
                  										}
                  									}
                  								} else {
                  									if(_t52 != 0x218) {
                  										_t88 =  <=  ? _t52 : _t52 & 0x0000ffff | 0x80070000;
                  										break;
                  									} else {
                  										_t52 = _v12;
                  										if(_t52 >= 0x708) {
                  											_t88 = 0x800705b4;
                  											L21:
                  											E003A37D3(_t52, "pipe.cpp", 0x1f3, _t88);
                  											_push("Failed to wait for child to connect to pipe.");
                  											L28:
                  											_push(_t88);
                  											E003E012F();
                  										} else {
                  											_t52 = _t52 + 1;
                  											_t88 = 0x80070218;
                  											_v12 = _t52;
                  											Sleep(0x64);
                  											goto L9;
                  										}
                  									}
                  								}
                  							}
                  							goto L29;
                  							L9:
                  						} while (_t88 == 0x80070218);
                  						if(_t88 < 0) {
                  							goto L21;
                  						} else {
                  							goto L11;
                  						}
                  					}
                  					break;
                  				}
                  				L29:
                  				return _t88;
                  			}

                  APIs
                  • lstrlenW.KERNEL32(?,?,00000000,?,003EB4F0,?,00000000,?,003A442A,?,003EB4F0), ref: 003B5304
                  • GetCurrentProcessId.KERNEL32(?,003A442A,?,003EB4F0), ref: 003B530F
                  • SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,003A442A,?,003EB4F0), ref: 003B5346
                  • ConnectNamedPipe.KERNEL32(?,00000000,?,003A442A,?,003EB4F0), ref: 003B535B
                  • GetLastError.KERNEL32(?,003A442A,?,003EB4F0), ref: 003B5365
                  • Sleep.KERNEL32(00000064,?,003A442A,?,003EB4F0), ref: 003B5396
                  • SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,003A442A,?,003EB4F0), ref: 003B53B9
                  • WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,003A442A,?,003EB4F0), ref: 003B53D4
                  • WriteFile.KERNEL32(?,*D:,003EB4F0,00000000,00000000,?,003A442A,?,003EB4F0), ref: 003B53EF
                  • WriteFile.KERNEL32(?,comres.dll,00000004,feclient.dll,00000000,?,003A442A,?,003EB4F0), ref: 003B540A
                  • ReadFile.KERNEL32(?,wininet.dll,00000004,feclient.dll,00000000,?,003A442A,?,003EB4F0), ref: 003B5425
                  • GetLastError.KERNEL32(?,003A442A,?,003EB4F0), ref: 003B547D
                  • GetLastError.KERNEL32(?,003A442A,?,003EB4F0), ref: 003B54B1
                  • GetLastError.KERNEL32(?,003A442A,?,003EB4F0), ref: 003B54E5
                  • GetLastError.KERNEL32(?,003A442A,?,003EB4F0), ref: 003B557B
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
                  • String ID: *D:$Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$comres.dll$crypt32.dll$feclient.dll$pipe.cpp$wininet.dll
                  • API String ID: 2944378912-1258324580
                  • Opcode ID: c1c2daa6ab72e94e371382889c1c7cd887be3f6c4ae8bb96745eadb99018f9e6
                  • Instruction ID: f53e75b33ac7aa0f91d368f9f18db7d7903cdbc526ff6294e6c9adf44a15c9f7
                  • Opcode Fuzzy Hash: c1c2daa6ab72e94e371382889c1c7cd887be3f6c4ae8bb96745eadb99018f9e6
                  • Instruction Fuzzy Hash: 9361E876E40729AAE722DAA58C85BFBB6ECEF04741F124125FF05FB580D7748D008AE1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E003E72F4(void* __ebx, void* __eflags, int _a4, intOrPtr* _a8) {
                  				signed int _v8;
                  				signed int _v12;
                  				void* _v16;
                  				int _v20;
                  				int _v24;
                  				int _v28;
                  				void* __edi;
                  				int _t110;
                  				int _t111;
                  				int _t112;
                  				int _t114;
                  				int _t116;
                  				int _t117;
                  				int _t118;
                  				int _t119;
                  				int _t120;
                  				int _t121;
                  				int _t122;
                  				int _t123;
                  				int _t124;
                  				int _t125;
                  				int _t128;
                  				void* _t147;
                  				intOrPtr* _t150;
                  				void* _t151;
                  				signed int _t153;
                  				intOrPtr* _t154;
                  				intOrPtr _t160;
                  				int _t161;
                  
                  				_t149 = __ebx;
                  				_v16 = 0;
                  				_v12 = 0;
                  				_v8 = 0;
                  				_t160 = E003A38D4(0x48, 1);
                  				if(_t160 != 0) {
                  					_t150 = _a4;
                  					 *((intOrPtr*)(_t160 + 0x40)) = _t150;
                  					 *((intOrPtr*)( *_t150 + 4))(_t150, __ebx);
                  					_t7 = _t160 + 0x20; // 0x20
                  					_t8 = _t160 + 0x24; // 0x24
                  					_t161 = E003E64F4(_t8, _t150, L"author", _t8, _t7);
                  					__eflags = _t161;
                  					if(_t161 >= 0) {
                  						_t9 = _t160 + 0x28; // 0x28
                  						_t10 = _t160 + 0x2c; // 0x2c
                  						_t161 = E003E658C(_t10, _t150, L"category", _t10, _t9);
                  						__eflags = _t161;
                  						if(_t161 >= 0) {
                  							_t11 = _t160 + 0x30; // 0x30
                  							_t12 = _t160 + 0x34; // 0x34
                  							_t161 = E003E6624(_t12, _t150, L"entry", _t12, _t11);
                  							__eflags = _t161;
                  							if(_t161 >= 0) {
                  								_t13 = _t160 + 0x38; // 0x38
                  								_t14 = _t160 + 0x3c; // 0x3c
                  								_t161 = E003E66BC(_t14, _t150, L"link", _t14, _t13);
                  								__eflags = _t161;
                  								if(_t161 >= 0) {
                  									_t158 =  &_v16;
                  									_t161 =  *((intOrPtr*)( *_t150 + 0x30))(_t150,  &_v16);
                  									__eflags = _t161;
                  									if(_t161 >= 0) {
                  										_t110 = E003E3760( &_v16, _v16,  &_v12,  &_v8);
                  										_t161 = _t110;
                  										__eflags = _t161;
                  										if(_t161 != 0) {
                  											L45:
                  											_t111 =  *(_t160 + 8);
                  											__eflags = _t111;
                  											if(_t111 == 0) {
                  												L54:
                  												_t112 = 0x8007000d;
                  												_push(0x8007000d);
                  												_push(0x197);
                  												goto L55;
                  											} else {
                  												__eflags =  *_t111;
                  												if( *_t111 == 0) {
                  													goto L54;
                  												} else {
                  													_t114 =  *(_t160 + 0x14);
                  													__eflags = _t114;
                  													if(_t114 == 0) {
                  														L53:
                  														_t112 = 0x8007000d;
                  														_push(0x8007000d);
                  														_push(0x19c);
                  														goto L55;
                  													} else {
                  														__eflags =  *_t114;
                  														if( *_t114 == 0) {
                  															goto L53;
                  														} else {
                  															__eflags =  *(_t160 + 0x1c);
                  															if( *(_t160 + 0x1c) != 0) {
                  																L52:
                  																 *_a8 = _t160;
                  																_t160 = 0;
                  															} else {
                  																__eflags =  *(_t160 + 0x18);
                  																if( *(_t160 + 0x18) != 0) {
                  																	goto L52;
                  																} else {
                  																	_t112 = 0x8007000d;
                  																	_push(0x8007000d);
                  																	_push(0x1a1);
                  																	L55:
                  																	_push("atomutil.cpp");
                  																	_t161 = _t112;
                  																	E003A37D3(_t112);
                  																}
                  															}
                  														}
                  													}
                  												}
                  											}
                  										} else {
                  											_t151 = CompareStringW;
                  											_v28 = _t161;
                  											_v24 = _t110;
                  											_v20 = _t110;
                  											_a4 = _t110;
                  											while(1) {
                  												_t116 = CompareStringW(0x7f, _t110, _v8, 0xffffffff, L"generator", 0xffffffff);
                  												__eflags = _t116 - 2;
                  												if(_t116 != 2) {
                  													goto L13;
                  												}
                  												_push(_v12);
                  												_push(_t160);
                  												L12:
                  												_t128 = E003E67C4(_t158);
                  												L39:
                  												_t161 = _t128;
                  												__eflags = _t161;
                  												if(_t161 >= 0) {
                  													L40:
                  													__eflags = _v8;
                  													if(_v8 != 0) {
                  														__imp__#6(_v8);
                  														_t68 =  &_v8;
                  														 *_t68 = _v8 & 0x00000000;
                  														__eflags =  *_t68;
                  													}
                  													_t158 = _v12;
                  													__eflags = _t158;
                  													if(_t158 != 0) {
                  														 *((intOrPtr*)( *_t158 + 8))(_t158);
                  														_t72 =  &_v12;
                  														 *_t72 = _v12 & 0x00000000;
                  														__eflags =  *_t72;
                  													}
                  													_t161 = E003E3760(_t158, _v16,  &_v12,  &_v8);
                  													__eflags = _t161;
                  													if(_t161 == 0) {
                  														_t161 = _v28;
                  														_t110 = 0;
                  														__eflags = 0;
                  														continue;
                  													} else {
                  														goto L45;
                  													}
                  												}
                  												goto L56;
                  												L13:
                  												_t117 = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"icon", 0xffffffff);
                  												__eflags = _t117 - 2;
                  												if(_t117 != 2) {
                  													_t118 = CompareStringW(0x7f, 0, _v8, 0xffffffff, 0x403c78, 0xffffffff);
                  													__eflags = _t118 - 2;
                  													if(_t118 != 2) {
                  														_t119 = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"logo", 0xffffffff);
                  														__eflags = _t119 - 2;
                  														if(_t119 != 2) {
                  															_t120 = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"subtitle", 0xffffffff);
                  															__eflags = _t120 - 2;
                  															if(_t120 != 2) {
                  																_t121 = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"title", 0xffffffff);
                  																__eflags = _t121 - 2;
                  																if(_t121 != 2) {
                  																	_t122 = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"updated", 0xffffffff);
                  																	__eflags = _t122 - 2;
                  																	if(_t122 != 2) {
                  																		_t123 = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"author", 0xffffffff);
                  																		__eflags = _t123 - 2;
                  																		if(_t123 != 2) {
                  																			_t124 = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"category", 0xffffffff);
                  																			__eflags = _t124 - 2;
                  																			if(_t124 != 2) {
                  																				_t125 = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"entry", 0xffffffff);
                  																				__eflags = _t125 - 2;
                  																				if(_t125 != 2) {
                  																					__eflags = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"link", 0xffffffff) - 2;
                  																					if(__eflags != 0) {
                  																						_t64 = _t160 + 0x44; // 0x44
                  																						_t128 = E003E79CC(_t151, __eflags, _v12, _t64);
                  																						goto L39;
                  																					} else {
                  																						_t161 = E003E76A1(_v12,  *((intOrPtr*)(_t160 + 0x3c)) + _t161);
                  																						__eflags = _t161;
                  																						if(_t161 >= 0) {
                  																							_v28 = _v28 + 0x28;
                  																							goto L40;
                  																						}
                  																					}
                  																				} else {
                  																					_t161 = E003E6FB7(_v12,  *((intOrPtr*)(_t160 + 0x34)) + _v24);
                  																					__eflags = _t161;
                  																					if(_t161 >= 0) {
                  																						_v24 = _v24 + 0x40;
                  																						goto L40;
                  																					}
                  																				}
                  																			} else {
                  																				_t161 = E003E6BF6(_v12,  *((intOrPtr*)(_t160 + 0x2c)) + _v20);
                  																				__eflags = _t161;
                  																				if(_t161 >= 0) {
                  																					_v20 = _v20 + 0x10;
                  																					goto L40;
                  																				}
                  																			}
                  																		} else {
                  																			_t161 = E003E6ACD(_v12,  *((intOrPtr*)(_t160 + 0x24)) + _a4);
                  																			__eflags = _t161;
                  																			if(_t161 >= 0) {
                  																				_a4 = _a4 + 0xc;
                  																				goto L40;
                  																			}
                  																		}
                  																	} else {
                  																		_t40 = _t160 + 0x18; // 0x18
                  																		_t128 = E003E6754(_t158, _t40, _v12);
                  																		goto L39;
                  																	}
                  																} else {
                  																	_t37 = _t160 + 0x14; // 0x14
                  																	_t147 = _t37;
                  																	goto L15;
                  																}
                  															} else {
                  																_t35 = _t160 + 0x10; // 0x10
                  																_t147 = _t35;
                  																goto L15;
                  															}
                  														} else {
                  															_t33 = _t160 + 0xc; // 0xc
                  															_t147 = _t33;
                  															goto L15;
                  														}
                  													} else {
                  														_t31 = _t160 + 8; // 0x8
                  														_t147 = _t31;
                  														goto L15;
                  													}
                  												} else {
                  													_t28 = _t160 + 4; // 0x4
                  													_t147 = _t28;
                  													L15:
                  													_push(_v12);
                  													_push(_t147);
                  													goto L12;
                  												}
                  												goto L56;
                  											}
                  										}
                  									}
                  								}
                  							}
                  						}
                  					}
                  					L56:
                  					_pop(_t149);
                  				} else {
                  					_t161 = 0x8007000e;
                  					E003A37D3(_t89, "atomutil.cpp", 0x134, 0x8007000e);
                  				}
                  				if(_v8 != 0) {
                  					__imp__#6(_v8);
                  				}
                  				_t153 = _v12;
                  				if(_t153 != 0) {
                  					 *((intOrPtr*)( *_t153 + 8))(_t153);
                  				}
                  				_t154 = _v16;
                  				if(_t154 != 0) {
                  					 *((intOrPtr*)( *_t154 + 8))(_t154);
                  				}
                  				if(_t160 != 0) {
                  					E003E7B68(_t149, _t160, _t160);
                  				}
                  				return _t161;
                  			}

































                  APIs
                    • Part of subcall function 003A38D4: GetProcessHeap.KERNEL32(?,000001C7,?,003A2284,000001C7,00000001,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A38E5
                    • Part of subcall function 003A38D4: RtlAllocateHeap.NTDLL(00000000,?,003A2284,000001C7,00000001,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A38EC
                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,generator,000000FF,?,?,?), ref: 003E7407
                  • SysFreeString.OLEAUT32(00000000), ref: 003E75D0
                  • SysFreeString.OLEAUT32(00000000), ref: 003E766D
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: String$FreeHeap$AllocateCompareProcess
                  • String ID: ($@$atomutil.cpp$author$category$entry$generator$icon$link$logo$subtitle$title$updated
                  • API String ID: 1555028553-2592408802
                  • Opcode ID: 0adc383aee5d8da41f5ec73b872e05de4c7e006e2c7d763f2256d17848710c94
                  • Instruction ID: 0b0ebaa4c12263ee728e72b6d83825038e4100f2c41402cff584279cf089c2f9
                  • Opcode Fuzzy Hash: 0adc383aee5d8da41f5ec73b872e05de4c7e006e2c7d763f2256d17848710c94
                  • Instruction Fuzzy Hash: 78B1D471908676FBCB229B9ACC41FAEB678AF01724F210355F521BA6D1D770EE10DB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 66%
                  			E003AA311(long _a4, intOrPtr _a8) {
                  				int _v8;
                  				char _v12;
                  				int _v16;
                  				int _v20;
                  				int _v24;
                  				intOrPtr _v32;
                  				void _v48;
                  				signed short _t79;
                  				signed short _t85;
                  				void* _t87;
                  				void* _t89;
                  				void* _t103;
                  				long _t106;
                  				signed short _t110;
                  				void* _t114;
                  				WCHAR* _t131;
                  				signed int _t132;
                  				long _t143;
                  				void* _t145;
                  				void* _t147;
                  				void* _t148;
                  				void* _t158;
                  				void* _t159;
                  
                  				_t132 = 6;
                  				memset( &_v48, 0, _t132 << 2);
                  				_t159 = _t158 + 0xc;
                  				_t143 = _a4;
                  				_v12 = 0;
                  				_v20 = 0;
                  				_v16 = 0;
                  				_t131 = 0;
                  				_t72 =  ==  ? 1 : 0x101;
                  				_v24 = 0;
                  				_a4 =  ==  ? 1 : 0x101;
                  				_v8 = 0;
                  				if(E003A71CF(_a8,  *((intOrPtr*)(_t143 + 0x1c)),  &_v12, 0) >= 0) {
                  					if( *((intOrPtr*)(_t143 + 0x20)) == 0) {
                  						L5:
                  						_t145 = E003E0E3F( *((intOrPtr*)(_t143 + 0x18)), _v12, _a4,  &_v16);
                  						if(_t145 != 0x80070002) {
                  							if(_t145 >= 0) {
                  								_t79 = RegQueryValueExW(_v16, _v20, 0,  &_v24, 0,  &_v8);
                  								if(_t79 != 2) {
                  									if(_t79 == 0) {
                  										_t131 = E003A38D4(_v8 + 2, 1);
                  										if(_t131 != 0) {
                  											_t85 = RegQueryValueExW(_v16, _v20, 0,  &_v24, _t131,  &_v8);
                  											if(_t85 == 0) {
                  												_t87 = _v24 - 1;
                  												if(_t87 == 0) {
                  													L38:
                  													_t89 = E003C02F4( &_v48, _t131, 0);
                  													goto L39;
                  												} else {
                  													_t103 = _t87 - 1;
                  													if(_t103 == 0) {
                  														if( *((intOrPtr*)(_t143 + 0x28)) == 0) {
                  															goto L38;
                  														} else {
                  															_t147 = E003A1EDE( &_v48, _v8);
                  															if(_t147 >= 0) {
                  																_v32 = 2;
                  																_t106 = ExpandEnvironmentStringsW(_t131, _v48, _v8);
                  																_a4 = _t106;
                  																if(_t106 <= _v8) {
                  																	goto L40;
                  																} else {
                  																	_t148 = E003A1EDE( &_v48, _t106);
                  																	if(_t148 < 0) {
                  																		goto L33;
                  																	} else {
                  																		if(_a4 == ExpandEnvironmentStringsW(_t131, _v48, _a4)) {
                  																			goto L40;
                  																		} else {
                  																			_t110 = GetLastError();
                  																			_t151 =  <=  ? _t110 : _t110 & 0x0000ffff | 0x80070000;
                  																			_t148 =  >=  ? 0x80004005 :  <=  ? _t110 : _t110 & 0x0000ffff | 0x80070000;
                  																			E003A37D3(0x80004005, "search.cpp", 0x396, _t148);
                  																			_push("Failed to get expand environment string.");
                  																			goto L46;
                  																		}
                  																	}
                  																}
                  															} else {
                  																L33:
                  																_push("Failed to allocate string buffer.");
                  																goto L46;
                  															}
                  														}
                  													} else {
                  														_t114 = _t103;
                  														if(_t114 == 0) {
                  															if(_v8 != 4) {
                  																goto L26;
                  															} else {
                  																asm("cdq");
                  																_push(0);
                  																_push( *_t131);
                  																goto L28;
                  															}
                  														} else {
                  															if(_t114 == 7) {
                  																if(_v8 == 8) {
                  																	_push(_t131[2]);
                  																	_push( *_t131);
                  																	L28:
                  																	_push( &_v48);
                  																	_t89 = E003C02B0();
                  																	L39:
                  																	_t147 = _t89;
                  																	L40:
                  																	if(_t147 >= 0) {
                  																		_t148 = E003BFEB7(0,  &_v48,  *((intOrPtr*)(_t143 + 0x14)));
                  																		if(_t148 >= 0) {
                  																			_t148 = E003A8137(_a8,  *((intOrPtr*)(_t143 + 4)),  &_v48);
                  																			if(_t148 < 0) {
                  																				_push("Failed to set variable.");
                  																				goto L46;
                  																			}
                  																		} else {
                  																			_push("Failed to change value type.");
                  																			goto L46;
                  																		}
                  																	} else {
                  																		_push("Failed to read registry value.");
                  																		goto L46;
                  																	}
                  																} else {
                  																	L26:
                  																	_t148 = 0x8000ffff;
                  																	goto L47;
                  																}
                  															} else {
                  																_t148 = 0x80004001;
                  																E003E012F(0x80004001, "Unsupported registry key value type. Type = \'%u\'", _v24);
                  																_t159 = _t159 + 0xc;
                  																goto L47;
                  															}
                  														}
                  													}
                  												}
                  											} else {
                  												_t154 =  <=  ? _t85 : _t85 & 0x0000ffff | 0x80070000;
                  												_t148 =  >=  ? 0x80004005 :  <=  ? _t85 : _t85 & 0x0000ffff | 0x80070000;
                  												E003A37D3(0x80004005, "search.cpp", 0x375, _t148);
                  												_push("Failed to query registry key value.");
                  												goto L46;
                  											}
                  										} else {
                  											_t148 = 0x8007000e;
                  											E003A37D3(_t82, "search.cpp", 0x372, 0x8007000e);
                  											_push("Failed to allocate memory registry value.");
                  											_push(0x8007000e);
                  											E003E012F();
                  											goto L47;
                  										}
                  									} else {
                  										_t157 =  <=  ? _t79 : _t79 & 0x0000ffff | 0x80070000;
                  										_t148 =  >=  ? 0x80004005 :  <=  ? _t79 : _t79 & 0x0000ffff | 0x80070000;
                  										E003A37D3(0x80004005, "search.cpp", 0x36f, _t148);
                  										_push("Failed to query registry key value size.");
                  										goto L46;
                  									}
                  								} else {
                  									_push(_v20);
                  									E003E061A(_t79, "Registry value not found. Key = \'%ls\', Value = \'%ls\'", _v12);
                  									_t159 = _t159 + 0x10;
                  									goto L7;
                  								}
                  							} else {
                  								_push("Failed to open registry key.");
                  								goto L46;
                  							}
                  						} else {
                  							E003E061A(2, "Registry key not found. Key = \'%ls\'", _v12);
                  							_t159 = _t159 + 0xc;
                  							L7:
                  							_t148 = E003A8137(_a8,  *((intOrPtr*)(_t143 + 4)),  &_v48);
                  							if(_t148 >= 0) {
                  								_t148 = 0;
                  							} else {
                  								_push("Failed to clear variable.");
                  								goto L46;
                  							}
                  						}
                  					} else {
                  						_t148 = E003A71CF(_a8,  *((intOrPtr*)(_t143 + 0x20)),  &_v20, 0);
                  						if(_t148 >= 0) {
                  							goto L5;
                  						} else {
                  							_push("Failed to format value string.");
                  							goto L46;
                  						}
                  					}
                  				} else {
                  					_push("Failed to format key string.");
                  					L46:
                  					_push(_t148);
                  					E003E012F();
                  					if(_t148 < 0) {
                  						L47:
                  						_push(_t148);
                  						E003E061A(2, "RegistrySearchValue failed: ID \'%ls\', HRESULT 0x%x", _v12);
                  					}
                  				}
                  				E003A2793(_v12);
                  				E003A2793(_v20);
                  				if(_v16 != 0) {
                  					RegCloseKey(_v16);
                  					_v16 = _v16 & 0x00000000;
                  				}
                  				if(_t131 != 0) {
                  					E003A3999(_t131);
                  				}
                  				E003C0499( &_v48);
                  				return _t148;
                  			}


























                  0x003aa3d2
                  0x003aa370
                  0x003aa381
                  0x003aa385
                  0x00000000
                  0x003aa387
                  0x003aa387
                  0x00000000
                  0x003aa387
                  0x003aa385
                  0x003aa361
                  0x003aa361
                  0x003aa62e
                  0x003aa62e
                  0x003aa62f
                  0x003aa638
                  0x003aa63a
                  0x003aa63a
                  0x003aa645
                  0x003aa64a
                  0x003aa638
                  0x003aa650
                  0x003aa658
                  0x003aa661
                  0x003aa666
                  0x003aa66c
                  0x003aa66c
                  0x003aa672
                  0x003aa675
                  0x003aa675
                  0x003aa67e
                  0x003aa68b

                  APIs
                  • _MREFOpen@16.MSPDB140-MSVCRT ref: 003AA356
                  • _MREFOpen@16.MSPDB140-MSVCRT ref: 003AA37C
                  • RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 003AA666
                  Strings
                  • Failed to read registry value., xrefs: 003AA5F4
                  • @Mxt, xrefs: 003AA5AD
                  • Failed to get expand environment string., xrefs: 003AA5DB
                  • Failed to allocate string buffer., xrefs: 003AA565
                  • Unsupported registry key value type. Type = '%u', xrefs: 003AA506
                  • Failed to allocate memory registry value., xrefs: 003AA487
                  • Failed to clear variable., xrefs: 003AA3D4
                  • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 003AA418
                  • Failed to format value string., xrefs: 003AA387
                  • Failed to set variable., xrefs: 003AA629
                  • RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 003AA63E
                  • Failed to open registry key., xrefs: 003AA3E9
                  • Failed to format key string., xrefs: 003AA361
                  • Failed to query registry key value., xrefs: 003AA4D8
                  • search.cpp, xrefs: 003AA44A, 003AA47D, 003AA4CE, 003AA5D1
                  • Failed to query registry key value size., xrefs: 003AA454
                  • Registry key not found. Key = '%ls', xrefs: 003AA3B0
                  • Failed to change value type., xrefs: 003AA60D
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Open@16$Close
                  • String ID: @Mxt$Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
                  • API String ID: 2348241696-793903078
                  • Opcode ID: 8f4256619f06ce7024ebd47873bda8db1bd18b651107c54cdb575c1d75954d95
                  • Instruction ID: 80da94922e30ed491bacdc6a5c6e9219497f4d48705f675e0ed391445e8919f5
                  • Opcode Fuzzy Hash: 8f4256619f06ce7024ebd47873bda8db1bd18b651107c54cdb575c1d75954d95
                  • Instruction Fuzzy Hash: 5BA10973D40A69BBDF279AA5CC45EEE7AADEF06310F114225F900BA190D7758E00DB92
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 56%
                  			E003CD22C(void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, DWORD* _a20) {
                  				signed int _v8;
                  				char _v88;
                  				char _v104;
                  				char _v108;
                  				char _v112;
                  				char _v116;
                  				struct _SECURITY_ATTRIBUTES* _v120;
                  				signed short _v124;
                  				intOrPtr _v128;
                  				intOrPtr _v132;
                  				struct _PROCESS_INFORMATION _v148;
                  				intOrPtr _v152;
                  				WCHAR* _v156;
                  				DWORD* _v160;
                  				intOrPtr _v164;
                  				void* _v168;
                  				signed int _v172;
                  				signed short _v176;
                  				signed int _v180;
                  				char _v184;
                  				struct _STARTUPINFOW _v252;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t73;
                  				signed int _t84;
                  				signed short _t86;
                  				signed short _t89;
                  				signed short _t100;
                  				signed short _t104;
                  				signed short _t105;
                  				long _t119;
                  				signed short _t123;
                  				signed short _t124;
                  				signed short _t127;
                  				void* _t134;
                  				DWORD* _t139;
                  				signed short _t140;
                  				void* _t143;
                  				void* _t147;
                  				signed short _t156;
                  				signed short _t159;
                  				signed short _t162;
                  				signed int _t163;
                  
                  				_t143 = __edx;
                  				_t73 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t73 ^ _t163;
                  				_v156 = _a4;
                  				_v152 = _a8;
                  				_v132 = _a12;
                  				_v128 = _a16;
                  				_v160 = _a20;
                  				asm("stosd");
                  				_t133 = 0;
                  				_v116 = 0;
                  				asm("stosd");
                  				_v112 = 0;
                  				_v120 = 0;
                  				_v108 = 0;
                  				asm("stosd");
                  				asm("stosd");
                  				E003CF670( &_v104,  &_v252, 0, 0x44);
                  				_v124 = 0;
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_t84 =  &_v104;
                  				__imp__UuidCreate(_t84);
                  				if((_t84 | 0x00000001) >= 0) {
                  					_t86 =  &_v104;
                  					__imp__StringFromGUID2(_t86,  &_v88, 0x27);
                  					__eflags = _t86;
                  					if(_t86 != 0) {
                  						_t89 = E003A1F20( &_v112, L"NetFxSection.%ls",  &_v88);
                  						__eflags = _t89;
                  						if(_t89 >= 0) {
                  							__eflags = E003A1F20( &_v116, L"NetFxEvent.%ls",  &_v88);
                  							if(__eflags >= 0) {
                  								_t153 = E003CCC24(0, _t134, __eflags, _v112, _v116,  &_v108);
                  								__eflags = _t153;
                  								if(_t153 >= 0) {
                  									_push(_v112);
                  									_t153 = E003A1F62( &_v120, L"%ls /pipe %ls", _v152);
                  									__eflags = _t153;
                  									if(_t153 >= 0) {
                  										_t146 = _v156;
                  										_v252.cb = 0x44;
                  										_t100 = CreateProcessW(_v156, _v120, 0, 0, 0, 0x8000000, 0, 0,  &_v252,  &_v148);
                  										__eflags = _t100;
                  										if(_t100 != 0) {
                  											_t133 = _v108;
                  											_t146 = WaitForMultipleObjects;
                  											_v168 = _v148.hProcess;
                  											_v164 =  *((intOrPtr*)(_v108 + 4));
                  											while(1) {
                  												_t104 = WaitForMultipleObjects(2,  &_v168, 0, 0x64);
                  												__eflags = _t104;
                  												if(_t104 == 0) {
                  													break;
                  												}
                  												__eflags = _t104 - 1;
                  												if(_t104 != 1) {
                  													__eflags = _t104 - 0xffffffff;
                  													if(_t104 == 0xffffffff) {
                  														_t105 = GetLastError();
                  														__eflags = _t105;
                  														_t156 =  <=  ? _t105 : _t105 & 0x0000ffff | 0x80070000;
                  														__eflags = _t156;
                  														_t153 =  >=  ? 0x80004005 : _t156;
                  														E003A37D3(0x80004005, "NetFxChainer.cpp", 0x19e, _t153);
                  														_push("Failed to wait for netfx chainer process to complete");
                  														L2:
                  														_push(_t153);
                  														E003E012F();
                  														L29:
                  														if(_v112 != 0) {
                  															E003E54EF(_v112);
                  														}
                  														if(_v116 != 0) {
                  															E003E54EF(_v116);
                  														}
                  														E003A2793(_v120);
                  														E003CCEF5(_t133, _t146, _t133);
                  														_t147 = CloseHandle;
                  														if(_v148.hThread != 0) {
                  															CloseHandle(_v148.hThread);
                  															_v148.hThread = _v148.hThread & 0x00000000;
                  														}
                  														if(_v148.hProcess != 0) {
                  															CloseHandle(_v148.hProcess);
                  														}
                  														return E003CDE36(_t133, _v8 ^ _t163, _t143, _t147, _t153);
                  													}
                  													continue;
                  												}
                  												_t153 = E003CD12C(_t133, _v132, _v128);
                  												__eflags = _t153;
                  												if(_t153 >= 0) {
                  													continue;
                  												}
                  												_push("Failed to process netfx chainer message.");
                  												goto L2;
                  											}
                  											_t119 = E003CCFFC(_t133,  &_v124);
                  											_t139 = _v160;
                  											 *_t139 = _t119;
                  											__eflags = _t119 - 0x8000000a;
                  											if(_t119 != 0x8000000a) {
                  												_t140 = _v124;
                  												__eflags = _t140;
                  												if(_t140 < 0) {
                  													_t146 =  &_v184;
                  													asm("stosd");
                  													asm("stosd");
                  													asm("stosd");
                  													asm("stosd");
                  													_v180 = _v180 & 0x00000000;
                  													_t56 =  &_v172;
                  													 *_t56 = _v172 & 0x00000000;
                  													__eflags =  *_t56;
                  													_v184 = 1;
                  													_v176 = _t140;
                  													_v132( &_v184, _v128);
                  												}
                  												goto L29;
                  											}
                  											_t123 = GetExitCodeProcess(_v148, _t139);
                  											__eflags = _t123;
                  											if(_t123 != 0) {
                  												goto L29;
                  											}
                  											_t124 = GetLastError();
                  											__eflags = _t124;
                  											_t159 =  <=  ? _t124 : _t124 & 0x0000ffff | 0x80070000;
                  											__eflags = _t159;
                  											_t153 =  >=  ? 0x80004005 : _t159;
                  											E003A37D3(0x80004005, "NetFxChainer.cpp", 0x18a, _t153);
                  											_push("Failed to get netfx return code.");
                  											goto L2;
                  										}
                  										_t127 = GetLastError();
                  										__eflags = _t127;
                  										_t162 =  <=  ? _t127 : _t127 & 0x0000ffff | 0x80070000;
                  										__eflags = _t162;
                  										_t153 =  >=  ? 0x80004005 : _t162;
                  										E003A37D3(0x80004005, "NetFxChainer.cpp", 0x17a,  >=  ? 0x80004005 : _t162);
                  										E003E012F( >=  ? 0x80004005 : _t162, "Failed to CreateProcess on path: %ls", _t146);
                  										L12:
                  										_t133 = _v108;
                  										goto L29;
                  									}
                  									_push("Failed to allocate netfx chainer arguments.");
                  									L11:
                  									_push(_t153);
                  									E003E012F();
                  									goto L12;
                  								}
                  								_push("Failed to create netfx chainer.");
                  								goto L11;
                  							}
                  							_push("Failed to allocate event name.");
                  							goto L2;
                  						}
                  						_push("Failed to allocate section name.");
                  						goto L2;
                  					}
                  					_t153 = 0x8007000e;
                  					E003A37D3(_t86, "NetFxChainer.cpp", 0x168, 0x8007000e);
                  					_push("Failed to convert netfx chainer guid into string.");
                  					goto L2;
                  				}
                  				_push("Failed to create netfx chainer guid.");
                  				goto L2;
                  			}

                  APIs
                  • UuidCreate.RPCRT4(?), ref: 003CD2A7
                  • StringFromGUID2.OLE32(?,?,00000027), ref: 003CD2D0
                  • CreateProcessW.KERNEL32 ref: 003CD3BC
                  • GetLastError.KERNEL32(?,?,?,?), ref: 003CD3C6
                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00000064,?,?,?,?), ref: 003CD45B
                  • GetExitCodeProcess.KERNEL32 ref: 003CD485
                  • GetLastError.KERNEL32(?,?,?,?), ref: 003CD493
                  • GetLastError.KERNEL32(?,?,?,?), ref: 003CD4CB
                    • Part of subcall function 003CD12C: WaitForSingleObject.KERNEL32(?,000000FF,747DF730,00000000,?,?,?,?,003CD439,?), ref: 003CD145
                    • Part of subcall function 003CD12C: ReleaseMutex.KERNEL32(?,?,?,?,003CD439,?), ref: 003CD161
                    • Part of subcall function 003CD12C: WaitForSingleObject.KERNEL32(?,000000FF), ref: 003CD1A4
                    • Part of subcall function 003CD12C: ReleaseMutex.KERNEL32(?), ref: 003CD1BB
                    • Part of subcall function 003CD12C: SetEvent.KERNEL32(?), ref: 003CD1C4
                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 003CD580
                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 003CD598
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorLastWait$CloseCreateHandleMutexObjectProcessReleaseSingle$CodeEventExitFromMultipleObjectsStringUuid
                  • String ID: %ls /pipe %ls$@Mxt$D$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to wait for netfx chainer process to complete$NetFxChainer.cpp$NetFxEvent.%ls$NetFxSection.%ls
                  • API String ID: 2531618940-3300396495
                  • Opcode ID: 0aaaf4f705a9a063247b8e8df4ec4516717842351e4b055d0aee969cdfb3876c
                  • Instruction ID: e9e68e7f2358eb01420f1d6ef282e53bb6ae7fce5588c5711b75e99829c6d38e
                  • Opcode Fuzzy Hash: 0aaaf4f705a9a063247b8e8df4ec4516717842351e4b055d0aee969cdfb3876c
                  • Instruction Fuzzy Hash: CBA19F71D40328ABEB229BA5CC45FAEB7B9AF04310F11017AF909FB191DB759E408F91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 63%
                  			E003A567D(struct _CRITICAL_SECTION* _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr _a20) {
                  				signed int _v8;
                  				char _v12;
                  				char _v16;
                  				char _v20;
                  				signed int _v24;
                  				signed int _v28;
                  				signed int _v32;
                  				char _v36;
                  				intOrPtr _v40;
                  				intOrPtr _t138;
                  				WCHAR* _t141;
                  				intOrPtr _t143;
                  				WCHAR* _t144;
                  				signed short _t156;
                  				signed short _t162;
                  				intOrPtr _t168;
                  				signed short _t169;
                  				WCHAR* _t190;
                  				intOrPtr _t199;
                  				signed int _t215;
                  				void* _t216;
                  				char _t219;
                  				void* _t221;
                  				char _t227;
                  				intOrPtr* _t228;
                  				signed int _t229;
                  				intOrPtr* _t237;
                  				WCHAR* _t238;
                  				signed int _t239;
                  				WCHAR* _t240;
                  				signed int _t241;
                  				signed int _t242;
                  				WCHAR* _t243;
                  				intOrPtr _t244;
                  				WCHAR* _t248;
                  				WCHAR* _t249;
                  				intOrPtr _t250;
                  				void* _t265;
                  
                  				_t215 = 0;
                  				_v16 = 0;
                  				_v12 = 0;
                  				_v24 = 0;
                  				_v8 = 0;
                  				_v20 = 0;
                  				_v36 = 0;
                  				_v32 = 0;
                  				EnterCriticalSection(_a4);
                  				_t238 = _a8;
                  				_t248 = E003A1EDE( &_v16, lstrlenW(_t238) + 1);
                  				_a8 = _t248;
                  				if(_t248 >= 0) {
                  					while(1) {
                  						_push(0x5b);
                  						_t216 = E003CF7CA(_t219);
                  						_t221 = _t238;
                  						if(_t216 == 0) {
                  							break;
                  						}
                  						_t12 = _t216 + 2; // 0x2
                  						_push(0x5d);
                  						_t138 = E003CF7CA(_t221);
                  						_v40 = _t138;
                  						if(_t138 == 0) {
                  							break;
                  						}
                  						_t219 = (_t138 - _t216 >> 1) - 1;
                  						_v20 = _t219;
                  						if(_t219 != 0) {
                  							if(_t216 <= _t238) {
                  								L12:
                  								_t26 = _t216 + 2; // 0x2
                  								_v28 = 0 | _a20 == 0x00000000;
                  								_t249 = E003A8281(_a20 == 0,  &_v12, _t26, _t219);
                  								_a8 = _t249;
                  								if(_t249 < 0) {
                  									_push("Failed to get variable name.");
                  									L7:
                  									_push(_t249);
                  									L8:
                  									E003E012F();
                  									L66:
                  									_t215 = _v8;
                  									goto L67;
                  								}
                  								_t219 = _v24;
                  								_push(1);
                  								_push(4 + _v8 * 4);
                  								if(_t219 == 0) {
                  									_t244 = E003A38D4();
                  									_v24 = _t244;
                  									if(_t244 == 0) {
                  										_t243 = 0x8007000e;
                  										_t249 = 0x8007000e;
                  										_a8 = 0x8007000e;
                  										E003A37D3(_t180, "variable.cpp", 0x4b6, 0x8007000e);
                  										_push("Failed to allocate variable array.");
                  										L37:
                  										_push(_t243);
                  										goto L8;
                  									}
                  									L17:
                  									if(_v20 < 2) {
                  										L20:
                  										if(_a20 == 0) {
                  											L22:
                  											_t215 = _v8;
                  											if(_v36 == 0) {
                  												_t245 = _t244 + _t215 * 4;
                  												_t249 = E003A7203(_t219, _a4, _v12, _t244 + _t215 * 4);
                  												_a8 = _t249;
                  												if(_t249 != 0x80070490) {
                  													L27:
                  													_t246 = _v28;
                  													L28:
                  													if(_t249 < 0) {
                  														_push("Failed to set variable value.");
                  														goto L2;
                  													}
                  													_t215 = _t215 + 1;
                  													_v8 = _t215;
                  													_t249 = E003A8260(_t246,  &_v12, L"[%d]", _t215);
                  													_t265 = _t265 + 0x10;
                  													_a8 = _t249;
                  													if(_t249 < 0) {
                  														_push("Failed to format placeholder string.");
                  														goto L2;
                  													}
                  													_t249 = E003A823E(_t246,  &_v16, _v12, 0);
                  													_a8 = _t249;
                  													if(_t249 < 0) {
                  														_push("Failed to append placeholder.");
                  														goto L2;
                  													}
                  													L31:
                  													_t238 = _v40 + 2;
                  													continue;
                  												}
                  												_t190 = E003A22F9(_t245, 0x3eb524, 0);
                  												L26:
                  												_t249 = _t190;
                  												_a8 = _t249;
                  												goto L27;
                  											}
                  											_t190 = E003A21A5(_t244 + _t215 * 4, L"*****", 0);
                  											goto L26;
                  										}
                  										_t249 = E003A7E13(_t219, _a4, _v12,  &_v36);
                  										_a8 = _t249;
                  										if(_t249 < 0) {
                  											E003E012F(_t249, "Failed to determine variable visibility: \'%ls\'.", _v12);
                  											goto L66;
                  										}
                  										goto L22;
                  									}
                  									_t219 = 0x5c;
                  									if(_t219 !=  *((intOrPtr*)(_t216 + 2))) {
                  										goto L20;
                  									}
                  									_t41 = _t216 + 4; // 0x4
                  									_t215 = _v8;
                  									_t246 = _v28;
                  									_t249 = E003A8281(_v28, _t244 + _t215 * 4, _t41, 1);
                  									_a8 = _t249;
                  									goto L28;
                  								}
                  								_push(_t219);
                  								_t199 = E003A3A72();
                  								if(_t199 == 0) {
                  									_t243 = 0x8007000e;
                  									_t249 = 0x8007000e;
                  									_a8 = 0x8007000e;
                  									E003A37D3(_t199, "variable.cpp", 0x4b0, 0x8007000e);
                  									_push("Failed to reallocate variable array.");
                  									goto L37;
                  								}
                  								_t244 = _t199;
                  								_v24 = _t244;
                  								goto L17;
                  							}
                  							_t249 = E003A823E(0 | _a20 == 0x00000000,  &_v16, _t238, _t216 - _t238 >> 1);
                  							_a8 = _t249;
                  							if(_t249 < 0) {
                  								L6:
                  								_push("Failed to append string.");
                  								goto L7;
                  							} else {
                  								_t219 = _v20;
                  								goto L12;
                  							}
                  						}
                  						_t249 = E003A823E(0 | _a20 == 0x00000000,  &_v16, _t238, (_t138 - _t238 >> 1) + 1);
                  						_a8 = _t249;
                  						if(_t249 >= 0) {
                  							goto L31;
                  						}
                  						goto L6;
                  					}
                  					_t218 = 0 | _a20 == 0x00000000;
                  					_t141 = E003A823E(_a20 == 0,  &_v16, _t238, 0);
                  					_t249 = _t141;
                  					_a8 = _t249;
                  					if(_t249 < 0) {
                  						goto L6;
                  					}
                  					_push(_v8);
                  					L003DF3D0();
                  					_t240 = _t141;
                  					_v32 = _t240;
                  					if(_t240 != 0) {
                  						_push(_v16);
                  						_push(0);
                  						_push(_t240);
                  						L003DF3E0();
                  						if(0 == 0) {
                  							_t227 = 0;
                  							_t241 = 0;
                  							if(_v8 <= 0) {
                  								L53:
                  								_t242 = _v32;
                  								_t156 =  &_v20;
                  								_push(_t156);
                  								_push(0x3eb524);
                  								_push(_t242);
                  								_push(_t227);
                  								_v20 = _t227;
                  								L003DF3F0();
                  								if(_t156 == 0xea || _t156 == 0) {
                  									if(_a12 == 0) {
                  										L64:
                  										_t228 = _a16;
                  										if(_t228 != 0) {
                  											 *_t228 = _v20;
                  										}
                  										goto L66;
                  									}
                  									_v20 = _v20 + 1;
                  									_t249 = E003A821F(_t218,  &_v12, _v20 + 1);
                  									_a8 = _t249;
                  									if(_t249 >= 0) {
                  										_t162 =  &_v20;
                  										_push(_t162);
                  										_push(_v12);
                  										_push(_t242);
                  										_push(0);
                  										L003DF3F0();
                  										if(_t162 == 0) {
                  											_t249 = E003A8281(_t218, _a12, _v12, 0);
                  											_a8 = _t249;
                  											if(_t249 >= 0) {
                  												goto L64;
                  											}
                  											_push("Failed to copy string.");
                  											goto L7;
                  										}
                  										_t254 =  <=  ? _t162 : _t162 & 0x0000ffff | 0x80070000;
                  										_t249 =  >=  ? 0x80004005 :  <=  ? _t162 : _t162 & 0x0000ffff | 0x80070000;
                  										_a8 = _t249;
                  										E003A37D3(0x80004005, "variable.cpp", 0x508, _t249);
                  										_push("Failed to format record.");
                  										goto L7;
                  									}
                  									_push("Failed to allocate string.");
                  								} else {
                  									_t257 =  <=  ? _t156 : _t156 & 0x0000ffff | 0x80070000;
                  									_t249 =  >=  ? 0x80004005 :  <=  ? _t156 : _t156 & 0x0000ffff | 0x80070000;
                  									_a8 = _t249;
                  									E003A37D3(0x80004005, "variable.cpp", 0x4fe, _t249);
                  									_push("Failed to get formatted length.");
                  								}
                  								goto L7;
                  							}
                  							_t168 = _v24;
                  							_t229 = _v8;
                  							do {
                  								_t237 =  *((intOrPtr*)(_t168 + _t241 * 4));
                  								_t249 = _a8;
                  								if( *_t237 == 0) {
                  									goto L51;
                  								}
                  								_push(_t237);
                  								_t89 = _t241 + 1; // 0x1
                  								_t169 = _t89;
                  								_push(_t169);
                  								_push(_v32);
                  								L003DF3E0();
                  								if(_t169 != 0) {
                  									_t261 =  <=  ? _t169 : _t169 & 0x0000ffff | 0x80070000;
                  									_t249 =  >=  ? 0x80004005 :  <=  ? _t169 : _t169 & 0x0000ffff | 0x80070000;
                  									_a8 = _t249;
                  									E003A37D3(0x80004005, "variable.cpp", 0x4f2, _t249);
                  									_push("Failed to set record string.");
                  									goto L7;
                  								}
                  								_t168 = _v24;
                  								_t229 = _v8;
                  								L51:
                  								_t241 = _t241 + 1;
                  							} while (_t241 < _t229);
                  							_t227 = 0;
                  							goto L53;
                  						}
                  						_t264 =  <=  ? 0 : 0xffffffff80070000;
                  						_t249 =  >=  ? 0x80004005 :  <=  ? 0 : 0xffffffff80070000;
                  						_a8 = _t249;
                  						E003A37D3(0x80004005, "variable.cpp", 0x4ea, _t249);
                  						_push("Failed to set record format string.");
                  						goto L7;
                  					}
                  					_t243 = 0x8007000e;
                  					_t249 = 0x8007000e;
                  					_a8 = 0x8007000e;
                  					E003A37D3(_t141, "variable.cpp", 0x4e6, 0x8007000e);
                  					_push("Failed to allocate record.");
                  					goto L37;
                  				} else {
                  					_push("Failed to allocate buffer for format string.");
                  					L2:
                  					_push(_t249);
                  					E003E012F();
                  					L67:
                  					LeaveCriticalSection(_a4);
                  					_t143 = _v24;
                  					if(_t143 == 0) {
                  						L77:
                  						_t144 = _v32;
                  						if(_t144 != 0) {
                  							_push(_t144);
                  							L003DF3C0();
                  						}
                  						if(_a20 == 0) {
                  							E003A2793(0);
                  							E003A2793(_v16);
                  							E003A2793(_v12);
                  						} else {
                  							if(_v16 != 0) {
                  								E003E54EF(_v16);
                  							}
                  							if(_v12 != 0) {
                  								E003E54EF(_v12);
                  							}
                  						}
                  						return _t249;
                  					}
                  					_t239 = 0;
                  					if(_t215 == 0) {
                  						L76:
                  						E003A3999(_t143);
                  						goto L77;
                  					}
                  					_t250 = _t143;
                  					do {
                  						if(_a20 == 0) {
                  							E003A2793( *((intOrPtr*)(_t250 + _t239 * 4)));
                  						} else {
                  							if( *((intOrPtr*)(_t250 + _t239 * 4)) != 0) {
                  								E003E54EF( *((intOrPtr*)(_t250 + _t239 * 4)));
                  							}
                  						}
                  						_t239 = _t239 + 1;
                  					} while (_t239 < _t215);
                  					_t249 = _a8;
                  					_t143 = _v24;
                  					goto L76;
                  				}
                  			}

                  APIs
                  • EnterCriticalSection.KERNEL32(000002C0,00000100,00000100,00000000,00000000,?,003A99BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 003A56A2
                  • lstrlenW.KERNEL32(00000000,?,003A99BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0,00000100), ref: 003A56AC
                  • _wcschr.LIBVCRUNTIME ref: 003A58B4
                  • LeaveCriticalSection.KERNEL32(000002C0,00000000,00000000,00000000,00000000,00000000,00000001,?,003A99BB,000002C0,?,00000000,00000000,000002C0,00000100,000002C0), ref: 003A5B56
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterLeave_wcschrlstrlen
                  • String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp
                  • API String ID: 1026845265-2050445661
                  • Opcode ID: e1d1f1b436df9f7a21ea66af213b8dc10c8ac46788a93cc11f6e63a554096a7c
                  • Instruction ID: d47d13470a00ec6355ef230bef0319ac8d3926e2074737ae53559a7db9b4c3d4
                  • Opcode Fuzzy Hash: e1d1f1b436df9f7a21ea66af213b8dc10c8ac46788a93cc11f6e63a554096a7c
                  • Instruction Fuzzy Hash: 50F1A472E00729EFDB13DFA58841AAF77A8EF05750F15422AFD05BB280D7349E018BA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 26%
                  			E003E15CB(void* __edx) {
                  				signed int _v8;
                  				char* _v12;
                  				int _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				char* _v44;
                  				int _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				char* _v76;
                  				int _v96;
                  				intOrPtr _v100;
                  				intOrPtr _v104;
                  				char* _v108;
                  				int _v128;
                  				intOrPtr _v132;
                  				intOrPtr _v136;
                  				void* _v140;
                  				int _v160;
                  				intOrPtr _v164;
                  				char _v168;
                  				void _v240;
                  				char _v312;
                  				char _v384;
                  				char _v456;
                  				char _v528;
                  				char _v532;
                  				int _v536;
                  				struct _SECURITY_DESCRIPTOR _v556;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t65;
                  				signed short _t103;
                  				struct _SECURITY_DESCRIPTOR* _t112;
                  				signed short _t116;
                  				void* _t117;
                  				signed short _t119;
                  				signed short _t120;
                  				signed short _t121;
                  				signed short _t122;
                  				signed short _t123;
                  				signed short _t124;
                  				signed short _t125;
                  				signed short _t126;
                  				intOrPtr _t128;
                  				void* _t131;
                  				char _t133;
                  				intOrPtr* _t134;
                  				intOrPtr _t135;
                  				signed int _t167;
                  
                  				_t131 = __edx;
                  				_t65 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t65 ^ _t167;
                  				_v556.Revision = 0;
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosw");
                  				asm("stosb");
                  				E003CF670( &(_v556.Sbz1),  &_v168, 0, 0xa0);
                  				_t133 = 0x48;
                  				_v536 = 0;
                  				E003CF670(_t133,  &_v240, 0, _t133);
                  				E003CF670(_t133,  &_v312, 0, _t133);
                  				E003CF670(_t133,  &_v384, 0, _t133);
                  				E003CF670(_t133,  &_v456, 0, _t133);
                  				E003CF670(_t133,  &_v528, 0, _t133);
                  				_v532 = 0;
                  				if(InitializeSecurityDescriptor( &_v556, 1) != 0) {
                  					_t134 = __imp__CreateWellKnownSid;
                  					_push( &_v532);
                  					_v532 = _t133;
                  					_push( &_v240);
                  					_push(0);
                  					_push(0x1a);
                  					if( *_t134() != 0) {
                  						_v532 = _t133;
                  						_push( &_v532);
                  						_push( &_v312);
                  						_push(0);
                  						_push(0x17);
                  						if( *_t134() != 0) {
                  							_v532 = _t133;
                  							_push( &_v532);
                  							_push( &_v384);
                  							_push(0);
                  							_push(0x18);
                  							if( *_t134() != 0) {
                  								_v532 = _t133;
                  								_push( &_v532);
                  								_push( &_v456);
                  								_push(0);
                  								_push(0x10);
                  								if( *_t134() != 0) {
                  									_v532 = _t133;
                  									_push( &_v532);
                  									_push( &_v528);
                  									_push(0);
                  									_push(0x16);
                  									if( *_t134() != 0) {
                  										asm("movaps xmm0, [0x406480]");
                  										_v140 =  &_v240;
                  										_v108 =  &_v312;
                  										_t128 = 3;
                  										_v76 =  &_v384;
                  										_t135 = 2;
                  										asm("movups [ebp-0x98], xmm0");
                  										_v44 =  &_v456;
                  										asm("movaps xmm0, [0x406480]");
                  										asm("movups [ebp-0x78], xmm0");
                  										_v12 =  &_v528;
                  										asm("movaps xmm0, [0x406480]");
                  										asm("movups [ebp-0x58], xmm0");
                  										_t103 =  &_v168;
                  										_v168 = _t128;
                  										asm("movaps xmm0, [0x406480]");
                  										asm("movups [ebp-0x38], xmm0");
                  										asm("movaps xmm0, [0x406480]");
                  										_v164 = _t135;
                  										_v160 = 0;
                  										_v136 = _t128;
                  										_v132 = _t135;
                  										_v128 = 0;
                  										_v104 = _t128;
                  										_v100 = _t135;
                  										_v96 = 0;
                  										_v72 = _t128;
                  										_v68 = _t135;
                  										_v64 = 0;
                  										_v40 = _t128;
                  										_v36 = _t135;
                  										_v32 = 0;
                  										asm("movups [ebp-0x18], xmm0");
                  										__imp__SetEntriesInAclA(5, _t103, 0,  &_v536);
                  										if(_t103 == 0) {
                  											if(SetSecurityDescriptorOwner( &_v556,  &_v240, 0) != 0) {
                  												if(SetSecurityDescriptorGroup( &_v556,  &_v240, 0) != 0) {
                  													if(SetSecurityDescriptorDacl( &_v556, 1, _v536, 0) != 0) {
                  														_t112 =  &_v556;
                  														__imp__CoInitializeSecurity(_t112, 0xffffffff, 0, 0, 6, _t135, 0, 0x3000, 0);
                  														_t136 = _t112;
                  													} else {
                  														_t116 = GetLastError();
                  														_t139 =  <=  ? _t116 : _t116 & 0x0000ffff | 0x80070000;
                  														_t117 = 0x80004005;
                  														_t136 =  >=  ? 0x80004005 :  <=  ? _t116 : _t116 & 0x0000ffff | 0x80070000;
                  														_push( >=  ? 0x80004005 :  <=  ? _t116 : _t116 & 0x0000ffff | 0x80070000);
                  														_push(0xdf);
                  														goto L2;
                  													}
                  												} else {
                  													_t119 = GetLastError();
                  													_t142 =  <=  ? _t119 : _t119 & 0x0000ffff | 0x80070000;
                  													_t117 = 0x80004005;
                  													_t136 =  >=  ? 0x80004005 :  <=  ? _t119 : _t119 & 0x0000ffff | 0x80070000;
                  													_push( >=  ? 0x80004005 :  <=  ? _t119 : _t119 & 0x0000ffff | 0x80070000);
                  													_push(0xd9);
                  													goto L2;
                  												}
                  											} else {
                  												_t120 = GetLastError();
                  												_t145 =  <=  ? _t120 : _t120 & 0x0000ffff | 0x80070000;
                  												_t117 = 0x80004005;
                  												_t136 =  >=  ? 0x80004005 :  <=  ? _t120 : _t120 & 0x0000ffff | 0x80070000;
                  												_push( >=  ? 0x80004005 :  <=  ? _t120 : _t120 & 0x0000ffff | 0x80070000);
                  												_push(0xd3);
                  												goto L2;
                  											}
                  										} else {
                  											_t148 =  <=  ? _t103 : _t103 & 0x0000ffff | 0x80070000;
                  											_t117 = 0x80004005;
                  											_t136 =  >=  ? 0x80004005 :  <=  ? _t103 : _t103 & 0x0000ffff | 0x80070000;
                  											_push( >=  ? 0x80004005 :  <=  ? _t103 : _t103 & 0x0000ffff | 0x80070000);
                  											_push(0xce);
                  											goto L2;
                  										}
                  									} else {
                  										_t121 = GetLastError();
                  										_t151 =  <=  ? _t121 : _t121 & 0x0000ffff | 0x80070000;
                  										_t117 = 0x80004005;
                  										_t136 =  >=  ? 0x80004005 :  <=  ? _t121 : _t121 & 0x0000ffff | 0x80070000;
                  										_push( >=  ? 0x80004005 :  <=  ? _t121 : _t121 & 0x0000ffff | 0x80070000);
                  										_push(0x9a);
                  										goto L2;
                  									}
                  								} else {
                  									_t122 = GetLastError();
                  									_t154 =  <=  ? _t122 : _t122 & 0x0000ffff | 0x80070000;
                  									_t117 = 0x80004005;
                  									_t136 =  >=  ? 0x80004005 :  <=  ? _t122 : _t122 & 0x0000ffff | 0x80070000;
                  									_push( >=  ? 0x80004005 :  <=  ? _t122 : _t122 & 0x0000ffff | 0x80070000);
                  									_push(0x93);
                  									goto L2;
                  								}
                  							} else {
                  								_t123 = GetLastError();
                  								_t157 =  <=  ? _t123 : _t123 & 0x0000ffff | 0x80070000;
                  								_t117 = 0x80004005;
                  								_t136 =  >=  ? 0x80004005 :  <=  ? _t123 : _t123 & 0x0000ffff | 0x80070000;
                  								_push( >=  ? 0x80004005 :  <=  ? _t123 : _t123 & 0x0000ffff | 0x80070000);
                  								_push(0x8c);
                  								goto L2;
                  							}
                  						} else {
                  							_t124 = GetLastError();
                  							_t160 =  <=  ? _t124 : _t124 & 0x0000ffff | 0x80070000;
                  							_t117 = 0x80004005;
                  							_t136 =  >=  ? 0x80004005 :  <=  ? _t124 : _t124 & 0x0000ffff | 0x80070000;
                  							_push( >=  ? 0x80004005 :  <=  ? _t124 : _t124 & 0x0000ffff | 0x80070000);
                  							_push(0x85);
                  							goto L2;
                  						}
                  					} else {
                  						_t125 = GetLastError();
                  						_t163 =  <=  ? _t125 : _t125 & 0x0000ffff | 0x80070000;
                  						_t117 = 0x80004005;
                  						_t136 =  >=  ? 0x80004005 :  <=  ? _t125 : _t125 & 0x0000ffff | 0x80070000;
                  						_push( >=  ? 0x80004005 :  <=  ? _t125 : _t125 & 0x0000ffff | 0x80070000);
                  						_push(0x7e);
                  						goto L2;
                  					}
                  				} else {
                  					_t126 = GetLastError();
                  					_t166 =  <=  ? _t126 : _t126 & 0x0000ffff | 0x80070000;
                  					_t117 = 0x80004005;
                  					_t136 =  >=  ? 0x80004005 :  <=  ? _t126 : _t126 & 0x0000ffff | 0x80070000;
                  					_push( >=  ? 0x80004005 :  <=  ? _t126 : _t126 & 0x0000ffff | 0x80070000);
                  					_push(0x77);
                  					L2:
                  					_push("srputil.cpp");
                  					E003A37D3(_t117);
                  				}
                  				if(_v536 != 0) {
                  					LocalFree(_v536);
                  				}
                  				return E003CDE36(0, _v8 ^ _t167, _t131, _t133, _t136);
                  			}

                  APIs
                  • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 003E166B
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003E1675
                  • CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 003E16C2
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003E16C8
                  • CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 003E1702
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003E1708
                  • CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 003E1748
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003E174E
                  • CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 003E178E
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003E1794
                  • CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 003E17D4
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 003E17DA
                  • SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 003E18BD
                  • LocalFree.KERNEL32(?), ref: 003E19DC
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorLast$CreateKnownWell$DescriptorEntriesFreeInitializeLocalSecurity
                  • String ID: @Mxt$srputil.cpp
                  • API String ID: 3627156773-3544925974
                  • Opcode ID: 3c325071dfa5c416270f2a55df1d610e2920a0a2fb913333211214fd4b987286
                  • Instruction ID: 5c105415b3b3dde5374166488d599b1049ca46313a613a800d34a208acf6659d
                  • Opcode Fuzzy Hash: 3c325071dfa5c416270f2a55df1d610e2920a0a2fb913333211214fd4b987286
                  • Instruction Fuzzy Hash: 88B12871D4137DAAEB329B658D44BEBB6FCEF08740F014266FD09F6190E7709D848AA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 72%
                  			E003B44E7(void* _a4, short* _a8, intOrPtr* _a12) {
                  				struct _OVERLAPPED* _v8;
                  				void _v12;
                  				long _v16;
                  				void _v20;
                  				long _v24;
                  				void _v28;
                  				long _t26;
                  				intOrPtr _t41;
                  				intOrPtr* _t66;
                  				void* _t69;
                  				void* _t70;
                  				void* _t71;
                  
                  				_v8 = 0;
                  				_v12 = 0;
                  				_v20 = 0;
                  				_v16 = 0;
                  				_t26 = GetCurrentProcessId();
                  				_t69 = _a4;
                  				_v28 = _t26;
                  				_v24 = 0;
                  				if(ReadFile(_t69,  &_v12, 4,  &_v16, 0) != 0) {
                  					_t31 = _v12 >> 1;
                  					if(_v12 >> 1 <= 0xff) {
                  						_t71 = E003A1EDE( &_v8, _t31 + 1);
                  						if(_t71 >= 0) {
                  							if(ReadFile(_t69, _v8, _v12,  &_v16, 0) != 0) {
                  								if(CompareStringW(0, 0, _v8, 0xffffffff, _a8, 0xffffffff) == 2) {
                  									if(ReadFile(_t69,  &_v20, 4,  &_v16, 0) != 0) {
                  										_t66 = _a12;
                  										_t41 =  *_t66;
                  										if(_t41 != 0) {
                  											if(_t41 == _v20) {
                  												goto L15;
                  											} else {
                  												_t70 = 0x8007000d;
                  												_t71 = 0x8007000d;
                  												E003A37D3(_t41, "pipe.cpp", 0x36d, 0x8007000d);
                  												_push("Verification process id from parent does not match.");
                  												goto L4;
                  											}
                  										} else {
                  											 *_t66 = _v20;
                  											L15:
                  											if(WriteFile(_t69,  &_v28, 4,  &_v24, 0) == 0) {
                  												_t74 =  <=  ? GetLastError() : _t47 & 0x0000ffff | 0x80070000;
                  												_t71 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t47 & 0x0000ffff | 0x80070000;
                  												E003A37D3(0x80004005, "pipe.cpp", 0x373, _t71);
                  												_push("Failed to inform parent process that child is running.");
                  												goto L17;
                  											}
                  										}
                  									} else {
                  										_t77 =  <=  ? GetLastError() : _t53 & 0x0000ffff | 0x80070000;
                  										_t71 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t53 & 0x0000ffff | 0x80070000;
                  										E003A37D3(0x80004005, "pipe.cpp", 0x362, _t71);
                  										_push("Failed to read verification process id from parent pipe.");
                  										goto L17;
                  									}
                  								} else {
                  									_t70 = 0x8007000d;
                  									_t71 = 0x8007000d;
                  									E003A37D3(_t37, "pipe.cpp", 0x35c, 0x8007000d);
                  									_push("Verification secret from parent does not match.");
                  									goto L4;
                  								}
                  							} else {
                  								_t80 =  <=  ? GetLastError() : _t57 & 0x0000ffff | 0x80070000;
                  								_t71 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t57 & 0x0000ffff | 0x80070000;
                  								E003A37D3(0x80004005, "pipe.cpp", 0x355, _t71);
                  								_push("Failed to read verification secret from parent pipe.");
                  								goto L17;
                  							}
                  						} else {
                  							_push("Failed to allocate buffer for verification secret.");
                  							goto L17;
                  						}
                  					} else {
                  						_t70 = 0x8007000d;
                  						_t71 = 0x8007000d;
                  						E003A37D3(_t31, "pipe.cpp", 0x34d, 0x8007000d);
                  						_push("Verification secret from parent is too big.");
                  						L4:
                  						_push(_t70);
                  						goto L18;
                  					}
                  				} else {
                  					_t83 =  <=  ? GetLastError() : _t61 & 0x0000ffff | 0x80070000;
                  					_t71 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t61 & 0x0000ffff | 0x80070000;
                  					E003A37D3(0x80004005, "pipe.cpp", 0x347, _t71);
                  					_push("Failed to read size of verification secret from parent pipe.");
                  					L17:
                  					_push(_t71);
                  					L18:
                  					E003E012F();
                  				}
                  				if(_v8 != 0) {
                  					E003E54EF(_v8);
                  				}
                  				return _t71;
                  			}

                  APIs
                  • GetCurrentProcessId.KERNEL32(?,8000FFFF,feclient.dll,?,003B49FE,003EB4D8,?,feclient.dll,00000000,?,?), ref: 003B44FE
                  • ReadFile.KERNEL32(feclient.dll,feclient.dll,00000004,?,00000000,?,003B49FE,003EB4D8,?,feclient.dll,00000000,?,?), ref: 003B451F
                  • GetLastError.KERNEL32(?,003B49FE,003EB4D8,?,feclient.dll,00000000,?,?), ref: 003B4525
                  • WriteFile.KERNEL32(feclient.dll,?,00000004,003B49FE,00000000,?,003B49FE,003EB4D8,?,feclient.dll,00000000,?,?), ref: 003B468E
                  • GetLastError.KERNEL32(?,003B49FE,003EB4D8,?,feclient.dll,00000000,?,?), ref: 003B4698
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorFileLast$CurrentProcessReadWrite
                  • String ID: @Mxt$Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$feclient.dll$msasn1.dll$pipe.cpp
                  • API String ID: 3008747291-25624629
                  • Opcode ID: b435a60569506a2b5a9600f2dae24fd104ae36f89c1675eaf5bd755863351094
                  • Instruction ID: e8f7c5cc957db7cb4de3f980eb7adc9f65a8733ee8decc7c51882c681987073e
                  • Opcode Fuzzy Hash: b435a60569506a2b5a9600f2dae24fd104ae36f89c1675eaf5bd755863351094
                  • Instruction Fuzzy Hash: 8451C372A40319BBE7239AA58C81FFBB6ACEB05750F114216FF11EA591D7348E0086E5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E003B84C4(void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16) {
                  				signed int _v8;
                  				char _v20;
                  				WCHAR* _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t25;
                  				void* _t31;
                  				signed short _t51;
                  				signed short _t54;
                  				signed short _t57;
                  				signed short _t62;
                  				intOrPtr _t66;
                  				WCHAR* _t67;
                  				void* _t73;
                  				void* _t75;
                  				signed int _t91;
                  
                  				_t73 = __edx;
                  				_t25 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t25 ^ _t91;
                  				_t67 = _a12;
                  				_t66 = _a16;
                  				_t76 = _a4;
                  				_v28 = _a8;
                  				_v32 = _a4;
                  				asm("stosd");
                  				asm("stosd");
                  				_v24 = _t67;
                  				asm("stosd");
                  				_t75 = CreateFileW(_t67, 0x40000000, 5, 0, 2, 0x8000080, 0);
                  				if(_t75 != 0xffffffff) {
                  					_t31 = E003E47D3(_t67, _t76, 0, 0, 0, 0);
                  					_t77 = _t31;
                  					if(_t31 >= 0) {
                  						_t77 = E003E3DB5(_t73, _v32, _t75,  *((intOrPtr*)(_t66 + 0xc)), 0, 0);
                  						if(_t77 >= 0) {
                  							if( *((intOrPtr*)(_t66 + 0x28)) != 0) {
                  								_push(0);
                  								if(SetFilePointerEx(_t75,  *(_t66 + 0x18), 0, 0) != 0) {
                  									if(E003E4CEE(0, _t75, _t66 + 0x24, 4) >= 0) {
                  										_push(0);
                  										if(SetFilePointerEx(_t75,  *(_t66 + 0x1c), 0, 0) != 0) {
                  											_t77 = E003E4CEE(0, _t75, _t66 + 0x28, 4);
                  											if(_t77 < 0) {
                  												goto L10;
                  											} else {
                  												_t77 = E003E4CEE(0, _t75, _t66 + 0x2c, 4);
                  												if(_t77 < 0) {
                  													goto L10;
                  												} else {
                  													_push(0);
                  													if(SetFilePointerEx(_t75,  *(_t66 + 0x20), 0, 0) != 0) {
                  														_t77 = E003E4CEE(0, _t75,  &_v20, 0xc);
                  														if(_t77 < 0) {
                  															_push("Failed to zero out original data offset.");
                  															goto L19;
                  														}
                  													} else {
                  														_t51 = GetLastError();
                  														_t81 =  <=  ? _t51 : _t51 & 0x0000ffff | 0x80070000;
                  														_t77 =  >=  ? 0x80004005 :  <=  ? _t51 : _t51 & 0x0000ffff | 0x80070000;
                  														E003A37D3(0x80004005, "cache.cpp", 0x6d6, _t77);
                  														_push("Failed to seek to original data in exe burn section header.");
                  														goto L19;
                  													}
                  												}
                  											}
                  										} else {
                  											_t54 = GetLastError();
                  											_t84 =  <=  ? _t54 : _t54 & 0x0000ffff | 0x80070000;
                  											_t77 =  >=  ? 0x80004005 :  <=  ? _t54 : _t54 & 0x0000ffff | 0x80070000;
                  											E003A37D3(0x80004005, "cache.cpp", 0x6c9, _t77);
                  											_push("Failed to seek to signature table in exe header.");
                  											goto L19;
                  										}
                  									} else {
                  										L10:
                  										_push("Failed to update signature offset.");
                  										goto L19;
                  									}
                  								} else {
                  									_t57 = GetLastError();
                  									_t87 =  <=  ? _t57 : _t57 & 0x0000ffff | 0x80070000;
                  									_t77 =  >=  ? 0x80004005 :  <=  ? _t57 : _t57 & 0x0000ffff | 0x80070000;
                  									E003A37D3(0x80004005, "cache.cpp", 0x6bf, _t77);
                  									_push("Failed to seek to checksum in exe header.");
                  									L19:
                  									_push(_t77);
                  									E003E012F();
                  								}
                  							}
                  						} else {
                  							_push(_v24);
                  							E003E012F(_t77, "Failed to copy engine from: %ls to: %ls", _v28);
                  						}
                  					} else {
                  						E003E012F(_t77, "Failed to seek to beginning of engine file: %ls", _v28);
                  					}
                  					CloseHandle(_t75);
                  				} else {
                  					_t62 = GetLastError();
                  					_t90 =  <=  ? _t62 : _t62 & 0x0000ffff | 0x80070000;
                  					_t77 =  >=  ? 0x80004005 :  <=  ? _t62 : _t62 & 0x0000ffff | 0x80070000;
                  					E003A37D3(0x80004005, "cache.cpp", 0x6af,  >=  ? 0x80004005 :  <=  ? _t62 : _t62 & 0x0000ffff | 0x80070000);
                  					E003E012F( >=  ? 0x80004005 :  <=  ? _t62 : _t62 & 0x0000ffff | 0x80070000, "Failed to create engine file at path: %ls", _v24);
                  				}
                  				return E003CDE36(_t66, _v8 ^ _t91, _t73, _t75, _t77);
                  			}

                  APIs
                  • CreateFileW.KERNEL32(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,003A4CB6,?,?,00000000,003A4CB6,00000000), ref: 003B8507
                  • GetLastError.KERNEL32 ref: 003B8514
                  • CloseHandle.KERNEL32(00000000,?,00000000,003EB4F0,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003B86F6
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CloseCreateErrorFileHandleLast
                  • String ID: @Mxt$Failed to copy user from: %ls to: %ls$Failed to create user file at path: %ls$Failed to seek to beginning of user file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cabinet.dll$cache.cpp$msi.dll
                  • API String ID: 2528220319-890718841
                  • Opcode ID: cd46e5bacbc25e53349d55d3273f02cdf1e221bb5e06d30082565495240c235b
                  • Instruction ID: 537772fb63adfa6100a434a582725f57ecf750f3cd09d8dd2cf2d4e340e63fc2
                  • Opcode Fuzzy Hash: cd46e5bacbc25e53349d55d3273f02cdf1e221bb5e06d30082565495240c235b
                  • Instruction Fuzzy Hash: 80519372A40225BBEB236B698C46FFB769CEB05754F010225FF05FB591EB609C00D6E5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 68%
                  			E003C25AF(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                  				signed int _v8;
                  				void* __ebx;
                  				int _t39;
                  				signed int _t48;
                  				intOrPtr _t50;
                  				void* _t57;
                  				void* _t58;
                  				void* _t59;
                  
                  				_t45 = __ecx;
                  				_push(__ecx);
                  				_v8 = _v8 & 0x00000000;
                  				_t43 = _a4;
                  				_t50 = _a8;
                  				if(E003E31C7(_a4, L"DetectCondition", _t50 + 0x90) >= 0) {
                  					if(E003E31C7(_t43, L"InstallArguments", _t50 + 0x94) >= 0) {
                  						if(E003E31C7(_t43, L"UninstallArguments", _t50 + 0x9c) >= 0) {
                  							if(E003E31C7(_t43, L"RepairArguments", _t50 + 0x98) >= 0) {
                  								_t57 = E003E33DB(_t45, _t43, L"Repairable", _t50 + 0xac);
                  								if(_t57 == 0x80070490 || _t57 >= 0) {
                  									_t58 = E003E31C7(_t43, L"Protocol",  &_v8);
                  									if(_t58 < 0) {
                  										if(_t58 == 0x80070490) {
                  											goto L14;
                  										} else {
                  											_push("Failed to get @Protocol.");
                  											goto L25;
                  										}
                  									} else {
                  										if(CompareStringW(0x7f, 0, _v8, 0xffffffff, L"burn", 0xffffffff) != 2) {
                  											_t39 = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"netfx4", 0xffffffff);
                  											_t48 = 2;
                  											if(_t39 != _t48) {
                  												if(CompareStringW(0x7f, 0, _v8, 0xffffffff, L"none", 0xffffffff) != 2) {
                  													_t59 = 0x8000ffff;
                  													E003E012F(0x8000ffff, "Invalid protocol type: %ls", _v8);
                  												} else {
                  													 *(_t50 + 0xb0) =  *(_t50 + 0xb0) & 0x00000000;
                  													goto L14;
                  												}
                  											} else {
                  												 *(_t50 + 0xb0) = _t48;
                  												goto L14;
                  											}
                  										} else {
                  											 *(_t50 + 0xb0) = 1;
                  											L14:
                  											_t59 = E003C1970(_t43, _t43, _t50);
                  											if(_t59 >= 0) {
                  												_t59 = E003C17C4(_t43, _t50);
                  												if(_t59 < 0) {
                  													_push("Failed to parse command lines.");
                  													goto L25;
                  												}
                  											} else {
                  												_push("Failed to parse exit codes.");
                  												goto L25;
                  											}
                  										}
                  									}
                  								} else {
                  									_push("Failed to get @Repairable.");
                  									goto L25;
                  								}
                  							} else {
                  								_push("Failed to get @RepairArguments.");
                  								goto L25;
                  							}
                  						} else {
                  							_push("Failed to get @UninstallArguments.");
                  							goto L25;
                  						}
                  					} else {
                  						_push("Failed to get @InstallArguments.");
                  						goto L25;
                  					}
                  				} else {
                  					_push("Failed to get @DetectCondition.");
                  					L25:
                  					_push(_t59);
                  					E003E012F();
                  				}
                  				if(_v8 != 0) {
                  					E003E54EF(_v8);
                  				}
                  				return _t59;
                  			}












                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: StringVariant$AllocClearFreeInit
                  • String ID: DetectCondition$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @UninstallArguments.$Failed to parse command lines.$Failed to parse exit codes.$InstallArguments$Invalid protocol type: %ls$Protocol$RepairArguments$Repairable$UninstallArguments$burn$netfx4$none
                  • API String ID: 760788290-1911311241
                  • Opcode ID: a022b60f91e1272afd4f3c8f71bf1547de676c65f2c2dbeb43d08dbac83c1a18
                  • Instruction ID: 8274fe94d5cb81128eaa2bac35076f5d11d851593b8ccd8468381a0e697fc1d7
                  • Opcode Fuzzy Hash: a022b60f91e1272afd4f3c8f71bf1547de676c65f2c2dbeb43d08dbac83c1a18
                  • Instruction Fuzzy Hash: 1441FD72A84B7A76C72751648C86FFBB55C5B20B30F210319FA14FB6D2CBA4AD1057A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E003AF09D(void* __edx, void* __eflags, intOrPtr _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
                  				void* _v8;
                  				char _v12;
                  				char _v16;
                  				char _v20;
                  				signed short _t54;
                  				signed short _t59;
                  				void* _t70;
                  				void* _t71;
                  				void* _t76;
                  				intOrPtr _t77;
                  				void* _t79;
                  
                  				_t76 = __edx;
                  				_t77 = _a4;
                  				_v8 = 0;
                  				_v12 = 0;
                  				_v16 = 0;
                  				_v20 = 0;
                  				_push(E003B3C30( *((intOrPtr*)(_t77 + 8))));
                  				_push(E003B3C30(_a16));
                  				_push(E003B4257(_a12));
                  				E003A550F(2, 0x20000173,  *((intOrPtr*)(_t77 + 0x50)));
                  				E003E39CD( &_v16,  &_v20);
                  				_t70 = _a8;
                  				_t47 =  >=  ? L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" : L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run";
                  				_a4 =  >=  ? L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" : L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run";
                  				if(_t70 == 0) {
                  					L6:
                  					if(_a12 == 1) {
                  						goto L8;
                  					} else {
                  						goto L7;
                  					}
                  				} else {
                  					_t79 = E003E1344(_t70, L"Resume", _a12);
                  					if(_t79 >= 0) {
                  						if(_a12 != 3) {
                  							goto L6;
                  						} else {
                  							_t79 = E003E1344(_t70, L"Installed", 1);
                  							if(_t79 >= 0) {
                  								L7:
                  								if(_a16 == 0) {
                  									L17:
                  									_t79 = E003E0E3F( *((intOrPtr*)(_t77 + 0x4c)), _a4, 0x20006,  &_v8);
                  									if(_t79 == 0x80070002 || _t79 == 0x80070003) {
                  										_t79 = 0;
                  										goto L22;
                  									} else {
                  										_t59 =  ==  ? 0 : RegDeleteValueW(_v8,  *(_t77 + 0x10));
                  										if(_t59 == 0) {
                  											L22:
                  											if(_t70 != 0) {
                  												_t54 =  ==  ? 0 : RegDeleteValueW(_t70, L"BundleResumeCommandLine");
                  												if(_t54 != 0) {
                  													_t82 =  <=  ? _t54 : _t54 & 0x0000ffff | 0x80070000;
                  													_t79 =  >=  ? 0x80004005 :  <=  ? _t54 : _t54 & 0x0000ffff | 0x80070000;
                  													E003A37D3(0x80004005, "registration.cpp", 0x4e1, _t79);
                  													_push("Failed to delete resume command line value.");
                  													goto L25;
                  												}
                  											}
                  										} else {
                  											_t85 =  <=  ? _t59 : _t59 & 0x0000ffff | 0x80070000;
                  											_t79 =  >=  ? 0x80004005 :  <=  ? _t59 : _t59 & 0x0000ffff | 0x80070000;
                  											E003A37D3(0x80004005, "registration.cpp", 0x4d7, _t79);
                  											_push("Failed to delete run key value.");
                  											goto L25;
                  										}
                  									}
                  								} else {
                  									L8:
                  									if( *((intOrPtr*)(_t77 + 8)) != 0) {
                  										goto L17;
                  									} else {
                  										_push(L"burn.runonce");
                  										_t79 = E003A1F20( &_v12, L"\"%ls\" /%ls",  *((intOrPtr*)(_t77 + 0x54)));
                  										if(_t79 >= 0) {
                  											_t79 = E003E0A88( *((intOrPtr*)(_t77 + 0x4c)), _a4, 0x20006,  &_v8);
                  											if(_t79 >= 0) {
                  												_t79 = E003E1392(_t71, _t76, _v8,  *(_t77 + 0x10), _v12);
                  												if(_t79 >= 0) {
                  													_t79 = E003E1392(_t71, _t76, _t70, L"BundleResumeCommandLine",  *((intOrPtr*)(_t77 + 0x58)));
                  													if(_t79 < 0) {
                  														_push("Failed to write resume command line value.");
                  														goto L25;
                  													}
                  												} else {
                  													_push("Failed to write run key value.");
                  													goto L25;
                  												}
                  											} else {
                  												_push("Failed to create run key.");
                  												goto L25;
                  											}
                  										} else {
                  											_push("Failed to format resume command line for RunOnce.");
                  											goto L25;
                  										}
                  									}
                  								}
                  							} else {
                  								_push("Failed to write Installed value.");
                  								goto L25;
                  							}
                  						}
                  					} else {
                  						_push("Failed to write Resume value.");
                  						L25:
                  						_push(_t79);
                  						E003E012F();
                  					}
                  				}
                  				if(_v12 != 0) {
                  					E003E54EF(_v12);
                  				}
                  				if(_v8 != 0) {
                  					RegCloseKey(_v8);
                  				}
                  				return _t79;
                  			}















                  APIs
                    • Part of subcall function 003E39CD: GetVersionExW.KERNEL32(?,?,00000000,?), ref: 003E3A1A
                  • RegCloseKey.ADVAPI32(00000000,?,00020006,00020006,00000000,?,?,00000002,00000000,?,00000000,00000001,00000002), ref: 003AF2CB
                    • Part of subcall function 003E1344: RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,?,003AF11A,00000005,Resume,?,?,?,00000002,00000000), ref: 003E1359
                  Strings
                  • Installed, xrefs: 003AF132
                  • Failed to delete resume command line value., xrefs: 003AF2A7
                  • Failed to format resume command line for RunOnce., xrefs: 003AF186
                  • Failed to write Resume value., xrefs: 003AF120
                  • Failed to write Installed value., xrefs: 003AF143
                  • Resume, xrefs: 003AF10F
                  • BundleResumeCommandLine, xrefs: 003AF1D5, 003AF267
                  • burn.runonce, xrefs: 003AF167
                  • Failed to write run key value., xrefs: 003AF1C8
                  • "%ls" /%ls, xrefs: 003AF172
                  • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 003AF0AE
                  • Failed to write resume command line value., xrefs: 003AF1EA
                  • registration.cpp, xrefs: 003AF250, 003AF29D
                  • Failed to delete run key value., xrefs: 003AF25A
                  • Failed to create run key., xrefs: 003AF1AA
                  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 003AF0FA
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CloseValueVersion
                  • String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$burn.runonce$registration.cpp
                  • API String ID: 2348918689-3140388177
                  • Opcode ID: e6a410a4e2085592839c97b2bf773a264339d2220ed45ab76c189ed7386ab58a
                  • Instruction ID: 846d051633bc3c2e5141d2f2bbcf633f89ec2f7389f9fcc279946979e00447ba
                  • Opcode Fuzzy Hash: e6a410a4e2085592839c97b2bf773a264339d2220ed45ab76c189ed7386ab58a
                  • Instruction Fuzzy Hash: 7551C37AA40769FEDF236AE4CC41BBA7AA8EF01750F010635FE00FA191D771DE109680
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 52%
                  			E003B80AE(void* __edx, intOrPtr _a8) {
                  				signed int _v8;
                  				char _v88;
                  				short _v608;
                  				char _v624;
                  				signed int _v628;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t18;
                  				intOrPtr _t23;
                  				signed int _t32;
                  				signed int _t33;
                  				signed int _t35;
                  				signed short _t40;
                  				signed short _t48;
                  				intOrPtr _t51;
                  				void* _t52;
                  				void* _t57;
                  				void* _t58;
                  				signed int _t60;
                  				signed int _t64;
                  				signed int _t68;
                  
                  				_t57 = __edx;
                  				_t18 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t18 ^ _t68;
                  				_v628 = _v628 & 0x00000000;
                  				_t51 = _a8;
                  				E003CF670(_t58,  &_v608, 0, 0x208);
                  				_t59 =  &_v624;
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_t23 =  *0x40aa94; // 0x0
                  				if(_t23 != 0) {
                  					L17:
                  					_t60 = E003A21A5(_t51, _t23, 0);
                  					__eflags = _t60;
                  					if(_t60 < 0) {
                  						_push("Failed to copy working folder path.");
                  						goto L19;
                  					}
                  				} else {
                  					E003E076C(GetCurrentProcess(),  &_v628);
                  					if(_v628 == 0) {
                  						_t32 = GetTempPathW(0x104,  &_v608);
                  						__eflags = _t32;
                  						if(_t32 != 0) {
                  							goto L10;
                  						} else {
                  							_t40 = GetLastError();
                  							__eflags = _t40;
                  							_t64 =  <=  ? _t40 : _t40 & 0x0000ffff | 0x80070000;
                  							__eflags = _t64;
                  							_t60 =  >=  ? 0x80004005 : _t64;
                  							E003A37D3(0x80004005, "cache.cpp", 0x46b, _t60);
                  							_push("Failed to get temp path for working folder.");
                  							goto L19;
                  						}
                  					} else {
                  						_t59 = 0x104;
                  						if(GetWindowsDirectoryW( &_v608, 0x104) != 0) {
                  							_t60 = E003A338F(_t52, __eflags,  &_v608, 0x104);
                  							__eflags = _t60;
                  							if(_t60 >= 0) {
                  								_t60 = E003A36B4(_t52,  &_v608, 0x104, L"Temp\\");
                  								__eflags = _t60;
                  								if(_t60 >= 0) {
                  									L10:
                  									_t33 =  &_v624;
                  									__imp__UuidCreate(_t33);
                  									_t60 = _t33 | 0x00000001;
                  									__eflags = _t60;
                  									if(_t60 >= 0) {
                  										_t35 =  &_v624;
                  										__imp__StringFromGUID2(_t35,  &_v88, 0x27);
                  										__eflags = _t35;
                  										if(_t35 != 0) {
                  											_push( &_v88);
                  											_t60 = E003A1F20(0x40aa94, L"%ls%ls\\",  &_v608);
                  											__eflags = _t60;
                  											if(_t60 >= 0) {
                  												_t23 =  *0x40aa94; // 0x0
                  												goto L17;
                  											} else {
                  												_push("Failed to append bundle id on to temp path for working folder.");
                  												goto L19;
                  											}
                  										} else {
                  											_t60 = 0x8007000e;
                  											E003A37D3(_t35, "cache.cpp", 0x475, 0x8007000e);
                  											_push("Failed to convert working folder guid into string.");
                  											goto L19;
                  										}
                  									} else {
                  										_push("Failed to create working folder guid.");
                  										goto L19;
                  									}
                  								} else {
                  									_push("Failed to concat Temp directory on windows path for working folder.");
                  									goto L19;
                  								}
                  							} else {
                  								_push("Failed to ensure windows path for working folder ended in backslash.");
                  								goto L19;
                  							}
                  						} else {
                  							_t48 = GetLastError();
                  							_t67 =  <=  ? _t48 : _t48 & 0x0000ffff | 0x80070000;
                  							_t60 =  >=  ? 0x80004005 :  <=  ? _t48 : _t48 & 0x0000ffff | 0x80070000;
                  							E003A37D3(0x80004005, "cache.cpp", 0x460, _t60);
                  							_push("Failed to get windows path for working folder.");
                  							L19:
                  							_push(_t60);
                  							E003E012F();
                  						}
                  					}
                  				}
                  				return E003CDE36(_t51, _v8 ^ _t68, _t57, _t59, _t60);
                  			}



























                  APIs
                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,003A5381), ref: 003B8104
                    • Part of subcall function 003E076C: OpenProcessToken.ADVAPI32(?,00000008,?,003A52B5,00000000,?,?,?,?,?,?,?,003B74AB,00000000), ref: 003E078A
                    • Part of subcall function 003E076C: GetLastError.KERNEL32(?,?,?,?,?,?,?,003B74AB,00000000), ref: 003E0794
                    • Part of subcall function 003E076C: FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,003B74AB,00000000), ref: 003E081D
                  • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 003B812A
                  • GetLastError.KERNEL32 ref: 003B8134
                  • GetTempPathW.KERNEL32(00000104,?,00000000), ref: 003B81B1
                  • GetLastError.KERNEL32 ref: 003B81BB
                  Strings
                  • @Mxt, xrefs: 003B8134, 003B81BB
                  • cache.cpp, xrefs: 003B8158, 003B81DF, 003B8230
                  • Failed to ensure windows path for working folder ended in backslash., xrefs: 003B817F
                  • Failed to copy working folder path., xrefs: 003B827F
                  • Failed to create working folder guid., xrefs: 003B8207
                  • %ls%ls\, xrefs: 003B824C
                  • Temp\, xrefs: 003B8189
                  • Failed to append bundle id on to temp path for working folder., xrefs: 003B8264
                  • Failed to get windows path for working folder., xrefs: 003B8162
                  • Failed to convert working folder guid into string., xrefs: 003B823A
                  • Failed to concat Temp directory on windows path for working folder., xrefs: 003B81A1
                  • Failed to get temp path for working folder., xrefs: 003B81E9
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorLast$Process$ChangeCloseCurrentDirectoryFindNotificationOpenPathTempTokenWindows
                  • String ID: %ls%ls\$@Mxt$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$cache.cpp
                  • API String ID: 58964441-260479516
                  • Opcode ID: 851dda30124767a150b3b8ffdf918166ad114094353a454f963c4ee0d79f40bd
                  • Instruction ID: 402d71df9ca9653f513aaa8db8392d3a73f110bc767b5d31ab12125c55571524
                  • Opcode Fuzzy Hash: 851dda30124767a150b3b8ffdf918166ad114094353a454f963c4ee0d79f40bd
                  • Instruction Fuzzy Hash: 0F41E972B407286BDF2397B48D4AFEB73AC9B04714F010665FB05FF580EA749D048AA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 55%
                  			E003BE177(void* __eflags, void** _a4) {
                  				int _v8;
                  				int _v12;
                  				int _v16;
                  				int _v20;
                  				void _v24;
                  				struct tagMSG _v52;
                  				struct _WNDCLASSW _v92;
                  				int _t47;
                  				signed short _t58;
                  				signed short _t61;
                  				struct HWND__* _t67;
                  				signed int _t69;
                  				void** _t82;
                  				void* _t83;
                  
                  				asm("stosd");
                  				_t69 = 0xa;
                  				_push(7);
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				memset( &_v52, memset( &_v92, 0, _t69 << 2), 0 << 2);
                  				_t82 = _a4;
                  				_t83 = E003BE05E(_t82[1],  &_v24);
                  				if(_t83 >= 0) {
                  					_v92.lpfnWndProc = E003BE31B;
                  					_v92.hInstance = _t82[1];
                  					_v92.hCursor = LoadCursorW(0, 0x7f00);
                  					_v92.lpszClassName = L"WixBurnSplashScreen";
                  					if(RegisterClassW( &_v92) != 0) {
                  						_t67 = CreateWindowExW(0x80, _v92.lpszClassName, _t82[2], 0x90000000, _v20, _v16, _v12, _v8, 0, 0, _t82[1],  &_v24);
                  						if(_t67 != 0) {
                  							 *(_t82[3]) = _t67;
                  							SetEvent( *_t82);
                  							while(1) {
                  								_t47 = GetMessageW( &_v52, 0, 0, 0);
                  								if(_t47 == 0) {
                  									break;
                  								}
                  								if(_t47 == 0xffffffff) {
                  									_t83 = 0x8000ffff;
                  									_push("Unexpected return value from message pump.");
                  									L13:
                  									_push(_t83);
                  									E003E012F();
                  									L14:
                  									L15:
                  									UnregisterClassW(L"WixBurnSplashScreen", _t82[1]);
                  									if(_v24 != 0) {
                  										DeleteObject(_v24);
                  									}
                  									return _t83;
                  								}
                  								if(IsDialogMessageW(_t67,  &_v52) == 0) {
                  									TranslateMessage( &_v52);
                  									DispatchMessageW( &_v52);
                  								}
                  							}
                  							goto L14;
                  						}
                  						_t58 = GetLastError();
                  						_t86 =  <=  ? _t58 : _t58 & 0x0000ffff | 0x80070000;
                  						_t83 =  >=  ? 0x80004005 :  <=  ? _t58 : _t58 & 0x0000ffff | 0x80070000;
                  						E003A37D3(0x80004005, "splashscreen.cpp", 0x8b, _t83);
                  						_push("Failed to create window.");
                  						goto L13;
                  					}
                  					_t61 = GetLastError();
                  					_t89 =  <=  ? _t61 : _t61 & 0x0000ffff | 0x80070000;
                  					_t83 =  >=  ? 0x80004005 :  <=  ? _t61 : _t61 & 0x0000ffff | 0x80070000;
                  					E003A37D3(0x80004005, "splashscreen.cpp", 0x85, _t83);
                  					_push("Failed to register window.");
                  					goto L13;
                  				}
                  				_push("Failed to load splash screen.");
                  				_push(_t83);
                  				E003E012F();
                  				goto L15;
                  			}


















                  APIs
                    • Part of subcall function 003BE05E: LoadBitmapW.USER32(?,00000001), ref: 003BE094
                    • Part of subcall function 003BE05E: GetLastError.KERNEL32 ref: 003BE0A0
                  • LoadCursorW.USER32(00000000,00007F00), ref: 003BE1D8
                  • RegisterClassW.USER32 ref: 003BE1EC
                  • GetLastError.KERNEL32 ref: 003BE1F7
                  • UnregisterClassW.USER32 ref: 003BE2FC
                  • DeleteObject.GDI32(00000000), ref: 003BE30B
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ClassErrorLastLoad$BitmapCursorDeleteObjectRegisterUnregister
                  • String ID: @Mxt$Failed to create window.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$splashscreen.cpp
                  • API String ID: 164797020-1336151071
                  • Opcode ID: d5c9ee1ee292e16733088437de54cb92e74705825cd0da132a1bccded810042c
                  • Instruction ID: c987c4e706174fd2c7621f2c787e28b3ca97c66eb402e9d5915b1359171428d2
                  • Opcode Fuzzy Hash: d5c9ee1ee292e16733088437de54cb92e74705825cd0da132a1bccded810042c
                  • Instruction Fuzzy Hash: FB418476A00659FFEB13ABE8DC45AEBB7ADFF04304F100225FA05EA5A0D7719D008B91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E003E76A1(intOrPtr* _a4, intOrPtr _a8) {
                  				signed int _v8;
                  				signed int _v12;
                  				char _v16;
                  				char _v20;
                  				void* __ebx;
                  				void* _t79;
                  				void* _t87;
                  				int _t95;
                  				int _t96;
                  				int _t97;
                  				void* _t100;
                  				void* _t106;
                  				intOrPtr* _t110;
                  				void* _t111;
                  				intOrPtr* _t113;
                  				intOrPtr* _t114;
                  				intOrPtr* _t115;
                  				intOrPtr _t118;
                  				void* _t120;
                  				void* _t122;
                  				void* _t131;
                  				void* _t139;
                  
                  				_t110 = _a4;
                  				_t112 =  &_v20;
                  				_v20 = 0;
                  				_v16 = 0;
                  				_v12 = 0;
                  				_v8 = 0;
                  				_t120 =  *((intOrPtr*)( *_t110 + 0x44))(_t110,  &_v20);
                  				if(_t120 < 0) {
                  					L37:
                  					if(_v8 != 0) {
                  						__imp__#6(_v8);
                  					}
                  					_t113 = _v12;
                  					if(_t113 != 0) {
                  						 *((intOrPtr*)( *_t113 + 8))(_t113);
                  					}
                  					_t114 = _v16;
                  					if(_t114 != 0) {
                  						 *((intOrPtr*)( *_t114 + 8))(_t114);
                  					}
                  					_t115 = _v20;
                  					if(_t115 != 0) {
                  						 *((intOrPtr*)( *_t115 + 8))(_t115);
                  					}
                  					return _t120;
                  				}
                  				_t79 = E003E36D7( &_v20, _v20,  &_v12,  &_v8);
                  				_t118 = _a8;
                  				_t120 = _t79;
                  				if(_t120 != 0) {
                  					L24:
                  					if(_t131 < 0) {
                  						L36:
                  						goto L37;
                  					}
                  					_t116 =  &_v16;
                  					_t120 =  *((intOrPtr*)( *_t110 + 0x30))(_t110,  &_v16);
                  					if(_t120 < 0) {
                  						goto L36;
                  					}
                  					_t120 = E003E3760( &_v16, _v16,  &_v12,  &_v8);
                  					_t133 = _t120;
                  					if(_t120 != 0) {
                  						L34:
                  						if(_t139 >= 0) {
                  							_t120 = E003E67C4(_t116, _t118 + 0x10, _t110);
                  						}
                  						goto L36;
                  					}
                  					_t87 = _t118 + 0x24;
                  					while(1) {
                  						_t120 = E003E79CC(_t110, _t133, _v12, _t87);
                  						if(_t120 < 0) {
                  							goto L36;
                  						}
                  						if(_v8 != 0) {
                  							__imp__#6(_v8);
                  							_v8 = _v8 & 0x00000000;
                  						}
                  						_t116 = _v12;
                  						if(_t116 != 0) {
                  							 *((intOrPtr*)( *_t116 + 8))(_t116);
                  							_v12 = _v12 & 0x00000000;
                  						}
                  						_t120 = E003E3760(_t116, _v16,  &_v12,  &_v8);
                  						_t87 = _t118 + 0x24;
                  						_t139 = _t120;
                  						if(_t139 == 0) {
                  							continue;
                  						} else {
                  							goto L34;
                  						}
                  					}
                  					goto L36;
                  				}
                  				_t111 = CompareStringW;
                  				do {
                  					if(CompareStringW(0x7f, 0, _v8, 0xffffffff, L"rel", 0xffffffff) != 2) {
                  						_t95 = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"href", 0xffffffff);
                  						__eflags = _t95 - 2;
                  						if(_t95 != 2) {
                  							_t96 = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"length", 0xffffffff);
                  							__eflags = _t96 - 2;
                  							if(_t96 != 2) {
                  								_t97 = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"title", 0xffffffff);
                  								__eflags = _t97 - 2;
                  								if(_t97 != 2) {
                  									__eflags = CompareStringW(0x7f, 0, _v8, 0xffffffff, L"type", 0xffffffff) - 2;
                  									if(__eflags != 0) {
                  										_t100 = E003E78C5(_t111, __eflags, _v12, _t118 + 0x20);
                  										L16:
                  										_t120 = _t100;
                  										L17:
                  										if(_t120 < 0) {
                  											goto L36;
                  										}
                  										goto L18;
                  									}
                  									_t106 = _t118 + 8;
                  									L8:
                  									_push(_v12);
                  									_push(_t106);
                  									L5:
                  									_t100 = E003E67C4(_t112);
                  									goto L16;
                  								}
                  								_t106 = _t118 + 4;
                  								goto L8;
                  							}
                  							_t122 = E003E329B(_a4, _v8, _t118 + 0x18);
                  							__eflags = _t122 - 0x80070057;
                  							_t120 =  ==  ? 0x8007000d : _t122;
                  							goto L17;
                  						}
                  						_t106 = _t118 + 0xc;
                  						goto L8;
                  					}
                  					_push(_v12);
                  					_push(_t118);
                  					goto L5;
                  					L18:
                  					if(_v8 != 0) {
                  						__imp__#6(_v8);
                  						_v8 = _v8 & 0x00000000;
                  					}
                  					_t112 = _v12;
                  					if(_t112 != 0) {
                  						 *((intOrPtr*)( *_t112 + 8))(_t112);
                  						_v12 = _v12 & 0x00000000;
                  					}
                  					_t120 = E003E36D7(_t112, _v20,  &_v12,  &_v8);
                  					_t131 = _t120;
                  				} while (_t131 == 0);
                  				_t110 = _a4;
                  				goto L24;
                  			}


























                  APIs
                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,rel,000000FF,?,?,?,00000000), ref: 003E7703
                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,href,000000FF), ref: 003E7727
                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,length,000000FF), ref: 003E7746
                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,title,000000FF), ref: 003E777D
                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,type,000000FF), ref: 003E7798
                  • SysFreeString.OLEAUT32(00000000), ref: 003E77C3
                  • SysFreeString.OLEAUT32(00000000), ref: 003E7842
                  • SysFreeString.OLEAUT32(00000000), ref: 003E788E
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: String$Compare$Free
                  • String ID: comres.dll$feclient.dll$href$length$msasn1.dll$msi.dll$rel$title$type$version.dll
                  • API String ID: 318886736-3944986760
                  • Opcode ID: bae05f2f5e54bd1b647b9bdb45c13b90b4e0df2627fe2543d70727b3dd94e6d1
                  • Instruction ID: 8327144e09394ff17d299fcbcd265835a7a63656e344fdd81985184e57290dc5
                  • Opcode Fuzzy Hash: bae05f2f5e54bd1b647b9bdb45c13b90b4e0df2627fe2543d70727b3dd94e6d1
                  • Instruction Fuzzy Hash: 23716135904169FBDF12DBA5CC89EAEBB78AF04320F2103A5F525AB1D1D7319E40DB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 78%
                  			E003BE563(signed int _a4) {
                  				int _v8;
                  				void _v12;
                  				struct tagMSG _v40;
                  				struct _WNDCLASSW _v80;
                  				int _t35;
                  				intOrPtr _t37;
                  				struct HWND__* _t44;
                  				int _t47;
                  				signed short _t57;
                  				signed short _t60;
                  				void** _t64;
                  				signed int _t65;
                  				void* _t77;
                  				struct HWND__* _t79;
                  
                  				_t64 = _a4;
                  				_t65 = 0xa;
                  				_t79 = 0;
                  				_t35 = memset( &_v80, 0, _t65 << 2);
                  				_push(7);
                  				_v12 = 0;
                  				memset( &_v40, _t35, 0 << 2);
                  				_t77 = _t64[2];
                  				_v8 = 0;
                  				_t37 =  *((intOrPtr*)(_t77 + 0x490));
                  				_a4 = 0 | _t37 == 0x00000002;
                  				if(_t37 != 2 || TlsSetValue( *(_t77 + 0x498),  *(_t77 + 0x4b0)) != 0) {
                  					_v80.hInstance = _t64[1];
                  					_v80.lpfnWndProc = E003BE705;
                  					_v80.lpszClassName = L"WixBurnMessageWindow";
                  					if(RegisterClassW( &_v80) != 0) {
                  						_v12 = _a4;
                  						_v8 = _t77 + 0xb8;
                  						_t44 = CreateWindowExW(0x80, _v80.lpszClassName, _t79, 0x90000000, 0x80000000, 8, _t79, _t79, _t79, _t79, _t64[1],  &_v12);
                  						if(_t44 != 0) {
                  							 *(_t77 + 0x3e0) = _t44;
                  							SetEvent( *_t64);
                  							while(1) {
                  								_t47 = GetMessageW( &_v40, _t79, _t79, _t79);
                  								if(_t47 == 0) {
                  									break;
                  								}
                  								if(_t47 == 0xffffffff) {
                  									_t79 = 0x8000ffff;
                  									_push("Unexpected return value from message pump.");
                  									L14:
                  									_push(_t79);
                  									E003E012F();
                  									goto L15;
                  								}
                  								if(IsDialogMessageW(_v40,  &_v40) == 0) {
                  									TranslateMessage( &_v40);
                  									DispatchMessageW( &_v40);
                  								}
                  							}
                  							goto L15;
                  						}
                  						_t57 = GetLastError();
                  						_t82 =  <=  ? _t57 : _t57 & 0x0000ffff | 0x80070000;
                  						_t79 =  >=  ? 0x80004005 :  <=  ? _t57 : _t57 & 0x0000ffff | 0x80070000;
                  						E003A37D3(0x80004005, "uithread.cpp", 0x8a, _t79);
                  						_push("Failed to create window.");
                  						goto L14;
                  					}
                  					_t60 = GetLastError();
                  					_t85 =  <=  ? _t60 : _t60 & 0x0000ffff | 0x80070000;
                  					_t79 =  >=  ? 0x80004005 :  <=  ? _t60 : _t60 & 0x0000ffff | 0x80070000;
                  					E003A37D3(0x80004005, "uithread.cpp", 0x80, _t79);
                  					_push("Failed to register window.");
                  					goto L14;
                  				} else {
                  					_t79 = 0x8007139f;
                  					L15:
                  					UnregisterClassW(L"WixBurnMessageWindow", _t64[1]);
                  					return _t79;
                  				}
                  			}


















                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ClassErrorLast$CreateRegisterUnregisterValueWindow
                  • String ID: @Mxt$Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
                  • API String ID: 213125376-1217627749
                  • Opcode ID: 4af39c723e4f79c3e2e3ff219589e6e2a3b1d99f67f1b8ffe572ff3240416410
                  • Instruction ID: 93927f005279ac08263c9bd5427def17376e59582d7bab523d281f602afd23b2
                  • Opcode Fuzzy Hash: 4af39c723e4f79c3e2e3ff219589e6e2a3b1d99f67f1b8ffe572ff3240416410
                  • Instruction Fuzzy Hash: 5041B976A00258ABDB239BA4DC45BDBBFECFF04354F114116FA05EA590D7309D40CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 56%
                  			E003AF410(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                  				signed int _v8;
                  				signed int _v12;
                  				intOrPtr _t59;
                  				char* _t60;
                  				void* _t64;
                  				void* _t72;
                  
                  				_t57 = __edx;
                  				_t54 = __ecx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_v12 = _v12 & 0x00000000;
                  				_v8 = _v8 & 0x00000000;
                  				_t59 = _a4;
                  				_t64 = E003AE7CD(__ecx, _t59,  &_v12);
                  				if(_t64 >= 0) {
                  					_t64 = E003E0A88( *((intOrPtr*)(_t59 + 0x4c)), _v12, 0x20006,  &_v8);
                  					if(_t64 >= 0) {
                  						if(E003E1392(__ecx, __edx, _v8, L"ThisVersionInstalled", "Y") >= 0) {
                  							if(E003E1392(__ecx, __edx, _v8, L"PackageName",  *((intOrPtr*)(_t59 + 0x60))) >= 0) {
                  								if(E003E1392(_t54, __edx, _v8, L"PackageVersion",  *((intOrPtr*)(_t59 + 0x64))) >= 0) {
                  									if(E003E1392(_t54, __edx, _v8, L"Publisher",  *((intOrPtr*)(_t59 + 0x68))) >= 0) {
                  										_t40 =  *((intOrPtr*)(_t59 + 0xa4));
                  										if( *((intOrPtr*)(_t59 + 0xa4)) == 0) {
                  											L16:
                  											_t60 = L"ReleaseType";
                  											if(E003E1392(_t54, _t57, _v8, _t60,  *((intOrPtr*)(_t59 + 0xb0))) >= 0) {
                  												_t61 = _a8;
                  												if(E003AEDB1(_t54, _t57, _v8, _a8, L"LogonUser", L"InstalledBy") >= 0) {
                  													if(E003AEDB1(_t54, _t57, _v8, _t61, L"Date", L"InstalledDate") >= 0) {
                  														_t72 = E003AEDB1(_t54, _t57, _v8, _t61, L"InstallerName", L"InstallerName");
                  														if(_t72 >= 0) {
                  															_t72 = E003AEDB1(_t54, _t57, _v8, _t61, L"InstallerVersion", L"InstallerVersion");
                  															if(_t72 < 0) {
                  																_push(L"InstallerVersion");
                  																goto L26;
                  															}
                  														} else {
                  															_push(L"InstallerName");
                  															goto L26;
                  														}
                  													} else {
                  														_push(L"InstalledDate");
                  														goto L26;
                  													}
                  												} else {
                  													_push(L"InstalledBy");
                  													goto L26;
                  												}
                  											} else {
                  												_push(_t60);
                  												goto L26;
                  											}
                  										} else {
                  											_t72 = E003E1392(_t54, _t57, _v8, L"PublishingGroup", _t40);
                  											if(_t72 >= 0) {
                  												goto L16;
                  											} else {
                  												_push(L"PublishingGroup");
                  												goto L26;
                  											}
                  										}
                  									} else {
                  										_push(L"Publisher");
                  										goto L26;
                  									}
                  								} else {
                  									_push(L"PackageVersion");
                  									goto L26;
                  								}
                  							} else {
                  								_push(L"PackageName");
                  								goto L26;
                  							}
                  						} else {
                  							_push(L"ThisVersionInstalled");
                  							L26:
                  							_push("Failed to write %ls value.");
                  							_push(_t72);
                  							E003E012F();
                  						}
                  					} else {
                  						_push("Failed to create the key for update registration.");
                  						goto L2;
                  					}
                  				} else {
                  					_push("Failed to get the formatted key path for update registration.");
                  					L2:
                  					_push(_t64);
                  					E003E012F();
                  				}
                  				if(_v8 != 0) {
                  					RegCloseKey(_v8);
                  					_v8 = _v8 & 0x00000000;
                  				}
                  				if(_v12 != 0) {
                  					E003E54EF(_v12);
                  				}
                  				return _t72;
                  			}

                  APIs
                  • RegCloseKey.ADVAPI32(00000000,00000000,003B0348,InstallerVersion,InstallerVersion,00000000,003B0348,InstallerName,InstallerName,00000000,003B0348,Date,InstalledDate,00000000,003B0348,LogonUser), ref: 003AF5BE
                    • Part of subcall function 003E1392: RegSetValueExW.ADVAPI32(00020006,00020006,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,003AF1C2,00000000,?,00020006), ref: 003E13C5
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CloseValue
                  • String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled
                  • API String ID: 3132538880-2703781546
                  • Opcode ID: 4ab58d2b380fe68ce65dddbd9e72352d6300cf624cf7f24cbbf2f2a6115a826b
                  • Instruction ID: 05fe0302b274c8d63ded5404f4244561e63abbb3023c55ff9f7298b80461b4a7
                  • Opcode Fuzzy Hash: 4ab58d2b380fe68ce65dddbd9e72352d6300cf624cf7f24cbbf2f2a6115a826b
                  • Instruction Fuzzy Hash: 34417732E4167AFFCB236A95CC06EBF7A69EB03750F114264F9007A291D7719E10A690
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 78%
                  			E003CC517(intOrPtr __ecx, void* __eflags, signed int _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr* _a24) {
                  				signed int _v8;
                  				intOrPtr _t121;
                  				intOrPtr _t176;
                  				intOrPtr* _t190;
                  				intOrPtr* _t197;
                  				intOrPtr _t198;
                  				intOrPtr _t203;
                  				signed int _t206;
                  				intOrPtr _t207;
                  				intOrPtr _t208;
                  				signed int _t209;
                  				signed int _t210;
                  				signed int _t212;
                  				void* _t214;
                  				void* _t220;
                  				signed int _t223;
                  				intOrPtr* _t224;
                  				void* _t225;
                  
                  				_t193 = __ecx;
                  				_push(__ecx);
                  				_v8 = _v8 & 0x00000000;
                  				_t190 = _a24;
                  				_t121 = E003A38D4( *(_t190 + 0x80) << 3, 1);
                  				_t212 = _a4;
                  				 *((intOrPtr*)(_t212 + 0x7c)) = _t121;
                  				if(_t121 != 0) {
                  					_t206 = 0;
                  					 *(_t212 + 0x80) =  *(_t190 + 0x80);
                  					_a4 = 0;
                  					if( *(_t190 + 0x80) <= 0) {
                  						L16:
                  						 *(_t212 + 0x14) =  *(_t212 + 0x14) & 0x00000000;
                  						 *((intOrPtr*)(_t212 + 0xa8)) = 1;
                  						 *((intOrPtr*)(_t212 + 0x8c)) =  *((intOrPtr*)(_t190 + 0x8c));
                  						 *((intOrPtr*)(_t212 + 0x40)) =  *((intOrPtr*)(_t190 + 0x40));
                  						 *((intOrPtr*)(_t212 + 0x44)) =  *((intOrPtr*)(_t190 + 0x44));
                  						 *((intOrPtr*)(_t212 + 0x28)) =  *((intOrPtr*)(_t190 + 0x28));
                  						 *((intOrPtr*)(_t212 + 0x2c)) =  *((intOrPtr*)(_t190 + 0x2c));
                  						 *((intOrPtr*)(_t212 + 0x30)) =  *((intOrPtr*)(_t190 + 0x30));
                  						 *((intOrPtr*)(_t212 + 0x34)) =  *((intOrPtr*)(_t190 + 0x34));
                  						 *((intOrPtr*)(_t212 + 0x1c)) =  *((intOrPtr*)(_t190 + 0x1c));
                  						if(E003A21A5(_t212,  *_t190, 0) >= 0) {
                  							_t97 = _t212 + 0x24; // 0x124
                  							if(E003A21A5(_t97,  *((intOrPtr*)(_t190 + 0x24)), 0) >= 0) {
                  								 *((intOrPtr*)(_t212 + 0xb0)) =  *((intOrPtr*)(_t190 + 0xb0));
                  								if(E003B7C29(_t193,  &_v8,  *_a8,  *((intOrPtr*)(_a8 + 4)),  *((intOrPtr*)(_a8 + 8)),  *((intOrPtr*)(_a8 + 0x1c)), 1, _a16, _a20, _a12,  *((intOrPtr*)(_t135 + 0xc))) >= 0) {
                  									_t109 = _t212 + 0x94; // 0x194
                  									if(E003A21A5(_t109, _v8, 0) >= 0) {
                  										_t112 = _t212 + 0x98; // 0x198
                  										_t220 = E003A21A5(_t112, _v8, 0);
                  										if(_t220 >= 0) {
                  											_t114 = _t212 + 0x9c; // 0x19c
                  											 *((intOrPtr*)(_t212 + 0xac)) = 1;
                  											_t220 = E003A21A5(_t114, _v8, 0);
                  											if(_t220 >= 0) {
                  												 *((intOrPtr*)(_t212 + 0x18)) = 1;
                  											} else {
                  												_push("Failed to copy uninstall arguments for passthrough bundle package");
                  												goto L23;
                  											}
                  										} else {
                  											_push("Failed to copy related arguments for passthrough bundle package");
                  											goto L23;
                  										}
                  									} else {
                  										_push("Failed to copy install arguments for passthrough bundle package");
                  										goto L23;
                  									}
                  								} else {
                  									_push("Failed to recreate command-line arguments.");
                  									goto L23;
                  								}
                  							} else {
                  								_push("Failed to copy cache id for passthrough pseudo bundle.");
                  								goto L23;
                  							}
                  						} else {
                  							_push("Failed to copy key for passthrough pseudo bundle.");
                  							goto L23;
                  						}
                  					} else {
                  						while(1) {
                  							_t223 = _t206 << 3;
                  							_a24 =  *((intOrPtr*)(_t190 + 0x7c)) + _t223;
                  							 *((intOrPtr*)(_t223 +  *((intOrPtr*)(_t212 + 0x7c)))) = E003A38D4(0x58, 1);
                  							_t150 =  *((intOrPtr*)(_t212 + 0x7c));
                  							_t207 =  *((intOrPtr*)(_t223 +  *((intOrPtr*)(_t212 + 0x7c))));
                  							if(_t207 == 0) {
                  								break;
                  							}
                  							_t197 = _a24;
                  							 *((intOrPtr*)(_t207 + 4)) =  *((intOrPtr*)( *_t197 + 4));
                  							_t198 =  *_t197;
                  							_t208 =  *((intOrPtr*)(_t223 +  *((intOrPtr*)(_t212 + 0x7c))));
                  							 *((intOrPtr*)(_t208 + 0x10)) =  *((intOrPtr*)(_t198 + 0x10));
                  							 *((intOrPtr*)(_t208 + 0x14)) =  *((intOrPtr*)(_t198 + 0x14));
                  							_t220 = E003A21A5( *((intOrPtr*)(_t223 +  *((intOrPtr*)(_t212 + 0x7c)))),  *((intOrPtr*)( *_a24)), 0);
                  							if(_t220 < 0) {
                  								_push("Failed to copy key for passthrough pseudo bundle payload.");
                  								goto L23;
                  							} else {
                  								_t220 = E003A21A5( *((intOrPtr*)( *((intOrPtr*)(_t212 + 0x7c)) + _a4 * 8)) + 0x18,  *((intOrPtr*)( *_a24 + 0x18)), 0);
                  								if(_t220 < 0) {
                  									_push("Failed to copy filename for passthrough pseudo bundle.");
                  									goto L23;
                  								} else {
                  									_t220 = E003A21A5( *((intOrPtr*)( *((intOrPtr*)(_t212 + 0x7c)) + _a4 * 8)) + 0x38,  *((intOrPtr*)( *_a24 + 0x38)), 0);
                  									if(_t220 < 0) {
                  										_push("Failed to copy local source path for passthrough pseudo bundle.");
                  										goto L23;
                  									} else {
                  										_t224 = _a24;
                  										_t173 =  *_t224;
                  										if( *((intOrPtr*)( *_t224 + 0x40)) == 0) {
                  											L12:
                  											_t174 =  *_t224;
                  											if( *((intOrPtr*)( *_t224 + 0x30)) == 0) {
                  												L15:
                  												_t209 = _a4;
                  												_t193 =  *((intOrPtr*)(_t212 + 0x7c));
                  												 *((intOrPtr*)( *((intOrPtr*)(_t212 + 0x7c)) + 4 + _t209 * 8)) =  *((intOrPtr*)(_t224 + 4));
                  												_t206 = _t209 + 1;
                  												_a4 = _t206;
                  												if(_t206 <  *(_t190 + 0x80)) {
                  													continue;
                  												} else {
                  													goto L16;
                  												}
                  											} else {
                  												_t176 = E003A38D4( *((intOrPtr*)(_t174 + 0x34)), 0);
                  												_t210 = _a4;
                  												 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t212 + 0x7c)) + _t210 * 8)) + 0x30)) = _t176;
                  												_t177 =  *((intOrPtr*)(_t212 + 0x7c));
                  												_t203 =  *((intOrPtr*)( *((intOrPtr*)(_t212 + 0x7c)) + _t210 * 8));
                  												if( *((intOrPtr*)(_t203 + 0x30)) == 0) {
                  													_t214 = 0x8007000e;
                  													_t220 = 0x8007000e;
                  													E003A37D3(_t177, "pseudobundle.cpp", 0xc9, 0x8007000e);
                  													_push("Failed to allocate memory for pseudo bundle payload hash.");
                  													goto L2;
                  												} else {
                  													 *((intOrPtr*)(_t203 + 0x34)) =  *((intOrPtr*)( *_t224 + 0x34));
                  													E003C1664( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t212 + 0x7c)) + _t210 * 8)) + 0x30)),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t212 + 0x7c)) + _t210 * 8)) + 0x34)),  *((intOrPtr*)( *_t224 + 0x30)),  *((intOrPtr*)( *_t224 + 0x34)));
                  													_t225 = _t225 + 0x10;
                  													goto L15;
                  												}
                  											}
                  										} else {
                  											_t220 = E003A21A5( *((intOrPtr*)( *((intOrPtr*)(_t212 + 0x7c)) + _a4 * 8)) + 0x40,  *((intOrPtr*)(_t173 + 0x40)), 0);
                  											if(_t220 < 0) {
                  												_push("Failed to copy download source for passthrough pseudo bundle.");
                  												L23:
                  												_push(_t220);
                  												goto L3;
                  											} else {
                  												_t224 = _a24;
                  												goto L12;
                  											}
                  										}
                  									}
                  								}
                  							}
                  							goto L36;
                  						}
                  						_t214 = 0x8007000e;
                  						_t220 = 0x8007000e;
                  						E003A37D3(_t150, "pseudobundle.cpp", 0xb3, 0x8007000e);
                  						_push("Failed to allocate space for burn payload inside of related bundle struct");
                  						goto L2;
                  					}
                  				} else {
                  					_t214 = 0x8007000e;
                  					_t220 = 0x8007000e;
                  					E003A37D3(_t121, "pseudobundle.cpp", 0xab, 0x8007000e);
                  					_push("Failed to allocate space for burn package payload inside of passthrough bundle.");
                  					L2:
                  					_push(_t214);
                  					L3:
                  					E003E012F();
                  				}
                  				L36:
                  				if(_v8 != 0) {
                  					E003E54EF(_v8);
                  				}
                  				return _t220;
                  			}

                  Strings
                  • Failed to allocate space for burn payload inside of related bundle struct, xrefs: 003CC78A
                  • Failed to copy filename for passthrough pseudo bundle., xrefs: 003CC761
                  • Failed to copy key for passthrough pseudo bundle payload., xrefs: 003CC768
                  • Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 003CC557
                  • Failed to allocate memory for pseudo bundle payload hash., xrefs: 003CC750
                  • Failed to copy key for passthrough pseudo bundle., xrefs: 003CC72B
                  • Failed to copy install arguments for passthrough bundle package, xrefs: 003CC805
                  • Failed to copy related arguments for passthrough bundle package, xrefs: 003CC825
                  • Failed to copy download source for passthrough pseudo bundle., xrefs: 003CC732
                  • Failed to copy cache id for passthrough pseudo bundle., xrefs: 003CC7A8
                  • Failed to copy local source path for passthrough pseudo bundle., xrefs: 003CC75A
                  • Failed to recreate command-line arguments., xrefs: 003CC7E6
                  • Failed to copy uninstall arguments for passthrough bundle package, xrefs: 003CC84F
                  • pseudobundle.cpp, xrefs: 003CC54B, 003CC744, 003CC77E
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Heap$AllocateProcess
                  • String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$pseudobundle.cpp
                  • API String ID: 1357844191-115096447
                  • Opcode ID: e88392738e9299ff6411e1e979680c38ba045c5cf6e896d55868ead25ecec9da
                  • Instruction ID: 2f013dae08e1a5d0f453a63425bb370f8aacedff24caf5549f16ee936eaacf72
                  • Opcode Fuzzy Hash: e88392738e9299ff6411e1e979680c38ba045c5cf6e896d55868ead25ecec9da
                  • Instruction Fuzzy Hash: 8EB13775A10615AFDB12DF28C981F56BBA5FF09710F1142A9FE18AB762C731EC20DB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 23%
                  			E003AB106(intOrPtr _a4) {
                  				void* _t35;
                  				signed short _t40;
                  				intOrPtr* _t45;
                  				void* _t47;
                  				intOrPtr _t49;
                  				signed int _t50;
                  				signed int _t53;
                  				intOrPtr _t56;
                  				signed int _t57;
                  				intOrPtr* _t61;
                  				signed int _t62;
                  				signed int _t63;
                  				signed int _t64;
                  
                  				_t57 = 0;
                  				_t61 = GetModuleHandleW(0);
                  				if(_t61 != 0) {
                  					if(0x5a4d ==  *_t61) {
                  						_t49 =  *((intOrPtr*)(_t61 + 0x3c));
                  						if( *((intOrPtr*)(_t49 + _t61)) == 0x4550) {
                  							_t5 = _t61 + 0x18; // 0x18
                  							_t45 = _t5 + ( *(_t49 + _t61 + 0x14) & 0x0000ffff) + _t49;
                  							if(E003CF919(_t45, ".wixburn", 8) == 0) {
                  								L13:
                  								if( *((intOrPtr*)(_t45 + 0x10)) >= 0x34) {
                  									_t47 =  *((intOrPtr*)(_t45 + 0xc)) + _t61;
                  									if( *((intOrPtr*)(_t47 + 4)) == 2) {
                  										_t56 = _a4;
                  										_t50 = _t57;
                  										while(1) {
                  											_t26 =  *((intOrPtr*)(_t56 + _t50 * 4));
                  											if( *((intOrPtr*)(_t56 + _t50 * 4)) !=  *((intOrPtr*)(_t47 + 8 + _t50 * 4))) {
                  												break;
                  											}
                  											_t50 = _t50 + 1;
                  											if(_t50 != 4) {
                  												continue;
                  											} else {
                  											}
                  											goto L25;
                  										}
                  										_t62 = 0x8007000d;
                  										_t57 = 0x8007000d;
                  										E003A37D3(_t26, "section.cpp", 0x18a, 0x8007000d);
                  										_push("Bundle guid didn\'t match the guid in the PE Header in memory.");
                  										goto L24;
                  									} else {
                  										_t63 = 0x8007000d;
                  										_t57 = 0x8007000d;
                  										E003A37D3(_t25, "section.cpp", 0x184, 0x8007000d);
                  										_push( *((intOrPtr*)(_t47 + 4)));
                  										_push("Failed to read section info, unsupported version: %08x");
                  										goto L18;
                  									}
                  								} else {
                  									_t63 = 0x8007000d;
                  									_t57 = 0x8007000d;
                  									E003A37D3(_t25, "section.cpp", 0x17a, 0x8007000d);
                  									_push( *((intOrPtr*)(_t45 + 0x10)));
                  									_push("Failed to read section info, data to short: %u");
                  									L18:
                  									_push(_t63);
                  									E003E012F();
                  								}
                  							} else {
                  								_t53 =  *( *((intOrPtr*)(_t61 + 0x3c)) + _t61 + 6) & 0x0000ffff;
                  								_t35 = 1;
                  								while(_t35 < _t53) {
                  									_t45 = _t45 + 0x28;
                  									_t35 = _t35 + 1;
                  									if( *_t45 != 0x7869772e ||  *((intOrPtr*)(_t45 + 4)) != 0x6e727562) {
                  										continue;
                  									} else {
                  										goto L13;
                  									}
                  									goto L25;
                  								}
                  								_t62 = 0x8007000d;
                  								_t57 = 0x8007000d;
                  								E003A37D3(_t35, "section.cpp", 0x16e, 0x8007000d);
                  								_push("Failed to find Burn section.");
                  								L24:
                  								_push(_t62);
                  								E003E012F();
                  							}
                  							L25:
                  						} else {
                  							_t64 = 0x8007000d;
                  							_t57 = 0x8007000d;
                  							E003A37D3(0x5a4d, "section.cpp", 0x155, 0x8007000d);
                  							_push("Failed to find valid NT image header in buffer.");
                  							goto L5;
                  						}
                  					} else {
                  						_t64 = 0x8007000d;
                  						_t57 = 0x8007000d;
                  						E003A37D3(0x5a4d, "section.cpp", 0x14a, 0x8007000d);
                  						_push("Failed to find valid DOS image header in buffer.");
                  						L5:
                  						_push(_t64);
                  						goto L2;
                  					}
                  				} else {
                  					_t40 = GetLastError();
                  					_t60 =  <=  ? _t40 : _t40 & 0x0000ffff | 0x80070000;
                  					_t57 =  >=  ? 0x80004005 :  <=  ? _t40 : _t40 & 0x0000ffff | 0x80070000;
                  					E003A37D3(0x80004005, "section.cpp", 0x140, _t57);
                  					_push("Failed to get module handle to process.");
                  					_push(_t57);
                  					L2:
                  					E003E012F();
                  				}
                  				return _t57;
                  			}

                  APIs
                  • GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?,003AB9F7,00000008,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 003AB10E
                  • GetLastError.KERNEL32(?,003AB9F7,00000008,?,00000000,00000000,?,?,?,00000000,77E49EB0,00000000), ref: 003AB11A
                  • _memcmp.LIBVCRUNTIME ref: 003AB1C2
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorHandleLastModule_memcmp
                  • String ID: .wix$.wixburn$@Mxt$Bundle guid didn't match the guid in the PE Header in memory.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get module handle to process.$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$burn$section.cpp
                  • API String ID: 3888311042-2219769500
                  • Opcode ID: 6d19ce959ba775c1caf18dc3653e1a5b46ef4d5eece7eca6dfe647db687525cb
                  • Instruction ID: e3d17e49225980a229e72213b002ee3fdcfa83db91e953bc60fb3ddb914b3202
                  • Opcode Fuzzy Hash: 6d19ce959ba775c1caf18dc3653e1a5b46ef4d5eece7eca6dfe647db687525cb
                  • Instruction Fuzzy Hash: AB412B72380360EBD7235552DC42FAB6255EB42B60F15462AF9026F5C2DBA5C90183A6
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 50%
                  			E003AA17D(intOrPtr _a4, intOrPtr _a8) {
                  				char _v8;
                  				int _v12;
                  				int _v16;
                  				int _v20;
                  				signed short _t51;
                  				intOrPtr _t55;
                  				signed short _t60;
                  				void* _t64;
                  				void* _t66;
                  				void* _t70;
                  
                  				_t55 = _a4;
                  				_a4 =  *((intOrPtr*)(_t55 + 0x24));
                  				_v8 = 0;
                  				_v12 = 0;
                  				_v16 = 0;
                  				_v20 = 0;
                  				if(E003A71CF(_a8,  *((intOrPtr*)(_t55 + 0x1c)),  &_v8, 0) >= 0) {
                  					_t64 = 1;
                  					_t37 =  ==  ? 1 : 0x101;
                  					_t66 = E003E0E3F( *((intOrPtr*)(_t55 + 0x18)), _v8,  ==  ? 1 : 0x101,  &_v16);
                  					if(_t66 < 0) {
                  						_push(_v8);
                  						if(_t66 != 0x80070002) {
                  							_push("Failed to open registry key. Key = \'%ls\'");
                  							_push(_t66);
                  							E003E012F();
                  							_t70 = _t70 + 0xc;
                  							L18:
                  							if(_t66 < 0) {
                  								_push(_t66);
                  								E003E061A(2, "RegistrySearchExists failed: ID \'%ls\', HRESULT 0x%x", _v8);
                  							}
                  							L20:
                  							E003A2793(_v8);
                  							E003A2793(_v12);
                  							if(_v16 != 0) {
                  								RegCloseKey(_v16);
                  							}
                  							return _t66;
                  						}
                  						_push("Registry key not found. Key = \'%ls\'");
                  						_push(2);
                  						E003E061A();
                  						_t70 = _t70 + 0xc;
                  						L14:
                  						_t64 = 0;
                  						L15:
                  						_t66 = E003A8152(_a8,  *((intOrPtr*)(_t55 + 4)), _t64, 0, 0);
                  						if(_t66 >= 0) {
                  							goto L20;
                  						}
                  						_push("Failed to set variable.");
                  						L2:
                  						_push(_t66);
                  						E003E012F();
                  						goto L18;
                  					}
                  					if( *((intOrPtr*)(_t55 + 0x20)) == 0) {
                  						goto L15;
                  					}
                  					_t66 = E003A71CF(_a8,  *((intOrPtr*)(_t55 + 0x20)),  &_v12, 0);
                  					if(_t66 >= 0) {
                  						_t51 = RegQueryValueExW(_v16, _v12, 0,  &_v20, 0, 0);
                  						_t60 = _t51;
                  						if(_t60 == 0) {
                  							goto L15;
                  						}
                  						if(_t60 == 0) {
                  							_push(_v12);
                  							E003E061A(2, "Registry value not found. Key = \'%ls\', Value = \'%ls\'", _v8);
                  							_t70 = _t70 + 0x10;
                  							goto L14;
                  						}
                  						if(_t51 == 0) {
                  							goto L15;
                  						}
                  						_t69 =  <=  ? _t51 : _t51 & 0x0000ffff | 0x80070000;
                  						_t66 =  >=  ? 0x80004005 :  <=  ? _t51 : _t51 & 0x0000ffff | 0x80070000;
                  						E003A37D3(0x80004005, "search.cpp", 0x322, _t66);
                  						_push("Failed to query registry key value.");
                  						goto L2;
                  					}
                  					_push("Failed to format value string.");
                  					goto L2;
                  				}
                  				_push("Failed to format key string.");
                  				goto L2;
                  			}

                  APIs
                  • _MREFOpen@16.MSPDB140-MSVCRT ref: 003AA1A8
                  • _MREFOpen@16.MSPDB140-MSVCRT ref: 003AA204
                  • RegQueryValueExW.ADVAPI32(000002C0,00000000,00000000,000002C0,00000000,00000000,000002C0,?,00000000,00000000,?,00000000,00000101,000002C0,000002C0,?), ref: 003AA226
                  • RegCloseKey.ADVAPI32(00000000,00000000,00000000,000002C0,00000100,00000000,000002C0), ref: 003AA300
                  Strings
                  • Failed to format key string., xrefs: 003AA1B3
                  • Failed to query registry key value., xrefs: 003AA265
                  • search.cpp, xrefs: 003AA25B
                  • Failed to open registry key. Key = '%ls', xrefs: 003AA2C2
                  • Registry key not found. Key = '%ls', xrefs: 003AA291
                  • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 003AA275
                  • Failed to set variable., xrefs: 003AA2B8
                  • Failed to format value string., xrefs: 003AA20F
                  • RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 003AA2D8
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Open@16$CloseQueryValue
                  • String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$search.cpp
                  • API String ID: 2702208347-46557908
                  • Opcode ID: 50eb7d6c613e8dfc328e949490548b40d52c8dc8537427ece78f66a2928d706a
                  • Instruction ID: 5573e4b4c31b0c58c0c0a336596eef1a1fc46f149258c1fab9eef7b3674dbd73
                  • Opcode Fuzzy Hash: 50eb7d6c613e8dfc328e949490548b40d52c8dc8537427ece78f66a2928d706a
                  • Instruction Fuzzy Hash: 9B411432E40664BBDF276FA5CC06FEEBAA9EB05700F114265FD04B92D1D7728E10D692
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 16%
                  			E003B95AC(void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16) {
                  				intOrPtr _t15;
                  				intOrPtr _t26;
                  				signed short _t27;
                  				intOrPtr _t32;
                  				void* _t34;
                  				void* _t36;
                  				WCHAR* _t37;
                  				intOrPtr _t39;
                  				intOrPtr _t40;
                  
                  				_t36 = __edx;
                  				_t37 = _a12;
                  				_t34 = CreateFileW(_t37, 0x80000000, 5, 0, 3, 0x8000000, 0);
                  				_a12 = _t34;
                  				if(_t34 != 0xffffffff) {
                  					_t15 = _a4;
                  					__eflags =  *((intOrPtr*)(_t15 + 0x20));
                  					if( *((intOrPtr*)(_t15 + 0x20)) == 0) {
                  						__eflags =  *((intOrPtr*)(_t15 + 0x1c));
                  						if( *((intOrPtr*)(_t15 + 0x1c)) == 0) {
                  							__eflags =  *((intOrPtr*)(_t15 + 0x30));
                  							if(__eflags == 0) {
                  								goto L12;
                  							} else {
                  								_t40 = E003B8F8E(_t36, __eflags,  *((intOrPtr*)(_t15 + 0x30)),  *((intOrPtr*)(_t15 + 0x34)), _t37, _t34);
                  								__eflags = _t40;
                  								if(_t40 >= 0) {
                  									goto L12;
                  								} else {
                  									_push(_a8);
                  									_push("Failed to verify payload hash: %ls");
                  									goto L6;
                  								}
                  							}
                  						} else {
                  							_t26 = E003B91F7(_t36, _t15, _t37, _t34);
                  							goto L4;
                  						}
                  					} else {
                  						_t26 = E003BA998(_t36, _t15, _t37, _t34);
                  						L4:
                  						_t40 = _t26;
                  						__eflags = _t40;
                  						if(_t40 >= 0) {
                  							L12:
                  							_t39 = _a16;
                  							_t32 = _a8;
                  							__eflags = _t39;
                  							_push(_t32);
                  							_push(_t37);
                  							_t17 =  ==  ? L"Copying" : L"Moving";
                  							E003E061A(2, "%ls payload from working path \'%ls\' to path \'%ls\'",  ==  ? L"Copying" : L"Moving");
                  							_push(0x7d0);
                  							_push(3);
                  							_push(1);
                  							__eflags = _t39;
                  							if(_t39 == 0) {
                  								_push(_t32);
                  								_push(_t37);
                  								_t40 = E003E3FE7();
                  								__eflags = _t40;
                  								if(_t40 < 0) {
                  									_push(_t32);
                  									_push(_t37);
                  									_push("Failed to copy %ls to %ls");
                  									goto L17;
                  								}
                  							} else {
                  								_push(1);
                  								_push(_t32);
                  								_push(_t37);
                  								_t40 = E003E41D1();
                  								__eflags = _t40;
                  								if(_t40 < 0) {
                  									_push(_t32);
                  									_push(_t37);
                  									_push("Failed to move %ls to %ls");
                  									L17:
                  									_push(_t40);
                  									E003E012F();
                  								}
                  							}
                  						} else {
                  							_push(_a8);
                  							_push("Failed to verify payload signature: %ls");
                  							L6:
                  							_push(_t40);
                  							E003E012F();
                  						}
                  					}
                  					CloseHandle(_a12);
                  				} else {
                  					_t27 = GetLastError();
                  					_t43 =  <=  ? _t27 : _t27 & 0x0000ffff | 0x80070000;
                  					_t40 =  >=  ? 0x80004005 :  <=  ? _t27 : _t27 & 0x0000ffff | 0x80070000;
                  					E003A37D3(0x80004005, "cache.cpp", 0x56b, _t40);
                  					E003E012F(_t40, "Failed to open payload in working path: %ls", _t37);
                  				}
                  				return _t40;
                  			}

                  APIs
                  • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,003BA63D,?,00000000,?,?,003CB049), ref: 003B95C7
                  • GetLastError.KERNEL32(?,003BA63D,?,00000000,?,?,003CB049,?,00000000,?,00000000,?,?,003CB049,?), ref: 003B95D7
                  • CloseHandle.KERNEL32(?,003CB049,00000001,00000003,000007D0,?,?,003CB049,?), ref: 003B96E4
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CloseCreateErrorFileHandleLast
                  • String ID: %ls payload from working path '%ls' to path '%ls'$@Mxt$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$cache.cpp
                  • API String ID: 2528220319-3536088138
                  • Opcode ID: 232eeefb69949b1fc3436141b3c4203e1ff4696e31b8790cb9147001f778c023
                  • Instruction ID: a4251104eadfb432b3a94d8d8ae4fe6b7eaceef7e255898854a16ea64ec7fe7f
                  • Opcode Fuzzy Hash: 232eeefb69949b1fc3436141b3c4203e1ff4696e31b8790cb9147001f778c023
                  • Instruction Fuzzy Hash: 1F31C771E406787BD7331A268C46FBB2A5CDF41B64F01021AFF04BEA91D7609D1095E5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 57%
                  			E003C1341(void* __ebx, char _a4) {
                  				signed short _t30;
                  				signed short _t34;
                  				void* _t37;
                  				void* _t42;
                  				intOrPtr _t49;
                  
                  				_t37 = __ebx;
                  				_t1 =  &_a4; // 0x3a533d
                  				_t49 =  *_t1;
                  				_t42 = 0;
                  				if( *(_t49 + 0x20) != 0) {
                  					 *((intOrPtr*)(_t49 + 0x2c)) = 5;
                  					if(SetEvent( *(_t49 + 0x24)) != 0) {
                  						if(WaitForSingleObject( *(_t49 + 0x20), 0xffffffff) != 0) {
                  							_t30 = GetLastError();
                  							_t45 =  <=  ? _t30 : _t30 & 0x0000ffff | 0x80070000;
                  							_t42 =  >=  ? 0x80004005 :  <=  ? _t30 : _t30 & 0x0000ffff | 0x80070000;
                  							E003A37D3(0x80004005, "cabextract.cpp", 0x10b, _t42);
                  							_push("Failed to wait for thread to terminate.");
                  							goto L5;
                  						}
                  					} else {
                  						_t34 = GetLastError();
                  						_t48 =  <=  ? _t34 : _t34 & 0x0000ffff | 0x80070000;
                  						_t42 =  >=  ? 0x80004005 :  <=  ? _t34 : _t34 & 0x0000ffff | 0x80070000;
                  						E003A37D3(0x80004005, "cabextract.cpp", 0x105, _t42);
                  						_push("Failed to set begin operation event.");
                  						L5:
                  						_push(_t42);
                  						E003E012F();
                  					}
                  				}
                  				_push(_t37);
                  				if( *(_t49 + 0x20) != 0) {
                  					CloseHandle( *(_t49 + 0x20));
                  					 *(_t49 + 0x20) =  *(_t49 + 0x20) & 0x00000000;
                  				}
                  				if( *(_t49 + 0x24) != 0) {
                  					CloseHandle( *(_t49 + 0x24));
                  					 *(_t49 + 0x24) =  *(_t49 + 0x24) & 0x00000000;
                  				}
                  				if( *(_t49 + 0x28) != 0) {
                  					CloseHandle( *(_t49 + 0x28));
                  					 *(_t49 + 0x28) =  *(_t49 + 0x28) & 0x00000000;
                  				}
                  				if( *((intOrPtr*)(_t49 + 0x4c)) != 0) {
                  					E003A3999( *((intOrPtr*)(_t49 + 0x4c)));
                  				}
                  				if( *((intOrPtr*)(_t49 + 0x1c)) != 0) {
                  					E003E54EF( *((intOrPtr*)(_t49 + 0x1c)));
                  				}
                  				return _t42;
                  			}

                  APIs
                  • SetEvent.KERNEL32(003EB468,=S:,00000000,?,003AC06D,=S:,003A52B5,00000000,?,003B763B,?,003A5565,003A5371,003A5371,00000000,?), ref: 003C135E
                  • GetLastError.KERNEL32(?,003AC06D,=S:,003A52B5,00000000,?,003B763B,?,003A5565,003A5371,003A5371,00000000,?,003A5381,FFF9E89D,003A5381), ref: 003C1368
                  • WaitForSingleObject.KERNEL32(003EB478,000000FF,?,003AC06D,=S:,003A52B5,00000000,?,003B763B,?,003A5565,003A5371,003A5371,00000000,?,003A5381), ref: 003C13A2
                  • GetLastError.KERNEL32(?,003AC06D,=S:,003A52B5,00000000,?,003B763B,?,003A5565,003A5371,003A5371,00000000,?,003A5381,FFF9E89D,003A5381), ref: 003C13AC
                  • CloseHandle.KERNEL32(00000000,003A5381,=S:,00000000,?,003AC06D,=S:,003A52B5,00000000,?,003B763B,?,003A5565,003A5371,003A5371,00000000), ref: 003C13F7
                  • CloseHandle.KERNEL32(00000000,003A5381,=S:,00000000,?,003AC06D,=S:,003A52B5,00000000,?,003B763B,?,003A5565,003A5371,003A5371,00000000), ref: 003C1406
                  • CloseHandle.KERNEL32(00000000,003A5381,=S:,00000000,?,003AC06D,=S:,003A52B5,00000000,?,003B763B,?,003A5565,003A5371,003A5371,00000000), ref: 003C1415
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CloseHandle$ErrorLast$EventObjectSingleWait
                  • String ID: =S:$=S:$@Mxt$Failed to set begin operation event.$Failed to wait for thread to terminate.$cabextract.cpp
                  • API String ID: 1206859064-3764698965
                  • Opcode ID: b8a3d9901a58da7f6f5b730d0b1ef48e6599d7d34bbf5037959b6e6f24fd1806
                  • Instruction ID: cee4096b237660e197b7b62abdd3af81ad46c3cd76d63ed8ecf63e95be016b85
                  • Opcode Fuzzy Hash: b8a3d9901a58da7f6f5b730d0b1ef48e6599d7d34bbf5037959b6e6f24fd1806
                  • Instruction Fuzzy Hash: A021E1322007009BE7336B27CC48B67B6F5FF85752F02062DE58A959E0DB75E840EB25
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 63%
                  			E003E01F0(void* __ebx, void* __edx, void* __edi, void* __esi) {
                  				signed int _v8;
                  				short _v528;
                  				short _v1048;
                  				char _v1052;
                  				struct HINSTANCE__* _v1056;
                  				struct HINSTANCE__* _v1060;
                  				long _v1064;
                  				void* __ebp;
                  				signed int _t25;
                  				long _t29;
                  				intOrPtr _t46;
                  				intOrPtr _t47;
                  				void* _t52;
                  				void* _t53;
                  				void* _t54;
                  				char* _t56;
                  				void* _t61;
                  				unsigned int _t62;
                  				unsigned int _t64;
                  				void* _t68;
                  				void* _t70;
                  				void* _t71;
                  				void* _t72;
                  				intOrPtr _t74;
                  				void* _t75;
                  				signed int _t76;
                  				void* _t77;
                  
                  				_t68 = __edx;
                  				_t25 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t25 ^ _t76;
                  				_push(__ebx);
                  				_push(__esi);
                  				_t74 =  *0x40a77c; // 0x406238
                  				_push(__edi);
                  				_v1064 = 0x104;
                  				_v1060 = 0;
                  				_v1056 = 0;
                  				_v1052 = 0;
                  				_t29 = GetModuleFileNameW(0,  &_v528, 0x104);
                  				_t70 = 0x208;
                  				if(_t29 == 0) {
                  					E003CF670(0x208,  &_v528, 0, 0x208);
                  					_t77 = _t77 + 0xc;
                  				}
                  				if(E003E4932( &_v528,  &_v1060,  &_v1056) < 0) {
                  					_v1060 = 0;
                  					_v1056 = 0;
                  				}
                  				if(GetComputerNameW( &_v1048,  &_v1064) != 0) {
                  					L7:
                  					E003E858F(_t70, _t83,  &_v1052, 0);
                  					_push(_v1052);
                  					_push("=== Logging started: %ls ===");
                  					_t71 = 2;
                  					_push(_t71);
                  					E003E061A();
                  					_t62 = _v1056;
                  					_push(_t62 & 0x0000ffff);
                  					_push(_t62 >> 0x10);
                  					_t64 = _v1060;
                  					_push(_t64 & 0x0000ffff);
                  					_push(_t64 >> 0x10);
                  					E003E061A(_t71, "Executable: %ls v%d.%d.%d.%d",  &_v528);
                  					E003E061A(_t71, "Computer  : %ls",  &_v1048);
                  					_t46 =  *0x40a778; // 0x3
                  					_t47 = _t46;
                  					if(_t47 == 0) {
                  						_t74 =  *0x40a790; // 0x406264
                  					} else {
                  						_t52 = _t47 - 1;
                  						if(_t52 == 0) {
                  							_t74 =  *0x40a780; // 0x406240
                  						} else {
                  							_t53 = _t52 - 1;
                  							if(_t53 == 0) {
                  								_t74 =  *0x40a784; // 0x406248
                  							} else {
                  								_t54 = _t53 - 1;
                  								if(_t54 == 0) {
                  									_t74 =  *0x40a788; // 0x406254
                  								} else {
                  									if(_t54 == 1) {
                  										_t74 =  *0x40a78c; // 0x40625c
                  									}
                  								}
                  							}
                  						}
                  					}
                  					E003E061A(_t71, "--- logging level: %hs ---", _t74);
                  					_pop(_t72);
                  					_pop(_t75);
                  					_pop(_t61);
                  					if(_v1052 != 0) {
                  						E003E54EF(_v1052);
                  					}
                  					return E003CDE36(_t61, _v8 ^ _t76, _t68, _t72, _t75);
                  				} else {
                  					_t56 =  &_v1048;
                  					do {
                  						 *_t56 = 0;
                  						_t56 = _t56 + 1;
                  						_t70 = _t70 - 1;
                  						_t83 = _t70;
                  					} while (_t70 != 0);
                  					goto L7;
                  				}
                  			}































                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000001,00000000,00000000), ref: 003E0234
                  • GetComputerNameW.KERNEL32 ref: 003E028C
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Name$ComputerFileModule
                  • String ID: --- logging level: %hs ---$8b@$=== Logging started: %ls ===$@b@$Computer : %ls$Executable: %ls v%d.%d.%d.%d$Hb@$Tb@$\b@$db@
                  • API String ID: 2577110986-1100371090
                  • Opcode ID: 773b9ddfdfa3ef85958a66a6bed4a3c77349b892650e86dfe4673e999d1041df
                  • Instruction ID: f6c4c9f539fedb776a38f3cbdb08b5c9f31fd19ba3fa49df2521cc941ebb3118
                  • Opcode Fuzzy Hash: 773b9ddfdfa3ef85958a66a6bed4a3c77349b892650e86dfe4673e999d1041df
                  • Instruction Fuzzy Hash: 9D4196B290016C9BCB269F65DD84EAA73BCEB44300F0142B9FA09E7181D6709ED58F65
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,003BA5CE,?,00000000,?,?,003CB041), ref: 003B94B1
                  • GetLastError.KERNEL32(?,003BA5CE,?,00000000,?,?,003CB041,?,00000000,?,00000000,?,?,003CB041,?), ref: 003B94BF
                  • CloseHandle.KERNEL32(?,003CB041,00000001,00000003,000007D0,?,?,003CB041,?), ref: 003B959E
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CloseCreateErrorFileHandleLast
                  • String ID: %ls container from working path '%ls' to path '%ls'$@Mxt$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$cache.cpp
                  • API String ID: 2528220319-1470793541
                  • Opcode ID: 90bae559f4db79ea55d9979d6c8c5fbe22c64689f4ab5d5fd8fec1f4c724814e
                  • Instruction ID: 755fb9caec475e769d66dcfbfee3baa21a9ebf7798898876d9781736c9b86a4b
                  • Opcode Fuzzy Hash: 90bae559f4db79ea55d9979d6c8c5fbe22c64689f4ab5d5fd8fec1f4c724814e
                  • Instruction Fuzzy Hash: E6210471A803787BE7331A258C46FBB361CDF56B64F01021AFF05BE6C0D2A19D1185E1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 78%
                  			E003E43A6(signed short _a4, signed short* _a8, long _a12, long _a16, long _a20, signed short _a24, signed short _a28) {
                  				void* _v8;
                  				signed short _v12;
                  				char _v16;
                  				WCHAR* _t36;
                  				signed short _t38;
                  				void* _t41;
                  				signed short _t45;
                  				signed short _t49;
                  				signed short _t50;
                  				long _t60;
                  				signed short _t61;
                  				signed short _t65;
                  				signed short _t68;
                  				signed short _t73;
                  				intOrPtr _t76;
                  				void* _t77;
                  				long _t78;
                  				signed short _t82;
                  				long _t83;
                  				signed short _t85;
                  				void* _t86;
                  				signed short* _t87;
                  				signed short _t88;
                  				signed short _t91;
                  				signed short _t96;
                  				signed short _t97;
                  
                  				_t83 = 0;
                  				_v16 = 0;
                  				_v12 = 0;
                  				if(_a8 != 0) {
                  					__eflags = _a4;
                  					if(_a4 != 0) {
                  						_t36 = _a12;
                  						__eflags = _t36;
                  						if(_t36 != 0) {
                  							__eflags = 0 -  *_t36;
                  							if(0 !=  *_t36) {
                  								_t86 = CreateFileW(_t36, 0x80000000, 5, 0, 3, 0x8000080, 0);
                  								_v8 = _t86;
                  								__eflags = _t86 - 0xffffffff;
                  								if(_t86 != 0xffffffff) {
                  									L14:
                  									_t38 =  &_v16;
                  									__imp__GetFileSizeEx(_t86, _t38);
                  									__eflags = _t38;
                  									if(_t38 != 0) {
                  										__eflags = _a16 - _t83;
                  										if(_a16 == _t83) {
                  											L25:
                  											__eflags = _a28;
                  											if(_a28 == 0) {
                  												_t76 = _v16;
                  												_t39 = _v12;
                  												_t73 = _t76 - _t83;
                  												_t77 = _t76 - _t83;
                  												_push(0);
                  												_pop(0);
                  												asm("sbb eax, edi");
                  												__eflags = 0 - _v12;
                  												if(__eflags > 0) {
                  													L27:
                  													_t87 = _a4;
                  													__eflags =  *_t87;
                  													if( *_t87 == 0) {
                  														__eflags = _t73;
                  														if(_t73 == 0) {
                  															L30:
                  															_t88 = 0;
                  															 *_a8 = 0;
                  															L51:
                  															_t41 = _v8;
                  															__eflags = _t41 - 0xffffffff;
                  															if(_t41 != 0xffffffff) {
                  																CloseHandle(_t41);
                  															}
                  															L53:
                  															goto L54;
                  														}
                  														_t85 = E003A38D4(_t73, 1);
                  														__eflags = _t85;
                  														if(_t85 != 0) {
                  															L40:
                  															_t78 = 0;
                  															_t45 = 0;
                  															_a12 = 0;
                  															_a24 = 0;
                  															while(1) {
                  																_a16 = _t78;
                  																_t88 = E003E3D92(_t73, _t45,  &_a16);
                  																__eflags = _t88;
                  																if(_t88 < 0) {
                  																	break;
                  																}
                  																_t49 = ReadFile(_v8, _a24 + _t85, _a16,  &_a12, 0);
                  																__eflags = _t49;
                  																if(_t49 == 0) {
                  																	_t50 = GetLastError();
                  																	__eflags = _t50;
                  																	_t91 =  <=  ? _t50 : _t50 & 0x0000ffff | 0x80070000;
                  																	__eflags = _t91;
                  																	_t88 =  >=  ? 0x80004005 : _t91;
                  																	E003A37D3(0x80004005, "fileutil.cpp", 0x399, _t88);
                  																	break;
                  																}
                  																_t45 = _a24 + _a12;
                  																__eflags = _a12;
                  																_a24 = _t45;
                  																if(_a12 != 0) {
                  																	_t78 = 0;
                  																	__eflags = 0;
                  																	continue;
                  																}
                  																__eflags = _t45 - _t73;
                  																if(_t45 == _t73) {
                  																	 *_a4 = _t85;
                  																	_t85 = 0;
                  																	 *_a8 = _t73;
                  																} else {
                  																	_t88 = 0x8000ffff;
                  																}
                  																break;
                  															}
                  															__eflags = _t85;
                  															if(_t85 != 0) {
                  																E003A3999(_t85);
                  															}
                  															goto L51;
                  														}
                  														_t39 = 0x8007000e;
                  														_push(0x8007000e);
                  														_t88 = 0x8007000e;
                  														_push(0x38c);
                  														L16:
                  														_push("fileutil.cpp");
                  														E003A37D3(_t39);
                  														goto L51;
                  													}
                  													__eflags = _t73;
                  													if(_t73 != 0) {
                  														_t85 = E003A3A72( *_t87, _t73, 1);
                  														__eflags = _t85;
                  														if(_t85 != 0) {
                  															goto L40;
                  														}
                  														_t39 = 0x8007000e;
                  														_push(0x8007000e);
                  														_t88 = 0x8007000e;
                  														_push(0x37f);
                  														goto L16;
                  													}
                  													E003A3999( *_t87);
                  													 *_t87 = 0;
                  													goto L30;
                  												}
                  												if(__eflags < 0) {
                  													L34:
                  													_t88 = 0x8007007a;
                  													_push(0x8007007a);
                  													_push(0x371);
                  													goto L16;
                  												}
                  												__eflags = _a24 - _t77;
                  												if(_a24 >= _t77) {
                  													goto L27;
                  												}
                  												goto L34;
                  											}
                  											_t73 = _a24;
                  											__eflags = 0;
                  											goto L27;
                  										}
                  										_t83 = _a20;
                  										__eflags = 0 - _v12;
                  										if(__eflags < 0) {
                  											L22:
                  											_t60 = SetFilePointer(_t86, _t83, 0, 1);
                  											__eflags = _t60 - 0xffffffff;
                  											if(_t60 != 0xffffffff) {
                  												goto L25;
                  											}
                  											_t39 = GetLastError();
                  											__eflags = _t39;
                  											_t88 =  <=  ? _t39 : _t39 & 0x0000ffff | 0x80070000;
                  											__eflags = _t88;
                  											if(_t88 >= 0) {
                  												goto L25;
                  											}
                  											_push(_t88);
                  											_push(0x35f);
                  											goto L16;
                  										}
                  										if(__eflags > 0) {
                  											L21:
                  											_t88 = 0x80070057;
                  											goto L51;
                  										}
                  										__eflags = _t83 - _v16;
                  										if(_t83 <= _v16) {
                  											goto L22;
                  										}
                  										goto L21;
                  									}
                  									_t61 = GetLastError();
                  									__eflags = _t61;
                  									_t96 =  <=  ? _t61 : _t61 & 0x0000ffff | 0x80070000;
                  									_t39 = 0x80004005;
                  									__eflags = _t96;
                  									_t88 =  >=  ? 0x80004005 : _t96;
                  									_push(_t88);
                  									_push(0x351);
                  									goto L16;
                  								}
                  								_t82 = GetLastError();
                  								_t88 = 0x80070002;
                  								__eflags = _t82;
                  								_t65 =  <=  ? _t82 : _t82 & 0x0000ffff | 0x80070000;
                  								__eflags = _t65 - 0x80070002;
                  								if(_t65 == 0x80070002) {
                  									goto L53;
                  								}
                  								__eflags = _t82;
                  								if(_t82 == 0) {
                  									_t86 = _v8;
                  									goto L14;
                  								}
                  								_t97 = _t65;
                  								__eflags = _t97;
                  								_t88 =  >=  ? 0x80004005 : _t97;
                  								E003A37D3(0x80004005, "fileutil.cpp", 0x34c, _t88);
                  								goto L53;
                  							}
                  							_t68 = 0x80070057;
                  							_push(0x80070057);
                  							_push(0x342);
                  							goto L2;
                  						}
                  						_t68 = 0x80070057;
                  						_push(0x80070057);
                  						_push(0x341);
                  					} else {
                  						_t68 = 0x80070057;
                  						_push(0x80070057);
                  						_push(0x340);
                  					}
                  					goto L2;
                  				} else {
                  					_t68 = 0x80070057;
                  					_push(0x80070057);
                  					_push(0x33f);
                  					L2:
                  					_push("fileutil.cpp");
                  					_t88 = _t68;
                  					E003A37D3(_t68);
                  					L54:
                  					return _t88;
                  				}
                  			}






























                  APIs
                  • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,?,?,00000000,?,00000000,?,?,?), ref: 003E4425
                  • GetLastError.KERNEL32 ref: 003E443B
                  • GetFileSizeEx.KERNEL32(00000000,?), ref: 003E4486
                  • GetLastError.KERNEL32 ref: 003E4490
                  • CloseHandle.KERNEL32(?), ref: 003E4650
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorFileLast$CloseCreateHandleSize
                  • String ID: @Mxt$fileutil.cpp
                  • API String ID: 3555958901-830300176
                  • Opcode ID: 6bcc18ff04972c69f4ba0e6f8cc5d0acd048c4dfc06fa02d71e069be4fdd28c1
                  • Instruction ID: f7da67609b7b4eff7bf2eca7b50684208923acd1725e556c196430021de12f46
                  • Opcode Fuzzy Hash: 6bcc18ff04972c69f4ba0e6f8cc5d0acd048c4dfc06fa02d71e069be4fdd28c1
                  • Instruction Fuzzy Hash: E871D471A002A5EBEB238E6B8C44B6B76DCEB49760F124329FD15EF2D0D774DD008A94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 57%
                  			E003BE3F4(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                  				long _v8;
                  				int _v12;
                  				void* _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				void _v32;
                  				void* _t23;
                  				void* _t29;
                  				int _t31;
                  				void* _t47;
                  
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_v16 = 0;
                  				_v12 = 0;
                  				_v8 = 0;
                  				_t23 = CreateEventW(0, 1, 0, 0);
                  				_v16 = _t23;
                  				if(_t23 != 0) {
                  					_v32 = _t23;
                  					_v28 = _a4;
                  					_v24 = _a8;
                  					_v20 = _a12;
                  					_t29 = CreateThread(0, 0, E003BE177,  &_v32, 0,  &_v8);
                  					_v12 = _t29;
                  					if(_t29 != 0) {
                  						_t31 = WaitForMultipleObjects(2,  &_v16, 0, 0xffffffff);
                  					} else {
                  						_t46 =  <=  ? GetLastError() : _t33 & 0x0000ffff | 0x80070000;
                  						_t47 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t33 & 0x0000ffff | 0x80070000;
                  						E003A37D3(0x80004005, "splashscreen.cpp", 0x42, _t47);
                  						_push("Failed to create UI thread.");
                  						goto L2;
                  					}
                  				} else {
                  					_t50 =  <=  ? GetLastError() : _t36 & 0x0000ffff | 0x80070000;
                  					_t47 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t36 & 0x0000ffff | 0x80070000;
                  					E003A37D3(0x80004005, "splashscreen.cpp", 0x39, _t47);
                  					_push("Failed to create modal event.");
                  					L2:
                  					_push(_t47);
                  					_t31 = E003E012F();
                  				}
                  				if(_v12 != 0) {
                  					_t31 = CloseHandle(_v12);
                  					_v12 = 0;
                  				}
                  				if(_v16 != 0) {
                  					return CloseHandle(_v16);
                  				}
                  				return _t31;
                  			}















                  APIs
                  • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,003A5386,?,?), ref: 003BE415
                  • GetLastError.KERNEL32(?,?,003A5386,?,?), ref: 003BE422
                  • CreateThread.KERNEL32 ref: 003BE481
                  • GetLastError.KERNEL32(?,?,003A5386,?,?), ref: 003BE48E
                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,003A5386,?,?), ref: 003BE4C9
                  • CloseHandle.KERNEL32(?,?,?,003A5386,?,?), ref: 003BE4DD
                  • CloseHandle.KERNEL32(?,?,?,003A5386,?,?), ref: 003BE4EA
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
                  • String ID: @Mxt$Failed to create UI thread.$Failed to create modal event.$splashscreen.cpp
                  • API String ID: 2351989216-3317418479
                  • Opcode ID: 429ab975a56a23a4208d5246dc8e3b9683236ff387f12ea3b2dbaf108d13dc51
                  • Instruction ID: 361b7488bfbadcc68a871c30464337b854b0515b1193023957e369975fdd7039
                  • Opcode Fuzzy Hash: 429ab975a56a23a4208d5246dc8e3b9683236ff387f12ea3b2dbaf108d13dc51
                  • Instruction Fuzzy Hash: 6A315275D00219BBDB229FAA9C45AEFFBF8EF44750F114226FE15E6190D7744D008AA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 55%
                  			E003C1224(intOrPtr _a4) {
                  				long _v8;
                  				void* _v12;
                  				void* _v16;
                  				long _t20;
                  				intOrPtr _t50;
                  
                  				_t50 = _a4;
                  				_v16 =  *(_t50 + 0x28);
                  				_v12 =  *(_t50 + 0x20);
                  				_v8 = 0;
                  				_t20 = WaitForMultipleObjects(2,  &_v16, 0, 0xffffffff);
                  				if(_t20 == 0) {
                  					if(ResetEvent( *(_t50 + 0x28)) != 0) {
                  						 *((intOrPtr*)(_t50 + 0x2c)) = 0;
                  					} else {
                  						_t37 =  <=  ? GetLastError() : _t23 & 0x0000ffff | 0x80070000;
                  						_t38 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t23 & 0x0000ffff | 0x80070000;
                  						_v8 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t23 & 0x0000ffff | 0x80070000;
                  						E003A37D3(0x80004005, "cabextract.cpp", 0x13e, _t38);
                  						_push("Failed to reset operation complete event.");
                  						goto L7;
                  					}
                  				} else {
                  					if(_t20 == 1) {
                  						if(GetExitCodeThread( *(_t50 + 0x20),  &_v8) == 0) {
                  							_t43 =  <=  ? GetLastError() : _t29 & 0x0000ffff | 0x80070000;
                  							_t44 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t29 & 0x0000ffff | 0x80070000;
                  							_v8 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t29 & 0x0000ffff | 0x80070000;
                  							E003A37D3(0x80004005, "cabextract.cpp", 0x145, _t44);
                  							_push("Failed to get extraction thread exit code.");
                  							goto L7;
                  						}
                  					} else {
                  						_t47 =  <=  ? GetLastError() : _t32 & 0x0000ffff | 0x80070000;
                  						_t48 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t32 & 0x0000ffff | 0x80070000;
                  						_v8 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t32 & 0x0000ffff | 0x80070000;
                  						E003A37D3(0x80004005, "cabextract.cpp", 0x14b, _t48);
                  						_push("Failed to wait for operation complete event.");
                  						L7:
                  						_push(_v8);
                  						E003E012F();
                  					}
                  				}
                  				return _v8;
                  			}









                  APIs
                  • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,747DF5E0,?,?,003A52FD,003A52B5,00000000,003A533D), ref: 003C1249
                  • GetLastError.KERNEL32 ref: 003C125C
                  • GetExitCodeThread.KERNEL32(003EB478,?), ref: 003C129E
                  • GetLastError.KERNEL32 ref: 003C12AC
                  • ResetEvent.KERNEL32(003EB450), ref: 003C12E7
                  • GetLastError.KERNEL32 ref: 003C12F1
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
                  • String ID: @Mxt$Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
                  • API String ID: 2979751695-3125173681
                  • Opcode ID: 1e893c056942ed093ffe9dcfb24200e0ba66de81e2dfa76fd76c2c7142e27d3f
                  • Instruction ID: 8b33092a8a9ec1aa8902b1c3302892a0757396bbb431e96d9bea0bd8b76c5740
                  • Opcode Fuzzy Hash: 1e893c056942ed093ffe9dcfb24200e0ba66de81e2dfa76fd76c2c7142e27d3f
                  • Instruction Fuzzy Hash: 2D21A2B5700308AFEB169B658D45ABFB6E8EF05710F00422EF94ADA5E0E7709D00AB15
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 18%
                  			E003AD5C0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                  				struct HINSTANCE__* _t9;
                  				signed short _t15;
                  				signed short _t18;
                  				intOrPtr* _t21;
                  				intOrPtr _t24;
                  				void* _t25;
                  
                  				_t24 = _a4;
                  				_t2 = _t24 + 4; // 0x69006e
                  				_t9 = LoadLibraryW( *( *_t2 + 0x50));
                  				 *(_t24 + 0xc) = _t9;
                  				if(_t9 != 0) {
                  					_t21 = GetProcAddress(_t9, "BootstrapperApplicationCreate");
                  					if(_t21 != 0) {
                  						_t5 = _t24 + 0x10; // 0x3eb4a0
                  						_t25 =  *_t21(_a8, _a12, _t5);
                  						if(_t25 < 0) {
                  							_push("Failed to create UX.");
                  							goto L6;
                  						}
                  					} else {
                  						_t15 = GetLastError();
                  						_t28 =  <=  ? _t15 : _t15 & 0x0000ffff | 0x80070000;
                  						_t25 =  >=  ? 0x80004005 :  <=  ? _t15 : _t15 & 0x0000ffff | 0x80070000;
                  						E003A37D3(0x80004005, "userexperience.cpp", 0x5d, _t25);
                  						_push("Failed to get BootstrapperApplicationCreate entry-point");
                  						goto L6;
                  					}
                  				} else {
                  					_t18 = GetLastError();
                  					_t31 =  <=  ? _t18 : _t18 & 0x0000ffff | 0x80070000;
                  					_t25 =  >=  ? 0x80004005 :  <=  ? _t18 : _t18 & 0x0000ffff | 0x80070000;
                  					E003A37D3(0x80004005, "userexperience.cpp", 0x59, _t25);
                  					_push("Failed to load UX DLL.");
                  					L6:
                  					_push(_t25);
                  					E003E012F();
                  				}
                  				return _t25;
                  			}










                  APIs
                  • LoadLibraryW.KERNEL32(?,00000000,?,003A46F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,003A5386,?,?), ref: 003AD5CD
                  • GetLastError.KERNEL32(?,003A46F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,003A5386,?,?), ref: 003AD5DA
                  • GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 003AD612
                  • GetLastError.KERNEL32(?,003A46F8,00000000,00000000,wininet.dll,?,00000000,00000000,?,?,003A5386,?,?), ref: 003AD61E
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorLast$AddressLibraryLoadProc
                  • String ID: @Mxt$BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp$wininet.dll
                  • API String ID: 1866314245-1124049057
                  • Opcode ID: a1dac0d2b5cd9947d25f59bf9a59b7d4c94f74776de7f884e19065350edc0ed2
                  • Instruction ID: 79bd9c642b2c6cdf8c1e2c39d87094ba69195ec1c4cad3467150008c6c7502e3
                  • Opcode Fuzzy Hash: a1dac0d2b5cd9947d25f59bf9a59b7d4c94f74776de7f884e19065350edc0ed2
                  • Instruction Fuzzy Hash: F011E732640771AFDB275A655C04AA776D8DF05750F024229FD0AEB5D0DB61DC018AD4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 60%
                  			E003B91F7(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                  				signed int _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				char _v24;
                  				signed int _v28;
                  				void* _v32;
                  				char _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				signed int _v52;
                  				intOrPtr _v64;
                  				void* _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v80;
                  				char _v92;
                  				signed int _v100;
                  				void* _v104;
                  				intOrPtr _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				intOrPtr _v120;
                  				void _v128;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t64;
                  				void* _t69;
                  				short* _t72;
                  				signed short _t74;
                  				char* _t88;
                  				signed short _t90;
                  				signed short _t100;
                  				void* _t104;
                  				void* _t106;
                  				signed int* _t107;
                  				signed short _t108;
                  				intOrPtr _t109;
                  				signed int _t111;
                  				void* _t118;
                  				void* _t119;
                  				void* _t122;
                  				signed int _t141;
                  
                  				_t118 = __edx;
                  				_t64 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t64 ^ _t141;
                  				_t109 = _a12;
                  				_v44 = _a8;
                  				_v40 = _t109;
                  				E003CF670(_t119,  &_v92, 0, 0x30);
                  				_v24 = 0xaac56b;
                  				_v20 = 0x11d0cd44;
                  				_v32 = 0;
                  				_v36 = 0;
                  				_t111 = 9;
                  				_t69 = memset( &_v128, 0, _t111 << 2);
                  				_v28 = _t69;
                  				_t122 = _t69;
                  				_v16 = 0xc000c28c;
                  				_v12 = 0xee95c24f;
                  				if(E003A21A5( &_v32, _a8, _t69) >= 0) {
                  					_t72 = _v32;
                  					while(0 !=  *_t72) {
                  						 *_t72 =  *_t72 + 0x20;
                  						_t72 = _t72 + 2;
                  					}
                  					_push(0);
                  					_push(0);
                  					_push( &_v28);
                  					_push(_t109);
                  					L003DF45C();
                  					_t74 = GetLastError();
                  					if(_t74 != 0x7a) {
                  						if(_t74 == 0) {
                  							goto L11;
                  						} else {
                  							_t137 =  <=  ? _t74 : _t74 & 0x0000ffff | 0x80070000;
                  							_t104 = 0x80004005;
                  							_t128 =  >=  ? 0x80004005 :  <=  ? _t74 : _t74 & 0x0000ffff | 0x80070000;
                  							_push(_t128);
                  							_push(0x778);
                  							goto L8;
                  						}
                  					} else {
                  						_t106 = E003A38D4(_v28, 1);
                  						_push(0);
                  						_t122 = _t106;
                  						_t107 =  &_v28;
                  						_push(_t122);
                  						_push(_t107);
                  						_push(_t109);
                  						L003DF45C();
                  						if(_t107 != 0) {
                  							L11:
                  							_t110 = 1 + _v28 * 2;
                  							if(E003A1EDE( &_v36, 1 + _v28 * 2) >= 0) {
                  								if(E003A26EE(0, _t122, _v28, _v36, _t110) >= 0) {
                  									_v92 = 0x30;
                  									_v68 =  &_v128;
                  									_v100 = _v28;
                  									_v108 = _v40;
                  									_v116 = _v36;
                  									_v112 = _v32;
                  									_t110 = 2;
                  									_v80 = _t110;
                  									_v72 = _t110;
                  									_v64 = 1;
                  									_v52 = 0x80;
                  									_v128 = 0x24;
                  									_v104 = _t122;
                  									_v120 =  *((intOrPtr*)( *((intOrPtr*)(_a4 + 0x1c)) + 8));
                  									_push( &_v92);
                  									_t88 =  &_v24;
                  									_push(_t88);
                  									_push(0xffffffff);
                  									L003DF42C();
                  									_t128 = _t88;
                  									if(_t88 == 0) {
                  										L18:
                  										_v64 = _t110;
                  										_push( &_v92);
                  										_t90 =  &_v24;
                  										_push(_t90);
                  										_push(0xffffffff);
                  										L003DF42C();
                  										if(_t90 != 0) {
                  											_t131 =  <=  ? _t90 : _t90 & 0x0000ffff | 0x80070000;
                  											_t128 =  >=  ? 0x80004005 :  <=  ? _t90 : _t90 & 0x0000ffff | 0x80070000;
                  											E003A37D3(0x80004005, "cache.cpp", 0x7a3, _t128);
                  											_push("Could not close verify handle.");
                  											goto L20;
                  										}
                  									} else {
                  										_v52 = _v52 | 0x00001000;
                  										_push( &_v92);
                  										_t100 =  &_v24;
                  										_push(_t100);
                  										_push(0xffffffff);
                  										L003DF42C();
                  										if(_t100 == 0) {
                  											goto L18;
                  										} else {
                  											_t134 =  <=  ? _t100 : _t100 & 0x0000ffff | 0x80070000;
                  											_t128 =  >=  ? 0x80004005 :  <=  ? _t100 : _t100 & 0x0000ffff | 0x80070000;
                  											E003A37D3(0x80004005, "cache.cpp", 0x79d,  >=  ? 0x80004005 :  <=  ? _t100 : _t100 & 0x0000ffff | 0x80070000);
                  											E003E012F( >=  ? 0x80004005 :  <=  ? _t100 : _t100 & 0x0000ffff | 0x80070000, "Could not verify file %ls.", _v44);
                  										}
                  									}
                  								} else {
                  									_push("Failed to encode file hash.");
                  									goto L20;
                  								}
                  							} else {
                  								_push("Failed to allocate string.");
                  								goto L20;
                  							}
                  						} else {
                  							_t108 = GetLastError();
                  							_t140 =  <=  ? _t108 : _t108 & 0x0000ffff | 0x80070000;
                  							_t104 = 0x80004005;
                  							_t128 =  >=  ? 0x80004005 :  <=  ? _t108 : _t108 & 0x0000ffff | 0x80070000;
                  							_push(_t128);
                  							_push(0x773);
                  							L8:
                  							_push("cache.cpp");
                  							E003A37D3(_t104);
                  							_push("Failed to get file hash.");
                  							goto L20;
                  						}
                  					}
                  				} else {
                  					_push("Failed to allocate memory");
                  					L20:
                  					_push(_t128);
                  					E003E012F();
                  				}
                  				if(_v32 != 0) {
                  					E003E54EF(_v32);
                  				}
                  				if(_v36 != 0) {
                  					E003E54EF(_v36);
                  				}
                  				if(_t122 != 0) {
                  					E003A3999(_t122);
                  				}
                  				return E003CDE36(_t110, _v8 ^ _t141, _t118, _t122, _t128);
                  			}
















































                  APIs
                  • GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 003B9297
                  • GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,000007D0,00000001), ref: 003B92BB
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorLast
                  • String ID: $$0$@Mxt$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$cache.cpp
                  • API String ID: 1452528299-316113446
                  • Opcode ID: bf521cef9ab39c12089a58b351201ede82e5f6a87801931dd9207bdd137e337b
                  • Instruction ID: e0ee689f441183665c7597d960401eb39e6e65c1657c5e5c8b39a684f2ce523d
                  • Opcode Fuzzy Hash: bf521cef9ab39c12089a58b351201ede82e5f6a87801931dd9207bdd137e337b
                  • Instruction Fuzzy Hash: 56715372D00229AEDB12DBA5CC41BEFB7F8EB09714F110226FA05FB291D7749D418BA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 85%
                  			E003A3083(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12) {
                  				signed int _v8;
                  				signed int _v12;
                  				long _v16;
                  				signed int _t49;
                  				long _t57;
                  				void* _t63;
                  				signed short _t65;
                  				signed short _t66;
                  				long _t69;
                  				signed short _t77;
                  				signed short _t78;
                  				WCHAR* _t79;
                  				long _t81;
                  				long _t84;
                  				long _t85;
                  				long _t87;
                  				void* _t88;
                  
                  				_t79 = _a8;
                  				_t49 = 0;
                  				_v12 = _v12 & 0;
                  				_t81 = 0;
                  				_v8 = 0;
                  				_v16 = 0;
                  				_t84 = 0x40;
                  				if((_a12 & 0x00000001) == 0) {
                  					L16:
                  					if((_a12 & 0x00000002) == 0) {
                  						_v8 = _v8 & 0x00000000;
                  						_v12 = _t49;
                  						goto L30;
                  					} else {
                  						_a12 = _a12 & 0x00000000;
                  						_t83 =  !=  ? _t49 : _t79;
                  						_a8 =  !=  ? _t49 : _t79;
                  						_t85 =  >  ? _t81 : _t84;
                  						_t88 = E003A1EDE( &_v12, _t85);
                  						if(_t88 >= 0) {
                  							_t57 = GetFullPathNameW(_a8, _t85, _v12,  &_a12);
                  							if(_t57 != 0) {
                  								if(_t85 >= _t57) {
                  									L26:
                  									if(_t57 <= 0x104) {
                  										L28:
                  										_t49 = _v12;
                  										L30:
                  										_t80 =  !=  ? _t49 : _t79;
                  										_t88 = E003A21A5(_a4,  !=  ? _t49 : _t79, 0);
                  									} else {
                  										_t88 = E003A3593( &_v12);
                  										if(_t88 >= 0) {
                  											goto L28;
                  										}
                  									}
                  								} else {
                  									_t34 = _t57 + 7; // 0x7
                  									_t87 =  <  ? _t57 : _t34;
                  									_t88 = E003A1EDE( &_v12, _t87);
                  									if(_t88 >= 0) {
                  										_t57 = GetFullPathNameW(_a8, _t87, _v12,  &_a12);
                  										if(_t57 != 0) {
                  											if(_t87 >= _t57) {
                  												goto L26;
                  											} else {
                  												_t63 = 0x8007007a;
                  												_push(0x8007007a);
                  												_t88 = 0x8007007a;
                  												_push(0x149);
                  												goto L4;
                  											}
                  										} else {
                  											_t65 = GetLastError();
                  											_t91 =  <=  ? _t65 : _t65 & 0x0000ffff | 0x80070000;
                  											_t63 = 0x80004005;
                  											_t88 =  >=  ? 0x80004005 :  <=  ? _t65 : _t65 & 0x0000ffff | 0x80070000;
                  											_push(_t88);
                  											_push(0x144);
                  											goto L4;
                  										}
                  									}
                  								}
                  							} else {
                  								_t66 = GetLastError();
                  								_t94 =  <=  ? _t66 : _t66 & 0x0000ffff | 0x80070000;
                  								_t63 = 0x80004005;
                  								_t88 =  >=  ? 0x80004005 :  <=  ? _t66 : _t66 & 0x0000ffff | 0x80070000;
                  								_push(_t88);
                  								_push(0x139);
                  								goto L4;
                  							}
                  						}
                  					}
                  				} else {
                  					_v16 = _t84;
                  					_t88 = E003A1EDE( &_v8, _t84);
                  					if(_t88 >= 0) {
                  						_t69 = ExpandEnvironmentStringsW(_t79, _v8, _v16);
                  						if(_t69 != 0) {
                  							_t81 = _v16;
                  							if(_t81 >= _t69) {
                  								L11:
                  								if(_t69 <= 0x104) {
                  									L15:
                  									_t49 = _v8;
                  									goto L16;
                  								} else {
                  									_t88 =  ==  ? 0 : E003A3593( &_v8);
                  									if(_t88 >= 0) {
                  										_t88 = E003A275D(_v8,  &_v16);
                  										if(_t88 >= 0) {
                  											_t81 = _v16;
                  											goto L15;
                  										}
                  									}
                  								}
                  							} else {
                  								_v16 = _t69;
                  								_t88 = E003A1EDE( &_v8, _t69);
                  								if(_t88 >= 0) {
                  									_t69 = ExpandEnvironmentStringsW(_t79, _v8, _v16);
                  									if(_t69 != 0) {
                  										_t81 = _v16;
                  										if(_t81 >= _t69) {
                  											goto L11;
                  										} else {
                  											_t63 = 0x8007007a;
                  											_push(0x8007007a);
                  											_t88 = 0x8007007a;
                  											_push(0x118);
                  											goto L4;
                  										}
                  									} else {
                  										_t77 = GetLastError();
                  										_t98 =  <=  ? _t77 : _t77 & 0x0000ffff | 0x80070000;
                  										_t63 = 0x80004005;
                  										_t88 =  >=  ? 0x80004005 :  <=  ? _t77 : _t77 & 0x0000ffff | 0x80070000;
                  										_push(_t88);
                  										_push(0x113);
                  										goto L4;
                  									}
                  								}
                  							}
                  						} else {
                  							_t78 = GetLastError();
                  							_t101 =  <=  ? _t78 : _t78 & 0x0000ffff | 0x80070000;
                  							_t63 = 0x80004005;
                  							_t88 =  >=  ? 0x80004005 :  <=  ? _t78 : _t78 & 0x0000ffff | 0x80070000;
                  							_push(_t88);
                  							_push(0x108);
                  							L4:
                  							_push("pathutil.cpp");
                  							E003A37D3(_t63);
                  						}
                  					}
                  				}
                  				if(_v12 != 0) {
                  					E003E54EF(_v12);
                  				}
                  				if(_v8 != 0) {
                  					E003E54EF(_v8);
                  				}
                  				return _t88;
                  			}





















                  APIs
                  • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,00000040,00000000,00000000), ref: 003A30C7
                  • GetLastError.KERNEL32 ref: 003A30D1
                  • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 003A3129
                  • GetLastError.KERNEL32 ref: 003A3133
                  • GetFullPathNameW.KERNEL32(00000000,00000040,00000000,00000000,00000000,00000040,00000000,00000000), ref: 003A31EC
                  • GetLastError.KERNEL32 ref: 003A31F6
                  • GetFullPathNameW.KERNEL32(00000000,00000007,00000000,00000000,00000000,00000007), ref: 003A324D
                  • GetLastError.KERNEL32 ref: 003A3257
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
                  • String ID: @Mxt$pathutil.cpp
                  • API String ID: 1547313835-2913857282
                  • Opcode ID: 3af92120384d0f0584ac406cf737f4d0ab1f6baa18eb1321aa92622f316b4f5a
                  • Instruction ID: bc2afa3e947a84f2c50a8b7c9251338920f81a7dcb237f6484960295c19815da
                  • Opcode Fuzzy Hash: 3af92120384d0f0584ac406cf737f4d0ab1f6baa18eb1321aa92622f316b4f5a
                  • Instruction Fuzzy Hash: B4618032E00229ABDF239AA5C849BAFBAE8EF45750F114665FD05EB150E735CE009B90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 59%
                  			E003BE05E(struct HINSTANCE__* _a4, void** _a8) {
                  				signed int _v8;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				struct tagMONITORINFO _v48;
                  				struct tagPOINT _v56;
                  				void* _v72;
                  				void* _v76;
                  				void _v80;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t33;
                  				int _t36;
                  				void* _t38;
                  				struct HMONITOR__* _t44;
                  				signed short _t60;
                  				void** _t64;
                  				signed int _t65;
                  				void* _t67;
                  				struct HINSTANCE__* _t75;
                  				void* _t78;
                  				void* _t79;
                  				int _t80;
                  				signed int _t84;
                  
                  				_t33 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t33 ^ _t84;
                  				_t75 = _a4;
                  				_t64 = _a8;
                  				_t65 = 6;
                  				_t80 = 0;
                  				_t36 = memset( &_v80, 0, _t65 << 2);
                  				_t67 = 0xa;
                  				_t78 =  &_v48;
                  				_v56.x = 0;
                  				memset(_t78, _t36, 0 << 2);
                  				_t79 = _t78 + _t67;
                  				_v56.y = 0;
                  				_t38 = LoadBitmapW(_t75, 1);
                  				 *_t64 = _t38;
                  				if(_t38 != 0) {
                  					GetObjectW(_t38, 0x18,  &_v80);
                  					_t64[1] = 0x80000000;
                  					_t64[2] = 0x80000000;
                  					_t64[3] = _v76;
                  					_t64[4] = _v72;
                  					_t44 = GetCursorPos( &_v56);
                  					if(_t44 != 0) {
                  						__imp__MonitorFromPoint(_v56.x, _v56.y, 2);
                  						if(_t44 != 0) {
                  							_v48.cbSize = 0x28;
                  							if(GetMonitorInfoW(_t44,  &_v48) != 0) {
                  								asm("cdq");
                  								_t64[1] = (_v20 - _t64[3] - _v48.rcWork - _t75 >> 1) + _v48.rcWork;
                  								asm("cdq");
                  								_t64[2] = (_v16 - _v24 - _t64[4] - _t75 >> 1) + _v24;
                  							}
                  						}
                  					}
                  				} else {
                  					_t60 = GetLastError();
                  					_t83 =  <=  ? _t60 : _t60 & 0x0000ffff | 0x80070000;
                  					_t80 =  >=  ? 0x80004005 :  <=  ? _t60 : _t60 & 0x0000ffff | 0x80070000;
                  					E003A37D3(0x80004005, "splashscreen.cpp", 0xe8, _t80);
                  					_push("Failed to load splash screen bitmap.");
                  					_push(_t80);
                  					E003E012F();
                  				}
                  				return E003CDE36(_t64, _v8 ^ _t84, _t75, _t79, _t80);
                  			}






























                  APIs
                  • LoadBitmapW.USER32(?,00000001), ref: 003BE094
                  • GetLastError.KERNEL32 ref: 003BE0A0
                  • GetObjectW.GDI32(00000000,00000018,?), ref: 003BE0E7
                  • GetCursorPos.USER32(?), ref: 003BE108
                  • MonitorFromPoint.USER32(?,?,00000002), ref: 003BE11A
                  • GetMonitorInfoW.USER32 ref: 003BE130
                  Strings
                  Similarity
                  • API ID: Monitor$BitmapCursorErrorFromInfoLastLoadObjectPoint
                  • String ID: ($@Mxt$Failed to load splash screen bitmap.$splashscreen.cpp
                  • API String ID: 2342928100-4268725994
                  • Opcode ID: c510d3ef782c441fdcde268a5be36f9e3f765d9725aeee90e41828b8aa2643bc
                  • Instruction ID: c4401ccf5ac6c5c1e698014f7f69f26a07cffce0be90bfeb7b640254db4a6797
                  • Opcode Fuzzy Hash: c510d3ef782c441fdcde268a5be36f9e3f765d9725aeee90e41828b8aa2643bc
                  • Instruction Fuzzy Hash: DC311D75A002199FDB11DFBDD985A9EBBF9EB08710F148129F905EB284DB70A905CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 43%
                  			E003A64B6(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                  				signed int _v8;
                  				char _v528;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t10;
                  				char* _t14;
                  				signed short _t15;
                  				signed short _t23;
                  				signed short _t27;
                  				void* _t30;
                  				void* _t36;
                  				signed short _t39;
                  				signed short _t42;
                  				signed int _t46;
                  
                  				_t36 = __edx;
                  				_t30 = __ebx;
                  				_t10 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t10 ^ _t46;
                  				_t37 = _a8;
                  				E003CF670(_a8,  &_v528, 0, 0x208);
                  				_t14 =  &_v528;
                  				_push(0x104);
                  				_push(_t14);
                  				if(_a4 == 0) {
                  					_t15 = GetSystemDirectoryW();
                  					__eflags = _t15;
                  					if(_t15 != 0) {
                  						goto L6;
                  					} else {
                  						_t23 = GetLastError();
                  						__eflags = _t23;
                  						_t42 =  <=  ? _t23 : _t23 & 0x0000ffff | 0x80070000;
                  						__eflags = _t42;
                  						_t39 =  >=  ? 0x80004005 : _t42;
                  						E003A37D3(0x80004005, "variable.cpp", 0x77e, _t39);
                  						_push("Failed to get 64-bit system folder.");
                  						goto L11;
                  					}
                  				} else {
                  					__imp__GetSystemWow64DirectoryW();
                  					if(_t14 != 0) {
                  						L6:
                  						__eflags = _v528;
                  						if(__eflags == 0) {
                  							L9:
                  							_t39 = E003C02F4(_t37,  &_v528, 0);
                  							__eflags = _t39;
                  							if(_t39 < 0) {
                  								_push("Failed to set system folder variant value.");
                  								goto L11;
                  							}
                  						} else {
                  							_t39 = E003A338F(0, __eflags,  &_v528, 0x104);
                  							__eflags = _t39;
                  							if(_t39 >= 0) {
                  								goto L9;
                  							} else {
                  								_push("Failed to backslash terminate system folder.");
                  								goto L11;
                  							}
                  						}
                  					} else {
                  						_t27 =  !=  ? 0 : GetLastError();
                  						if(_t27 == 0) {
                  							goto L6;
                  						} else {
                  							_t45 =  <=  ? _t27 : _t27 & 0x0000ffff | 0x80070000;
                  							_t39 =  >=  ? 0x80004005 :  <=  ? _t27 : _t27 & 0x0000ffff | 0x80070000;
                  							E003A37D3(0x80004005, "variable.cpp", 0x777, _t39);
                  							_push("Failed to get 32-bit system folder.");
                  							L11:
                  							_push(_t39);
                  							E003E012F();
                  						}
                  					}
                  				}
                  				return E003CDE36(_t30, _v8 ^ _t46, _t36, _t37, _t39);
                  			}



















                  APIs
                  • GetSystemWow64DirectoryW.KERNEL32(?,00000104), ref: 003A64F7
                  • GetLastError.KERNEL32 ref: 003A6505
                  • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 003A6546
                  • GetLastError.KERNEL32 ref: 003A6550
                  Strings
                  Similarity
                  • API ID: DirectoryErrorLastSystem$Wow64
                  • String ID: @Mxt$Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$variable.cpp
                  • API String ID: 2634638900-2315518921
                  • Opcode ID: 99f93b5194722c3ac6d7f8cefd38f203f093038e08b0832adb9214517945a044
                  • Instruction ID: 9a972c5db5ff37082a97b94be25983306ae447faa104861f3db9c7bec8aee363
                  • Opcode Fuzzy Hash: 99f93b5194722c3ac6d7f8cefd38f203f093038e08b0832adb9214517945a044
                  • Instruction Fuzzy Hash: C121E9B1E4037866EB239B669C4ABAB72DCDF02750F114269FD09EB1C0DA649D0486E1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 58%
                  			E003A1174(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                  				char _v8;
                  				_Unknown_base(*)()* _t9;
                  				_Unknown_base(*)()* _t10;
                  				long _t11;
                  				void* _t14;
                  				struct HINSTANCE__* _t15;
                  				void* _t18;
                  				intOrPtr _t21;
                  				void* _t22;
                  				signed int _t23;
                  
                  				_t23 = 0;
                  				_v8 = 0;
                  				__imp__HeapSetInformation(0, 1, 0, 0, _t18, _t22, _t14, __ecx);
                  				_t15 = GetModuleHandleW(L"kernel32");
                  				_t9 = GetProcAddress(_t15, "SetDefaultDllDirectories");
                  				if(_t9 == 0) {
                  					L3:
                  					_t10 = GetProcAddress(_t15, "SetDllDirectoryW");
                  					if(_t10 == 0) {
                  						L5:
                  						_t11 = GetLastError();
                  					} else {
                  						_t11 =  *_t10(0x3eb524);
                  						if(_t11 == 0) {
                  							goto L5;
                  						}
                  					}
                  					if(_a8 > _t23) {
                  						_t21 = _a4;
                  						do {
                  							_t11 = E003A37D6( *((intOrPtr*)(_t21 + _t23 * 4)),  &_v8);
                  							_t23 = _t23 + 1;
                  						} while (_t23 < _a8);
                  					}
                  				} else {
                  					_t11 =  *_t9(0x800);
                  					if(_t11 == 0) {
                  						GetLastError();
                  						goto L3;
                  					}
                  				}
                  				return _t11;
                  			}














                  APIs
                  • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,003A111A,cabinet.dll,00000009,?,?,00000000), ref: 003A1185
                  • GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,003A111A,cabinet.dll,00000009,?,?,00000000), ref: 003A1190
                  • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 003A119E
                  • GetLastError.KERNEL32(?,?,?,?,003A111A,cabinet.dll,00000009,?,?,00000000), ref: 003A11B9
                  • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 003A11C1
                  • GetLastError.KERNEL32(?,?,?,?,003A111A,cabinet.dll,00000009,?,?,00000000), ref: 003A11D6
                  Strings
                  Similarity
                  • API ID: AddressErrorLastProc$HandleHeapInformationModule
                  • String ID: @Mxt$SetDefaultDllDirectories$SetDllDirectoryW$kernel32
                  • API String ID: 3104334766-2233792190
                  • Opcode ID: e7f8ebf2b04d9cc65069f1e216f77734fc1f9791fe2bd88c8ba585aedcbf9314
                  • Instruction ID: 511712df225cf6662f793fb1dbf2bdc3569fbc6eb38bd33d1352e90e3f702c2b
                  • Opcode Fuzzy Hash: e7f8ebf2b04d9cc65069f1e216f77734fc1f9791fe2bd88c8ba585aedcbf9314
                  • Instruction Fuzzy Hash: DF015271600265BBDA236BA69C49DABBB6CFB42791F014211FA15961D0DB70EE008BB1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E003BE31B(void** _a4, int _a8, int _a12, long _a16) {
                  				void* _t16;
                  				void* _t19;
                  				long _t28;
                  				struct HDC__* _t32;
                  				void* _t35;
                  				void* _t36;
                  				void* _t38;
                  				void* _t39;
                  				struct HWND__* _t41;
                  				void** _t43;
                  				long _t45;
                  
                  				_t41 = _a4;
                  				_t43 = GetWindowLongW(_t41, 0xffffffeb);
                  				_t16 = 2;
                  				_a4 = _t43;
                  				_t35 = _a8 - _t16;
                  				if(_t35 == 0) {
                  					PostQuitMessage(0);
                  					return 0;
                  				}
                  				_t36 = _t35 - 0x12;
                  				if(_t36 == 0) {
                  					_t32 = CreateCompatibleDC(_a12);
                  					_t19 = SelectObject(_t32,  *_t43);
                  					StretchBlt(_a12, 0, 0, _a4[3], _a4[4], _t32, 0, 0,  *(_t20 + 0xc),  *(_t20 + 0x10), 0xcc0020);
                  					SelectObject(_t32, _t19);
                  					DeleteDC(_t32);
                  					return 1;
                  				}
                  				_t45 = _a16;
                  				_t38 = _t36 - 0x6d;
                  				if(_t38 == 0) {
                  					SetWindowLongW(_t41, 0xffffffeb,  *_t45);
                  					L8:
                  					return DefWindowProcW(_t41, _a8, _a12, _t45);
                  				}
                  				_t39 = _t38 - 1;
                  				if(_t39 == 0) {
                  					_t28 = DefWindowProcW(_t41, 0x82, _a12, _t45);
                  					SetWindowLongW(_t41, 0xffffffeb, 0);
                  					return _t28;
                  				}
                  				if(_t39 != _t16) {
                  					goto L8;
                  				}
                  				return _t16;
                  			}















                  APIs
                  • GetWindowLongW.USER32(?,000000EB), ref: 003BE326
                  • DefWindowProcW.USER32(?,00000082,?,?), ref: 003BE364
                  • SetWindowLongW.USER32 ref: 003BE371
                  • SetWindowLongW.USER32 ref: 003BE380
                  • DefWindowProcW.USER32(?,?,?,?), ref: 003BE38E
                  • CreateCompatibleDC.GDI32(?), ref: 003BE39A
                  • SelectObject.GDI32(00000000,00000000), ref: 003BE3AB
                  • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 003BE3CD
                  • SelectObject.GDI32(00000000,00000000), ref: 003BE3D5
                  • DeleteDC.GDI32(00000000), ref: 003BE3D8
                  • PostQuitMessage.USER32(00000000), ref: 003BE3E6
                  Similarity
                  • API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
                  • String ID:
                  • API String ID: 409979828-0
                  • Opcode ID: fe7f456c822fce544d44e1122d8ad6319c7b8c69ec38819ba92c8dd9af481223
                  • Instruction ID: 86431243f7bc9fe6a0ae23664570d5e97e67b3ba09b82c5bf59047e97200b86a
                  • Opcode Fuzzy Hash: fe7f456c822fce544d44e1122d8ad6319c7b8c69ec38819ba92c8dd9af481223
                  • Instruction Fuzzy Hash: E121AE3A100108BFCB275F689C8DEBB7FADEB49325F064618F61A8B5B0D73098109B60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 36%
                  			E003A4690(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
                  				void* _v8;
                  				struct tagMSG _v36;
                  				void* __ebx;
                  				long _t29;
                  				intOrPtr* _t34;
                  				int _t37;
                  				intOrPtr* _t40;
                  				void* _t41;
                  				void* _t57;
                  				signed int _t58;
                  				intOrPtr* _t65;
                  				void* _t68;
                  				intOrPtr _t71;
                  				int _t72;
                  				int _t73;
                  				void* _t77;
                  
                  				_t77 = __eflags;
                  				_t68 = __edx;
                  				_t58 = 7;
                  				memset( &_v36, 0, _t58 << 2);
                  				_v8 = 0;
                  				PeekMessageW( &_v36, 0, 0x400, 0x400, 0);
                  				_t29 = GetCurrentThreadId();
                  				_t71 = _a4;
                  				_t72 = E003BFC51( &_v8, _t68, _t77, _t71, _t29,  &_v8);
                  				if(_t72 >= 0) {
                  					_t72 = E003AD5C0(_t71 + 0xb8, _v8, _t71 + 0x1c);
                  					__eflags = _t72;
                  					if(_t72 >= 0) {
                  						_t34 =  *((intOrPtr*)(_t71 + 0xc8));
                  						_t73 =  *((intOrPtr*)( *_t34 + 0xc))(_t34);
                  						__eflags = _t73;
                  						if(_t73 >= 0) {
                  							_push(0);
                  							_push(0);
                  							_push(0);
                  							_t57 = GetMessageW;
                  							while(1) {
                  								_t37 = GetMessageW( &_v36, ??, ??, ??);
                  								__eflags = _t37;
                  								if(_t37 == 0) {
                  									break;
                  								}
                  								__eflags = _t37 - 0xffffffff;
                  								if(_t37 == 0xffffffff) {
                  									_t73 = 0x8000ffff;
                  									E003A37D3(_t37, "engine.cpp", 0x2cd, 0x8000ffff);
                  									_push("Unexpected return value from message pump.");
                  									goto L7;
                  								} else {
                  									E003A43CD(_t57, _t71,  &_v36);
                  									__eflags = 0;
                  									_push(0);
                  									_push(0);
                  									_push(0);
                  									continue;
                  								}
                  								goto L13;
                  							}
                  							 *((intOrPtr*)(_t71 + 0xf8)) = _v36.wParam;
                  						} else {
                  							_push("Failed to start bootstrapper application.");
                  							L7:
                  							_push(_t73);
                  							E003E012F();
                  						}
                  						L13:
                  						_t40 =  *((intOrPtr*)(_t71 + 0xc8));
                  						_t41 =  *((intOrPtr*)( *_t40 + 0x10))(_t40);
                  						__eflags = _t41 - 0x66;
                  						if(_t41 != 0x66) {
                  							__eflags = _t41 - 0x68;
                  							if(_t41 == 0x68) {
                  								_push(0x20000006);
                  								_push(2);
                  								E003A550F();
                  								 *_a8 = 1;
                  								goto L18;
                  							}
                  						} else {
                  							E003A550F(2, 0x20000004, E003B3C30( *((intOrPtr*)(_t71 + 0x18))));
                  							 *((intOrPtr*)(_t71 + 0x18)) = 1;
                  						}
                  					} else {
                  						_push("Failed to load UX.");
                  						goto L2;
                  					}
                  				} else {
                  					_push("Failed to create engine for UX.");
                  					L2:
                  					_push(_t72);
                  					E003E012F();
                  					L18:
                  				}
                  				E003AD7CF(_t71 + 0xb8);
                  				_t65 = _v8;
                  				if(_t65 != 0) {
                  					 *((intOrPtr*)( *_t65 + 8))(_t65);
                  				}
                  				return _t73;
                  			}

                  APIs
                  • PeekMessageW.USER32 ref: 003A46B5
                  • GetCurrentThreadId.KERNEL32 ref: 003A46BB
                    • Part of subcall function 003BFC51: new.LIBCMT ref: 003BFC58
                  • GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003A4749
                  Strings
                  • Failed to create user for UX., xrefs: 003A46D5
                  • Failed to load UX., xrefs: 003A46FE
                  • user.cpp, xrefs: 003A4795
                  • Unexpected return value from message pump., xrefs: 003A479F
                  • wininet.dll, xrefs: 003A46E8
                  • Failed to start bootstrapper application., xrefs: 003A4717
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Message$CurrentPeekThread
                  • String ID: Failed to create user for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$user.cpp$wininet.dll
                  • API String ID: 673430819-2573580774
                  • Opcode ID: d9649e73abb2bfb1b2334660fbd8047c8cc98cb7ee4bb2043dbe66a09a39e8d5
                  • Instruction ID: 3650387751aa5f012478a11d318d51cbcbbd0f258e83b4b4b3910c1c88bebd1e
                  • Opcode Fuzzy Hash: d9649e73abb2bfb1b2334660fbd8047c8cc98cb7ee4bb2043dbe66a09a39e8d5
                  • Instruction Fuzzy Hash: 1E41F271600159BFE7179BA4CC85EBBB3ACEF46314F100225F915EB190DB71ED4187A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 62%
                  			E003BD01A(char _a4, intOrPtr _a8, intOrPtr _a12, char _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, char _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr* _a52, intOrPtr* _a56) {
                  				struct _SECURITY_ATTRIBUTES* _v8;
                  				char _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				char _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				intOrPtr _v96;
                  				void _v100;
                  				void* __edi;
                  				intOrPtr _t76;
                  				char _t77;
                  				intOrPtr _t85;
                  				void* _t86;
                  				intOrPtr _t87;
                  				void* _t88;
                  				intOrPtr _t89;
                  				void* _t90;
                  
                  				E003CF670(_t86,  &_v100, 0, 0x2c);
                  				E003CF670(_t86,  &_v56, 0, 0x2c);
                  				_t77 = _a4;
                  				_v96 = _a12;
                  				_t85 = _a40;
                  				_t87 = _a32;
                  				_t9 =  &_a36; // 0x3a444c
                  				_t89 =  *_t9;
                  				_v80 = _a20;
                  				_v76 = _a24;
                  				_v52 = _a8;
                  				_v48 = _a44;
                  				_v44 = _a48;
                  				_t19 =  &_a16; // 0x3a535e
                  				_v40 =  *_t19;
                  				_v100 = _t77;
                  				_v56 = _t77;
                  				_v36 = _a20;
                  				_v32 = _a24;
                  				_v12 = 0;
                  				_v8 = 0;
                  				_t76 = _a28;
                  				_v72 = _t76;
                  				_v68 = _t87;
                  				_v64 = _t89;
                  				_v60 = _t85;
                  				_v28 = _t76;
                  				_v24 = _t87;
                  				_v20 = _t89;
                  				_v16 = _t85;
                  				_t88 = CreateThread(0, 0, E003BAB3C,  &_v100, 0, 0);
                  				if(_t88 != 0) {
                  					_t90 = E003B4FB3(0, _t85, _a8, E003BC59C,  &_v56,  &_v12);
                  					if(_t90 >= 0) {
                  						_push(_v12);
                  						E003BCCF4(0, _t88);
                  						 *_a52 = _v12;
                  						 *_a56 = _v8;
                  					} else {
                  						_push("Failed to pump messages in child process.");
                  						_push(_t90);
                  						E003E012F();
                  					}
                  					CloseHandle(_t88);
                  				} else {
                  					_t93 =  <=  ? GetLastError() : _t71 & 0x0000ffff | 0x80070000;
                  					_t90 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t71 & 0x0000ffff | 0x80070000;
                  					E003A37D3(0x80004005, "elevation.cpp", 0x45c, _t90);
                  					_push("Failed to create elevated cache thread.");
                  					_push(_t90);
                  					E003E012F();
                  				}
                  				return _t90;
                  			}

                  APIs
                  • CreateThread.KERNEL32 ref: 003BD0B8
                  • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003BD0C4
                  • CloseHandle.KERNEL32(00000000,00000000,?,?,003BC59C,00000001,?,?,?,?,?,00000000,00000000,?,?,?), ref: 003BD145
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CloseCreateErrorHandleLastThread
                  • String ID: @Mxt$Failed to create elevated cache thread.$Failed to pump messages in child process.$LD:$^S:$elevation.cpp
                  • API String ID: 747004058-2582867328
                  • Opcode ID: 6662a779543e1933a9a6dd6747dff4a9e19f06402908692e18616f640f732aba
                  • Instruction ID: 014342b33edf1bdcdd899e1c294d2ab595d244682b59c5c6deff5c9fde2e1d5f
                  • Opcode Fuzzy Hash: 6662a779543e1933a9a6dd6747dff4a9e19f06402908692e18616f640f732aba
                  • Instruction Fuzzy Hash: 4E41D6B5E01219AFDB16DFA9D8819EEBBF8EF48350F10412AF908E7340D770A9418F94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 53%
                  			E003B473A(void* _a4, signed int* _a8) {
                  				long _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				void* _t26;
                  				int _t30;
                  				long _t31;
                  				void* _t34;
                  				signed short _t41;
                  				void* _t43;
                  				signed int _t44;
                  				signed int* _t48;
                  				signed int _t49;
                  
                  				_t49 = 0;
                  				_v16 = _v16 & 0;
                  				_v12 = _v12 & 0;
                  				_v8 = _v8 & 0;
                  				_t43 = 0;
                  				do {
                  					_push(0);
                  					_push( &_v8);
                  					_t26 = 8;
                  					_t30 = ReadFile(_a4,  &_v16 + _t43, _t26 - _t43, ??, ??);
                  					_t48 = _a8;
                  					if(_t30 != 0) {
                  						goto L6;
                  					} else {
                  						_t41 = GetLastError();
                  						if(_t41 != 0xea) {
                  							if(_t41 == 0x6d) {
                  								_t44 = 0;
                  								_t31 = 0;
                  								_v16 = 0;
                  								_v12 = 0;
                  								_t49 = 1;
                  								L8:
                  								 *_t48 = _t44;
                  								_t48[1] = _t31;
                  								if(_t31 != 0) {
                  									_t34 = E003A38D4(_t31, 0);
                  									_t48[3] = _t34;
                  									if(_t34 != 0) {
                  										if(ReadFile(_a4, _t34, _t48[1],  &_v8, 0) != 0) {
                  											_t48[2] = 1;
                  										} else {
                  											_t53 =  <=  ? GetLastError() : _t36 & 0x0000ffff | 0x80070000;
                  											_t49 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t36 & 0x0000ffff | 0x80070000;
                  											E003A37D3(0x80004005, "pipe.cpp", 0x327, _t49);
                  											_push("Failed to read data for message.");
                  											goto L12;
                  										}
                  									} else {
                  										_t49 = 0x8007000e;
                  										E003A37D3(_t34, "pipe.cpp", 0x323, 0x8007000e);
                  										_push("Failed to allocate data for message.");
                  										goto L12;
                  									}
                  								}
                  							} else {
                  								_t49 =  <=  ? _t41 : _t41 & 0x0000ffff | 0x80070000;
                  								if(_t49 < 0) {
                  									E003A37D3(_t41, "pipe.cpp", 0x318, _t49);
                  									_push("Failed to read message from pipe.");
                  									L12:
                  									_push(_t49);
                  									E003E012F();
                  								} else {
                  									goto L6;
                  								}
                  							}
                  						} else {
                  							_t49 = 0;
                  							goto L6;
                  						}
                  					}
                  					if(_t48[2] == 0 && _t48[3] != 0) {
                  						E003A3999(_t48[3]);
                  					}
                  					return _t49;
                  					L6:
                  					_t43 = _t43 + _v8;
                  				} while (_t43 < 8);
                  				_t31 = _v12;
                  				_t44 = _v16;
                  				goto L8;
                  			}

                  APIs
                  • ReadFile.KERNEL32(00000000,?,00000008,?,00000000,?,00000000,00000000,?,00000000,@G:,?,?,00000000,?,00000000), ref: 003B4765
                  • GetLastError.KERNEL32 ref: 003B4772
                  • ReadFile.KERNEL32(?,00000000,?,?,00000000,?,00000000), ref: 003B481B
                  • GetLastError.KERNEL32 ref: 003B4825
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorFileLastRead
                  • String ID: @Mxt$Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$pipe.cpp
                  • API String ID: 1948546556-3221275136
                  • Opcode ID: b783f419121f36ba0d263780adea76d324694d60f09ebfaa02dea020fc7f1e9b
                  • Instruction ID: c3df2bba1194f8eed8d2edad8b5f391e605df775f271d7cfdf5ce6ede3504126
                  • Opcode Fuzzy Hash: b783f419121f36ba0d263780adea76d324694d60f09ebfaa02dea020fc7f1e9b
                  • Instruction Fuzzy Hash: D8313572A40369BBDB139E65CC41BEBF76CEB01715F108225FA10EA981DB709E00CBD4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 38%
                  			E003B51E9(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                  				signed int _v8;
                  				signed int _v12;
                  				intOrPtr _t45;
                  				void* _t48;
                  
                  				_t39 = __ecx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_v12 = _v12 & 0x00000000;
                  				_v8 = _v8 & 0x00000000;
                  				_t48 = E003DF7B2( &_v12,  &_v8, _a8);
                  				if(_t48 >= 0) {
                  					_t48 = E003DF7B2( &_v12,  &_v8, _a12);
                  					if(_t48 >= 0) {
                  						_t45 = _a4;
                  						if( *((intOrPtr*)(_t45 + 0x14)) == 0xffffffff) {
                  							L8:
                  							_t48 = E003B4880(_t39,  *((intOrPtr*)(_t45 + 0x10)), 0xf0000003, _v12, _v8);
                  							if(_t48 >= 0) {
                  								if( *(_t45 + 0xc) != 0 && WaitForSingleObject( *(_t45 + 0xc), 0x2bf20) == 0xffffffff) {
                  									_t52 =  <=  ? GetLastError() : _t30 & 0x0000ffff | 0x80070000;
                  									_t48 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t30 & 0x0000ffff | 0x80070000;
                  									E003A37D3(0x80004005, "pipe.cpp", 0x242, _t48);
                  									_push("Failed to wait for child process exit.");
                  									goto L13;
                  								}
                  							} else {
                  								_push("Failed to post terminate message to child process.");
                  								goto L13;
                  							}
                  						} else {
                  							_t48 = E003B4880(_t39,  *((intOrPtr*)(_t45 + 0x14)), 0xf0000003, _v12, _v8);
                  							if(_t48 >= 0) {
                  								goto L8;
                  							} else {
                  								_push("Failed to post terminate message to child process cache thread.");
                  								L13:
                  								_push(_t48);
                  								E003E012F();
                  							}
                  						}
                  					} else {
                  						_push("Failed to write restart to message buffer.");
                  						goto L2;
                  					}
                  				} else {
                  					_push("Failed to write exit code to message buffer.");
                  					L2:
                  					_push(_t48);
                  					E003E012F();
                  				}
                  				return _t48;
                  			}

                  APIs
                  • WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,?,00000000,00000000,00000000,003A5386,00000000,00000000,?,00000000), ref: 003B5292
                  • GetLastError.KERNEL32(?,?,?,003A4B5B,?,?,00000000,?,?,?,?,?,?,003EB490,?,?), ref: 003B529D
                  Strings
                  • @Mxt, xrefs: 003B529D
                  • Failed to write restart to message buffer., xrefs: 003B5235
                  • Failed to post terminate message to child process cache thread., xrefs: 003B5261
                  • Failed to wait for child process exit., xrefs: 003B52CB
                  • Failed to write exit code to message buffer., xrefs: 003B520D
                  • Failed to post terminate message to child process., xrefs: 003B527D
                  • pipe.cpp, xrefs: 003B52C1
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorLastObjectSingleWait
                  • String ID: @Mxt$Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$pipe.cpp
                  • API String ID: 1211598281-3728872646
                  • Opcode ID: 1791f3b618a27ed0fef75d0b89e60831011a61c74cf0c410aa1549519de512a5
                  • Instruction ID: fc2c78b0c0f955d80a9e35d45076e7ddd0d9082c354f88283592fa2bcc417e15
                  • Opcode Fuzzy Hash: 1791f3b618a27ed0fef75d0b89e60831011a61c74cf0c410aa1549519de512a5
                  • Instruction Fuzzy Hash: 8921A532942B29BBDB135695DC01BEFB7A8EF01725F110311FA10BE990D7319E5097E0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 40%
                  			E003BF3E6(void* __ecx, intOrPtr _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr* _a24) {
                  				char _v8;
                  				char _v12;
                  				intOrPtr* _t41;
                  				intOrPtr* _t46;
                  				intOrPtr* _t49;
                  				intOrPtr _t57;
                  				intOrPtr _t60;
                  				intOrPtr* _t71;
                  				intOrPtr* _t72;
                  				signed int* _t75;
                  				void* _t77;
                  
                  				_t62 = __ecx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t60 = _a4;
                  				_v12 = 0;
                  				_v8 = 0;
                  				EnterCriticalSection( *(_t60 + 0xc));
                  				_t77 = E003AD459( *(_t60 + 0xc) + 0xb8);
                  				if(_t77 >= 0) {
                  					_t71 = _a12;
                  					if(_t71 == 0 ||  *_t71 == 0) {
                  						_t72 = _a8;
                  						if(_t72 == 0 ||  *_t72 == 0) {
                  							_t77 = 0x80070057;
                  							_push("UX did not provide container or payload id.");
                  							goto L34;
                  						} else {
                  							_t77 = E003AC0A9(_t62,  *(_t60 + 0xc) + 0x2a8, _t72,  &_v12);
                  							if(_t77 >= 0) {
                  								_t75 = _v12 + 0x2c;
                  								goto L15;
                  							}
                  							_push(_t72);
                  							_push("UX requested unknown container with id: %ls");
                  							goto L13;
                  						}
                  					} else {
                  						_t77 = E003ACC57(_t62,  *(_t60 + 0xc) + 0x2b8, _t71,  &_v8);
                  						if(_t77 >= 0) {
                  							_t57 = _v8;
                  							if( *((intOrPtr*)(_t57 + 4)) != 2) {
                  								_t75 = _t57 + 0x40;
                  								L15:
                  								_t41 = _a16;
                  								if(_t41 == 0 ||  *_t41 == 0) {
                  									if( *_t75 != 0) {
                  										E003E54EF( *_t75);
                  										 *_t75 =  *_t75 & 0x00000000;
                  									}
                  									goto L29;
                  								} else {
                  									_t77 = E003A21A5(_t75, _t41, 0);
                  									if(_t77 >= 0) {
                  										_t46 = _a20;
                  										if(_t46 == 0 ||  *_t46 == 0) {
                  											L29:
                  											if(_t75[1] != 0) {
                  												E003E54EF(_t75[1]);
                  												_t75[1] = _t75[1] & 0x00000000;
                  											}
                  											goto L31;
                  										} else {
                  											_t77 = E003A21A5( &(_t75[1]), _t46, 0);
                  											if(_t77 >= 0) {
                  												_t49 = _a24;
                  												if(_t49 == 0 ||  *_t49 == 0) {
                  													L31:
                  													if(_t75[2] != 0) {
                  														E003E54EF(_t75[2]);
                  														_t75[2] = _t75[2] & 0x00000000;
                  													}
                  												} else {
                  													_t77 = E003A21A5( &(_t75[2]), _t49, 0);
                  													if(_t77 >= 0) {
                  														goto L35;
                  													}
                  													_push("Failed to set download password.");
                  													L34:
                  													_push(_t77);
                  													E003E012F();
                  												}
                  												goto L35;
                  											}
                  											_push("Failed to set download user.");
                  											goto L34;
                  										}
                  									}
                  									_push("Failed to set download URL.");
                  									goto L34;
                  								}
                  							}
                  							_push(_t71);
                  							_t77 = 0x800710dd;
                  							_push("UX denied while trying to set download URL on embedded payload: %ls");
                  							goto L13;
                  						} else {
                  							_push(_t71);
                  							_push("UX requested unknown payload with id: %ls");
                  							L13:
                  							_push(_t77);
                  							E003E012F();
                  							L35:
                  							goto L36;
                  						}
                  					}
                  				} else {
                  					_push("Engine is active, cannot change engine state.");
                  					_push(_t77);
                  					E003E012F();
                  					L36:
                  					LeaveCriticalSection( *(_t60 + 0xc));
                  					return _t77;
                  				}
                  			}















                  APIs
                  • EnterCriticalSection.KERNEL32(?), ref: 003BF3FB
                  • LeaveCriticalSection.KERNEL32(?), ref: 003BF576
                  Strings
                  • Engine is active, cannot change engine state., xrefs: 003BF415
                  • UX requested unknown payload with id: %ls, xrefs: 003BF450
                  • Failed to set download URL., xrefs: 003BF4D5
                  • Failed to set download password., xrefs: 003BF524
                  • UX denied while trying to set download URL on embedded payload: %ls, xrefs: 003BF466
                  • UX did not provide container or payload id., xrefs: 003BF565
                  • Failed to set download user., xrefs: 003BF4FE
                  • UX requested unknown container with id: %ls, xrefs: 003BF4A0
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterLeave
                  • String ID: Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
                  • API String ID: 3168844106-2615595102
                  • Opcode ID: e9adf372b15a14afcd0fd9df7a8c2a59c22c5566d2da0597c03e8a7cc7c710dc
                  • Instruction ID: 92d2bcb1960b2198aaa6fbfc050790c7572f3320a1e3ad545dbcca1a3c3ee5ea
                  • Opcode Fuzzy Hash: e9adf372b15a14afcd0fd9df7a8c2a59c22c5566d2da0597c03e8a7cc7c710dc
                  • Instruction Fuzzy Hash: 8641D671900615BFDB239E25CC05AE7B368EF42718F169236EA05ABA80DB74DD40CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 87%
                  			E003CA024(intOrPtr* _a4, WCHAR* _a8) {
                  				signed int _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				signed int _v24;
                  				signed int _v28;
                  				intOrPtr* _v32;
                  				signed int _v36;
                  				char _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				char _v52;
                  				intOrPtr _t62;
                  				intOrPtr _t64;
                  				void* _t68;
                  				intOrPtr* _t72;
                  				void* _t79;
                  				signed int _t83;
                  				long _t84;
                  				signed short _t86;
                  				intOrPtr* _t94;
                  				intOrPtr* _t95;
                  				intOrPtr* _t98;
                  				intOrPtr* _t99;
                  				void* _t100;
                  				WCHAR* _t103;
                  				intOrPtr* _t104;
                  				void* _t105;
                  
                  				_v8 = _v8 & 0x00000000;
                  				_t62 = 0x3eb524;
                  				_t104 = _a4;
                  				_v12 = 0x3eb524;
                  				_t5 = _t104 + 4; // 0x75c08524
                  				_t95 =  *_t5;
                  				if(_t95 == 0) {
                  					_t6 = _t104 + 8; // 0x2c453905
                  					_t98 =  *_t6;
                  					if(_t98 != 0) {
                  						_t62 =  *_t98;
                  					}
                  				} else {
                  					_t62 =  *_t95;
                  				}
                  				_t7 = _t104 + 0xc; // 0x458b3e74
                  				_t99 =  *_t7;
                  				_a4 = _t62;
                  				if(_t99 != 0) {
                  					_v12 =  *_t99;
                  				}
                  				_t10 = _t95 + 0x2c; // 0x75c08550
                  				_t94 = _t10;
                  				if(_t95 != 0) {
                  					_v20 =  *((intOrPtr*)(_t95 + 0x18));
                  					_t64 =  *((intOrPtr*)(_t95 + 0x1c));
                  				} else {
                  					_t12 = _t99 + 0x40; // 0x458b3eb4
                  					_t94 = _t12;
                  					_v20 =  *((intOrPtr*)(_t99 + 0x10));
                  					_t64 =  *((intOrPtr*)(_t99 + 0x14));
                  				}
                  				_v28 = _v28 & 0x00000000;
                  				_v24 = _v24 & 0x00000000;
                  				_v16 = _t64;
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				if(_t95 == 0) {
                  					_t68 =  !=  ? 0x20000152 : 0x2000014f;
                  				} else {
                  					_t68 = (0 | _t99 != 0x00000000) + 0x20000150;
                  				}
                  				_push( *_t94);
                  				_push("download");
                  				_push(_v12);
                  				E003A550F(2, _t68, _a4);
                  				_t103 = _a8;
                  				if(E003E4315(_t103,  &_v8) == 0) {
                  					L16:
                  					_v36 = _v36 & 0x00000000;
                  					_v40 = E003C993C;
                  					_v32 = _t104;
                  					_t72 =  *_t94;
                  					_t97 = 0x62;
                  					if(_t97 !=  *_t72) {
                  						L24:
                  						_v52 =  *_t104;
                  						_v48 = _a4;
                  						_v44 = _v12;
                  						_v24 =  &_v52;
                  						_v28 = E003C9855;
                  						_t79 = E003E635A(_t97, _t94, _v20, _v16, _t103,  &_v40,  &_v28);
                  						L25:
                  						_t105 = _t79;
                  						if(_t105 < 0) {
                  							_push(_t103);
                  							E003E012F(_t105, "Failed attempt to download URL: \'%ls\' to: \'%ls\'",  *_t94);
                  						}
                  						goto L27;
                  					}
                  					_t97 = 0x69;
                  					if(_t97 !=  *((intOrPtr*)(_t72 + 2))) {
                  						goto L24;
                  					}
                  					_t97 = 0x74;
                  					if(_t97 !=  *((intOrPtr*)(_t72 + 4))) {
                  						goto L24;
                  					}
                  					_t100 = 0x73;
                  					if(_t100 !=  *((intOrPtr*)(_t72 + 6))) {
                  						goto L24;
                  					}
                  					_t97 =  *(_t72 + 8) & 0x0000ffff;
                  					_a8 = 0x3a;
                  					if(_a8 == _t97) {
                  						L23:
                  						_t79 = E003CDC0D(_t100,  &_v40, _t94, _t103);
                  						goto L25;
                  					}
                  					if(_t100 != _t97) {
                  						goto L24;
                  					}
                  					_t97 = _a8;
                  					if(_a8 !=  *((intOrPtr*)(_t72 + 0xa))) {
                  						goto L24;
                  					}
                  					goto L23;
                  				} else {
                  					_t83 = _v8;
                  					if((_t83 & 0x00000001) == 0) {
                  						goto L16;
                  					}
                  					_t84 = _t83 & 0xfffffffe;
                  					_v8 = _t84;
                  					if(SetFileAttributesW(_t103, _t84) != 0) {
                  						goto L16;
                  					}
                  					_t86 = GetLastError();
                  					_t108 =  <=  ? _t86 : _t86 & 0x0000ffff | 0x80070000;
                  					_t105 =  >=  ? 0x80004005 :  <=  ? _t86 : _t86 & 0x0000ffff | 0x80070000;
                  					E003A37D3(0x80004005, "apply.cpp", 0x568, _t105);
                  					E003E012F(_t105, "Failed to clear readonly bit on payload destination path: %ls", _t103);
                  					L27:
                  					return _t105;
                  				}
                  			}
































                  APIs
                  • SetFileAttributesW.KERNEL32(?,00000000,?,00000000,?,?,?,00000001,00000000,?), ref: 003CA0F1
                  • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 003CA0FB
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: AttributesErrorFileLast
                  • String ID: :$@Mxt$Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$download
                  • API String ID: 1799206407-367120636
                  • Opcode ID: 5b8041ec729087867bae55a5838a8156b194cdfc52cf05609463404bec7c1c2e
                  • Instruction ID: 7646556d662b1ffd71f2c48ffdf208da324c07597cb14a1211a09cf502b0e53f
                  • Opcode Fuzzy Hash: 5b8041ec729087867bae55a5838a8156b194cdfc52cf05609463404bec7c1c2e
                  • Instruction Fuzzy Hash: 2C51BD71A00619AFDB12DFA8C840FAAB7B9EF04714F15816DE805EB251E771EE40CB92
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 40%
                  			E003E635A(void* __ecx, intOrPtr* _a4, signed short _a8, WCHAR* _a12, WCHAR* _a16, intOrPtr _a20, intOrPtr _a24) {
                  				signed int _v8;
                  				char _v12;
                  				signed int _v16;
                  				WCHAR* _v20;
                  				intOrPtr _v24;
                  				char _v28;
                  				signed short _v32;
                  				void* _v36;
                  				WCHAR* _v40;
                  				char _v44;
                  				signed int _t57;
                  				WCHAR* _t69;
                  				signed short _t78;
                  				WCHAR* _t85;
                  				void* _t88;
                  				intOrPtr* _t90;
                  
                  				_t82 = __ecx;
                  				_v16 = _v16 | 0xffffffff;
                  				_t81 = _a4;
                  				asm("xorps xmm0, xmm0");
                  				_v12 = 0;
                  				_t85 = 0;
                  				_v8 = 0;
                  				_v20 = 0;
                  				_v44 = 0;
                  				_v40 = 0;
                  				asm("movlpd [ebp-0x18], xmm0");
                  				asm("movlpd [ebp-0x20], xmm0");
                  				_t88 = E003A21A5( &_v12,  *_a4, 0);
                  				if(_t88 < 0) {
                  					L12:
                  					_t48 = _v20;
                  					if(_v20 != 0) {
                  						E003E54EF(_t48);
                  					}
                  					if(_t85 != 0) {
                  						 *0x40a96c(_t85);
                  					}
                  					if(_v12 != 0) {
                  						E003E54EF(_v12);
                  					}
                  					return _t88;
                  				}
                  				 *0x40a98c(L"Burn", 0, 0, 0, 0);
                  				_t85 = 0;
                  				if(0 != 0) {
                  					E003E56B2(__ecx, L"WiX\\Burn", L"DownloadTimeout", 0x78,  &_v8);
                  					_t57 = _v8;
                  					if(_t57 != 0) {
                  						_t90 =  *0x40a970; // 0x3ea79b
                  						_v8 = _t57 * 0x3e8;
                  						 *_t90(0, 2,  &_v8, 4);
                  						 *_t90(0, 6,  &_v8, 4);
                  						 *_t90(0, 5,  &_v8, 4);
                  					}
                  					_t88 = E003E5BBF(_t82, _t85,  &_v12,  *((intOrPtr*)(_t81 + 4)),  *((intOrPtr*)(_t81 + 8)), _a24,  &_v36,  &_v44);
                  					if(_t88 >= 0) {
                  						E003E5C68(_t82, _a16,  &_v20,  &_v16,  &_v28);
                  						_t88 = E003E5916(_t85,  &_v12,  *((intOrPtr*)(_t81 + 4)),  *((intOrPtr*)(_t81 + 8)), _a16, _a8, _a12, _v36, _v32, _v28, _v24, _v16, _a20, _a24);
                  						if(_t88 >= 0) {
                  							_t69 = _v20;
                  							if(_t69 != 0 &&  *_t69 != 0) {
                  								DeleteFileW(_t69);
                  							}
                  						}
                  						if(_v16 != 0xffffffff) {
                  							CloseHandle(_v16);
                  						}
                  					}
                  				} else {
                  					_t78 = GetLastError();
                  					_t93 =  <=  ? _t78 : _t78 & 0x0000ffff | 0x80070000;
                  					_t88 =  >=  ? 0x80004005 :  <=  ? _t78 : _t78 & 0x0000ffff | 0x80070000;
                  					E003A37D3(0x80004005, "dlutil.cpp", 0x84, _t88);
                  				}
                  			}




















                  APIs
                  • GetLastError.KERNEL32 ref: 003E63B7
                  • DeleteFileW.KERNEL32(00000000,00000000,00000000,?,?,00000078,000000FF,00000000,?,?,?,00000078,000000FF,?,?,00000078), ref: 003E64AE
                  • CloseHandle.KERNEL32(000000FF,00000000,00000000,?,?,00000078,000000FF,00000000,?,?,?,00000078,000000FF,?,?,00000078), ref: 003E64BD
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CloseDeleteErrorFileHandleLast
                  • String ID: @Mxt$Burn$DownloadTimeout$WiX\Burn$dlutil.cpp
                  • API String ID: 3522763407-2849672825
                  • Opcode ID: 861715bda6845361caf4a858bf2c367d64b958b770d83896928c8b3355d78c3f
                  • Instruction ID: 3042ca32af515b5d0ea93e9dd02e1c4a1c4974e177bfd49a9c442b6811782d06
                  • Opcode Fuzzy Hash: 861715bda6845361caf4a858bf2c367d64b958b770d83896928c8b3355d78c3f
                  • Instruction Fuzzy Hash: 0D512E72900229BBDF12DFA5CD41EEEBBB9EF18750F114255FA04E61D0E7358A509BA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 45%
                  			E003B9080(intOrPtr _a4, intOrPtr _a8) {
                  				signed int _v8;
                  				char _v28;
                  				signed int _v32;
                  				char _v36;
                  				char _v40;
                  				signed int _v44;
                  				intOrPtr _v48;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t40;
                  				intOrPtr _t44;
                  				signed short _t57;
                  				void* _t64;
                  				void* _t71;
                  				void* _t72;
                  				signed int _t73;
                  				intOrPtr _t79;
                  				char* _t80;
                  				void* _t82;
                  				signed int _t87;
                  				void* _t88;
                  
                  				_t40 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t40 ^ _t87;
                  				_t79 = _a8;
                  				_t80 =  &_v28;
                  				_v36 = 0x14;
                  				asm("stosd");
                  				_v32 = 0;
                  				_t72 = 0x80070490;
                  				_v40 = 0;
                  				_t73 = 0;
                  				_v48 = _t79;
                  				asm("stosd");
                  				_v44 = 0;
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_t44 =  *((intOrPtr*)( *((intOrPtr*)(_t79 + 0x10))));
                  				if( *((intOrPtr*)(_t44 + 0xc)) <= 0) {
                  					L12:
                  					_t82 = _t72;
                  					if(_t72 >= 0) {
                  						L15:
                  						_t45 = _v32;
                  						if(_v32 != 0) {
                  							E003A3999(_t45);
                  						}
                  						return E003CDE36(_t72, _v8 ^ _t87, _t79, _t80, _t82);
                  					}
                  					_push("Failed to find expected public key in certificate chain.");
                  					_push(_t72);
                  					L14:
                  					E003E012F();
                  					goto L15;
                  				}
                  				_t80 = _a4;
                  				while(1) {
                  					_t83 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x10)) + _t73 * 4)) + 4));
                  					_push( &_v36);
                  					_push( &_v28);
                  					_push( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x10)) + _t73 * 4)) + 4)) + 0xc)) + 0x38);
                  					_push(1);
                  					_push(0);
                  					_push(0x8004);
                  					_push(0);
                  					if( *0x40a93c() == 0) {
                  						break;
                  					}
                  					_t60 = _v36;
                  					if( *((intOrPtr*)(_t80 + 0x24)) != _v36) {
                  						L11:
                  						_t73 = _v44 + 1;
                  						_v44 = _t73;
                  						_t44 =  *((intOrPtr*)( *((intOrPtr*)(_v48 + 0x10))));
                  						if(_t73 <  *((intOrPtr*)(_t44 + 0xc))) {
                  							continue;
                  						}
                  						goto L12;
                  					}
                  					_t64 = E003CF919( *((intOrPtr*)(_t80 + 0x20)),  &_v28, _t60);
                  					_t88 = _t88 + 0xc;
                  					if(_t64 != 0) {
                  						goto L11;
                  					}
                  					if( *((intOrPtr*)(_t80 + 0x28)) == _t64) {
                  						_t72 = 0;
                  						goto L12;
                  					}
                  					_t82 = E003E5587(_t73, _t83, 3,  &_v32,  &_v40);
                  					if(_t82 < 0) {
                  						_push("Failed to read certificate thumbprint.");
                  						L20:
                  						_push(_t82);
                  						goto L14;
                  					}
                  					_t68 = _v40;
                  					if( *((intOrPtr*)(_t80 + 0x2c)) != _v40) {
                  						L9:
                  						_t69 = _v32;
                  						if(_v32 != 0) {
                  							E003A3999(_t69);
                  							_v32 = _v32 & 0x00000000;
                  						}
                  						goto L11;
                  					}
                  					_t71 = E003CF919( *((intOrPtr*)(_t80 + 0x28)), _v32, _t68);
                  					_t88 = _t88 + 0xc;
                  					if(_t71 == 0) {
                  						_t82 = 0;
                  						goto L15;
                  					}
                  					goto L9;
                  				}
                  				_t57 = GetLastError();
                  				_t86 =  <=  ? _t57 : _t57 & 0x0000ffff | 0x80070000;
                  				_t82 =  >=  ? 0x80004005 :  <=  ? _t57 : _t57 & 0x0000ffff | 0x80070000;
                  				E003A37D3(0x80004005, "cache.cpp", 0x7c4, _t82);
                  				_push("Failed to get certificate public key identifier.");
                  				goto L20;
                  			}


























                  APIs
                  • _memcmp.LIBVCRUNTIME ref: 003B910E
                    • Part of subcall function 003E5587: GetLastError.KERNEL32(?,?,003B9133,?,00000003,00000000,?), ref: 003E55A6
                  • _memcmp.LIBVCRUNTIME ref: 003B9148
                  • GetLastError.KERNEL32 ref: 003B91C2
                  Strings
                  • cache.cpp, xrefs: 003B91E6
                  • @Mxt, xrefs: 003B91C2
                  • Failed to read certificate thumbprint., xrefs: 003B91B6
                  • Failed to find expected public key in certificate chain., xrefs: 003B9183
                  • Failed to get certificate public key identifier., xrefs: 003B91F0
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorLast_memcmp
                  • String ID: @Mxt$Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$cache.cpp
                  • API String ID: 3428363238-1041992534
                  • Opcode ID: 9d0b2f1fa93d421b6e77c7dc366e460e7369316f5b695a677f47521a61732b37
                  • Instruction ID: 7b976630464509d444433c1925e40c282400bb008e1bcb1adabf01ab851226c4
                  • Opcode Fuzzy Hash: 9d0b2f1fa93d421b6e77c7dc366e460e7369316f5b695a677f47521a61732b37
                  • Instruction Fuzzy Hash: 1A416471E00216AFDB12DAA9C845FEAB7B9EB08714F01412AFB05FB651D774DD00DBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 51%
                  			E003AF2DC(void* __ebx, intOrPtr _a4, void* _a8) {
                  				char _v8;
                  				char _v12;
                  				char _v16;
                  				char _v20;
                  				intOrPtr _t49;
                  				intOrPtr* _t52;
                  				char _t54;
                  				intOrPtr* _t58;
                  				char _t59;
                  
                  				_t58 = _a8;
                  				_t59 = 0;
                  				_v16 = 0;
                  				_v8 = 0;
                  				_v12 = 0;
                  				_v20 = 0;
                  				if( *((intOrPtr*)(_t58 + 4)) <= 0) {
                  					L22:
                  					return _t59;
                  				}
                  				_t54 = 0;
                  				_a8 = 0;
                  				while(1) {
                  					_t52 =  *_t58 + _t54;
                  					_t59 = E003A71CF(_a4,  *((intOrPtr*)(_t52 + 8)),  &_v16, 0);
                  					if(_t59 < 0) {
                  						break;
                  					}
                  					_t59 = E003A2D79(_t54, _v16, L"swidtag",  &_v8);
                  					if(_t59 < 0) {
                  						_push("Failed to allocate regid folder path.");
                  						L15:
                  						_push(_t59);
                  						E003E012F();
                  						L16:
                  						if(_v12 != 0) {
                  							E003E54EF(_v12);
                  						}
                  						if(_v8 != 0) {
                  							E003E54EF(_v8);
                  						}
                  						if(_v16 != 0) {
                  							E003E54EF(_v16);
                  						}
                  						goto L22;
                  					}
                  					_t59 = E003A2D79(_t54, _v8,  *_t52,  &_v12);
                  					if(_t59 < 0) {
                  						_push("Failed to allocate regid file path.");
                  						goto L15;
                  					}
                  					_t59 = E003A4013(_v8, 0);
                  					if(_t59 < 0) {
                  						_push(_v8);
                  						_push("Failed to create regid folder: %ls");
                  						L11:
                  						_push(_t59);
                  						E003E012F();
                  						goto L16;
                  					}
                  					_t59 = E003E4C67(_t54, _v12, 0x80,  *(_t52 + 0xc), lstrlenA( *(_t52 + 0xc)), 0);
                  					if(_t59 < 0) {
                  						_push(_v12);
                  						_push("Failed to write tag xml to file: %ls");
                  						goto L11;
                  					}
                  					_t49 = _v20 + 1;
                  					_t54 = _a8 + 0x10;
                  					_v20 = _t49;
                  					_t22 = _t58 + 4; // 0x8680a79
                  					_push(0);
                  					_a8 = _t54;
                  					_pop(0);
                  					if(_t49 <  *_t22) {
                  						continue;
                  					}
                  					goto L16;
                  				}
                  				_push("Failed to format tag folder path.");
                  				goto L15;
                  			}












                  APIs
                  • _MREFOpen@16.MSPDB140-MSVCRT ref: 003AF315
                    • Part of subcall function 003A4013: CreateDirectoryW.KERNEL32(003A533D,003A53B5,00000000,00000000,?,003B9EE4,00000000,00000000,003A533D,00000000,003A52B5,00000000,?,=S:,003AD4AC,=S:), ref: 003A4021
                    • Part of subcall function 003A4013: GetLastError.KERNEL32(?,003B9EE4,00000000,00000000,003A533D,00000000,003A52B5,00000000,?,=S:,003AD4AC,=S:,00000000,00000000), ref: 003A402F
                  • lstrlenA.KERNEL32(003EB4F0,00000000,00000094,00000000,00000094,?,?,003B0328,swidtag,00000094,?,003EB508,003B0328,00000000,?,00000000), ref: 003AF368
                    • Part of subcall function 003E4C67: CreateFileW.KERNEL32(003EB4F0,40000000,00000001,00000000,00000002,00000080,00000000,003B0328,00000000,?,003AF37F,?,00000080,003EB4F0,00000000), ref: 003E4C7F
                    • Part of subcall function 003E4C67: GetLastError.KERNEL32(?,003AF37F,?,00000080,003EB4F0,00000000,?,003B0328,?,00000094,?,?,?,?,?,00000000), ref: 003E4C8C
                  Strings
                  • Failed to allocate regid file path., xrefs: 003AF3C0
                  • swidtag, xrefs: 003AF328
                  • Failed to format tag folder path., xrefs: 003AF3CE
                  • Failed to write tag xml to file: %ls, xrefs: 003AF3A6
                  • Failed to create regid folder: %ls, xrefs: 003AF3B0
                  • Failed to allocate regid folder path., xrefs: 003AF3C7
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CreateErrorLast$DirectoryFileOpen@16lstrlen
                  • String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$swidtag
                  • API String ID: 904508749-1201533908
                  • Opcode ID: ef7ced582afa86c11966bbecc7d7012acebd6e3fa19ae66e7652c6cf61a0e343
                  • Instruction ID: f2bd17997d2725983202908a3d949fa9f31c1eead882bca74a36e787dc6f640d
                  • Opcode Fuzzy Hash: ef7ced582afa86c11966bbecc7d7012acebd6e3fa19ae66e7652c6cf61a0e343
                  • Instruction Fuzzy Hash: F4318E36D00629FFCF13AAD5DC41AADBBB8EF05710F1082B6E900AA290D7719E509B90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 92%
                  			E003E837F(void* __ecx, void* __eflags, signed int _a4, intOrPtr* _a8) {
                  				short* _v8;
                  				void* __ebx;
                  				void* __edi;
                  				signed int _t45;
                  				signed int _t51;
                  				short* _t52;
                  				signed int _t55;
                  				signed int _t64;
                  				short* _t67;
                  				short** _t75;
                  				short* _t81;
                  				intOrPtr* _t84;
                  
                  				_t81 = 0;
                  				_t84 = E003A38D4(0x10, 1);
                  				_t75 =  *(_a4 + 0x44);
                  				while(_t75 != 0) {
                  					if(CompareStringW(0x7f, 0,  *_t75, 0xffffffff, L"http://appsyndication.org/2006/appsyn", 0xffffffff) != 2 || CompareStringW(0x7f, 0, _t75[1], 0xffffffff, L"application", 0xffffffff) != 2) {
                  						L9:
                  						_t75 = _t75[4];
                  						continue;
                  					} else {
                  						_t81 = E003A21A5(_t84, _t75[2], 0);
                  						if(_t81 < 0) {
                  							L29:
                  							if(_t84 != 0) {
                  								E003E8530(_t75, _t81, _t84);
                  							}
                  							return _t81;
                  						}
                  						_t67 = _t75[3];
                  						while(1) {
                  							_v8 = _t67;
                  							if(_t67 == 0) {
                  								goto L9;
                  							}
                  							_t6 =  &(_t67[2]); // 0x700079
                  							if(CompareStringW(0x7f, 0,  *_t6, 0xffffffff, L"type", 0xffffffff) != 2) {
                  								L7:
                  								_t67 = _v8[6];
                  								continue;
                  							}
                  							_t9 = _t84 + 4; // 0x4
                  							_t81 = E003A21A5(_t9, _v8[4], 0);
                  							if(_t81 < 0) {
                  								goto L29;
                  							}
                  							goto L7;
                  						}
                  						goto L9;
                  					}
                  				}
                  				_t75 = _a4;
                  				_t44 = _t75[0xc];
                  				if(_t75[0xc] == 0) {
                  					L22:
                  					_t45 =  *(_t84 + 8);
                  					if(_t45 == _t75[0xc]) {
                  						L28:
                  						 *_a8 = _t84;
                  						_t84 = 0;
                  						goto L29;
                  					}
                  					if(_t45 == 0) {
                  						if( *(_t84 + 0xc) != 0) {
                  							E003A3999( *(_t84 + 0xc));
                  							 *(_t84 + 0xc) =  *(_t84 + 0xc) & 0x00000000;
                  						}
                  						goto L28;
                  					}
                  					_t51 = E003A3A72( *(_t84 + 0xc), _t45 << 6, 0);
                  					 *(_t84 + 0xc) = _t51;
                  					if(_t51 != 0) {
                  						goto L28;
                  					}
                  					_t52 = 0x8007000e;
                  					_push(0x8007000e);
                  					_push(0x6c);
                  					L14:
                  					_push("apuputil.cpp");
                  					_t81 = _t52;
                  					E003A37D3(_t52);
                  					goto L29;
                  				}
                  				_t55 = E003A38D4(_t44 << 6, 1);
                  				 *(_t84 + 0xc) = _t55;
                  				if(_t55 != 0) {
                  					_a4 = _a4 & 0x00000000;
                  					if(_t75[0xc] <= 0) {
                  						L21:
                  						E003EA280( *(_t84 + 0xc),  *(_t84 + 8), 0x40, E003E7D0A, 0);
                  						goto L22;
                  					}
                  					_t78 = 0;
                  					_v8 = 0;
                  					while(1) {
                  						_t81 = E003E7FEC(_t75[0xd] + _t78,  *_t84, ( *(_t84 + 8) << 6) +  *(_t84 + 0xc));
                  						if(_t81 < 0) {
                  							goto L29;
                  						}
                  						if(_t81 != 1) {
                  							 *(_t84 + 8) =  *(_t84 + 8) + 1;
                  						}
                  						_t64 = _a4 + 1;
                  						_t78 =  &(_v8[0x20]);
                  						_a4 = _t64;
                  						_v8 =  &(_v8[0x20]);
                  						if(_t64 < _t75[0xc]) {
                  							continue;
                  						} else {
                  							goto L21;
                  						}
                  					}
                  					goto L29;
                  				}
                  				_t52 = 0x8007000e;
                  				_push(0x8007000e);
                  				_push(0x54);
                  				goto L14;
                  			}















                  APIs
                    • Part of subcall function 003A38D4: GetProcessHeap.KERNEL32(?,000001C7,?,003A2284,000001C7,00000001,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A38E5
                    • Part of subcall function 003A38D4: RtlAllocateHeap.NTDLL(00000000,?,003A2284,000001C7,00000001,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A38EC
                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,http://appsyndication.org/2006/appsyn,000000FF,00000010,00000001,00000000,00000000,00000000,?,?,003C8E1F,000002C0,00000100), ref: 003E83AD
                  • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,application,000000FF,?,?,003C8E1F,000002C0,00000100,000002C0,000002C0,00000100,000002C0,00000410), ref: 003E83C8
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CompareHeapString$AllocateProcess
                  • String ID: application$apuputil.cpp$http://appsyndication.org/2006/appsyn$type
                  • API String ID: 2664528157-4206478990
                  • Opcode ID: 3ae24a3d6fab0470ffadc47a81ccc25ba9a7075ef331e9efc3cd0b1dbb05b3bf
                  • Instruction ID: 3592f3cb12c7b6f9481c3cb9920cc97b8481e3223244149a3d408dd6f52b445d
                  • Opcode Fuzzy Hash: 3ae24a3d6fab0470ffadc47a81ccc25ba9a7075ef331e9efc3cd0b1dbb05b3bf
                  • Instruction Fuzzy Hash: 3051E071A00762ABDB239F16CC82F6A77A5EB01760F218314F969AF2D1DF74E9408B10
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 70%
                  			E003B0419(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                  				void* _v8;
                  				void* _v12;
                  				char _v16;
                  				void* _t65;
                  				void* _t68;
                  				void* _t72;
                  				void* _t74;
                  				intOrPtr* _t75;
                  				void* _t77;
                  				void* _t78;
                  
                  				_t72 = __edx;
                  				_t68 = __ecx;
                  				_t75 = _a4;
                  				_v16 = 0;
                  				_v12 = 0;
                  				_v8 = 0;
                  				_push(E003B3C30( *((intOrPtr*)(_t75 + 8))));
                  				_push(E003B4224(_a16));
                  				_push(E003B4257(_a12));
                  				E003A550F(2, 0x20000174,  *((intOrPtr*)(_t75 + 0x50)));
                  				_t78 = _t77 + 0x18;
                  				if(_a16 != 0) {
                  					_t65 = E003A1F20( &_v16, L"%ls.RebootRequired",  *((intOrPtr*)(_t75 + 0x50)));
                  					_t78 = _t78 + 0xc;
                  					if(_t65 < 0) {
                  						L3:
                  						_push("Failed to write volatile reboot required registry key.");
                  						E003E012F();
                  						_t68 = _t65;
                  					} else {
                  						_t65 = E003E0AD5(_t68,  *((intOrPtr*)(_t75 + 0x4c)), _v16, 0x20006, 1, 0,  &_v12, 0);
                  						if(_t65 < 0) {
                  							goto L3;
                  						}
                  					}
                  				}
                  				if(_a12 != 0) {
                  					_t74 = E003E0E3F( *((intOrPtr*)(_t75 + 0x4c)),  *((intOrPtr*)(_t75 + 0x50)), 0x20006,  &_v8);
                  					__eflags = _t74;
                  					if(_t74 >= 0) {
                  						goto L14;
                  					} else {
                  						_push("Failed to open registration key.");
                  						goto L16;
                  					}
                  				} else {
                  					if(_a20 == 1 || _a20 == 2) {
                  						E003C840F(_t68, _t75);
                  					}
                  					if( *((intOrPtr*)(_t75 + 0x9c)) != 0) {
                  						E003AEEF9(_t68, _t75);
                  					}
                  					_t19 = _t75 + 0x94; // 0x95
                  					E003AEE0F(_a8, _t19);
                  					_t74 = E003E0B49(_t68,  *((intOrPtr*)(_t75 + 0x4c)),  *((intOrPtr*)(_t75 + 0x50)), 0, 0);
                  					if(_t74 == 0x80070002 || _t74 >= 0) {
                  						E003BA66C(_t68, _t72,  *_t75,  *((intOrPtr*)(_t75 + 0x10)));
                  						L14:
                  						__eflags = _a16 - 2;
                  						_t74 = E003AF09D(_t72, _a16 - 2, _t75, _v8, _a12, 0 | _a16 == 0x00000002);
                  						__eflags = _t74;
                  						if(_t74 < 0) {
                  							_push("Failed to update resume mode.");
                  							L16:
                  							_push(_t74);
                  							E003E012F();
                  						}
                  					} else {
                  						E003E012F(_t74, "Failed to delete registration key: %ls",  *((intOrPtr*)(_t75 + 0x50)));
                  					}
                  				}
                  				if(_v8 != 0) {
                  					RegCloseKey(_v8);
                  					_v8 = _v8 & 0x00000000;
                  				}
                  				if(_v12 != 0) {
                  					RegCloseKey(_v12);
                  					_v12 = _v12 & 0x00000000;
                  				}
                  				if(_v16 != 0) {
                  					E003E54EF(_v16);
                  				}
                  				return _t74;
                  			}













                  APIs
                  • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,?,00000000,?), ref: 003B054A
                  • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,?,00000000,?), ref: 003B0559
                    • Part of subcall function 003E0AD5: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,003B0491,?,00000000,00020006), ref: 003E0AFA
                  Strings
                  • Failed to write volatile reboot required registry key., xrefs: 003B0495
                  • %ls.RebootRequired, xrefs: 003B0467
                  • Failed to update resume mode., xrefs: 003B052E
                  • Failed to delete registration key: %ls, xrefs: 003B04F8
                  • Failed to open registration key., xrefs: 003B0591
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Close$Create
                  • String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.
                  • API String ID: 359002179-2517785395
                  • Opcode ID: 9f8d8eb10f3a97690593dccc464b589eda09fb0a1f8cbb1d272aa0cf5657ba75
                  • Instruction ID: 58795c90f58a969f7d3b871f169f986d4bd8c07869846483ec074dc5affbc3a9
                  • Opcode Fuzzy Hash: 9f8d8eb10f3a97690593dccc464b589eda09fb0a1f8cbb1d272aa0cf5657ba75
                  • Instruction Fuzzy Hash: 8D418032900618FADF27AFA1DD02EEF7BB9EF41318F10442AFA4165851D7719A50EB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 73%
                  			E003E143C(void* _a4, short* _a8, intOrPtr _a12, signed int _a16) {
                  				char* _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				signed int _t43;
                  				signed int _t45;
                  				signed short _t52;
                  				signed int _t62;
                  				signed int _t64;
                  				char* _t65;
                  				signed int _t66;
                  				signed int _t68;
                  				void* _t70;
                  				char* _t74;
                  				signed int _t76;
                  				signed int _t77;
                  				signed int _t78;
                  				signed int _t82;
                  				signed int _t83;
                  
                  				_t64 = _a16;
                  				_t43 = 0;
                  				_v16 = _v16 & 0;
                  				_t74 = 0;
                  				_v8 = 0;
                  				if(_t64 != 0) {
                  					_t66 = 0;
                  					_t45 = 1;
                  					_v12 = 0;
                  					_a16 = 1;
                  					if(_t64 == 0) {
                  						L5:
                  						_t77 = E003A1EDE( &_v8, _t45);
                  						if(_t77 < 0) {
                  							L14:
                  							_t74 = _v8;
                  							L15:
                  							if(_t74 != 0) {
                  								E003E54EF(_t74);
                  							}
                  							return _t77;
                  						}
                  						_t74 = _v8;
                  						_t78 = 0;
                  						_v12 = 0;
                  						if(_t64 == 0) {
                  							L10:
                  							_t43 = _a16;
                  							_t65 = _t74;
                  							L11:
                  							_push( &_v16);
                  							_t68 = 2;
                  							_push(_t43 * _t68 >> 0x20);
                  							_push(_t43 * _t68);
                  							_t77 = E003A6E2E();
                  							if(_t77 < 0) {
                  								goto L15;
                  							}
                  							_t52 = RegSetValueExW(_a4, _a8, 0, 7, _t65, _v16);
                  							if(_t52 != 0) {
                  								_t81 =  <=  ? _t52 : _t52 & 0x0000ffff | 0x80070000;
                  								_t77 =  >=  ? 0x80004005 :  <=  ? _t52 : _t52 & 0x0000ffff | 0x80070000;
                  								E003A37D3(0x80004005, "regutil.cpp", 0x35c, _t77);
                  							}
                  							goto L14;
                  						} else {
                  							goto L7;
                  						}
                  						while(1) {
                  							L7:
                  							_t77 = E003A1BEA(_t74, _a16,  *((intOrPtr*)(_a12 + _t78 * 4)));
                  							if(_t77 < 0) {
                  								goto L14;
                  							}
                  							_t82 = _v12;
                  							lstrlenW( *(_a12 + _t82 * 4));
                  							_t74 = _t74 + lstrlenW( *(_a12 + _t82 * 4)) * 2 + 2;
                  							_t78 = _t82 + 1;
                  							_v12 = _t78;
                  							if(_t78 < _t64) {
                  								continue;
                  							}
                  							_t74 = _v8;
                  							goto L10;
                  						}
                  						goto L14;
                  					} else {
                  						goto L3;
                  					}
                  					while(1) {
                  						L3:
                  						_t76 = _t45;
                  						_t83 = _t45;
                  						_t62 = lstrlenW( *(_a12 + _t66 * 4));
                  						_t70 = _a16 + 1 + _t62;
                  						_t45 =  >=  ? _t70 : _t62 | 0xffffffff;
                  						_a16 = _t45;
                  						asm("sbb esi, esi");
                  						_t77 = _t83 & 0x80070216;
                  						if(_t70 < _t76) {
                  							goto L14;
                  						}
                  						_t66 = _v12 + 1;
                  						_v12 = _t66;
                  						if(_t66 < _t64) {
                  							continue;
                  						}
                  						goto L5;
                  					}
                  					goto L14;
                  				}
                  				_t65 = 0x406440;
                  				goto L11;
                  			}

                  APIs
                  • lstrlenW.KERNEL32(?,00000000,00000000,BundleUpgradeCode,?,00020006,00000000,?,?,?,00000001), ref: 003E1479
                  • lstrlenW.KERNEL32(?,00000000,00000000,?,00000000,00000001,00000000,00000000,BundleUpgradeCode,?,00020006,00000000,?,?,?,00000001), ref: 003E14F1
                  • lstrlenW.KERNEL32(?,?,?,?,00000001), ref: 003E14FD
                  • RegSetValueExW.ADVAPI32(00020006,?,00000000,00000007,00000000,?,00000000,?,?,00000000,00000001,00000000,00000000,BundleUpgradeCode,?,00020006), ref: 003E153D
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: lstrlen$Value
                  • String ID: @d@$BundleUpgradeCode$regutil.cpp
                  • API String ID: 198323757-3820757401
                  • Opcode ID: 5e65ae41c38c22305b356e2f2854188852ca40e2d5b37e1913a0df1ad4235bef
                  • Instruction ID: 13fdcb82c7728702ffa4c04c0480507c53b66136819fc6aa8f09f4b3fabb6e7e
                  • Opcode Fuzzy Hash: 5e65ae41c38c22305b356e2f2854188852ca40e2d5b37e1913a0df1ad4235bef
                  • Instruction Fuzzy Hash: CC419932E1027AAFCF12DFA9C8419AE7BB9EF44710F164269FD05AB290D730DD118B90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 87%
                  			E003E041B(void* __ecx, void* __edx, void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                  				char _v8;
                  				void* __ebx;
                  				void* __esi;
                  				intOrPtr* _t17;
                  				void* _t24;
                  				void* _t26;
                  				intOrPtr _t27;
                  				intOrPtr _t30;
                  				void* _t41;
                  				void* _t42;
                  				void* _t44;
                  
                  				_t42 = __edi;
                  				_t41 = __edx;
                  				_t40 = __ecx;
                  				_push(__ecx);
                  				_v8 = 0;
                  				EnterCriticalSection(0x40b60c);
                  				_t17 = _a16;
                  				if(_t17 == 0 ||  *_t17 == 0) {
                  					_t44 = E003A2D79(_t40, _a4, _a8, 0x40b604);
                  					if(_t44 < 0) {
                  						goto L21;
                  					}
                  					_t44 = E003A3446(_t40,  *0x40b604,  &_v8);
                  					if(_t44 < 0) {
                  						goto L21;
                  					}
                  					_t44 = E003A4013(_v8, 0);
                  					if(_t44 < 0) {
                  						goto L21;
                  					}
                  					_push(0);
                  					_push(0x80);
                  					_t24 = 2;
                  					_t40 = 4;
                  					_t25 =  !=  ? _t40 : _t24;
                  					_t26 = CreateFileW( *0x40b604, 0x40000000, 1, 0,  !=  ? _t40 : _t24, ??, ??);
                  					 *0x40a774 = _t26;
                  					if(_t26 != 0xffffffff) {
                  						L11:
                  						if(_a20 != 0) {
                  							SetFilePointer(_t26, 0, 0, 2);
                  						}
                  						goto L13;
                  					}
                  					_t44 =  <=  ? GetLastError() : _t34 & 0x0000ffff | 0x80070000;
                  					if(_t44 >= 0) {
                  						_t26 =  *0x40a774; // 0xffffffff
                  						goto L11;
                  					}
                  					E003A37D3(_t34, "logutil.cpp", 0x81, _t44);
                  					goto L21;
                  				} else {
                  					_t44 = E003A2DE0(_t40, _a4, _a8, _a12, _t17, 0x40b604, 0x40a774);
                  					if(_t44 < 0) {
                  						L21:
                  						LeaveCriticalSection(0x40b60c);
                  						if(_v8 != 0) {
                  							E003E54EF(_v8);
                  						}
                  						return _t44;
                  					} else {
                  						L13:
                  						if(_a24 != 0) {
                  							E003E01F0(0, _t41, _t42, _t44);
                  						}
                  						_t27 =  *0x40b608; // 0x0
                  						if(_t27 != 0) {
                  							E003E0658(_t40, _t41, _t27);
                  							_t30 =  *0x40b608; // 0x0
                  							if(_t30 != 0) {
                  								E003E54EF(_t30);
                  								 *0x40b608 = 0;
                  							}
                  						}
                  						if(_a28 == 0) {
                  							L20:
                  							 *0x40b634 = 0;
                  							goto L21;
                  						} else {
                  							_t44 = E003A21A5(_a28,  *0x40b604, 0);
                  							if(_t44 < 0) {
                  								goto L21;
                  							}
                  							goto L20;
                  						}
                  					}
                  				}
                  			}

                  APIs
                  • EnterCriticalSection.KERNEL32(0040B60C,00000000,?,?,?,003A5407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 003E042B
                  • CreateFileW.KERNEL32(40000000,00000001,00000000,00000002,00000080,00000000,?,00000000,?,?,?,0040B604,?,003A5407,00000000,Setup), ref: 003E04CC
                  • GetLastError.KERNEL32(?,003A5407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 003E04DC
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,003A5407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 003E0515
                    • Part of subcall function 003A2DE0: GetLocalTime.KERNEL32(?,?,?,?,?,?), ref: 003A2F1F
                  • LeaveCriticalSection.KERNEL32(0040B60C,?,?,0040B604,?,003A5407,00000000,Setup,_Failed,txt,00000000,00000000,00000000,?,?,?), ref: 003E056E
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime
                  • String ID: @Mxt$logutil.cpp
                  • API String ID: 4111229724-4105458427
                  • Opcode ID: 41590fed79e8f5e8e4c1f2c5e5dd2208894a9b0968e00287d81f7cb4b5f9d07e
                  • Instruction ID: 340c7ea8031da4ed04862ff9126bf34f5a6ab155d46e39cf199c423db53c1167
                  • Opcode Fuzzy Hash: 41590fed79e8f5e8e4c1f2c5e5dd2208894a9b0968e00287d81f7cb4b5f9d07e
                  • Instruction Fuzzy Hash: 0F3195719056B9EFDB239F629D81A6F7668EB01750F010335FA00BA1E0DBB1CD909BD5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 72%
                  			E003AF69D(intOrPtr _a4, intOrPtr* _a8) {
                  				void* _v8;
                  				void* _v12;
                  				char _v16;
                  				char _v20;
                  				void* _t46;
                  				void* _t48;
                  				void* _t50;
                  				intOrPtr* _t53;
                  				void* _t58;
                  				void* _t65;
                  				void* _t66;
                  
                  				_t61 = _a4;
                  				_v16 = 0;
                  				_v12 = 0;
                  				_v8 = 0;
                  				_v20 = 0;
                  				if(E003A1F20( &_v16, L"%ls.RebootRequired",  *((intOrPtr*)(_a4 + 0x50))) >= 0) {
                  					if(E003E0E3F( *((intOrPtr*)(_t61 + 0x4c)), _v16, 1,  &_v12) < 0) {
                  						_t65 = E003E0E3F( *((intOrPtr*)(_t61 + 0x4c)),  *((intOrPtr*)(_t61 + 0x50)), 1,  &_v8);
                  						if(_t65 == 0x80070002 || _t65 == 0x80070003) {
                  							 *_a8 = 0;
                  							goto L23;
                  						} else {
                  							if(_t65 >= 0) {
                  								_t66 = E003E0EEC(_t58, _v8, L"Resume",  &_v20);
                  								if(_t66 != 0x80070002) {
                  									if(_t66 >= 0) {
                  										_t46 = _v20 - 1;
                  										if(_t46 == 0) {
                  											 *_a8 = 2;
                  										} else {
                  											_t48 = _t46 - 1;
                  											if(_t48 == 0) {
                  												 *_a8 = 5;
                  											} else {
                  												_t50 = _t48 - 1;
                  												if(_t50 == 0) {
                  													 *_a8 = 6;
                  												} else {
                  													_t53 = _a8;
                  													if(_t50 == 1) {
                  														 *_t53 = 4;
                  													} else {
                  														 *_t53 = 1;
                  													}
                  												}
                  											}
                  										}
                  										goto L24;
                  									}
                  									_push("Failed to read Resume value.");
                  									goto L2;
                  								}
                  								 *_a8 = 1;
                  								goto L23;
                  							} else {
                  								_push("Failed to open registration key.");
                  								goto L2;
                  							}
                  						}
                  					} else {
                  						 *_a8 = 3;
                  						L23:
                  						_t66 = 0;
                  						goto L24;
                  					}
                  				} else {
                  					_push("Failed to format pending restart registry key to read.");
                  					L2:
                  					_push(_t66);
                  					E003E012F();
                  					L24:
                  					if(_v8 != 0) {
                  						RegCloseKey(_v8);
                  						_v8 = 0;
                  					}
                  					if(_v12 != 0) {
                  						RegCloseKey(_v12);
                  						_v12 = 0;
                  					}
                  					if(_v16 != 0) {
                  						E003E54EF(_v16);
                  					}
                  					return _t66;
                  				}
                  			}

                  APIs
                  • RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 003AF7CD
                  • RegCloseKey.ADVAPI32(00000000,?,?,00000001,?,?,?,00000001,00000000,?,00000000,?,?,?,00000000,?), ref: 003AF7DA
                  Strings
                  • Failed to read Resume value., xrefs: 003AF763
                  • %ls.RebootRequired, xrefs: 003AF6BA
                  • Failed to format pending restart registry key to read., xrefs: 003AF6D1
                  • Resume, xrefs: 003AF741
                  • Failed to open registration key., xrefs: 003AF736
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Close
                  • String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
                  • API String ID: 3535843008-3890505273
                  • Opcode ID: 540078b0c8ad168b45a0804cb2e1a005584c47d7124f8d0d9c78ef2a09fe5c69
                  • Instruction ID: c27e61dd4ed9f931af284585848276661522213f98a9cc8ee8e79c8466f6fe1d
                  • Opcode Fuzzy Hash: 540078b0c8ad168b45a0804cb2e1a005584c47d7124f8d0d9c78ef2a09fe5c69
                  • Instruction Fuzzy Hash: 5F415336900119EFCB13AFD9C881AEDBBB9FF06350F154176E915AB260D372AE40DB80
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CoCreateInstance.OLE32(00400A84,00000000,00000017,00400A94,?,?,00000000,00000000,?,?,?,?,?,003CDCAE,00000000,00000000), ref: 003CD6AF
                  Strings
                  • Failed to set BITS job to foreground., xrefs: 003CD730
                  • Failed to create IBackgroundCopyManager., xrefs: 003CD6BB
                  • Failed to set progress timeout., xrefs: 003CD719
                  • Failed to set notification flags for BITS job., xrefs: 003CD701
                  • WixBurn, xrefs: 003CD6DA
                  • Failed to create BITS job., xrefs: 003CD6E9
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CreateInstance
                  • String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
                  • API String ID: 542301482-468763447
                  • Opcode ID: 7402b336f18f75654e1a0ef3522c2a8e9862cc60d08ae424dcf3d1fb1ab3999d
                  • Instruction ID: 3e7432d33253339b054cafa916252dbe3166a5e455a7d971d8b8ddda8ba4ccdd
                  • Opcode Fuzzy Hash: 7402b336f18f75654e1a0ef3522c2a8e9862cc60d08ae424dcf3d1fb1ab3999d
                  • Instruction Fuzzy Hash: 08315E31B40216AFD716DFA8C855F6FBBB8AF98710F10017EB905EB290DA74AC01CB95
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 39%
                  			E003CD12C(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                  				signed int _v8;
                  				signed int _v12;
                  				char _v16;
                  				signed int _v24;
                  				char _v28;
                  				char _v32;
                  				void* _t50;
                  				char _t69;
                  				signed int _t70;
                  				intOrPtr _t71;
                  				void* _t72;
                  
                  				_v12 = _v12 & 0x00000000;
                  				_v8 = _v8 & 0x00000000;
                  				_t71 = _a4;
                  				WaitForSingleObject( *(_t71 + 0xc), 0xffffffff);
                  				ReleaseMutex( *(_t71 + 0xc));
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_t69 = 2;
                  				_push(_a12);
                  				_v32 = _t69;
                  				_v28 = 1;
                  				_v24 = (( *( *((intOrPtr*)(_t71 + 0x10)) + 0x219) & 0x000000ff) + ( *( *((intOrPtr*)(_t71 + 0x10)) + 0x218) & 0x000000ff) >> 0x00000001 & 0x000000ff) * 0x64 / 0xff;
                  				_push( &_v32);
                  				if(_a8() == _t69) {
                  					WaitForSingleObject( *(_t71 + 0xc), 0xffffffff);
                  					 *((char*)( *((intOrPtr*)(_t71 + 0x10)) + 2)) = 1;
                  					 *((char*)( *((intOrPtr*)(_t71 + 0x10)) + 3)) = 1;
                  					ReleaseMutex( *(_t71 + 0xc));
                  					SetEvent( *(_t71 + 8));
                  				}
                  				_t50 = E003CCF56(_t71,  &_v12,  &_v8,  &_v16);
                  				_t70 = _v8;
                  				_t72 = _t50;
                  				if(_t72 >= 0) {
                  					__eflags = _v12 - 0x1070001;
                  					if(__eflags == 0) {
                  						_t72 = E003CD047(__eflags, _a4, _t70, _a8, _a12);
                  						__eflags = _t72;
                  						if(_t72 < 0) {
                  							_push("Failed to send files in use message from netfx chainer.");
                  							goto L7;
                  						}
                  					}
                  				} else {
                  					_push("Failed to get message from netfx chainer.");
                  					L7:
                  					_push(_t72);
                  					E003E012F();
                  				}
                  				if(_t70 != 0) {
                  					E003A3999(_t70);
                  				}
                  				return _t72;
                  			}

                  APIs
                  • WaitForSingleObject.KERNEL32(?,000000FF,747DF730,00000000,?,?,?,?,003CD439,?), ref: 003CD145
                  • ReleaseMutex.KERNEL32(?,?,?,?,003CD439,?), ref: 003CD161
                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 003CD1A4
                  • ReleaseMutex.KERNEL32(?), ref: 003CD1BB
                  • SetEvent.KERNEL32(?), ref: 003CD1C4
                  Strings
                  • Failed to send files in use message from netfx chainer., xrefs: 003CD20A
                  • Failed to get message from netfx chainer., xrefs: 003CD1E5
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: MutexObjectReleaseSingleWait$Event
                  • String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
                  • API String ID: 2608678126-3424578679
                  • Opcode ID: 9cb660c332cd0eca1db860adf018c5b8f31bb8901aac62c9ee932adbef422310
                  • Instruction ID: fc54776addd437df36188f24f980b7c8243c31c5b82885b142789fa05ece2e88
                  • Opcode Fuzzy Hash: 9cb660c332cd0eca1db860adf018c5b8f31bb8901aac62c9ee932adbef422310
                  • Instruction Fuzzy Hash: A331C431900659AFCB239FA4DC48FAFBBB9EF44320F148669F555EA2A1C735DD408B90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E003A410D(void* __ecx, WCHAR** _a4) {
                  				long _v8;
                  				long _t6;
                  				void* _t12;
                  				WCHAR* _t18;
                  				long _t19;
                  				WCHAR** _t23;
                  				long _t26;
                  
                  				_t18 = 0;
                  				_t23 = _a4;
                  				_t6 = 0;
                  				_v8 = 0;
                  				_t26 = 0;
                  				if(_t23 == 0 ||  *_t23 == 0) {
                  					L5:
                  					_t19 = GetCurrentDirectoryW(_t6, _t18);
                  					if(_t19 != 0) {
                  						if(_v8 >= _t19) {
                  							goto L12;
                  						}
                  						_t26 = E003A1EDE(_t23, _t19);
                  						if(_t26 >= 0 && GetCurrentDirectoryW(_t19,  *_t23) == 0) {
                  							_t30 =  <=  ? GetLastError() : _t11 & 0x0000ffff | 0x80070000;
                  							_t12 = 0x80004005;
                  							_t26 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t11 & 0x0000ffff | 0x80070000;
                  							_push(_t26);
                  							_push(0x190);
                  							L11:
                  							_push("dirutil.cpp");
                  							E003A37D3(_t12);
                  						}
                  						goto L12;
                  					}
                  					_t33 =  <=  ? GetLastError() : _t14 & 0x0000ffff | 0x80070000;
                  					_t12 = 0x80004005;
                  					_t26 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t14 & 0x0000ffff | 0x80070000;
                  					_push(_t26);
                  					_push(0x187);
                  					goto L11;
                  				} else {
                  					_t26 = E003A275D( *_t23,  &_v8);
                  					if(_t26 < 0) {
                  						L12:
                  						return _t26;
                  					}
                  					_t6 = _v8;
                  					if(_t6 != 0) {
                  						_t18 =  *_t23;
                  					}
                  					goto L5;
                  				}
                  			}











                  APIs
                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,00000000,crypt32.dll,?,?,003B3ED4,00000001,feclient.dll,?,00000000,?,?,?,003A4A0C), ref: 003A4148
                  • GetLastError.KERNEL32(?,?,003B3ED4,00000001,feclient.dll,?,00000000,?,?,?,003A4A0C,?,?,003EB478,?,00000001), ref: 003A4154
                  • GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,003B3ED4,00000001,feclient.dll,?,00000000,?,?,?,003A4A0C,?), ref: 003A418F
                  • GetLastError.KERNEL32(?,?,003B3ED4,00000001,feclient.dll,?,00000000,?,?,?,003A4A0C,?,?,003EB478,?,00000001), ref: 003A4199
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CurrentDirectoryErrorLast
                  • String ID: @Mxt$crypt32.dll$dirutil.cpp
                  • API String ID: 152501406-982861029
                  • Opcode ID: ac604279f68fd3d047c1682c9b8e9f6711803d10807e8a0022e59c2e29c1eaea
                  • Instruction ID: 99e0ac337082873f5f643a1dfd4ef18b991ae84faaa50682aa1ca3ed1d785056
                  • Opcode Fuzzy Hash: ac604279f68fd3d047c1682c9b8e9f6711803d10807e8a0022e59c2e29c1eaea
                  • Instruction Fuzzy Hash: E911DA76A00726ABE7239AA98CC4A67F6ECDF55790F120235FD04EB250E7A1DC4086E0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 67%
                  			E003B444C(char _a4, intOrPtr _a8, char _a12, intOrPtr* _a16, intOrPtr* _a20) {
                  				char _t17;
                  				intOrPtr _t31;
                  				intOrPtr _t37;
                  				void* _t38;
                  
                  				_t38 = 0;
                  				_t17 =  ==  ? 0 : _a12;
                  				_a12 = _t17;
                  				_t37 = _t17 + 8;
                  				_t31 = E003A38D4(_t37, 0);
                  				if(_t31 != 0) {
                  					E003C1664(_t31, _t37,  &_a4, 4);
                  					_t7 = _t37 - 4; // 0x3eb504
                  					_t8 = _t31 + 4; // 0x4
                  					E003C1664(_t8, _t7,  &_a12, 4);
                  					if(_a12 != 0) {
                  						_t11 = _t37 - 8; // 0x3eb500
                  						_t13 = _t31 + 8; // 0x8
                  						E003C1664(_t13, _t11, _a8, _a12);
                  					}
                  					 *_a20 = _t37;
                  					 *_a16 = _t31;
                  				} else {
                  					_t38 = 0x8007000e;
                  					E003A37D3(_t18, "pipe.cpp", 0x2be, 0x8007000e);
                  					_push("Failed to allocate memory for message.");
                  					_push(0x8007000e);
                  					E003E012F();
                  				}
                  				return _t38;
                  			}








                  APIs
                    • Part of subcall function 003A38D4: GetProcessHeap.KERNEL32(?,000001C7,?,003A2284,000001C7,00000001,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A38E5
                    • Part of subcall function 003A38D4: RtlAllocateHeap.NTDLL(00000000,?,003A2284,000001C7,00000001,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A38EC
                  • _memcpy_s.LIBCMT ref: 003B449E
                  • _memcpy_s.LIBCMT ref: 003B44B1
                  • _memcpy_s.LIBCMT ref: 003B44CC
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: _memcpy_s$Heap$AllocateProcess
                  • String ID: @G:$Failed to allocate memory for message.$feclient.dll$pipe.cpp
                  • API String ID: 886498622-2331853264
                  • Opcode ID: 20e47104716a6a8c4231734b2e8acf1b0131ae7afa20b0052db27f2219b4b81f
                  • Instruction ID: cca196d2f453624a87e841529af7492d9f9aa3b9ee9d5fdf6c06473244dbda0b
                  • Opcode Fuzzy Hash: 20e47104716a6a8c4231734b2e8acf1b0131ae7afa20b0052db27f2219b4b81f
                  • Instruction Fuzzy Hash: FE1154B250031DABDB029E55CC86EEBB3ACEF05714B00452AFA01DB152E770DA64D7E4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 21%
                  			E003BF586(void* __ecx, intOrPtr _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr* _a16) {
                  				char _v8;
                  				char _v12;
                  				intOrPtr* _t46;
                  				intOrPtr* _t58;
                  				intOrPtr* _t59;
                  				void* _t62;
                  
                  				_t48 = __ecx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_v12 = 0;
                  				_v8 = 0;
                  				EnterCriticalSection( *(_a4 + 0xc));
                  				_t62 = E003AD459( *(_a4 + 0xc) + 0xb8);
                  				if(_t62 >= 0) {
                  					_t46 = _a16;
                  					if(_t46 == 0 ||  *_t46 == 0) {
                  						L20:
                  						_t62 = 0x80070057;
                  					} else {
                  						_t58 = _a12;
                  						if(_t58 == 0 ||  *_t58 == 0) {
                  							_t59 = _a8;
                  							if(_t59 == 0 ||  *_t59 == 0) {
                  								goto L20;
                  							} else {
                  								_t62 = E003AC0A9(_t48,  *(_a4 + 0xc) + 0x2a8, _t59,  &_v12);
                  								if(_t62 >= 0) {
                  									_t62 = E003A21A5(_v12 + 0x28, _t46, 0);
                  									if(_t62 < 0) {
                  										_push("Failed to set source path for container.");
                  										goto L19;
                  									}
                  								} else {
                  									_push(_t59);
                  									_push("UX requested unknown container with id: %ls");
                  									goto L16;
                  								}
                  							}
                  						} else {
                  							_t62 = E003ACC57(_t48,  *(_a4 + 0xc) + 0x2b8, _t58,  &_v8);
                  							if(_t62 >= 0) {
                  								_t41 = _v8;
                  								if( *((intOrPtr*)(_v8 + 4)) != 2) {
                  									_t62 = E003A21A5(_t41 + 0x38, _t46, 0);
                  									if(_t62 < 0) {
                  										_push("Failed to set source path for payload.");
                  										L19:
                  										_push(_t62);
                  										E003E012F();
                  									}
                  								} else {
                  									_push(_t58);
                  									_t62 = 0x800710dd;
                  									_push("UX denied while trying to set source on embedded payload: %ls");
                  									goto L16;
                  								}
                  							} else {
                  								_push(_t58);
                  								_push("UX requested unknown payload with id: %ls");
                  								L16:
                  								_push(_t62);
                  								E003E012F();
                  							}
                  						}
                  					}
                  				} else {
                  					_push("Engine is active, cannot change engine state.");
                  					_push(_t62);
                  					E003E012F();
                  				}
                  				LeaveCriticalSection( *(_a4 + 0xc));
                  				return _t62;
                  			}










                  APIs
                  • EnterCriticalSection.KERNEL32(?), ref: 003BF59B
                  • LeaveCriticalSection.KERNEL32(?), ref: 003BF6A8
                  Strings
                  • user is active, cannot change user state., xrefs: 003BF5B5
                  • UX requested unknown payload with id: %ls, xrefs: 003BF607
                  • Failed to set source path for container., xrefs: 003BF68D
                  • UX denied while trying to set source on embedded payload: %ls, xrefs: 003BF61D
                  • Failed to set source path for payload., xrefs: 003BF637
                  • UX requested unknown container with id: %ls, xrefs: 003BF667
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterLeave
                  • String ID: user is active, cannot change user state.$Failed to set source path for container.$Failed to set source path for payload.$UX denied while trying to set source on embedded payload: %ls$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
                  • API String ID: 3168844106-4121889706
                  • Opcode ID: e1d22efc462d6fee48e62db416f44cc803f59e510ec49c7771f5c124d2e2b685
                  • Instruction ID: 0f46e6e82064eac7d5a1dc6345ff7bdb0131630df900ca780d28197fd7b0fdeb
                  • Opcode Fuzzy Hash: e1d22efc462d6fee48e62db416f44cc803f59e510ec49c7771f5c124d2e2b685
                  • Instruction Fuzzy Hash: AB3107B2A40615AFCB238B58DC45FEBB3ACDF55724B158126FE04EB650DB74ED008790
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 49%
                  			E003A70D4(void* __ebx, void* __ecx, WCHAR* _a4, intOrPtr _a8) {
                  				signed int _v8;
                  				signed int _v12;
                  				signed int _t38;
                  				WCHAR* _t48;
                  				WCHAR* _t49;
                  				void* _t52;
                  				void* _t54;
                  
                  				_t40 = __ecx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_v8 = _v8 & 0x00000000;
                  				_v12 = _v12 & 0x00000000;
                  				_t48 = _a4;
                  				_t52 = E003A1EDE( &_v8, lstrlenW(_t48) + 1);
                  				if(_t52 >= 0) {
                  					while(1) {
                  						_t38 = E003D3E49(_t40, _t48, L"[]{}");
                  						if(_t38 == 0) {
                  							goto L5;
                  						}
                  						_t52 = E003A1EF2( &_v8, _t48, _t38);
                  						if(_t52 < 0) {
                  							_push("Failed to append characters.");
                  							L14:
                  							_push(_t52);
                  							E003E012F();
                  						} else {
                  							goto L5;
                  						}
                  						L15:
                  						goto L16;
                  						L5:
                  						_t49 =  &(_t48[_t38]);
                  						_t40 = 0;
                  						_t24 =  *_t49 & 0x0000ffff;
                  						if(0 == ( *_t49 & 0x0000ffff)) {
                  							_t52 = E003A21A5(_a8, _v8, 0);
                  							if(_t52 < 0) {
                  								_push("Failed to copy string.");
                  								goto L14;
                  							}
                  						} else {
                  							_t52 = E003A1F20( &_v12, L"[\\%c]", _t24);
                  							_t54 = _t54 + 0xc;
                  							if(_t52 < 0) {
                  								_push("Failed to format escape sequence.");
                  								goto L14;
                  							} else {
                  								_t52 = E003A1EF2( &_v8, _v12, 0);
                  								if(_t52 < 0) {
                  									_push("Failed to append escape sequence.");
                  									goto L14;
                  								} else {
                  									_t48 =  &(_t49[1]);
                  									continue;
                  								}
                  							}
                  						}
                  						goto L15;
                  					}
                  				} else {
                  					_push("Failed to allocate buffer for escaped string.");
                  					_push(_t52);
                  					E003E012F();
                  				}
                  				L16:
                  				if(_v8 != 0) {
                  					E003E54EF(_v8);
                  				}
                  				if(_v12 != 0) {
                  					E003E54EF(_v12);
                  				}
                  				return _t52;
                  			}











                  APIs
                  • lstrlenW.KERNEL32(00000000), ref: 003A70E7
                  Strings
                  • Failed to allocate buffer for escaped string., xrefs: 003A70FE
                  • Failed to format escape sequence., xrefs: 003A7181
                  • [\%c], xrefs: 003A7146
                  • Failed to append characters., xrefs: 003A7173
                  • Failed to copy string., xrefs: 003A719B
                  • []{}, xrefs: 003A7111
                  • Failed to append escape sequence., xrefs: 003A717A
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: lstrlen
                  • String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
                  • API String ID: 1659193697-3250950999
                  • Opcode ID: e8441dbe9189a8991add0033be9d08ee620c7bd5eaa2f99377050a716ba66ec2
                  • Instruction ID: ae2c6b71bb007deb09691975a445737a57a2b5cc14dc4d44fc62944a6a7354ed
                  • Opcode Fuzzy Hash: e8441dbe9189a8991add0033be9d08ee620c7bd5eaa2f99377050a716ba66ec2
                  • Instruction Fuzzy Hash: 0121F833948275BADB135695DC86FEFB7ECDB02711F210256F800BA1C1EB74AE419694
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E003C9039(void* __ecx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
                  				int _v8;
                  				intOrPtr _v12;
                  				short* _t46;
                  				intOrPtr* _t51;
                  				void* _t80;
                  				intOrPtr* _t87;
                  				intOrPtr _t88;
                  				intOrPtr _t91;
                  				intOrPtr* _t92;
                  				intOrPtr* _t96;
                  				intOrPtr _t97;
                  				intOrPtr _t99;
                  				int _t102;
                  				void* _t114;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t99 = _a12;
                  				_t102 = 0;
                  				_v8 = 0;
                  				_t46 =  *(_t99 + 0xbc);
                  				if(_t46 != 0 && CompareStringW(0, 1, _t46, 0xffffffff,  *(_t99 + 0x10), 0xffffffff) != 2) {
                  					_t51 =  *((intOrPtr*)(_t99 + 0x40));
                  					if(_t51 != 0 &&  *_t51 != 0) {
                  						_t96 = _a8;
                  						if( *_t96 != 5) {
                  							__eflags =  *_t96 - 3;
                  							if( *_t96 == 3) {
                  								L9:
                  								__eflags = E003C7B00(_t96, _t99, _t51);
                  								_t80 = 1;
                  								_t88 =  !=  ? _t80 : 0;
                  								__eflags = _t88;
                  								_v8 = _t88;
                  							} else {
                  								__eflags =  *_t96 - 6;
                  								if( *_t96 == 6) {
                  									goto L9;
                  								} else {
                  									__eflags =  *_t96 - 7;
                  									if( *_t96 == 7) {
                  										goto L9;
                  									}
                  								}
                  							}
                  						} else {
                  							_v8 = 1;
                  						}
                  					}
                  					_t91 = 0;
                  					_a12 = 0;
                  					if( *((intOrPtr*)(_t99 + 0xb8)) > 0) {
                  						_t97 = 0;
                  						_v12 = 0;
                  						do {
                  							_t87 =  *((intOrPtr*)(_t99 + 0xb4)) + _t97;
                  							if( *_t87 != 2) {
                  								goto L18;
                  							} else {
                  								_t114 =  *((intOrPtr*)(_t99 + 0x3c)) -  *((intOrPtr*)(_t87 + 0xc));
                  								if(_t114 > 0 || _t114 >= 0 &&  *((intOrPtr*)(_t99 + 0x38)) >  *((intOrPtr*)(_t87 + 8))) {
                  									goto L18;
                  								} else {
                  									if(CompareStringW(0, 1,  *(_t99 + 0xbc), 0xffffffff,  *(_t87 + 0x18), 0xffffffff) == 2) {
                  										_t92 =  *((intOrPtr*)(_a4 + 0x10));
                  										_a12 =  *((intOrPtr*)( *_t92 + 0x1c))(_t92,  *(_t87 + 0x18),  *_t87,  *((intOrPtr*)(_t87 + 0x10)),  *((intOrPtr*)(_t87 + 0x2c)),  *((intOrPtr*)(_t87 + 8)),  *((intOrPtr*)(_t87 + 0xc)), _v8);
                  										_t102 = E003AD58B(_a4, 1, _t59);
                  										__eflags = _t102;
                  										if(_t102 >= 0) {
                  											__eflags = _a12 - 1;
                  											if(__eflags != 0) {
                  												L27:
                  												_push(E003B3C30( *((intOrPtr*)(_t99 + 0xc4))));
                  												_push(E003B43FA( *((intOrPtr*)(_t87 + 8)),  *((intOrPtr*)(_t87 + 0xc))));
                  												_push(E003B40EF( *((intOrPtr*)(_t87 + 0x2c))));
                  												_push(E003B416A( *_t87));
                  												E003A550F(2, 0x2000006b,  *(_t87 + 0x18));
                  											} else {
                  												_t39 = _t99 + 0xc8; // 0x4d8
                  												_t102 = E003CC517(_t92, __eflags, _t39, _a8, 0,  *((intOrPtr*)(_t99 + 0x40)),  *((intOrPtr*)(_t99 + 0xc0)), _t87 + 0x18);
                  												__eflags = _t102;
                  												if(_t102 >= 0) {
                  													__eflags = 1;
                  													 *((intOrPtr*)(_t99 + 0xc4)) = 1;
                  													goto L27;
                  												} else {
                  													_push("Failed to initialize update bundle.");
                  													goto L22;
                  												}
                  											}
                  										} else {
                  											E003A37D3(_t62, "detect.cpp", 0x7e, _t102);
                  											_push("BA aborted detect forward compatible bundle.");
                  											L22:
                  											_push(_t102);
                  											E003E012F();
                  										}
                  									} else {
                  										_t91 = _a12;
                  										_t97 = _v12;
                  										goto L18;
                  									}
                  								}
                  							}
                  							goto L28;
                  							L18:
                  							_t91 = _t91 + 1;
                  							_t97 = _t97 + 0xf8;
                  							_a12 = _t91;
                  							_v12 = _t97;
                  						} while (_t91 <  *((intOrPtr*)(_t99 + 0xb8)));
                  					}
                  				}
                  				L28:
                  				return _t102;
                  			}


















                  APIs
                  • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00000100,00000000,?,?,?,003B6F20,000000B8,0000001C,00000100), ref: 003C9068
                  • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,003EB4A8,000000FF,?,?,?,003B6F20,000000B8,0000001C,00000100,00000100,00000100,000000B0), ref: 003C9101
                  Strings
                  • detect.cpp, xrefs: 003C9163
                  • BA aborted detect forward compatible bundle., xrefs: 003C916D
                  • comres.dll, xrefs: 003C9187
                  • Failed to initialize update bundle., xrefs: 003C91A9
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CompareString
                  • String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$comres.dll$detect.cpp
                  • API String ID: 1825529933-439563586
                  • Opcode ID: 3c9b5fb6d7a6c64911edd087be5098523c1170a40fc5817c7af27d2c913bbda3
                  • Instruction ID: b6e613cc7e7867578808548e1530bb40b70c3a693a04ef31005b954968d5b2db
                  • Opcode Fuzzy Hash: 3c9b5fb6d7a6c64911edd087be5098523c1170a40fc5817c7af27d2c913bbda3
                  • Instruction Fuzzy Hash: 9C51E071600216BFDB179F64CC89F6AB7AAFF05320B164269F915CA191DB31DC60DB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 50%
                  			E003E61FA(void* __ecx, intOrPtr _a4, void* _a8, long _a12, void* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr* _a36) {
                  				signed int _v8;
                  				signed int _v12;
                  				signed short _t39;
                  				void* _t40;
                  				signed short _t48;
                  				signed int _t49;
                  				intOrPtr* _t50;
                  				void* _t54;
                  				void* _t60;
                  				signed int _t61;
                  				intOrPtr* _t64;
                  				void* _t67;
                  
                  				_t62 = __ecx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_v8 = _v8 & 0x00000000;
                  				_t64 = _a12;
                  				_t67 = E003E47D3(__ecx, _a8,  *_t64,  *((intOrPtr*)(_t64 + 4)), 0, 0);
                  				if(_t67 >= 0) {
                  					while(1) {
                  						L2:
                  						_push( &_v8);
                  						_push(_a32);
                  						_push(_a28);
                  						_push(_a4);
                  						if( *0x40a974() == 0) {
                  							break;
                  						}
                  						if(_v8 != 0) {
                  							_t60 = 0;
                  							_a12 = _a12 & 0;
                  							while(WriteFile(_a8, _a28 + _t60, _v8 - _t60,  &_a12, 0) != 0) {
                  								_t60 = _t60 + _a12;
                  								if(_a12 == 0 || _t60 >= _v8) {
                  									 *_t64 =  *_t64 + _t60;
                  									_t49 = 0;
                  									asm("adc [edi+0x4], eax");
                  									if(_a16 != 0xffffffff) {
                  										_t61 = _t49;
                  										_v12 = _t49;
                  										if(E003E47D3(_t62, _a16, _t49, _t49, _t49, _t49) >= 0) {
                  											do {
                  												_push(0);
                  												_push( &_v12);
                  												_t54 = 8;
                  												WriteFile(_a16, _t64 + _t61 * 8, _t54 - _t61, ??, ??);
                  												_t61 = _t61 + _v12;
                  											} while (_v12 != 0 && _t61 < 8);
                  										}
                  									}
                  									_t50 = _a36;
                  									if(_t50 == 0 ||  *_t50 == 0) {
                  										L15:
                  										if(_v8 != 0) {
                  											goto L2;
                  										} else {
                  										}
                  									} else {
                  										_t67 = E003E5B46(_t50,  *_t64,  *((intOrPtr*)(_t64 + 4)), _a20, _a24, _a8);
                  										if(_t67 >= 0) {
                  											goto L15;
                  										}
                  									}
                  								} else {
                  									continue;
                  								}
                  								goto L20;
                  							}
                  							_t48 = GetLastError();
                  							_t74 =  <=  ? _t48 : _t48 & 0x0000ffff | 0x80070000;
                  							_t40 = 0x80004005;
                  							_t67 =  >=  ? 0x80004005 :  <=  ? _t48 : _t48 & 0x0000ffff | 0x80070000;
                  							_push(_t67);
                  							_push(0x1a6);
                  							L19:
                  							_push("dlutil.cpp");
                  							E003A37D3(_t40);
                  						}
                  						L20:
                  						goto L21;
                  					}
                  					_t39 = GetLastError();
                  					_t71 =  <=  ? _t39 : _t39 & 0x0000ffff | 0x80070000;
                  					_t40 = 0x80004005;
                  					_t67 =  >=  ? 0x80004005 :  <=  ? _t39 : _t39 & 0x0000ffff | 0x80070000;
                  					_push(_t67);
                  					_push(0x19a);
                  					goto L19;
                  				}
                  				L21:
                  				return _t67;
                  			}
















                  APIs
                    • Part of subcall function 003E47D3: SetFilePointerEx.KERNEL32(?,?,?,?,?,00000000,?,?,?,003B8564,00000000,00000000,00000000,00000000,00000000), ref: 003E47EB
                    • Part of subcall function 003E47D3: GetLastError.KERNEL32(?,?,?,003B8564,00000000,00000000,00000000,00000000,00000000), ref: 003E47F5
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,003E5AC5,?,?,?,?,?,?,?,00010000,?), ref: 003E6263
                  • WriteFile.KERNEL32(000000FF,00000008,00000008,?,00000000,000000FF,00000000,00000000,00000000,00000000,?,003E5AC5,?,?,?,?), ref: 003E62B5
                  • GetLastError.KERNEL32(?,003E5AC5,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 003E62FB
                  • GetLastError.KERNEL32(?,003E5AC5,?,?,?,?,?,?,?,00010000,?,00000001,?,GET,?,?), ref: 003E6321
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorFileLast$Write$Pointer
                  • String ID: @Mxt$dlutil.cpp
                  • API String ID: 133221148-2183580177
                  • Opcode ID: 22757ebfe39aa2fff299c371a6f564440e2bfc233d339176d7794b663ddcbfc4
                  • Instruction ID: 24fe8a1280b0ef9de6164db2784279f7a171329ac59243d3a90dd6775d6db99d
                  • Opcode Fuzzy Hash: 22757ebfe39aa2fff299c371a6f564440e2bfc233d339176d7794b663ddcbfc4
                  • Instruction Fuzzy Hash: 1E416072900269EFEF128E95CD45BAABBA8FF14391F150225BE04E60E0D771DD60DBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 21%
                  			E003BD206(void* __ebx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                  				signed int _v8;
                  				void* __ecx;
                  				intOrPtr* _t18;
                  				void* _t43;
                  				void* _t57;
                  				intOrPtr _t58;
                  				void* _t60;
                  				void* _t61;
                  				void* _t64;
                  
                  				_v8 = _v8 | 0xffffffff;
                  				_t58 = _a4;
                  				_t18 =  *((intOrPtr*)(_t58 + 0xc8));
                  				_t61 = E003AD58B(_t58 + 0xb8, 1,  *((intOrPtr*)( *_t18 + 0x74))(_t18, _t57, _t60, _t43));
                  				if(_t61 >= 0) {
                  					_push(__ebx);
                  					_t41 = _t58 + 0x4a0;
                  					if(E003B4B96(_t58 + 0x4a0, __edx, _t58 + 0x4a0, _t58 + 0x4a4) >= 0) {
                  						if(E003B4CE8(_t41, 1,  &_v8) >= 0) {
                  							_push(0x2000000a);
                  							_push(2);
                  							E003A550F();
                  							while(1) {
                  								_t64 = E003B4ED2( *((intOrPtr*)(_t58 + 0x49c)), _t41, 1, _a8);
                  								if(_t64 >= 0) {
                  									break;
                  								}
                  								if(_t64 != 0x800704c7) {
                  									L13:
                  									if(_t64 < 0) {
                  										goto L14;
                  									}
                  								} else {
                  									_t64 = 0x80070642;
                  									if(E003AD742(0x80070642,  *((intOrPtr*)(_t58 + 0xc8)), 0, 0, 0x80070642, 0, 0x15, 0) == 4) {
                  										continue;
                  									} else {
                  										L14:
                  										_push("Failed to elevate.");
                  										goto L16;
                  									}
                  								}
                  								goto L17;
                  							}
                  							_push(0x2000000b);
                  							_push(2);
                  							E003A550F();
                  							_t64 = E003B52E3(_t41);
                  							if(_t64 < 0) {
                  								_push("Failed to connect to elevated child process.");
                  								goto L16;
                  							} else {
                  								_push(0x2000000c);
                  								_push(2);
                  								E003A550F();
                  								goto L13;
                  							}
                  						} else {
                  							_push("Failed to create pipe and cache pipe.");
                  							goto L16;
                  						}
                  					} else {
                  						_push("Failed to create pipe name and client token.");
                  						L16:
                  						_push(_t64);
                  						E003E012F();
                  					}
                  					L17:
                  				} else {
                  					E003A37D3(_t21, "elevation.cpp", 0x100, _t61);
                  					_push("UX aborted elevation requirement.");
                  					_push(_t61);
                  					E003E012F();
                  				}
                  				if(_v8 != 0) {
                  					CloseHandle(_v8);
                  					_v8 = _v8 & 0x00000000;
                  				}
                  				if(_t64 < 0) {
                  					E003B4B2B(_t58 + 0x4a0);
                  				}
                  				return _t64;
                  			}













                  APIs
                  • CloseHandle.KERNEL32(00000000,?,?,00000001,003EB4F0,?,00000001,000000FF,?,?,770DA770,00000000,00000001,00000000,?,003B72F3), ref: 003BD32F
                  Strings
                  • Failed to create pipe and cache pipe., xrefs: 003BD28C
                  • Failed to create pipe name and client token., xrefs: 003BD270
                  • Failed to connect to elevated child process., xrefs: 003BD318
                  • elevation.cpp, xrefs: 003BD23A
                  • Failed to elevate., xrefs: 003BD311
                  • UX aborted elevation requirement., xrefs: 003BD244
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CloseHandle
                  • String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$elevation.cpp
                  • API String ID: 2962429428-3003415917
                  • Opcode ID: c04aa706ba49bc55a13827b9663dd6f3684efa72f3093053ecf9c29824aa756a
                  • Instruction ID: 0961a17c0af4f63e7a40f143aa1d7271fcef9a633b9daf7dbdd66bc91bff4d34
                  • Opcode Fuzzy Hash: c04aa706ba49bc55a13827b9663dd6f3684efa72f3093053ecf9c29824aa756a
                  • Instruction Fuzzy Hash: 98312B72A457257BEB2796608C46FEF679CEF01724F100215FB09AE582EB71ED0082A5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 27%
                  			E003A2436(signed int __edx, intOrPtr* _a4, short* _a8, signed int _a12, int _a16) {
                  				signed int _t16;
                  				int _t17;
                  				signed int _t18;
                  				signed short _t22;
                  				intOrPtr _t23;
                  				intOrPtr* _t25;
                  				signed short _t28;
                  				int _t31;
                  				short* _t40;
                  				void* _t41;
                  				intOrPtr _t43;
                  				int _t45;
                  				signed int _t48;
                  				int _t50;
                  				int _t52;
                  				intOrPtr* _t53;
                  
                  				_t39 = _a4;
                  				_t45 = __edx | 0xffffffff;
                  				_t16 = _a12;
                  				_t31 = 0;
                  				_t52 = 0;
                  				_t48 = _t16;
                  				if( *_a4 == 0) {
                  					L4:
                  					_t40 = _a8;
                  					if(_t16 != 0) {
                  						if(0 == _t40[_t16]) {
                  							_t48 = _t16 - 1;
                  						}
                  						L11:
                  						_t17 = _t48 + 1;
                  						if(_t52 >= _t17) {
                  							L20:
                  							_t18 = _a12;
                  							_push(_t31);
                  							_push(_t31);
                  							_push(_t52);
                  							_t53 = _a4;
                  							_push( *_t53);
                  							_t41 = 0xffffffff;
                  							_t19 =  ==  ? _t41 : _t18;
                  							if(WideCharToMultiByte(_a16, _t31, _a8,  ==  ? _t41 : _t18, ??, ??, ??, ??) != 0) {
                  								 *(_t48 +  *_t53) = _t31;
                  								L23:
                  								return _t31;
                  							}
                  							_t22 = GetLastError();
                  							_t35 =  <=  ? _t22 : _t22 & 0x0000ffff | 0x80070000;
                  							_t23 = 0x80004005;
                  							_t31 =  >=  ? 0x80004005 :  <=  ? _t22 : _t22 & 0x0000ffff | 0x80070000;
                  							_push(_t31);
                  							_push(0x1de);
                  							L7:
                  							_push("strutil.cpp");
                  							E003A37D3(_t23);
                  							goto L23;
                  						}
                  						_t52 = _t17;
                  						if(_t52 < 0x7fffffff) {
                  							_t25 = _a4;
                  							_push(1);
                  							_push(_t52);
                  							if( *_t25 == _t31) {
                  								_t23 = E003A38D4();
                  							} else {
                  								_push( *_t25);
                  								_t23 = E003A3A72();
                  							}
                  							_t43 = _t23;
                  							if(_t43 != 0) {
                  								 *_a4 = _t43;
                  								goto L20;
                  							} else {
                  								_t31 = 0x8007000e;
                  								_push(0x8007000e);
                  								_push(0x1d7);
                  								goto L7;
                  							}
                  						}
                  						_t31 = 0x8007000e;
                  						goto L23;
                  					}
                  					_t50 = WideCharToMultiByte(_a16, _t31, _t40, _t45, _t31, _t31, _t31, _t31);
                  					if(_t50 != 0) {
                  						_t48 = _t50 - 1;
                  						goto L11;
                  					}
                  					_t28 = GetLastError();
                  					_t38 =  <=  ? _t28 : _t28 & 0x0000ffff | 0x80070000;
                  					_t23 = 0x80004005;
                  					_t31 =  >=  ? 0x80004005 :  <=  ? _t28 : _t28 & 0x0000ffff | 0x80070000;
                  					_push(_t31);
                  					_push(0x1bc);
                  					goto L7;
                  				}
                  				_t52 = E003A3B51( *_t39);
                  				_t45 = _t45 | 0xffffffff;
                  				if(_t52 != _t45) {
                  					_t16 = _t48;
                  					goto L4;
                  				}
                  				_t31 = 0x80070057;
                  				goto L23;
                  			}




















                  APIs
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,003DFEE7,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,003DFEE7,?,00000000,00000000), ref: 003A247C
                  • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,003DFEE7,?,00000000,00000000,0000FDE9), ref: 003A2488
                    • Part of subcall function 003A3B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,003A21DC,000001C7,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A3B59
                    • Part of subcall function 003A3B51: HeapSize.KERNEL32(00000000,?,003A21DC,000001C7,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A3B60
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
                  • String ID: @Mxt$strutil.cpp
                  • API String ID: 3662877508-4037222359
                  • Opcode ID: bebf7c9b9e1f5021e5f0149a62d6d7313de10f7dc2f542a2d914eb49d1740f13
                  • Instruction ID: 1c590d27ae5a5cb818c179c11be84cfcd5f78eccf36b4dd90527e323c34f081c
                  • Opcode Fuzzy Hash: bebf7c9b9e1f5021e5f0149a62d6d7313de10f7dc2f542a2d914eb49d1740f13
                  • Instruction Fuzzy Hash: 9F31C471200359AFEB139E6E8CC4ABB72DEFB4A764B114329FD15DB1A0EB65CC408760
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 97%
                  			E003E40C8(WCHAR* _a4, WCHAR* _a8, intOrPtr _a12, long _a16) {
                  				short _t20;
                  				WCHAR* _t25;
                  				long _t28;
                  				WCHAR* _t29;
                  				signed short _t32;
                  				short* _t34;
                  				short* _t35;
                  
                  				_t25 = _a8;
                  				_t35 = 0;
                  				_t28 =  ==  ? 0 | _a12 != 0x00000000 : 0 | _a12 != 0x00000000 | 0x00000002;
                  				_a16 = _t28;
                  				if(MoveFileExW(_a4, _t25, _t28) != 0) {
                  					L20:
                  					return _t35;
                  				}
                  				_t32 = GetLastError();
                  				if(_a12 != 0 || _t32 != 0x50 && _t32 != 0xb7) {
                  					if(_t32 != 2) {
                  						L8:
                  						if(_t32 != 3) {
                  							L18:
                  							_t35 =  <=  ? _t32 : _t32 & 0x0000ffff | 0x80070000;
                  							goto L19;
                  						}
                  						_t34 = _t35;
                  						_t29 = _t25;
                  						if(( *_t25 & 0x0000ffff) == 0) {
                  							L17:
                  							_t35 = 0x80070003;
                  							goto L19;
                  						}
                  						_push(0x5c);
                  						do {
                  							_t34 =  ==  ? _t29 : _t34;
                  							_t29 =  &(_t29[1]);
                  						} while (( *_t29 & 0x0000ffff) != 0);
                  						if(_t34 == 0) {
                  							goto L17;
                  						}
                  						 *_t34 = 0;
                  						_t35 = E003A4013(_t25, _t35);
                  						_t20 = 0x5c;
                  						 *_t34 = _t20;
                  						if(_t35 >= 0 && MoveFileExW(_a4, _t25, _a16) == 0) {
                  							_t35 =  <=  ? GetLastError() : _t22 & 0x0000ffff | 0x80070000;
                  							if(_t35 < 0) {
                  								E003A37D3(_t22, "fileutil.cpp", 0x4cc, _t35);
                  							}
                  						}
                  						goto L19;
                  					}
                  					if(E003E4315(_a4, _t35) == 0) {
                  						goto L18;
                  					}
                  					_t32 = 3;
                  					goto L8;
                  				} else {
                  					_t35 = 1;
                  					L19:
                  					goto L20;
                  				}
                  			}











                  APIs
                  • MoveFileExW.KERNEL32(00000003,00000001,00000000,00000000,00000101,?,003E4203,00000003,00000001,00000001,000007D0,00000003,00000000,?,003B9E5F,00000000), ref: 003E40ED
                  • GetLastError.KERNEL32(00000001,?,003E4203,00000003,00000001,00000001,000007D0,00000003,00000000,?,003B9E5F,00000000,000007D0,00000001,00000001,00000003), ref: 003E40FC
                  • MoveFileExW.KERNEL32(00000003,00000001,000007D0,00000001,00000000,?,003E4203,00000003,00000001,00000001,000007D0,00000003,00000000,?,003B9E5F,00000000), ref: 003E417F
                  • GetLastError.KERNEL32(?,003E4203,00000003,00000001,00000001,000007D0,00000003,00000000,?,003B9E5F,00000000,000007D0,00000001,00000001,00000003,000007D0), ref: 003E4189
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorFileLastMove
                  • String ID: @Mxt$fileutil.cpp
                  • API String ID: 55378915-830300176
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 42%
                  			E003A7203(void* __ecx, struct _CRITICAL_SECTION* _a4, intOrPtr _a8, intOrPtr _a12) {
                  				signed int _v8;
                  				signed int _v12;
                  				void* _t29;
                  				char* _t38;
                  				signed int _t46;
                  				void* _t49;
                  
                  				_t41 = __ecx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_v12 = _v12 & 0x00000000;
                  				_v8 = _v8 & 0x00000000;
                  				EnterCriticalSection(_a4);
                  				_t29 = E003A5C87(_t41, _a4, _a8,  &_v12);
                  				_t46 = _v12;
                  				_t49 = _t29;
                  				if(_t49 < 0 ||  *((intOrPtr*)(_t46 + 0x18)) != 0) {
                  					if(_t49 == 0x80070490) {
                  						goto L18;
                  					}
                  					if(_t49 >= 0) {
                  						if( *((intOrPtr*)(_t46 + 0x18)) != 2 ||  *((intOrPtr*)(_t46 + 0x2c)) != 0 ||  *((intOrPtr*)(_t46 + 0x24)) != 0) {
                  							_t24 = _t46 + 8; // 0x8
                  							_t49 = E003C00E0(_t24, _a12);
                  							if(_t49 >= 0) {
                  								goto L18;
                  							}
                  							_push(_a8);
                  							_push("Failed to get value as string for variable: %ls");
                  							L17:
                  							_push(_t49);
                  							E003E012F();
                  						} else {
                  							_t16 = _t46 + 8; // 0x8
                  							_t49 = E003C00E0(_t16,  &_v8);
                  							if(_t49 >= 0) {
                  								_t49 = E003A567D(_a4, _v8, _a12, 0, 0);
                  								if(_t49 < 0) {
                  									_t38 = L"*****";
                  									if( *((intOrPtr*)(_t46 + 0x20)) == 0) {
                  										_t38 =  *(_t46 + 8);
                  									}
                  									_push(_a8);
                  									E003E012F(_t49, "Failed to format value \'%ls\' of variable: %ls", _t38);
                  								}
                  							} else {
                  								_push("Failed to get unformatted string.");
                  								_push(_t49);
                  								E003E012F();
                  							}
                  						}
                  						goto L18;
                  					}
                  					_push(_a8);
                  					_push("Failed to get variable: %ls");
                  					goto L17;
                  				} else {
                  					_t49 = 0x80070490;
                  					L18:
                  					LeaveCriticalSection(_a4);
                  					E003A2793(_v8);
                  					return _t49;
                  				}
                  			}










                  APIs
                  • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,003A583F,000002C0,000002C0,00000000,00000100,00000001,00000000,000002C0,00000002), ref: 003A7215
                  • LeaveCriticalSection.KERNEL32(00000000,00000000,00000002,00000000,?,?,?,003A583F,000002C0,000002C0,00000000,00000100,00000001,00000000,000002C0,00000002), ref: 003A72F4
                  Strings
                  • Failed to get value as string for variable: %ls, xrefs: 003A72E3
                  • Failed to get unformatted string., xrefs: 003A7285
                  • Failed to get variable: %ls, xrefs: 003A7256
                  • *****, xrefs: 003A72B0, 003A72BD
                  • Failed to format value '%ls' of variable: %ls, xrefs: 003A72BE
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterLeave
                  • String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
                  • API String ID: 3168844106-2873099529
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E003A4013(WCHAR* _a4, struct _SECURITY_ATTRIBUTES* _a8) {
                  				long _t7;
                  				short _t12;
                  				signed short _t14;
                  				short* _t17;
                  				WCHAR* _t19;
                  				WCHAR* _t21;
                  				short _t22;
                  
                  				_t21 = _a4;
                  				_t22 = 0;
                  				if(CreateDirectoryW(_t21, _a8) != 0) {
                  					L17:
                  					return _t22;
                  				}
                  				_t7 = GetLastError();
                  				if(_t7 != 0xb7) {
                  					if(_t7 == 3 || E003A40E2(_t21, 0) == 0) {
                  						_t8 =  *_t21 & 0x0000ffff;
                  						_t19 = _t21;
                  						_t17 = 0;
                  						if(( *_t21 & 0x0000ffff) == 0) {
                  							L15:
                  							_t22 = 0x80070003;
                  							E003A37D3(_t8, "dirutil.cpp", 0x72, 0x80070003);
                  							goto L16;
                  						} else {
                  							_push(0x5c);
                  							do {
                  								_t17 =  ==  ? _t19 : _t17;
                  								_t19 =  &(_t19[1]);
                  								_t8 =  *_t19 & 0x0000ffff;
                  							} while (( *_t19 & 0x0000ffff) != 0);
                  							if(_t17 == 0) {
                  								goto L15;
                  							} else {
                  								 *_t17 = 0;
                  								_t22 = E003A4013(_t21, _a8);
                  								_t12 = 0x5c;
                  								 *_t17 = _t12;
                  								if(_t22 >= 0) {
                  									if(CreateDirectoryW(_t21, _a8) != 0) {
                  										_t22 = 0;
                  									} else {
                  										_t14 = GetLastError();
                  										if(_t14 != 0xb7) {
                  											_t22 =  <=  ? _t14 : _t14 & 0x0000ffff | 0x80070000;
                  										} else {
                  											_t22 = 1;
                  										}
                  									}
                  								}
                  								L16:
                  								goto L17;
                  							}
                  						}
                  					} else {
                  						goto L2;
                  					}
                  				}
                  				L2:
                  				_t22 = 0;
                  				goto L17;
                  			}











                  APIs
                  • CreateDirectoryW.KERNEL32(003A533D,003A53B5,00000000,00000000,?,003B9EE4,00000000,00000000,003A533D,00000000,003A52B5,00000000,?,=S:,003AD4AC,=S:), ref: 003A4021
                  • GetLastError.KERNEL32(?,003B9EE4,00000000,00000000,003A533D,00000000,003A52B5,00000000,?,=S:,003AD4AC,=S:,00000000,00000000), ref: 003A402F
                  • CreateDirectoryW.KERNEL32(003A533D,003A53B5,003A5381,?,003B9EE4,00000000,00000000,003A533D,00000000,003A52B5,00000000,?,=S:,003AD4AC,=S:,00000000), ref: 003A4097
                  • GetLastError.KERNEL32(?,003B9EE4,00000000,00000000,003A533D,00000000,003A52B5,00000000,?,=S:,003AD4AC,=S:,00000000,00000000), ref: 003A40A1
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CreateDirectoryErrorLast
                  • String ID: @Mxt$dirutil.cpp
                  • API String ID: 1375471231-2772354247
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 56%
                  			E003A55B6(void* __ecx, intOrPtr _a4, short* _a8, intOrPtr* _a12) {
                  				unsigned int _v8;
                  				signed int _v12;
                  				unsigned int _t17;
                  				signed int _t18;
                  				void* _t22;
                  				void* _t23;
                  				signed int _t25;
                  				intOrPtr _t33;
                  				intOrPtr _t37;
                  				unsigned int _t43;
                  				intOrPtr _t46;
                  
                  				_t37 = _a4;
                  				_t43 =  *(_t37 + 0x1c);
                  				_t46 = 0;
                  				_t33 = 0;
                  				if(_t43 == 0) {
                  					L10:
                  					_t46 = 1;
                  					 *_a12 = _t33;
                  				} else {
                  					while(1) {
                  						_t17 = _t43 >> 1;
                  						_v8 = _t17;
                  						_t18 = _t17 + _t33;
                  						_v12 = _t18;
                  						_t22 = CompareStringW(0x7f, 0x1000, _a8, 0xffffffff,  *(_t18 * 0x38 +  *((intOrPtr*)(_t37 + 0x20))), 0xffffffff) - 1;
                  						if(_t22 == 0) {
                  							goto L5;
                  						}
                  						_t23 = _t22 - 1;
                  						if(_t23 == 0) {
                  							 *_a12 = _v8 + _t33;
                  						} else {
                  							_t25 = _t23 - 1;
                  							if(_t25 != 0) {
                  								_t51 =  <=  ? GetLastError() : _t26 & 0x0000ffff | 0x80070000;
                  								_t46 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t26 & 0x0000ffff | 0x80070000;
                  								E003A37D3(0x80004005, "variable.cpp", 0x59f, _t46);
                  								_push("Failed to compare strings.");
                  								_push(_t46);
                  								E003E012F();
                  							} else {
                  								_t33 = _v12 + 1;
                  								_t43 = _t43 + (_t25 | 0xffffffff) - _v8;
                  								L6:
                  								if(_t43 == 0) {
                  									goto L10;
                  								} else {
                  									_t37 = _a4;
                  									continue;
                  								}
                  							}
                  						}
                  						goto L11;
                  						L5:
                  						_t43 = _v8;
                  						goto L6;
                  					}
                  				}
                  				L11:
                  				return _t46;
                  			}















                  APIs
                  • CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,version.dll,000000FF,?,00000000,00000007,003A648B,003A648B,?,003A554A,?,?,00000000), ref: 003A55F2
                  • GetLastError.KERNEL32(?,003A554A,?,?,00000000,?,00000000,003A648B,?,003A7DDC,?,?,?,?,?), ref: 003A5621
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CompareErrorLastString
                  • String ID: @Mxt$Failed to compare strings.$variable.cpp$version.dll
                  • API String ID: 1733990998-4142053337
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                    • Part of subcall function 003A38D4: GetProcessHeap.KERNEL32(?,000001C7,?,003A2284,000001C7,00000001,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A38E5
                    • Part of subcall function 003A38D4: RtlAllocateHeap.NTDLL(00000000,?,003A2284,000001C7,00000001,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A38EC
                  • CreateWellKnownSid.ADVAPI32(00000000,00000000,00000000,00000000,00000044,00000001,00000000,00000000,?,?,003B8C10,0000001A,00000000,?,00000000,00000000), ref: 003B804C
                  • GetLastError.KERNEL32(?,?,003B8C10,0000001A,00000000,?,00000000,00000000,?,?,00000000,00000000,?,?,-00000004,00000000), ref: 003B8056
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Heap$AllocateCreateErrorKnownLastProcessWell
                  • String ID: @Mxt$Failed to allocate memory for well known SID.$Failed to create well known SID.$cache.cpp
                  • API String ID: 2186923214-3008950478
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 61%
                  			E003A6644(void* __ebx, void* __edx, void* __edi, intOrPtr _a8) {
                  				signed int _v8;
                  				short _v528;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t7;
                  				signed short _t18;
                  				void* _t21;
                  				void* _t26;
                  				intOrPtr _t28;
                  				void* _t29;
                  				signed int _t33;
                  
                  				_t27 = __edi;
                  				_t26 = __edx;
                  				_t21 = __ebx;
                  				_t7 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t7 ^ _t33;
                  				_t28 = _a8;
                  				E003CF670(__edi,  &_v528, 0, 0x208);
                  				if(GetTempPathW(0x104,  &_v528) != 0) {
                  					_t29 = E003C02F4(_t28,  &_v528, 0);
                  					if(_t29 < 0) {
                  						_push("Failed to set variant value.");
                  						goto L4;
                  					}
                  				} else {
                  					_t18 = GetLastError();
                  					_t32 =  <=  ? _t18 : _t18 & 0x0000ffff | 0x80070000;
                  					_t29 =  >=  ? 0x80004005 :  <=  ? _t18 : _t18 & 0x0000ffff | 0x80070000;
                  					E003A37D3(0x80004005, "variable.cpp", 0x757, _t29);
                  					_push("Failed to get temp path.");
                  					L4:
                  					_push(_t29);
                  					E003E012F();
                  				}
                  				return E003CDE36(_t21, _v8 ^ _t33, _t26, _t27, _t29);
                  			}















                  APIs
                  • GetTempPathW.KERNEL32(00000104,?), ref: 003A667D
                  • GetLastError.KERNEL32 ref: 003A6687
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorLastPathTemp
                  • String ID: @Mxt$Failed to get temp path.$Failed to set variant value.$variable.cpp
                  • API String ID: 1238063741-1096363475
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 68%
                  			E003E4038(void* __ecx, void* __eflags, WCHAR* _a4) {
                  				signed char _v8;
                  				void* _t22;
                  
                  				_v8 = _v8 | 0xffffffff;
                  				_t22 = 0;
                  				if(E003E4315(_a4,  &_v8) != 0) {
                  					if((_v8 & 0x00000007) == 0 || SetFileAttributesW(_a4, 0x80) != 0) {
                  						L5:
                  						if(DeleteFileW(_a4) == 0) {
                  							_t22 =  <=  ? GetLastError() : _t14 & 0x0000ffff | 0x80070000;
                  							if(_t22 < 0) {
                  								_push(_t22);
                  								_push(0x5c2);
                  								goto L8;
                  							}
                  						}
                  					} else {
                  						_t22 =  <=  ? GetLastError() : _t14 & 0x0000ffff | 0x80070000;
                  						if(_t22 >= 0) {
                  							goto L5;
                  						} else {
                  							_push(_t22);
                  							_push(0x5bc);
                  							L8:
                  							_push("fileutil.cpp");
                  							E003A37D3(_t14);
                  						}
                  					}
                  				}
                  				return _t22;
                  			}






                  APIs
                    • Part of subcall function 003E4315: FindFirstFileW.KERNEL32(003C8FFA,?,000002C0,00000000,00000000), ref: 003E4350
                    • Part of subcall function 003E4315: FindClose.KERNEL32(00000000), ref: 003E435C
                  • SetFileAttributesW.KERNEL32(003C8FFA,00000080,00000000,003C8FFA,000000FF,00000000,?,?,003C8FFA), ref: 003E4067
                  • GetLastError.KERNEL32(?,?,003C8FFA), ref: 003E4071
                  • DeleteFileW.KERNEL32(003C8FFA,00000000,003C8FFA,000000FF,00000000,?,?,003C8FFA), ref: 003E4090
                  • GetLastError.KERNEL32(?,?,003C8FFA), ref: 003E409A
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: File$ErrorFindLast$AttributesCloseDeleteFirst
                  • String ID: @Mxt$fileutil.cpp
                  • API String ID: 3967264933-830300176
                  • Opcode ID: c640abf1c0be6eeeb7fa659e2bc1cf62dcaa42e7659977c94e0d7b2f04ea5baa
                  • Instruction ID: 13bdbfe28b992b8c920b885f17df10ff6b9bd5750f5daf1e1f04193da91dfdb2
                  • Opcode Fuzzy Hash: c640abf1c0be6eeeb7fa659e2bc1cf62dcaa42e7659977c94e0d7b2f04ea5baa
                  • Instruction Fuzzy Hash: 54019231A017B5A7D7335AAA8D48B9BFADCEF087A4F024325FD05EA1D0D7218D0095E5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 55%
                  			E003A60BA(void* __ebx, void* __edx, intOrPtr _a8) {
                  				signed int _v8;
                  				short _v524;
                  				long _v528;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t8;
                  				void* _t20;
                  				void* _t25;
                  				intOrPtr _t26;
                  				void* _t27;
                  				signed int _t30;
                  
                  				_t25 = __edx;
                  				_t20 = __ebx;
                  				_t8 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t8 ^ _t30;
                  				_t26 = _a8;
                  				_v528 = 0x101;
                  				if(GetUserNameW( &_v524,  &_v528) != 0) {
                  					L3:
                  					_t27 = E003C02F4(_t26,  &_v524, 0);
                  					if(_t27 < 0) {
                  						_push("Failed to set variant value.");
                  						goto L5;
                  					}
                  				} else {
                  					_t27 =  <=  ? GetLastError() : _t18 & 0x0000ffff | 0x80070000;
                  					if(_t27 >= 0) {
                  						goto L3;
                  					} else {
                  						E003A37D3(_t18, "variable.cpp", 0x8e5, _t27);
                  						_push("Failed to get the user name.");
                  						L5:
                  						_push(_t27);
                  						E003E012F();
                  					}
                  				}
                  				return E003CDE36(_t20, _v8 ^ _t30, _t25, _t26, _t27);
                  			}
















                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorLastNameUser
                  • String ID: @Mxt$Failed to get the user name.$Failed to set variant value.$variable.cpp
                  • API String ID: 2054405381-1574831680
                  • Opcode ID: 6f7496856abe06d76e0d551c1c7f0875fb4d873d970c9bf25d9c53d08bfa95b5
                  • Instruction ID: 2aa1d6d2e3fba6ddd839f9096cb40f74e4ab7b08db499f9995d1c087602195c2
                  • Opcode Fuzzy Hash: 6f7496856abe06d76e0d551c1c7f0875fb4d873d970c9bf25d9c53d08bfa95b5
                  • Instruction Fuzzy Hash: D201D671A0037867D723EB659C0AEAFBBACDB01720F00426AFC05FB181EA749E454691
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 77%
                  			E003E9555() {
                  				intOrPtr _t1;
                  				_Unknown_base(*)()* _t3;
                  				void* _t5;
                  				_Unknown_base(*)()* _t6;
                  				struct HINSTANCE__* _t14;
                  
                  				_t1 =  *0x40b708; // 0x0
                  				if(_t1 != 1) {
                  					if(_t1 == 0) {
                  						_t14 = GetModuleHandleW(L"KERNEL32.DLL");
                  						if(_t14 != 0) {
                  							_t3 = GetProcAddress(_t14, "AcquireSRWLockExclusive");
                  							if(_t3 == 0) {
                  								goto L5;
                  							} else {
                  								 *0x40b70c = _t3;
                  								_t6 = GetProcAddress(_t14, "ReleaseSRWLockExclusive");
                  								if(_t6 == 0) {
                  									goto L5;
                  								} else {
                  									 *0x40b710 = _t6;
                  								}
                  							}
                  						} else {
                  							L5:
                  							_t14 = 1;
                  						}
                  						asm("lock cmpxchg [edx], ecx");
                  						if(0 != 0 || _t14 != 1) {
                  							if(0 != 1) {
                  								_t5 = 1;
                  							} else {
                  								goto L12;
                  							}
                  						} else {
                  							L12:
                  							_t5 = 0;
                  						}
                  						return _t5;
                  					} else {
                  						return 1;
                  					}
                  				} else {
                  					return 0;
                  				}
                  			}









                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID:
                  • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                  • API String ID: 0-1718035505
                  • Opcode ID: 84f5fb8fe6ab42c30e5c8ef2dc7bbeef76102fd80915a19ec4ca5f07380f6bf2
                  • Instruction ID: 8c6ddd655a63c6c5cd192cccc152cc31397a5f5c7920772c6fe4a7dce3913b96
                  • Opcode Fuzzy Hash: 84f5fb8fe6ab42c30e5c8ef2dc7bbeef76102fd80915a19ec4ca5f07380f6bf2
                  • Instruction Fuzzy Hash: 7601ADB22413B29B8F735EB69C807A7228CDA83751322437BE912E72C0D731C84597E8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 45%
                  			E003CD5AF(intOrPtr* __ecx, intOrPtr _a4, intOrPtr* _a8) {
                  				void* _t10;
                  				intOrPtr* _t21;
                  				struct _SECURITY_ATTRIBUTES* _t22;
                  
                  				_t21 = __ecx;
                  				_t22 = 0;
                  				_t1 = _t21 + 8; // 0x8
                  				 *__ecx = 0x4006ec;
                  				 *(__ecx + 4) = 1;
                  				InitializeCriticalSection(_t1);
                  				_t10 = CreateEventW(0, 1, 0, 0);
                  				 *(_t21 + 0x28) = _t10;
                  				if(_t10 != 0) {
                  					 *((intOrPtr*)(_t21 + 0x20)) = 0;
                  					 *((intOrPtr*)(_t21 + 0x24)) = 0;
                  					 *((intOrPtr*)(_t21 + 0x2c)) = _a4;
                  				} else {
                  					_t25 =  <=  ? GetLastError() : _t14 & 0x0000ffff | 0x80070000;
                  					_t22 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t14 & 0x0000ffff | 0x80070000;
                  					E003A37D3(0x80004005, "bitsengine.cpp", 0x11c, _t22);
                  					_push("Failed to create BITS job complete event.");
                  					_push(_t22);
                  					E003E012F();
                  				}
                  				 *_a8 = _t22;
                  				return _t21;
                  			}







                  APIs
                  • InitializeCriticalSection.KERNEL32(00000008,00000000,00000000,?,003CDD19,?,?,?,?,?,00000001,00000000,?), ref: 003CD5C9
                  • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,003CDD19,?,?,?,?,?,00000001,00000000,?), ref: 003CD5D4
                  • GetLastError.KERNEL32(?,003CDD19,?,?,?,?,?,00000001,00000000,?), ref: 003CD5E1
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CreateCriticalErrorEventInitializeLastSection
                  • String ID: @Mxt$Failed to create BITS job complete event.$bitsuser.cpp
                  • API String ID: 3069647169-224239337
                  • Opcode ID: 32cd323e98534f4a74e7a00d5125e931606b3d70ea109907978ed9464809fcde
                  • Instruction ID: 040198736e041d97649be6fbb08ddf232033908a369a34c34b32fb163597ee3a
                  • Opcode Fuzzy Hash: 32cd323e98534f4a74e7a00d5125e931606b3d70ea109907978ed9464809fcde
                  • Instruction Fuzzy Hash: 290152726017266BD7129B6AD845B87BBDCFF49760F014226F908DB680D7759810CBE4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E003DA059(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                  				signed int _v8;
                  				int _v12;
                  				void* _v24;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t49;
                  				signed int _t54;
                  				int _t58;
                  				signed int _t60;
                  				short* _t62;
                  				signed int _t66;
                  				short* _t70;
                  				int _t71;
                  				int _t78;
                  				void* _t80;
                  				short* _t81;
                  				signed int _t87;
                  				signed int _t90;
                  				void* _t95;
                  				int _t97;
                  				void* _t98;
                  				short* _t100;
                  				int _t102;
                  				void* _t103;
                  				signed int _t105;
                  				short* _t106;
                  				void* _t109;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t49 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t49 ^ _t105;
                  				_t102 = _a20;
                  				if(_t102 > 0) {
                  					_t78 = E003DC675(_a16, _t102);
                  					_t109 = _t78 - _t102;
                  					_t4 = _t78 + 1; // 0x1
                  					_t102 = _t4;
                  					if(_t109 >= 0) {
                  						_t102 = _t78;
                  					}
                  				}
                  				_t97 = _a32;
                  				if(_t97 == 0) {
                  					_t97 =  *( *_a4 + 8);
                  					_a32 = _t97;
                  				}
                  				_t54 = MultiByteToWideChar(_t97, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t102, 0, 0);
                  				_v12 = _t54;
                  				if(_t54 == 0) {
                  					L38:
                  					_pop(_t98);
                  					_pop(_t103);
                  					_pop(_t80);
                  					return E003CDE36(_t80, _v8 ^ _t105, _t95, _t98, _t103);
                  				} else {
                  					_t95 = _t54 + _t54;
                  					_t85 = _t95 + 8;
                  					asm("sbb eax, eax");
                  					if((_t95 + 0x00000008 & _t54) == 0) {
                  						_t81 = 0;
                  						__eflags = 0;
                  						L14:
                  						if(_t81 == 0) {
                  							L36:
                  							_t104 = 0;
                  							L37:
                  							E003D91C7(_t81);
                  							goto L38;
                  						}
                  						_t58 = MultiByteToWideChar(_t97, 1, _a16, _t102, _t81, _v12);
                  						_t120 = _t58;
                  						if(_t58 == 0) {
                  							goto L36;
                  						}
                  						_t99 = _v12;
                  						_t60 = E003D8969(_t81, _t85, _v12, _t120, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
                  						_t104 = _t60;
                  						if(_t104 == 0) {
                  							goto L36;
                  						}
                  						if((_a12 & 0x00000400) == 0) {
                  							_t95 = _t104 + _t104;
                  							_t87 = _t95 + 8;
                  							__eflags = _t95 - _t87;
                  							asm("sbb eax, eax");
                  							__eflags = _t87 & _t60;
                  							if((_t87 & _t60) == 0) {
                  								_t100 = 0;
                  								__eflags = 0;
                  								L30:
                  								__eflags = _t100;
                  								if(__eflags == 0) {
                  									L35:
                  									E003D91C7(_t100);
                  									goto L36;
                  								}
                  								_t62 = E003D8969(_t81, _t87, _t100, __eflags, _a8, _a12, _t81, _v12, _t100, _t104, 0, 0, 0);
                  								__eflags = _t62;
                  								if(_t62 == 0) {
                  									goto L35;
                  								}
                  								_push(0);
                  								_push(0);
                  								__eflags = _a28;
                  								if(_a28 != 0) {
                  									_push(_a28);
                  									_push(_a24);
                  								} else {
                  									_push(0);
                  									_push(0);
                  								}
                  								_t104 = WideCharToMultiByte(_a32, 0, _t100, _t104, ??, ??, ??, ??);
                  								__eflags = _t104;
                  								if(_t104 != 0) {
                  									E003D91C7(_t100);
                  									goto L37;
                  								} else {
                  									goto L35;
                  								}
                  							}
                  							_t90 = _t95 + 8;
                  							__eflags = _t95 - _t90;
                  							asm("sbb eax, eax");
                  							_t66 = _t60 & _t90;
                  							_t87 = _t95 + 8;
                  							__eflags = _t66 - 0x400;
                  							if(_t66 > 0x400) {
                  								__eflags = _t95 - _t87;
                  								asm("sbb eax, eax");
                  								_t100 = E003D5154(_t87, _t66 & _t87);
                  								_pop(_t87);
                  								__eflags = _t100;
                  								if(_t100 == 0) {
                  									goto L35;
                  								}
                  								 *_t100 = 0xdddd;
                  								L28:
                  								_t100 =  &(_t100[4]);
                  								goto L30;
                  							}
                  							__eflags = _t95 - _t87;
                  							asm("sbb eax, eax");
                  							E003E9DF0();
                  							_t100 = _t106;
                  							__eflags = _t100;
                  							if(_t100 == 0) {
                  								goto L35;
                  							}
                  							 *_t100 = 0xcccc;
                  							goto L28;
                  						}
                  						_t70 = _a28;
                  						if(_t70 == 0) {
                  							goto L37;
                  						}
                  						_t124 = _t104 - _t70;
                  						if(_t104 > _t70) {
                  							goto L36;
                  						}
                  						_t71 = E003D8969(_t81, 0, _t99, _t124, _a8, _a12, _t81, _t99, _a24, _t70, 0, 0, 0);
                  						_t104 = _t71;
                  						if(_t71 != 0) {
                  							goto L37;
                  						}
                  						goto L36;
                  					}
                  					asm("sbb eax, eax");
                  					_t72 = _t54 & _t95 + 0x00000008;
                  					_t85 = _t95 + 8;
                  					if((_t54 & _t95 + 0x00000008) > 0x400) {
                  						__eflags = _t95 - _t85;
                  						asm("sbb eax, eax");
                  						_t81 = E003D5154(_t85, _t72 & _t85);
                  						_pop(_t85);
                  						__eflags = _t81;
                  						if(__eflags == 0) {
                  							goto L36;
                  						}
                  						 *_t81 = 0xdddd;
                  						L12:
                  						_t81 =  &(_t81[4]);
                  						goto L14;
                  					}
                  					asm("sbb eax, eax");
                  					E003E9DF0();
                  					_t81 = _t106;
                  					if(_t81 == 0) {
                  						goto L36;
                  					}
                  					 *_t81 = 0xcccc;
                  					goto L12;
                  				}
                  			}

































                  APIs
                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,003D3382,003D3382,?,?,?,003DA2AA,00000001,00000001,E3E85006), ref: 003DA0B3
                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,003DA2AA,00000001,00000001,E3E85006,?,?,?), ref: 003DA139
                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,E3E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003DA233
                  • __freea.LIBCMT ref: 003DA240
                    • Part of subcall function 003D5154: RtlAllocateHeap.NTDLL(00000000,?,?,?,003D1E90,?,0000015D,?,?,?,?,003D32E9,000000FF,00000000,?,?), ref: 003D5186
                  • __freea.LIBCMT ref: 003DA249
                  • __freea.LIBCMT ref: 003DA26E
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                  • String ID:
                  • API String ID: 1414292761-0
                  • Opcode ID: 90f2595a6b6f83842a8ca598ad81d719c173a0d0681e7b519fd5e412f3b17499
                  • Instruction ID: d9c5c3c1b144903fbd8b86cbf60f9384bc74e0f9659dd7f48f4626a9ea9e3c15
                  • Opcode Fuzzy Hash: 90f2595a6b6f83842a8ca598ad81d719c173a0d0681e7b519fd5e412f3b17499
                  • Instruction Fuzzy Hash: B5510373600616AFDB278F71ED82EBB77A9EB50710F16462AFC04EA280EB75DC408651
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 78%
                  			E003BF6B8(void* __ecx, intOrPtr _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
                  				char _v8;
                  				char _v12;
                  				void* __ebx;
                  				void* __edi;
                  				intOrPtr* _t43;
                  				intOrPtr _t50;
                  				intOrPtr* _t66;
                  				void* _t71;
                  				intOrPtr _t76;
                  				char _t79;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t76 = _a4;
                  				_t79 = 0;
                  				_v8 = 0;
                  				_v12 = 0;
                  				EnterCriticalSection( *(_t76 + 0xc));
                  				_t66 = _a8;
                  				if(_t66 == 0 ||  *_t66 == 0) {
                  					_t43 = _a12;
                  					if(_t43 == 0 ||  *_t43 == 0) {
                  						E003AE79A(_t66, 0, _t76,  *(_t76 + 0xc) + 0x2f0);
                  					} else {
                  						goto L4;
                  					}
                  				} else {
                  					L4:
                  					_t50 = _a28;
                  					if(_a24 != _t79) {
                  						if(_a24 != 1 || _a32 == 0x14 && _t50 != 0) {
                  							goto L7;
                  						} else {
                  							goto L15;
                  						}
                  					} else {
                  						if(_a32 != _t79 || _t50 != 0) {
                  							L15:
                  							_t79 = 0x80070057;
                  						} else {
                  							L7:
                  							E003AE79A(_t66, 0, _t76,  *(_t76 + 0xc) + 0x2f0);
                  							if(_t66 == 0) {
                  								L9:
                  								if(E003A1F20( &_v8, L"update\\%ls",  *((intOrPtr*)( *(_t76 + 0xc) + 0x148))) >= 0) {
                  									_t71 = 0;
                  									goto L17;
                  								} else {
                  									_push("Failed to default local update source");
                  									goto L11;
                  								}
                  							} else {
                  								_t71 = 0;
                  								if( *_t66 != 0) {
                  									L17:
                  									if(E003B7C29(_t71,  &_v12, 5,  *((intOrPtr*)( *(_t76 + 0xc) + 0x20)),  *((intOrPtr*)( *(_t76 + 0xc) + 0x24)), _t71, _t71,  *((intOrPtr*)( *(_t76 + 0xc) + 0x140)),  *((intOrPtr*)(_t57 + 0x1c0)), _t71,  *((intOrPtr*)(_t57 + 0x28))) >= 0) {
                  										_t60 =  *(_t76 + 0xc);
                  										_t68 =  !=  ? _v8 : _t66;
                  										_t79 = E003CC0FA( !=  ? _v8 : _t66, 0, _t76, 0x126e0000, 0x3000a,  *(_t76 + 0xc) + 0x2f8, 0,  *((intOrPtr*)( *(_t76 + 0xc) + 0x110)), 6, 2,  *((intOrPtr*)(_t60 + 0x148)),  !=  ? _v8 : _t66, _a12, _a16, _a20, 1, _v12, 0, 0, 0, _a28, _a32);
                  										if(_t79 >= 0) {
                  											 *((intOrPtr*)( *(_t76 + 0xc) + 0x2f0)) = 1;
                  										} else {
                  											_push("Failed to set update bundle.");
                  											goto L11;
                  										}
                  									} else {
                  										_push("Failed to recreate command-line for update bundle.");
                  										L11:
                  										_push(_t79);
                  										E003E012F();
                  									}
                  								} else {
                  									goto L9;
                  								}
                  							}
                  						}
                  					}
                  				}
                  				LeaveCriticalSection( *(_t76 + 0xc));
                  				if(_v12 != 0) {
                  					E003E54EF(_v12);
                  				}
                  				if(_v8 != 0) {
                  					E003E54EF(_v8);
                  				}
                  				return _t79;
                  			}














                  APIs
                  • EnterCriticalSection.KERNEL32(?), ref: 003BF6D0
                  • LeaveCriticalSection.KERNEL32(?,?), ref: 003BF81D
                  Strings
                  • Failed to recreate command-line for update bundle., xrefs: 003BF79C
                  • Failed to set update bundle., xrefs: 003BF7F3
                  • update\%ls, xrefs: 003BF72E
                  • Failed to default local update source, xrefs: 003BF742
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterLeave
                  • String ID: Failed to default local update source$Failed to recreate command-line for update bundle.$Failed to set update bundle.$update\%ls
                  • API String ID: 3168844106-1266646976
                  • Opcode ID: 0c009eb67d543a5a855f2f4e5c8bea73002b9f749087aa31025ed71463a5c7e9
                  • Instruction ID: 796fe6b2f629cf599eae448b9485cbd2bbd3feecb741146967e96d44c3f2cdd4
                  • Opcode Fuzzy Hash: 0c009eb67d543a5a855f2f4e5c8bea73002b9f749087aa31025ed71463a5c7e9
                  • Instruction Fuzzy Hash: 49418C31940219EFDF139F54CC46EEAB7A8EF04358F0252B5FA04AB561DB71DD509B50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 33%
                  			E003A21BC(signed int __edx, intOrPtr* _a4, char* _a8, signed int _a12, int _a16) {
                  				signed int _t17;
                  				unsigned int _t18;
                  				signed int _t19;
                  				signed short _t24;
                  				intOrPtr _t25;
                  				signed short _t31;
                  				signed int _t34;
                  				int _t36;
                  				char* _t38;
                  				void* _t39;
                  				intOrPtr _t41;
                  				intOrPtr _t42;
                  				int _t44;
                  				unsigned int _t46;
                  				intOrPtr* _t47;
                  				unsigned int _t49;
                  				int _t51;
                  
                  				_t37 = _a4;
                  				_t44 = __edx | 0xffffffff;
                  				_t17 = _a12;
                  				_t51 = 0;
                  				_t34 = _t17;
                  				_t46 = 0;
                  				if( *_a4 == 0) {
                  					L4:
                  					_t38 = _a8;
                  					if(_t17 != 0) {
                  						if(_t38[_t17] == 0) {
                  							_t34 = _t17 - 1;
                  						}
                  						L11:
                  						_t18 = _t34 + 1;
                  						if(_t46 >= _t18) {
                  							L20:
                  							_t19 = _a12;
                  							_push(_t46);
                  							_t47 = _a4;
                  							_push( *_t47);
                  							_t39 = 0xffffffff;
                  							_t20 =  ==  ? _t39 : _t19;
                  							if(MultiByteToWideChar(_a16, _t51, _a8,  ==  ? _t39 : _t19, ??, ??) != 0) {
                  								 *((short*)( *_t47 + _t34 * 2)) = 0;
                  								L23:
                  								return _t51;
                  							}
                  							_t24 = GetLastError();
                  							_t55 =  <=  ? _t24 : _t24 & 0x0000ffff | 0x80070000;
                  							_t25 = 0x80004005;
                  							_t51 =  >=  ? 0x80004005 :  <=  ? _t24 : _t24 & 0x0000ffff | 0x80070000;
                  							_push(_t51);
                  							_push(0x22f);
                  							L7:
                  							_push("strutil.cpp");
                  							E003A37D3(_t25);
                  							goto L23;
                  						}
                  						_t46 = _t18;
                  						if(_t46 < 0x7fffffff) {
                  							_push(1);
                  							_t41 =  *_a4;
                  							_push(_t46 + _t46);
                  							if(_t41 == 0) {
                  								_t25 = E003A38D4();
                  							} else {
                  								_push(_t41);
                  								_t25 = E003A3A72();
                  							}
                  							_t42 = _t25;
                  							if(_t42 != 0) {
                  								 *_a4 = _t42;
                  								goto L20;
                  							} else {
                  								_t51 = 0x8007000e;
                  								_push(0x8007000e);
                  								_push(0x228);
                  								goto L7;
                  							}
                  						}
                  						_t51 = 0x8007000e;
                  						goto L23;
                  					}
                  					_t36 = MultiByteToWideChar(_a16, _t51, _t38, _t44, _t51, _t51);
                  					if(_t36 != 0) {
                  						_t34 = _t36 - 1;
                  						goto L11;
                  					}
                  					_t31 = GetLastError();
                  					_t58 =  <=  ? _t31 : _t31 & 0x0000ffff | 0x80070000;
                  					_t25 = 0x80004005;
                  					_t51 =  >=  ? 0x80004005 :  <=  ? _t31 : _t31 & 0x0000ffff | 0x80070000;
                  					_push(_t51);
                  					_push(0x20c);
                  					goto L7;
                  				}
                  				_t49 = E003A3B51( *_t37);
                  				_t44 = _t44 | 0xffffffff;
                  				if(_t49 != _t44) {
                  					_t46 = _t49 >> 1;
                  					_t17 = _t34;
                  					goto L4;
                  				}
                  				_t51 = 0x80070057;
                  				goto L23;
                  			}





















                  APIs
                  • MultiByteToWideChar.KERNEL32(8007139F,00000000,?,?,00000000,00000000,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A2202
                  • GetLastError.KERNEL32(?,00000000,00000000,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A220E
                    • Part of subcall function 003A3B51: GetProcessHeap.KERNEL32(00000000,000001C7,?,003A21DC,000001C7,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A3B59
                    • Part of subcall function 003A3B51: HeapSize.KERNEL32(00000000,?,003A21DC,000001C7,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A3B60
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
                  • String ID: @Mxt$strutil.cpp
                  • API String ID: 3662877508-4037222359
                  • Opcode ID: b40d1d77c10a723f5eea0db110c22047f7b7b1c4bbbc9b437b517ff84c371176
                  • Instruction ID: 707df4bddbd9bb21e82842acec746e8bb3a18d4077c7432cf68a9cc0cdda641e
                  • Opcode Fuzzy Hash: b40d1d77c10a723f5eea0db110c22047f7b7b1c4bbbc9b437b517ff84c371176
                  • Instruction Fuzzy Hash: 1631D632600216ABEB629A6DCC44B6B77D9EF46760B124729FC15DB6E0EB31DC0087A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E003BC59C(void* __ecx, void* __edx, intOrPtr* _a4, signed int _a8, intOrPtr* _a12) {
                  				signed int _t87;
                  				void* _t96;
                  
                  				_t97 = _a4;
                  				_t96 = 0;
                  				_t87 =  *_a4 - 1;
                  				if(_t87 > 0x13) {
                  					L23:
                  					_t96 = 0x80070057;
                  					E003A37D3(_t87, "elevation.cpp", 0x5e4, 0x80070057);
                  					E003E012F(0x80070057, "Unexpected elevated message sent to child process, msg: %u",  *_t97);
                  					L24:
                  					return _t96;
                  				}
                  				switch( *((intOrPtr*)(_t87 * 4 +  &M003BC7AC))) {
                  					case 0:
                  						_t92 = E003BAEB2(__ecx, __edx, _t101,  *((intOrPtr*)(_a8 + 0x20)),  *((intOrPtr*)(_a8 + 0x24)),  *((intOrPtr*)(_t91 + 8)),  *((intOrPtr*)(_t91 + 0xc)),  *((intOrPtr*)(_t97 + 0xc)),  *((intOrPtr*)(_t97 + 4)));
                  						goto L21;
                  					case 1:
                  						__eax = _a8;
                  						__esi =  *(_a8 + 8);
                  						__eflags =  *__esi;
                  						if( *__esi != 0) {
                  							ReleaseMutex( *__esi) = CloseHandle( *__esi);
                  							 *__esi = 0;
                  						}
                  						__esi = __edi;
                  						goto L22;
                  					case 2:
                  						_a8 = E003BC29D(__ecx, __edx, __eflags,  *((intOrPtr*)(_a8 + 0x24)),  *((intOrPtr*)(__eax + 0x20)),  *((intOrPtr*)(__eax + 0x28)), __esi[3], __esi[1]);
                  						goto L21;
                  					case 3:
                  						_a8 = E003BC484(__ecx, __edx, __eflags,  *((intOrPtr*)(_a8 + 0x24)), __esi[3], __esi[1]);
                  						goto L21;
                  					case 4:
                  						_a8 = E003BC3DF(__ecx, __edx, __eflags,  *((intOrPtr*)(_a8 + 0x24)),  *((intOrPtr*)(__eax + 0x20)), __esi[3], __esi[1]);
                  						goto L21;
                  					case 5:
                  						__eax = _a8;
                  						__esi = E003AFDDF(__ecx,  *((intOrPtr*)(_a8 + 0x24)), __esi[3], __esi[1]);
                  						__eflags = __esi;
                  						if(__esi < 0) {
                  							_push("Failed to save state.");
                  							_push(__esi);
                  							__eax = E003E012F();
                  							_pop(__ecx);
                  							_pop(__ecx);
                  						}
                  						goto L22;
                  					case 6:
                  						goto L23;
                  					case 7:
                  						_a8 = E003BC1D8(__ecx, __edx, __eflags,  *((intOrPtr*)(_a8 + 0x24)), __esi[3], __esi[1]);
                  						goto L21;
                  					case 8:
                  						__ecx = _a8;
                  						 *((intOrPtr*)(__ecx + 0x24)) =  *((intOrPtr*)(__ecx + 0x24)) + 0xb4;
                  						__eax = E003BB35A(__ecx, __edx, __eflags,  *((intOrPtr*)(__ecx + 4)),  *((intOrPtr*)(__ecx + 0x18)),  *((intOrPtr*)(__ecx + 0x24)) + 0xb4,  *((intOrPtr*)(__ecx + 0x20)), __esi[3], __esi[1]);
                  						goto L21;
                  					case 9:
                  						_a8 = E003BB561(__ecx, __eflags,  *((intOrPtr*)(_a8 + 4)),  *((intOrPtr*)(__eax + 0x18)),  *((intOrPtr*)(__eax + 0x20)), __esi[3], __esi[1]);
                  						goto L21;
                  					case 0xa:
                  						_a8 = E003BB813(__ecx, __eflags,  *((intOrPtr*)(_a8 + 4)),  *((intOrPtr*)(__eax + 0x18)),  *((intOrPtr*)(__eax + 0x20)), __esi[3], __esi[1]);
                  						goto L21;
                  					case 0xb:
                  						_a8 = E003BBAB9(__ecx, __eflags,  *((intOrPtr*)(_a8 + 4)),  *((intOrPtr*)(__eax + 0x18)),  *((intOrPtr*)(__eax + 0x20)), __esi[3], __esi[1]);
                  						goto L21;
                  					case 0xc:
                  						__ecx = _a8;
                  						 *((intOrPtr*)(__ecx + 0x24)) =  *((intOrPtr*)(__ecx + 0x24)) + 0xb4;
                  						__eax = E003BBD23(__ecx, __edi, __eflags,  *((intOrPtr*)(__ecx + 0x18)),  *((intOrPtr*)(__ecx + 0x24)) + 0xb4, __esi[3], __esi[1]);
                  						goto L21;
                  					case 0xd:
                  						__ecx = _a8;
                  						 *((intOrPtr*)(__ecx + 0x24)) =  *((intOrPtr*)(__ecx + 0x24)) + 0xb4;
                  						__eax = E003BBC1C(__ecx, __edx, __edi, __eflags,  *((intOrPtr*)(__ecx + 0x18)),  *((intOrPtr*)(__ecx + 0x24)) + 0xb4, __esi[3], __esi[1]);
                  						goto L21;
                  					case 0xe:
                  						_a8 = E003BC0B1(__ecx, __eflags,  *((intOrPtr*)(_a8 + 0x18)), __esi[3], __esi[1]);
                  						goto L21;
                  					case 0xf:
                  						_a8 = E003BB2C2(__ecx, __edx, __eflags,  *((intOrPtr*)(_a8 + 0x18)), __esi[3], __esi[1]);
                  						goto L21;
                  					case 0x10:
                  						_a8 = E003BBE05(__ecx, __eflags,  *((intOrPtr*)(_a8 + 4)),  *((intOrPtr*)(__eax + 0x10)),  *((intOrPtr*)(__eax + 0x20)), __esi[3], __esi[1]);
                  						L21:
                  						_t98 = _t92;
                  						L22:
                  						 *_a12 = _t98;
                  						goto L24;
                  				}
                  			}






                  APIs
                  Strings
                  • Failed to save state., xrefs: 003BC661
                  • elevation.cpp, xrefs: 003BC788
                  • Unexpected elevated message sent to child process, msg: %u, xrefs: 003BC794
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CloseHandleMutexRelease
                  • String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$elevation.cpp
                  • API String ID: 4207627910-1576875097
                  • Opcode ID: 62febf1f47c8d90eb2c04579917fcda92ca0d616acebce22b34c49dd22c03ff5
                  • Instruction ID: 924dfce4ddff0adec3976466dcba586350169f568a0918af1e9d573e336f7e71
                  • Opcode Fuzzy Hash: 62febf1f47c8d90eb2c04579917fcda92ca0d616acebce22b34c49dd22c03ff5
                  • Instruction Fuzzy Hash: 7B61D73A110504EFCB239F94CD42C96BBB6FF093187118559FA995AA32CB32E921EF40
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 91%
                  			E003E10C5(void* _a4, short* _a8, signed int* _a12, signed int* _a16) {
                  				int* _v8;
                  				int _v12;
                  				int _v16;
                  				signed short _t44;
                  				void* _t47;
                  				int* _t51;
                  				long _t71;
                  				signed int _t72;
                  				signed int _t73;
                  				signed short _t75;
                  				unsigned int _t79;
                  				unsigned int _t80;
                  				unsigned int _t81;
                  				WCHAR* _t82;
                  				void* _t86;
                  				void* _t87;
                  				void* _t88;
                  
                  				_v16 = 0;
                  				_t72 = 0;
                  				_v12 = 0;
                  				_t81 = 0;
                  				_v8 = 0;
                  				_t44 = RegQueryValueExW(_a4, _a8, 0,  &_v16, 0,  &_v12);
                  				_t79 = _v12;
                  				_t75 = _t44;
                  				if(_t79 == 0) {
                  					L3:
                  					_t86 = 0x80070002;
                  					_t47 =  <=  ? _t75 : _t75 & 0x0000ffff | 0x80070000;
                  					if(_t47 != 0x80070002) {
                  						if(_t75 == 0) {
                  							_t80 = _t79 >> 1;
                  							if(_t80 == _t81) {
                  								if(_v16 == 7) {
                  									if(_t81 >= 2) {
                  										_t51 = _v8;
                  										if(0 !=  *((intOrPtr*)(_t51 + _t81 * 2 - 2)) || 0 !=  *((intOrPtr*)(_t51 + _t81 * 2 - 4))) {
                  											_t86 = 0x80070057;
                  										} else {
                  											_t87 = 0;
                  											if(_t80 != 0) {
                  												do {
                  													_t87 = _t87 + 1;
                  													_t29 = _t72 + 1; // 0x1
                  													_t63 =  !=  ? _t72 : _t29;
                  													_t72 =  !=  ? _t72 : _t29;
                  												} while (_t87 < _t80);
                  											}
                  											_t31 = _t72 - 1; // 0x0
                  											_t52 = _t31;
                  											 *_a16 = _t31;
                  											_t86 = E003A38F6(_t31, _a16, _a12, _t52, 4, 0);
                  											if(_t86 >= 0) {
                  												_t73 = 0;
                  												_t82 = _v8;
                  												if( *_a16 > 0) {
                  													while(1) {
                  														_t86 = E003A21A5( *_a12 + _t73 * 4, _t82, 0);
                  														if(_t86 < 0) {
                  															goto L23;
                  														}
                  														_t82 =  &(( &(_t82[lstrlenW(_t82)]))[1]);
                  														_t73 = _t73 + 1;
                  														if(_t73 <  *_a16) {
                  															continue;
                  														} else {
                  														}
                  														goto L23;
                  													}
                  												}
                  											}
                  										}
                  									} else {
                  										 *_a12 =  *_a12 & _t72;
                  										 *_a16 =  *_a16 & _t72;
                  										_t86 = 0;
                  									}
                  								} else {
                  									_t86 = 0x8007070c;
                  									_push(0x8007070c);
                  									_push(0x225);
                  									goto L6;
                  								}
                  							} else {
                  								_t86 = 0x8000ffff;
                  							}
                  						} else {
                  							_t88 = _t47;
                  							_t47 = 0x80004005;
                  							_t86 =  >=  ? 0x80004005 : _t88;
                  							_push(_t86);
                  							_push(0x21a);
                  							L6:
                  							_push("regutil.cpp");
                  							E003A37D3(_t47);
                  						}
                  					}
                  				} else {
                  					_t81 = _t79 >> 1;
                  					_t86 = E003A1EDE( &_v8, _t81);
                  					if(_t86 >= 0) {
                  						_t71 = RegQueryValueExW(_a4, _a8, 0,  &_v16, _v8,  &_v12);
                  						_t79 = _v12;
                  						_t75 = _t71;
                  						goto L3;
                  					}
                  				}
                  				L23:
                  				_t48 = _v8;
                  				if(_v8 != 0) {
                  					E003E54EF(_t48);
                  				}
                  				return _t86;
                  			}





















                  APIs
                  • RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 003E10ED
                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,003B6EF3,00000100,000000B0,00000088,00000410,000002C0), ref: 003E1126
                  • lstrlenW.KERNEL32(?,?,?,00000000,?,-00000001,00000004,00000000), ref: 003E121A
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: QueryValue$lstrlen
                  • String ID: BundleUpgradeCode$regutil.cpp
                  • API String ID: 3790715954-1648651458
                  • Opcode ID: 7fbbf083e60ab79269b93b5a9d76d08e976f2d8680db071e4ac4c343ba1f7c69
                  • Instruction ID: f3d3d983c62cc4630a17d2f3830970b1afa1aa0535dbbea726c9337e7eebaa8b
                  • Opcode Fuzzy Hash: 7fbbf083e60ab79269b93b5a9d76d08e976f2d8680db071e4ac4c343ba1f7c69
                  • Instruction Fuzzy Hash: 7841A871A0026AEFDB16CFA6CC81AAE77B9EF44710F124669ED05EB250D731ED018B90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E003E85CB(intOrPtr _a4, struct _FILETIME* _a8) {
                  				signed int _v8;
                  				struct _SYSTEMTIME _v24;
                  				signed int _v28;
                  				struct _FILETIME* _v32;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t21;
                  				void* _t26;
                  				signed short _t32;
                  				signed int _t35;
                  				signed short _t38;
                  				void* _t40;
                  				void* _t42;
                  				void* _t44;
                  				void* _t46;
                  				signed short _t50;
                  				signed short* _t54;
                  				void* _t56;
                  				void* _t57;
                  				signed short* _t58;
                  				signed int _t64;
                  				void* _t65;
                  
                  				_t21 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t21 ^ _t64;
                  				_v28 = _v28 & 0x00000000;
                  				_t50 = 0;
                  				_v32 = _a8;
                  				_t58 =  &_v24;
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_t26 = E003A21A5( &_v28, _a4, 0);
                  				_t60 = _t26;
                  				if(_t26 < 0) {
                  					L23:
                  					if(_v28 != 0) {
                  						E003E54EF(_v28);
                  					}
                  					return E003CDE36(_t50, _v8 ^ _t64, 0, _t58, _t60);
                  				}
                  				_t58 = _v28;
                  				_t54 = _t58;
                  				if(_t58 == 0) {
                  					L21:
                  					if(SystemTimeToFileTime( &_v24, _v32) == 0) {
                  						_t32 = GetLastError();
                  						_t63 =  <=  ? _t32 : _t32 & 0x0000ffff | 0x80070000;
                  						_t60 =  >=  ? 0x80004005 :  <=  ? _t32 : _t32 & 0x0000ffff | 0x80070000;
                  						E003A37D3(0x80004005, "timeutil.cpp", 0xbf,  >=  ? 0x80004005 :  <=  ? _t32 : _t32 & 0x0000ffff | 0x80070000);
                  					}
                  					goto L23;
                  				} else {
                  					goto L2;
                  				}
                  				while(1) {
                  					L2:
                  					_t35 =  *_t58 & 0x0000ffff;
                  					if(_t35 == 0) {
                  						goto L21;
                  					}
                  					_t56 = 0x54;
                  					if(_t56 == _t35) {
                  						L6:
                  						 *_t58 = 0;
                  						_t58 =  &(_t58[1]);
                  						_t38 = _t50;
                  						if(_t38 == 0) {
                  							_v24.wYear = E003D6490(_t54, _t54, 0, 0xa);
                  							L18:
                  							_t65 = _t65 + 0xc;
                  							L19:
                  							_t54 = _t58;
                  							_t50 = _t50 + 1;
                  							L20:
                  							_t58 =  &(_t58[1]);
                  							if(_t58 != 0) {
                  								continue;
                  							}
                  							goto L21;
                  						}
                  						_t40 = _t38 - 1;
                  						if(_t40 == 0) {
                  							_v24.wMonth = E003D6490(_t54, _t54, 0, 0xa);
                  							goto L18;
                  						}
                  						_t42 = _t40 - 1;
                  						if(_t42 == 0) {
                  							_v24.wDay = E003D6490(_t54, _t54, 0, 0xa);
                  							goto L18;
                  						}
                  						_t44 = _t42 - 1;
                  						if(_t44 == 0) {
                  							_v24.wHour = E003D6490(_t54, _t54, 0, 0xa);
                  							goto L18;
                  						}
                  						_t46 = _t44 - 1;
                  						if(_t46 == 0) {
                  							_v24.wMinute = E003D6490(_t54, _t54, 0, 0xa);
                  							goto L18;
                  						}
                  						if(_t46 != 1) {
                  							goto L19;
                  						}
                  						_v24.wSecond = E003D6490(_t54, _t54, 0, 0xa);
                  						goto L18;
                  					}
                  					_t57 = 0x3a;
                  					if(_t57 == _t35) {
                  						goto L6;
                  					}
                  					_push(0x2d);
                  					_pop(0);
                  					if(0 != _t35) {
                  						goto L20;
                  					}
                  					goto L6;
                  				}
                  				goto L21;
                  			}




























                  APIs
                  • SystemTimeToFileTime.KERNEL32(?,00000000,00000000,clbcatq.dll,00000000,clbcatq.dll,00000000,00000000,00000000), ref: 003E86D8
                  • GetLastError.KERNEL32 ref: 003E86E2
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Time$ErrorFileLastSystem
                  • String ID: @Mxt$clbcatq.dll$timeutil.cpp
                  • API String ID: 2781989572-2183513452
                  • Opcode ID: 5f5a18f12baba1cb4016926c6860339cdc1e57c30bf57cedcca8e1466a827d95
                  • Instruction ID: 35fbe5f28337740bd2fca28c889f4b4c7b844affa52476f891e6926af0564c41
                  • Opcode Fuzzy Hash: 5f5a18f12baba1cb4016926c6860339cdc1e57c30bf57cedcca8e1466a827d95
                  • Instruction Fuzzy Hash: 1B41E976E4026576EB229BBA8D46BBFB378EF40704F15461AF609BB2D0DD31CD0083A5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E003E4212(void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                  				char _v8;
                  				char _v12;
                  				void* _v16;
                  				char _v20;
                  				void* _t34;
                  				void* _t37;
                  				signed short* _t39;
                  				signed int _t42;
                  				void* _t44;
                  				void* _t45;
                  				signed int _t49;
                  				void* _t50;
                  
                  				_v16 = 0;
                  				_v12 = 0;
                  				_v8 = 0;
                  				_v20 = 0;
                  				_t50 = E003E4315(_a4, _a8);
                  				if(_t50 == 0) {
                  					L21:
                  					if(_v12 != 0) {
                  						E003A2647(_v12, _v8);
                  					}
                  					if(_v16 != 0) {
                  						RegCloseKey(_v16);
                  					}
                  					return _t50;
                  				}
                  				_t34 = E003E0E3F(0x80000002, L"SYSTEM\\CurrentControlSet\\Control\\Session Manager", 1,  &_v16);
                  				if(_t34 == 0x80070002 || _t34 < 0) {
                  					L20:
                  					goto L21;
                  				} else {
                  					_t37 = E003E10C5(_v16, L"PendingFileRenameOperations",  &_v12,  &_v8);
                  					if(_t37 != 0x80070002 && _t37 >= 0) {
                  						_t49 = 0;
                  						if(_v8 <= 0) {
                  							goto L20;
                  						}
                  						_a8 = 0x5c;
                  						_t45 = 0x3f;
                  						do {
                  							_t39 =  *(_v12 + _t49 * 4);
                  							if(_t39 == 0) {
                  								goto L17;
                  							}
                  							_t42 =  *_t39 & 0x0000ffff;
                  							if(_t42 == 0) {
                  								goto L17;
                  							}
                  							if(_a8 == _t42 && _t45 == _t39[1] && _t45 == _t39[2]) {
                  								_t44 = 0x5c;
                  								if(_t44 == _t39[3]) {
                  									_t39 =  &(_t39[4]);
                  								}
                  							}
                  							if(E003A2D05( &_v20, _a4, _t39,  &_v20) < 0) {
                  								goto L20;
                  							} else {
                  								if(_v20 == 2) {
                  									_t50 = 0;
                  									goto L20;
                  								}
                  								_t45 = 0x3f;
                  							}
                  							L17:
                  							_t49 = _t49 + 2;
                  						} while (_t49 < _v8);
                  					}
                  					goto L20;
                  				}
                  			}
















                  APIs
                    • Part of subcall function 003E4315: FindFirstFileW.KERNEL32(003C8FFA,?,000002C0,00000000,00000000), ref: 003E4350
                    • Part of subcall function 003E4315: FindClose.KERNEL32(00000000), ref: 003E435C
                  • RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,00000000,?,00000000,?,wininet.dll), ref: 003E4305
                    • Part of subcall function 003E0E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,003E5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 003E0E52
                    • Part of subcall function 003E10C5: RegQueryValueExW.ADVAPI32(00000000,000002C0,00000000,000002C0,00000000,00000000,000002C0,BundleUpgradeCode,00000410,000002C0,00000000,00000000,00000000,00000100,00000000), ref: 003E10ED
                    • Part of subcall function 003E10C5: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,003B6EF3,00000100,000000B0,00000088,00000410,000002C0), ref: 003E1126
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CloseFindQueryValue$FileFirstOpen
                  • String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager$\$crypt32.dll
                  • API String ID: 3397690329-3978359083
                  • Opcode ID: 209fe57946940b6d5a4c0502a36b47e17c5bd1085d9d0a6daffa087b781768f3
                  • Instruction ID: 25491b6c7cd8f99813f63101697341c84a3d81f2039246b9de49790a00261079
                  • Opcode Fuzzy Hash: 209fe57946940b6d5a4c0502a36b47e17c5bd1085d9d0a6daffa087b781768f3
                  • Instruction Fuzzy Hash: B731D835900269EBDF23AFD6CC41AAEB779EF0C350F16876AF600AA1D1D7719A40CB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 31%
                  			E003CD047(void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12, intOrPtr _a16) {
                  				intOrPtr _v8;
                  				signed int _v12;
                  				intOrPtr _v16;
                  				char _v20;
                  				signed int _t31;
                  				intOrPtr _t33;
                  				signed int _t45;
                  				signed int* _t46;
                  				signed int* _t49;
                  				signed int _t51;
                  				intOrPtr _t52;
                  				signed int* _t53;
                  				intOrPtr _t54;
                  
                  				_t53 = _a8;
                  				_t45 = 0;
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				asm("stosd");
                  				_t51 =  *_t53;
                  				_t49 = E003A38D4(_t51 << 2, 1);
                  				_a8 = _t49;
                  				if(_t49 != 0) {
                  					_t31 = 0;
                  					if( *_t53 > 0) {
                  						_t4 =  &(_t53[1]); // 0x4
                  						_t46 = _t4;
                  						do {
                  							 *(_t49 + _t31 * 4) = _t46;
                  							_t31 = _t31 + 1;
                  							_t46 =  &(_t46[0x83]);
                  						} while (_t31 <  *_t53);
                  					}
                  					_v20 = 3;
                  					_v16 = 2;
                  					_v12 = _t51;
                  					_v8 = _t49;
                  					_t33 = _a12( &_v20, _a16);
                  					_t52 = _a4;
                  					_t54 = _t33;
                  					WaitForSingleObject( *(_t52 + 0xc), 0xffffffff);
                  					 *((intOrPtr*)( *((intOrPtr*)(_t52 + 0x10)) + 0x424)) = _t45;
                  					 *((intOrPtr*)( *((intOrPtr*)(_t52 + 0x10)) + 0x428)) = _t54;
                  					if(_t54 == 2) {
                  						 *((char*)( *((intOrPtr*)(_t52 + 0x10)) + 2)) = 1;
                  						 *((char*)( *((intOrPtr*)(_t52 + 0x10)) + 3)) = 1;
                  					}
                  					ReleaseMutex( *(_t52 + 0xc));
                  					SetEvent( *(_t52 + 8));
                  					E003A3999(_a8);
                  				} else {
                  					_t45 = 0x8007000e;
                  					E003A37D3(_t30, "NetFxChainer.cpp", 0xe4, 0x8007000e);
                  					_push("Failed to allocate buffer.");
                  					_push(0x8007000e);
                  					E003E012F();
                  				}
                  				return _t45;
                  			}

















                  APIs
                    • Part of subcall function 003A38D4: GetProcessHeap.KERNEL32(?,000001C7,?,003A2284,000001C7,00000001,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A38E5
                    • Part of subcall function 003A38D4: RtlAllocateHeap.NTDLL(00000000,?,003A2284,000001C7,00000001,80004005,8007139F,?,?,003E015F,8007139F,?,00000000,00000000,8007139F), ref: 003A38EC
                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 003CD0DC
                  • ReleaseMutex.KERNEL32(?), ref: 003CD10A
                  • SetEvent.KERNEL32(?), ref: 003CD113
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
                  • String ID: Failed to allocate buffer.$NetFxChainer.cpp
                  • API String ID: 944053411-3611226795
                  • Opcode ID: 929acab15e7dc0c03027c3b8486d7ef472d82de42a556f1b559bb686f7443a13
                  • Instruction ID: 1e57687e7f304584e4130d126f105ed562020d36694675e505c2f1ac56a6c0a3
                  • Opcode Fuzzy Hash: 929acab15e7dc0c03027c3b8486d7ef472d82de42a556f1b559bb686f7443a13
                  • Instruction Fuzzy Hash: AF21B1B460034ABFDB119F68D884EAAB7F9FF08314F108639F924AB291C775AD50CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 65%
                  			E003A96F4(void* __edx, void* __edi, int _a4, intOrPtr _a8) {
                  				void* _t12;
                  				void* _t19;
                  				void* _t22;
                  				int _t26;
                  				void* _t27;
                  				signed int _t28;
                  				void* _t33;
                  				void* _t34;
                  				void* _t37;
                  
                  				_t33 = __edi;
                  				_t26 = _a4;
                  				_t12 =  *((intOrPtr*)(_t26 + 0x10)) - 0x10;
                  				if(_t12 == 0) {
                  					L8:
                  					_push(_t33);
                  					_t8 = _t26 + 0x18; // 0x18
                  					_t34 = _t8;
                  					E003C1664(_a8, 0x18, _t34, 0x18);
                  					_t28 = 6;
                  					memset(_t34, 0, _t28 << 2);
                  					goto L9;
                  				} else {
                  					_t19 = _t12 - 1;
                  					if(_t19 == 0) {
                  						_t37 = E003A7410(_t27, __edx,  *_t26,  *(_t26 + 0x18), _a8);
                  						if(_t37 == 0x80070490 || _t37 >= 0) {
                  							L9:
                  							_t37 = E003A8E48(_t26);
                  							if(_t37 < 0) {
                  								_push("Failed to read next symbol.");
                  								goto L11;
                  							}
                  						} else {
                  							E003A37D3(_t20, "condition.cpp", 0x1b8, _t37);
                  							_push("Failed to find variable.");
                  							L11:
                  							_push(_t37);
                  							E003E012F();
                  						}
                  					} else {
                  						_t22 = _t19 - 1;
                  						if(_t22 == 0) {
                  							goto L8;
                  						} else {
                  							_t23 = _t22 == 1;
                  							if(_t22 == 1) {
                  								goto L8;
                  							} else {
                  								_t37 = 0x8007000d;
                  								 *((intOrPtr*)(_t26 + 0x30)) = 1;
                  								E003A37D3(_t23, "condition.cpp", 0x1c7, 0x8007000d);
                  								_push( *((intOrPtr*)(_t26 + 0x14)));
                  								E003E012F(0x8007000d, "Failed to parse condition \'%ls\' at position: %u",  *((intOrPtr*)(_t26 + 4)));
                  							}
                  						}
                  					}
                  				}
                  				return _t37;
                  			}













                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: _memcpy_s
                  • String ID: Failed to find variable.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$condition.cpp
                  • API String ID: 2001391462-1605196437
                  • Opcode ID: fbc36bdad836c7919a6a53e47d93db46e4ef8ca8376df17f35ec559ea94dfa81
                  • Instruction ID: 32b50d28d74165a67d9f34d121ff63a25421e2c880a93fccec2fedf53660d089
                  • Opcode Fuzzy Hash: fbc36bdad836c7919a6a53e47d93db46e4ef8ca8376df17f35ec559ea94dfa81
                  • Instruction Fuzzy Hash: 2D11E332290270BBDB172D69DC86FAB3A18EF17710F040266F9047E6D2CAA3C95096F1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E003E0658(void* __ecx, void* __edx, CHAR* _a4) {
                  				long _v8;
                  				int _t9;
                  				CHAR* _t18;
                  				void* _t21;
                  				void* _t22;
                  				void* _t25;
                  				void* _t28;
                  
                  				_t22 = __edx;
                  				_push(__ecx);
                  				_t18 = _a4;
                  				_t28 = 0;
                  				_t25 = 0;
                  				_v8 = _v8 & 0;
                  				_t9 = lstrlenA(_t18);
                  				_t21 =  *0x40a774; // 0xffffffff
                  				_a4 = _t9;
                  				if(_t21 != 0xffffffff) {
                  					if(_t9 == 0) {
                  						L9:
                  						return _t28;
                  					}
                  					L4:
                  					while(1) {
                  						if(WriteFile(_t21, _t25 + _t18, _t9 - _t25,  &_v8, 0) != 0) {
                  							L6:
                  							_t25 = _t25 + _v8;
                  							_t9 = _a4;
                  							if(_t25 >= _t9) {
                  								goto L9;
                  							}
                  							_t21 =  *0x40a774; // 0xffffffff
                  							continue;
                  						}
                  						_t28 =  <=  ? GetLastError() : _t14 & 0x0000ffff | 0x80070000;
                  						if(_t28 < 0) {
                  							E003A37D3(_t14, "logutil.cpp", 0x310, _t28);
                  							goto L9;
                  						}
                  						goto L6;
                  					}
                  				}
                  				_t28 = E003A2384(_t21, _t22, 0x40b608, _t18, 0);
                  				if(_t28 >= 0) {
                  					_t28 = 0;
                  				}
                  				goto L9;
                  			}











                  APIs
                  • lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,?,003DFF0B,?,?,00000000,00000000,0000FDE9), ref: 003E066A
                  • WriteFile.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,?,?,003DFF0B,?,?,00000000,00000000,0000FDE9), ref: 003E06A6
                  • GetLastError.KERNEL32(?,?,003DFF0B,?,?,00000000,00000000,0000FDE9), ref: 003E06B0
                  Strings
                  Similarity
                  • API ID: ErrorFileLastWritelstrlen
                  • String ID: @Mxt$logutil.cpp
                  • API String ID: 606256338-4105458427
                  • Opcode ID: 3e79ce7508fd6249cfb98794be021f31431b2c1b85245ba3a89071ddb3ca5321
                  • Instruction ID: 2d02a48feca5392be35b979fbb07f22ece4bac28a0bb070fe9e6f8a8ad778e40
                  • Opcode Fuzzy Hash: 3e79ce7508fd6249cfb98794be021f31431b2c1b85245ba3a89071ddb3ca5321
                  • Instruction Fuzzy Hash: 11110632A00374ABC3269A7A8C84FAFB76CEB81760F014325FD01EB1C0D7B0AD5086E4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E003A1209(void* __ecx, intOrPtr _a4, intOrPtr* _a8, short*** _a12) {
                  				int _v8;
                  				int _v12;
                  				PWCHAR* _t21;
                  				signed short _t24;
                  				void* _t35;
                  
                  				_v8 = 0;
                  				_v12 = 0;
                  				_t35 = E003A1EF2( &_v8, L"ignored ", 0);
                  				if(_t35 >= 0) {
                  					_t35 = E003A1EF2( &_v8, _a4, 0);
                  					if(_t35 >= 0) {
                  						_t21 = CommandLineToArgvW(_v8,  &_v12);
                  						if(_t21 != 0) {
                  							_t8 =  &(_t21[1]); // 0x4
                  							 *_a12 = _t8;
                  							 *_a8 = _v12 - 1;
                  						} else {
                  							_t24 = GetLastError();
                  							_t39 =  <=  ? _t24 : _t24 & 0x0000ffff | 0x80070000;
                  							_t35 =  >=  ? 0x80004005 :  <=  ? _t24 : _t24 & 0x0000ffff | 0x80070000;
                  							E003A37D3(0x80004005, "apputil.cpp", 0x63, _t35);
                  						}
                  					}
                  				}
                  				if(_v8 != 0) {
                  					E003E54EF(_v8);
                  				}
                  				return _t35;
                  			}









                  APIs
                  • CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,003A5137,00000000,?), ref: 003A1247
                  • GetLastError.KERNEL32(?,?,?,003A5137,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 003A1251
                  Strings
                  Similarity
                  • API ID: ArgvCommandErrorLastLine
                  • String ID: @Mxt$apputil.cpp$ignored
                  • API String ID: 3459693003-1416629166
                  • Opcode ID: dc20ae74954649cbae0e3b7cff5c7d9d569677781af1881198b7f23642f66217
                  • Instruction ID: 9d5b2216fbc2445ee619ceca46afc6a464d622f9ce23cdb88f64ce97151b40fe
                  • Opcode Fuzzy Hash: dc20ae74954649cbae0e3b7cff5c7d9d569677781af1881198b7f23642f66217
                  • Instruction Fuzzy Hash: 36114276900229BBDB13DB99C845EAFBBB8EF46750F114255FC04EB250E770DE009BA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 71%
                  			E003D605E(void* __ebx, void* __ecx, void* __edx) {
                  				void* __edi;
                  				void* __esi;
                  				intOrPtr _t2;
                  				void* _t3;
                  				void* _t4;
                  				intOrPtr _t9;
                  				void* _t11;
                  				void* _t20;
                  				void* _t21;
                  				void* _t23;
                  				void* _t25;
                  				void* _t27;
                  				void* _t29;
                  				void* _t30;
                  				void* _t31;
                  				void* _t32;
                  				long _t36;
                  				long _t37;
                  				void* _t40;
                  
                  				_t29 = __edx;
                  				_t23 = __ecx;
                  				_t20 = __ebx;
                  				_push(_t30);
                  				_t36 = GetLastError();
                  				_t2 =  *0x40a05c; // 0x6
                  				_t42 = _t2 - 0xffffffff;
                  				if(_t2 == 0xffffffff) {
                  					L2:
                  					_t3 = E003D523F(_t23, 1, 0x364);
                  					_t31 = _t3;
                  					_pop(_t25);
                  					if(_t31 != 0) {
                  						_t4 = E003D88AE(_t20, _t25, _t31, __eflags,  *0x40a05c, _t31);
                  						__eflags = _t4;
                  						if(_t4 != 0) {
                  							E003D5ED0(_t25, _t31, 0x40b13c);
                  							E003D511A(0);
                  							_t40 = _t40 + 0xc;
                  							__eflags = _t31;
                  							if(_t31 == 0) {
                  								goto L9;
                  							} else {
                  								goto L8;
                  							}
                  						} else {
                  							_push(_t31);
                  							goto L4;
                  						}
                  					} else {
                  						_push(_t3);
                  						L4:
                  						E003D511A();
                  						_pop(_t25);
                  						L9:
                  						SetLastError(_t36);
                  						E003D51FC(_t20, _t25, _t29, _t36);
                  						asm("int3");
                  						_push(_t20);
                  						_push(_t36);
                  						_push(_t31);
                  						_t37 = GetLastError();
                  						_t21 = 0;
                  						_t9 =  *0x40a05c; // 0x6
                  						_t45 = _t9 - 0xffffffff;
                  						if(_t9 == 0xffffffff) {
                  							L12:
                  							_t32 = E003D523F(_t25, 1, 0x364);
                  							_pop(_t27);
                  							if(_t32 != 0) {
                  								_t11 = E003D88AE(_t21, _t27, _t32, __eflags,  *0x40a05c, _t32);
                  								__eflags = _t11;
                  								if(_t11 != 0) {
                  									E003D5ED0(_t27, _t32, 0x40b13c);
                  									E003D511A(_t21);
                  									__eflags = _t32;
                  									if(_t32 != 0) {
                  										goto L19;
                  									} else {
                  										goto L18;
                  									}
                  								} else {
                  									_push(_t32);
                  									goto L14;
                  								}
                  							} else {
                  								_push(_t21);
                  								L14:
                  								E003D511A();
                  								L18:
                  								SetLastError(_t37);
                  							}
                  						} else {
                  							_t32 = E003D8858(0, _t25, _t31, _t45, _t9);
                  							if(_t32 != 0) {
                  								L19:
                  								SetLastError(_t37);
                  								_t21 = _t32;
                  							} else {
                  								goto L12;
                  							}
                  						}
                  						return _t21;
                  					}
                  				} else {
                  					_t31 = E003D8858(__ebx, _t23, _t30, _t42, _t2);
                  					if(_t31 != 0) {
                  						L8:
                  						SetLastError(_t36);
                  						return _t31;
                  					} else {
                  						goto L2;
                  					}
                  				}
                  			}























                  APIs
                  • GetLastError.KERNEL32(?,00000000,003D19F5,00000000,80004004,?,003D1CF9,00000000,80004004,00000000,00000000), ref: 003D6062
                  • SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 003D60CA
                  • SetLastError.KERNEL32(00000000,80004004,00000000,00000000), ref: 003D60D6
                  • _abort.LIBCMT ref: 003D60DC
                  Strings
                  Similarity
                  • API ID: ErrorLast$_abort
                  • String ID: @Mxt
                  • API String ID: 88804580-1922883433
                  • Opcode ID: 293e6bb36b0e7a63a687499e926584eb76301be1cff2a9d8735a7ac2625f0fe5
                  • Instruction ID: 008d6f8523feaea1e9b54a1d587aa6547bd0715183c1c6ce18bda0db99e00bcb
                  • Opcode Fuzzy Hash: 293e6bb36b0e7a63a687499e926584eb76301be1cff2a9d8735a7ac2625f0fe5
                  • Instruction Fuzzy Hash: AFF0AF37108B0066D62337347C0BF5B265E9BC2B71F26022BF829AA7D2FF20980555A6
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 45%
                  			E003AD39D(intOrPtr _a4, intOrPtr* _a8) {
                  				intOrPtr* _t10;
                  				long _t15;
                  				long _t18;
                  				intOrPtr _t19;
                  
                  				_t19 = _a4;
                  				_t18 = 0;
                  				_t2 = _t19 + 0x18; // 0xd0
                  				EnterCriticalSection(_t2);
                  				_t3 = _t19 + 0x30; // 0xe8
                  				_t15 = 1;
                  				if(InterlockedCompareExchange(_t3, 1, 0) != 0) {
                  					_t15 = 0;
                  					_t18 = 0x8007139f;
                  				}
                  				_t4 = _t19 + 0x18; // 0xd0
                  				LeaveCriticalSection(_t4);
                  				_t10 = _a8;
                  				if(_t10 != 0) {
                  					 *_t10 = _t15;
                  				}
                  				if(_t18 < 0) {
                  					E003A37D3(_t10, "userexperience.cpp", 0xea, _t18);
                  					_push("Engine active cannot be changed because it was already in that state.");
                  					_push(_t18);
                  					E003E012F();
                  				}
                  				return _t18;
                  			}








                  APIs
                  • EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,003B6E4B,000000B8,00000000,?,00000000,770DA770), ref: 003AD3AC
                  • InterlockedCompareExchange.KERNEL32(000000E8,00000001,00000000), ref: 003AD3BB
                  • LeaveCriticalSection.KERNEL32(000000D0,?,003B6E4B,000000B8,00000000,?,00000000,770DA770), ref: 003AD3D0
                  Strings
                  • user active cannot be changed because it was already in that state., xrefs: 003AD3F3
                  • userexperience.cpp, xrefs: 003AD3E9
                  Similarity
                  • API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
                  • String ID: user active cannot be changed because it was already in that state.$userexperience.cpp
                  • API String ID: 3376869089-1544469594
                  • Opcode ID: cc32ee60d9404af89675fe4864b10e071fbafb9e9c02717b4b64165c3f40e442
                  • Instruction ID: abec14153f4bd9818ce60d809f1e584e40964cdb1bd21cc9da08c4f47c77f360
                  • Opcode Fuzzy Hash: cc32ee60d9404af89675fe4864b10e071fbafb9e9c02717b4b64165c3f40e442
                  • Instruction Fuzzy Hash: 74F0AF763003486FD7236EABACC4E9B77ACEB86764B00452AF502DB680DA74F8058724
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 28%
                  			E003BF086(intOrPtr _a4, long _a8) {
                  				signed short _t7;
                  				int _t13;
                  
                  				_t13 = 0;
                  				if(PostThreadMessageW( *(_a4 + 0x10), 0x9001, 0, _a8) == 0) {
                  					_t7 = GetLastError();
                  					_t16 =  <=  ? _t7 : _t7 & 0x0000ffff | 0x80070000;
                  					_t13 =  >=  ? 0x80004005 :  <=  ? _t7 : _t7 & 0x0000ffff | 0x80070000;
                  					E003A37D3(0x80004005, "EngineForApplication.cpp", 0x292, _t13);
                  					_push("Failed to post plan message.");
                  					_push(_t13);
                  					E003E012F();
                  				}
                  				return _t13;
                  			}






                  APIs
                  Strings
                  Similarity
                  • API ID: ErrorLastMessagePostThread
                  • String ID: @Mxt$userForApplication.cpp$Failed to post plan message.
                  • API String ID: 2609174426-917788885
                  • Opcode ID: 5463f2e881cc2b5ead4ff7d156a4d069908b564902cf21fd5e996ff396a29eb5
                  • Instruction ID: be5f12f4a18823e4a2238e88ea4e10adda8188596b2c6f58cde8078f03f7ccfd
                  • Opcode Fuzzy Hash: 5463f2e881cc2b5ead4ff7d156a4d069908b564902cf21fd5e996ff396a29eb5
                  • Instruction Fuzzy Hash: 22F0A7327443347AE723666A5C45F97BBC8DF04BA0F014121FE0CEE091D6158C00D5E4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 28%
                  			E003BF194(intOrPtr _a4, int _a8) {
                  				signed short _t7;
                  				long _t13;
                  
                  				_t13 = 0;
                  				if(PostThreadMessageW( *(_a4 + 0x10), 0x9005, _a8, 0) == 0) {
                  					_t7 = GetLastError();
                  					_t16 =  <=  ? _t7 : _t7 & 0x0000ffff | 0x80070000;
                  					_t13 =  >=  ? 0x80004005 :  <=  ? _t7 : _t7 & 0x0000ffff | 0x80070000;
                  					E003A37D3(0x80004005, "EngineForApplication.cpp", 0x2c3, _t13);
                  					_push("Failed to post shutdown message.");
                  					_push(_t13);
                  					E003E012F();
                  				}
                  				return _t13;
                  			}






                  APIs
                  Strings
                  Similarity
                  • API ID: ErrorLastMessagePostThread
                  • String ID: @Mxt$userForApplication.cpp$Failed to post shutdown message.
                  • API String ID: 2609174426-3241820789
                  • Opcode ID: e1c8aed92577683fa197536f9960abc711ae2bbaa30f1d5deba47e5442be2b67
                  • Instruction ID: 5a4b76a1cca6cac635b8aec3f516095876f9d7c7929be64e87aa40badc8c2eb9
                  • Opcode Fuzzy Hash: e1c8aed92577683fa197536f9960abc711ae2bbaa30f1d5deba47e5442be2b67
                  • Instruction Fuzzy Hash: 5CF0A7367403347AE7236AAA9C09F977AC8EF04BA0F024125FE08EA490D6518D0086E4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • SetEvent.KERNEL32(003EB468,00000000,?,003C145A,?,00000000,?,003AC121,?,003A52FD,?,003B73B2,?,?,003A52FD,?), ref: 003C0524
                  • GetLastError.KERNEL32(?,003C145A,?,00000000,?,003AC121,?,003A52FD,?,003B73B2,?,?,003A52FD,?,003A533D,00000001), ref: 003C052E
                  Strings
                  Similarity
                  • API ID: ErrorEventLast
                  • String ID: @Mxt$Failed to set begin operation event.$cabextract.cpp
                  • API String ID: 3848097054-4245131424
                  • Opcode ID: bfaa9541276d5f766f55282f19476a61b4a783bbfd33f309c7c977b134bf7a8c
                  • Instruction ID: 26c2d5977a855139646dfa7a2befe6fe35f528e7f1e7d35256059dab3213c201
                  • Opcode Fuzzy Hash: bfaa9541276d5f766f55282f19476a61b4a783bbfd33f309c7c977b134bf7a8c
                  • Instruction Fuzzy Hash: BFF02773A0477467A72366A96C01FDBB6C8CF057A0F010229FE08EB180E6109C0056E5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E003E937F(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                  				void* _v8;
                  				void* _v12;
                  				void* _v16;
                  				char _v20;
                  				char _v24;
                  				void* _t58;
                  				void* _t60;
                  
                  				_t58 = __ecx;
                  				_v16 = 0;
                  				_v8 = 0;
                  				_v12 = 0;
                  				_v20 = 0;
                  				_v24 = 0;
                  				_t60 = E003E0E3F(_a4,  *0x40a7e0, 0x20019,  &_v16);
                  				if(_t60 == 0x80070002 || _t60 < 0) {
                  					L17:
                  					if(_v12 != 0) {
                  						RegCloseKey(_v12);
                  						_v12 = 0;
                  					}
                  					if(_v8 != 0) {
                  						RegCloseKey(_v8);
                  						_v8 = 0;
                  					}
                  					if(_v16 != 0) {
                  						RegCloseKey(_v16);
                  					}
                  					return _t60;
                  				} else {
                  					_t60 = E003E0E3F(_v16, _a8, 0x20019,  &_v8);
                  					if(_t60 != 0x80070002 && _t60 >= 0) {
                  						_t60 = E003E0E3F(_v8,  *0x40a7e4, 0x20019,  &_v12);
                  						if(_t60 != 0x80070002 && _t60 >= 0) {
                  							_t60 = E003E0B49(_t58, _v12, _a12, 0, 1);
                  							if(_t60 < 0) {
                  								goto L17;
                  							}
                  							_t60 = E003E0E9B(_v12,  &_v20, 0);
                  							if(_t60 >= 0 && _v20 <= 0) {
                  								if(_v12 != 0) {
                  									RegCloseKey(_v12);
                  									_v12 = 0;
                  								}
                  								_t60 = E003E0B49(_t58, _v8,  *0x40a7e4, 0, 0);
                  								if(_t60 >= 0) {
                  									_t60 = E003E0E9B(_v8, 0,  &_v24);
                  									if(_t60 >= 0 && _v24 == 0) {
                  										if(_v8 != 0) {
                  											RegCloseKey(_v8);
                  											_v8 = 0;
                  										}
                  										_t60 = E003E0B49(_t58, _v16, _a8, 0, 0);
                  									}
                  								}
                  							}
                  						}
                  					}
                  					goto L17;
                  				}
                  			}











                  APIs
                    • Part of subcall function 003E0E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,003E5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 003E0E52
                  • RegCloseKey.ADVAPI32(00000001,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019,00000001,00000000,00000000,00020019,00000000,00000001), ref: 003E9457
                  • RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019), ref: 003E9492
                  • RegCloseKey.ADVAPI32(00000001,00000001,00020019,00000000,00000000,00000000,00000000), ref: 003E94AE
                  • RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000), ref: 003E94BB
                  • RegCloseKey.ADVAPI32(00000000,00000001,00020019,00000000,00000000,00000000,00000000), ref: 003E94C8
                    • Part of subcall function 003E0B49: RegCloseKey.ADVAPI32(00000000), ref: 003E0CA0
                    • Part of subcall function 003E0E9B: RegQueryInfoKeyW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,003E9444,00000001), ref: 003E0EB3
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Close$InfoOpenQuery
                  • String ID:
                  • API String ID: 796878624-0
                  • Opcode ID: 7877e1d44f0715c90d91a06f538ef09bb6e17eeb346d646686d9b91d21497c5b
                  • Instruction ID: f336c8121efeab23e90158e1fa89f8d59666a8cbbc2a182699fc97d25acb7898
                  • Opcode Fuzzy Hash: 7877e1d44f0715c90d91a06f538ef09bb6e17eeb346d646686d9b91d21497c5b
                  • Instruction Fuzzy Hash: 3C412B72C01279BFDF23EF978D81AADFB79EF04360B11426AE904761A1D3714E519B90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 31%
                  			E003A738E(void* __ecx, struct _CRITICAL_SECTION* _a4, intOrPtr _a8, intOrPtr _a12) {
                  				signed int _v8;
                  				signed int _t15;
                  				void* _t22;
                  
                  				_t20 = __ecx;
                  				_push(__ecx);
                  				_v8 = _v8 & 0x00000000;
                  				EnterCriticalSection(_a4);
                  				_t22 = E003A5C87(_t20, _a4, _a8,  &_v8);
                  				_t15 = _v8;
                  				if(_t22 < 0 ||  *((intOrPtr*)(_t15 + 0x18)) != 0) {
                  					if(_t22 != 0x80070490) {
                  						if(_t22 >= 0) {
                  							_t22 = E003C00E0(_t15 + 8, _a12);
                  							if(_t22 < 0) {
                  								_push(_a8);
                  								_push("Failed to get value as string for variable: %ls");
                  								goto L8;
                  							}
                  						} else {
                  							_push(_a8);
                  							_push("Failed to get value of variable: %ls");
                  							L8:
                  							_push(_t22);
                  							E003E012F();
                  						}
                  					}
                  				} else {
                  					_t22 = 0x80070490;
                  				}
                  				LeaveCriticalSection(_a4);
                  				return _t22;
                  			}







                  APIs
                  • EnterCriticalSection.KERNEL32(003A52B5,WixBundleOriginalSource,?,?,003BA41D,003A53B5,WixBundleOriginalSource,=S:,0040AA90,?,00000000,003A533D,?,003B7587,?,?), ref: 003A739A
                  • LeaveCriticalSection.KERNEL32(003A52B5,003A52B5,00000000,00000000,?,?,003BA41D,003A53B5,WixBundleOriginalSource,=S:,0040AA90,?,00000000,003A533D,?,003B7587), ref: 003A7401
                  Strings
                  • WixBundleOriginalSource, xrefs: 003A7396
                  • Failed to get value as string for variable: %ls, xrefs: 003A73F0
                  • Failed to get value of variable: %ls, xrefs: 003A73D4
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterLeave
                  • String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource
                  • API String ID: 3168844106-30613933
                  • Opcode ID: 774be67ef9eb9edfda5d022a30a15ae54361c7cf7776c46b982fe6de839bb68c
                  • Instruction ID: 84a2071d7ca81bb827fd4d274c76c9cb65bf5f1bc8c8f801807e6a87db25f137
                  • Opcode Fuzzy Hash: 774be67ef9eb9edfda5d022a30a15ae54361c7cf7776c46b982fe6de839bb68c
                  • Instruction Fuzzy Hash: 1901D436945168FBCF135F54CC45A9E7B28DF01761F128224FC04AE2A0C7369E11A7D0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E003DD038(void* __ebx, signed int __edx, signed int _a4, void* _a8, signed int _a12) {
                  				signed int _v8;
                  				long _v12;
                  				struct _OVERLAPPED* _v16;
                  				long _v20;
                  				char _v24;
                  				signed int _v28;
                  				signed int _v32;
                  				intOrPtr _v36;
                  				signed int _v40;
                  				signed int _v44;
                  				intOrPtr _v48;
                  				void* _v52;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t62;
                  				intOrPtr _t66;
                  				signed char _t68;
                  				signed int _t69;
                  				signed int _t71;
                  				signed int _t73;
                  				signed int _t74;
                  				signed int _t77;
                  				intOrPtr _t79;
                  				signed int _t87;
                  				signed int _t89;
                  				signed int _t90;
                  				signed int _t106;
                  				signed int _t107;
                  				signed int _t109;
                  				intOrPtr _t111;
                  				signed int _t116;
                  				signed int _t118;
                  				void* _t119;
                  				signed int _t120;
                  				signed int _t121;
                  				void* _t122;
                  
                  				_t118 = __edx;
                  				_t104 = __ebx;
                  				_t62 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t62 ^ _t121;
                  				_t109 = _a12;
                  				_v12 = _t109;
                  				_t120 = _a4;
                  				_t119 = _a8;
                  				_v52 = _t119;
                  				if(_t109 != 0) {
                  					__eflags = _t119;
                  					if(_t119 != 0) {
                  						_push(__ebx);
                  						_t106 = _t120 >> 6;
                  						_t118 = (_t120 & 0x0000003f) * 0x30;
                  						_v32 = _t106;
                  						_t66 =  *((intOrPtr*)(0x40b158 + _t106 * 4));
                  						_v48 = _t66;
                  						_v28 = _t118;
                  						_t107 =  *((intOrPtr*)(_t66 + _t118 + 0x29));
                  						__eflags = _t107 - 2;
                  						if(_t107 == 2) {
                  							L6:
                  							_t68 =  !_t109;
                  							__eflags = _t68 & 0x00000001;
                  							if((_t68 & 0x00000001) != 0) {
                  								_t66 = _v48;
                  								L9:
                  								__eflags =  *(_t66 + _t118 + 0x28) & 0x00000020;
                  								if(__eflags != 0) {
                  									E003DD2C2(_t120, 0, 0, 2);
                  									_t122 = _t122 + 0x10;
                  								}
                  								_t69 = E003DCBDD(_t107, _t118, __eflags, _t120);
                  								__eflags = _t69;
                  								if(_t69 == 0) {
                  									_t111 =  *((intOrPtr*)(0x40b158 + _v32 * 4));
                  									_t71 = _v28;
                  									__eflags =  *(_t111 + _t71 + 0x28) & 0x00000080;
                  									if(( *(_t111 + _t71 + 0x28) & 0x00000080) == 0) {
                  										_v24 = 0;
                  										_v20 = 0;
                  										_v16 = 0;
                  										_t73 = WriteFile( *(_t111 + _t71 + 0x18), _t119, _v12,  &_v20, 0);
                  										__eflags = _t73;
                  										if(_t73 == 0) {
                  											_v24 = GetLastError();
                  										}
                  										_t120 =  &_v24;
                  										goto L28;
                  									}
                  									_t87 = _t107;
                  									__eflags = _t87;
                  									if(_t87 == 0) {
                  										_t89 = E003DCC53( &_v24, _t120, _t119, _v12);
                  										goto L17;
                  									}
                  									_t90 = _t87 - 1;
                  									__eflags = _t90;
                  									if(_t90 == 0) {
                  										_t89 = E003DCE20( &_v24, _t120, _t119, _v12);
                  										goto L17;
                  									}
                  									__eflags = _t90 != 1;
                  									if(_t90 != 1) {
                  										goto L34;
                  									}
                  									_t89 = E003DCD32( &_v24, _t120, _t119, _v12);
                  									goto L17;
                  								} else {
                  									__eflags = _t107;
                  									if(_t107 == 0) {
                  										_t89 = E003DC9BD( &_v24, _t120, _t119, _v12);
                  										L17:
                  										L15:
                  										_t120 = _t89;
                  										L28:
                  										_t119 =  &_v44;
                  										asm("movsd");
                  										asm("movsd");
                  										asm("movsd");
                  										_t74 = _v40;
                  										__eflags = _t74;
                  										if(_t74 != 0) {
                  											__eflags = _t74 - _v36;
                  											L40:
                  											_pop(_t104);
                  											L41:
                  											return E003CDE36(_t104, _v8 ^ _t121, _t118, _t119, _t120);
                  										}
                  										_t77 = _v44;
                  										__eflags = _t77;
                  										if(_t77 == 0) {
                  											_t119 = _v52;
                  											L34:
                  											_t116 = _v28;
                  											_t79 =  *((intOrPtr*)(0x40b158 + _v32 * 4));
                  											__eflags =  *(_t79 + _t116 + 0x28) & 0x00000040;
                  											if(( *(_t79 + _t116 + 0x28) & 0x00000040) == 0) {
                  												L37:
                  												 *((intOrPtr*)(E003D3E36())) = 0x1c;
                  												_t81 = E003D3E23();
                  												 *_t81 =  *_t81 & 0x00000000;
                  												__eflags =  *_t81;
                  												L38:
                  												goto L40;
                  											}
                  											__eflags =  *_t119 - 0x1a;
                  											if( *_t119 != 0x1a) {
                  												goto L37;
                  											}
                  											goto L40;
                  										}
                  										_t120 = 5;
                  										__eflags = _t77 - _t120;
                  										if(_t77 != _t120) {
                  											_t81 = E003D3E00(_t77);
                  										} else {
                  											 *((intOrPtr*)(E003D3E36())) = 9;
                  											 *(E003D3E23()) = _t120;
                  										}
                  										goto L38;
                  									}
                  									__eflags = _t107 - 1 - 1;
                  									if(_t107 - 1 > 1) {
                  										goto L34;
                  									}
                  									_t89 = E003DCB70( &_v24, _t119, _v12);
                  									goto L15;
                  								}
                  							}
                  							 *(E003D3E23()) =  *_t97 & 0x00000000;
                  							 *((intOrPtr*)(E003D3E36())) = 0x16;
                  							_t81 = E003D3D7A();
                  							goto L38;
                  						}
                  						__eflags = _t107 - 1;
                  						if(_t107 != 1) {
                  							goto L9;
                  						}
                  						goto L6;
                  					}
                  					 *(E003D3E23()) =  *_t99 & _t119;
                  					 *((intOrPtr*)(E003D3E36())) = 0x16;
                  					E003D3D7A();
                  					goto L41;
                  				}
                  				goto L41;
                  			}









































                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID:
                  • String ID: @Mxt
                  • API String ID: 0-1922883433
                  • Opcode ID: 470bfe3cf3f28a39c502c7b9a1305ad5480088bcadb4096c6a75ed7f7c138840
                  • Instruction ID: 1fd519c0147e070d09d702b1ee38aa054e9e36d917b85413376b6269ab08e6a2
                  • Opcode Fuzzy Hash: 470bfe3cf3f28a39c502c7b9a1305ad5480088bcadb4096c6a75ed7f7c138840
                  • Instruction Fuzzy Hash: 25518073D1424AABCB139FA4E945FAEBBB8EF45310F15055BF401AB392D7709A02CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 58%
                  			E003E35A4(intOrPtr _a4, signed char _a8, intOrPtr* _a12) {
                  				void* _v8;
                  				void* _v12;
                  				char _v16;
                  				intOrPtr _v24;
                  				char _v32;
                  				short _t29;
                  				void* _t31;
                  				intOrPtr* _t48;
                  				intOrPtr* _t55;
                  				intOrPtr* _t56;
                  				void* _t62;
                  
                  				_t55 = 0;
                  				_v16 = 0;
                  				_v8 = 0;
                  				_v12 = 0;
                  				__imp__#8( &_v32);
                  				_t29 = 8;
                  				_v32 = _t29;
                  				__imp__#2(_a4);
                  				_v24 = _t29;
                  				if(_t29 != 0) {
                  					_t31 = E003E2F23(0,  &_v8, 0);
                  					_t55 = _v8;
                  					_t62 =  ==  ? 0x80004005 : _t31;
                  					if(_t62 < 0) {
                  						goto L13;
                  					}
                  					if((_a8 & 0x00000001) == 0) {
                  						L5:
                  						_t62 =  *((intOrPtr*)( *_t55 + 0x110))(_t55, 0);
                  						if(_t62 >= 0) {
                  							_t62 =  *((intOrPtr*)( *_t55 + 0x118))(_t55, 0);
                  							if(_t62 >= 0) {
                  								 *((intOrPtr*)( *_t55 + 0xfc))(_t55, 0);
                  								asm("movsd");
                  								asm("movsd");
                  								asm("movsd");
                  								asm("movsd");
                  								_t62 =  ==  ? 0x8007006e :  *((intOrPtr*)( *_t55 + 0xe8))(_t55,  &_v16);
                  								if(_t62 >= 0) {
                  									_t48 = _a12;
                  									if(_t48 != 0) {
                  										 *_t48 = _t55;
                  										_t55 = 0;
                  									}
                  									_t62 = 0;
                  								} else {
                  									_push( &_v12);
                  									_push(_t55);
                  									if( *((intOrPtr*)( *_t55 + 0xf0))() == 0) {
                  										E003E2E85( &_v12, _v12);
                  									}
                  								}
                  							}
                  						}
                  						goto L13;
                  					}
                  					_t62 =  *((intOrPtr*)( *_t55 + 0x120))(_t55, 0xffffffff);
                  					if(_t62 < 0) {
                  						goto L13;
                  					}
                  					goto L5;
                  				} else {
                  					_t62 = 0x8007000e;
                  					E003A37D3(_t29, "xmlutil.cpp", 0x16a, 0x8007000e);
                  					L13:
                  					__imp__#9( &_v32);
                  					if(_t55 != 0) {
                  						 *((intOrPtr*)( *_t55 + 8))(_t55);
                  					}
                  					_t56 = _v12;
                  					if(_t56 != 0) {
                  						 *((intOrPtr*)( *_t56 + 8))(_t56);
                  					}
                  					return _t62;
                  				}
                  			}















                  APIs
                  • VariantInit.OLEAUT32(000002C0), ref: 003E35BE
                  • SysAllocString.OLEAUT32(?), ref: 003E35CE
                  • VariantClear.OLEAUT32(?), ref: 003E36AF
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Variant$AllocClearInitString
                  • String ID: xmlutil.cpp
                  • API String ID: 2213243845-1270936966
                  • Opcode ID: 00b1ae04e815f71da106b94e399d76275d93e66da807e5c559224b5cd2865464
                  • Instruction ID: 5bd3aa5e24a98ab65037c406cb38c5d4bd18db7dbcb5141a8bf81b95796bb987
                  • Opcode Fuzzy Hash: 00b1ae04e815f71da106b94e399d76275d93e66da807e5c559224b5cd2865464
                  • Instruction Fuzzy Hash: A1416575A00665ABCB129FA5C8C8EABBBB8AF45750F0542A5FC05EB351D734DD008B90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 88%
                  			E003D65D0(int* _a4, char* _a8, int _a12, short _a16, intOrPtr _a20) {
                  				int _v8;
                  				char _v12;
                  				intOrPtr _v20;
                  				char _v24;
                  				void* __ebx;
                  				void* __edi;
                  				signed int* _t21;
                  				intOrPtr _t23;
                  				intOrPtr* _t26;
                  				intOrPtr* _t28;
                  				intOrPtr* _t31;
                  				char _t32;
                  				int* _t33;
                  				intOrPtr* _t35;
                  				signed int* _t37;
                  				char* _t39;
                  				int _t43;
                  				void* _t46;
                  				int _t47;
                  
                  				_t39 = _a8;
                  				_t47 = _a12;
                  				if(_t39 == 0 && _t47 != 0) {
                  					_t37 = _a4;
                  					if(_t37 != 0) {
                  						 *_t37 =  *_t37 & 0x00000000;
                  					}
                  					return 0;
                  				}
                  				_t21 = _a4;
                  				if(_t21 != 0) {
                  					 *_t21 =  *_t21 | 0xffffffff;
                  				}
                  				if(_t47 <= 0x7fffffff) {
                  					E003D19B7(_t39,  &_v24, _t46, _a20);
                  					_t23 = _v20;
                  					if( *((intOrPtr*)(_t23 + 0xa8)) != 0) {
                  						_v8 = 0;
                  						_t43 = WideCharToMultiByte( *(_t23 + 8), 0,  &_a16, 1, _t39, _t47, 0,  &_v8);
                  						if(_t43 == 0) {
                  							if(GetLastError() != 0x7a) {
                  								L14:
                  								_t26 = E003D3E36();
                  								_push(0x2a);
                  								_pop(0);
                  								 *_t26 = 0;
                  								L15:
                  								if(_v12 != 0) {
                  									 *(_v24 + 0x350) =  *(_v24 + 0x350) & 0xfffffffd;
                  								}
                  								goto L17;
                  							}
                  							if(_t39 != 0 && _t47 != 0) {
                  								E003CF670(_t47, _t39, 0, _t47);
                  							}
                  							L32:
                  							_t28 = E003D3E36();
                  							_push(0x22);
                  							_pop(0);
                  							 *_t28 = 0;
                  							E003D3D7A();
                  							goto L15;
                  						}
                  						if(_v8 != 0) {
                  							goto L14;
                  						}
                  						_t31 = _a4;
                  						if(_t31 != 0) {
                  							 *_t31 = _t43;
                  						}
                  						goto L15;
                  					}
                  					_t32 = _a16;
                  					if(_t32 <= 0xff) {
                  						if(_t39 == 0) {
                  							L22:
                  							_t33 = _a4;
                  							if(_t33 != 0) {
                  								 *_t33 = 1;
                  							}
                  							goto L15;
                  						}
                  						if(_t47 == 0) {
                  							goto L32;
                  						}
                  						 *_t39 = _t32;
                  						goto L22;
                  					}
                  					if(_t39 != 0 && _t47 != 0) {
                  						E003CF670(_t47, _t39, 0, _t47);
                  					}
                  					goto L14;
                  				} else {
                  					_t35 = E003D3E36();
                  					_push(0x16);
                  					_pop(0);
                  					 *_t35 = 0;
                  					E003D3D7A();
                  					L17:
                  					return 0;
                  				}
                  			}























                  APIs
                  • WideCharToMultiByte.KERNEL32(003EB508,00000000,00000006,00000001,comres.dll,?,00000000,?,00000000,?,?,00000000,00000006,?,comres.dll,?), ref: 003D66A3
                  • GetLastError.KERNEL32 ref: 003D66BF
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ByteCharErrorLastMultiWide
                  • String ID: @Mxt$comres.dll
                  • API String ID: 203985260-4155647414
                  • Opcode ID: 8637af43f24d1be8e66d48e6bfeba66c2e45bbff66a70fee9fbc9242fd02c7a0
                  • Instruction ID: 7ee39aba50cf0bcb933acc23c1d3f35550a64f9e2ed791a8d195c302a8e62dc3
                  • Opcode Fuzzy Hash: 8637af43f24d1be8e66d48e6bfeba66c2e45bbff66a70fee9fbc9242fd02c7a0
                  • Instruction Fuzzy Hash: 0631C433600245ABCB23AE55F897AAB77689F52B50F16012BF8345B391DB30CD44C7A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E003DE652(void* __eflags, signed int _a4) {
                  				intOrPtr _t13;
                  				void* _t21;
                  				signed int _t33;
                  				long _t35;
                  
                  				_t33 = _a4;
                  				if(E003D8D4E(_t33) != 0xffffffff) {
                  					_t13 =  *0x40b158; // 0x8a8be8
                  					if(_t33 != 1 || ( *(_t13 + 0x88) & 0x00000001) == 0) {
                  						if(_t33 != 2 || ( *(_t13 + 0x58) & 0x00000001) == 0) {
                  							goto L7;
                  						} else {
                  							goto L6;
                  						}
                  					} else {
                  						L6:
                  						_t21 = E003D8D4E(2);
                  						if(E003D8D4E(1) == _t21) {
                  							goto L1;
                  						}
                  						L7:
                  						if(CloseHandle(E003D8D4E(_t33)) != 0) {
                  							goto L1;
                  						}
                  						_t35 = GetLastError();
                  						L9:
                  						E003D8CBD(_t33);
                  						 *((char*)( *((intOrPtr*)(0x40b158 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x30)) = 0;
                  						if(_t35 == 0) {
                  							return 0;
                  						}
                  						return E003D3E00(_t35) | 0xffffffff;
                  					}
                  				}
                  				L1:
                  				_t35 = 0;
                  				goto L9;
                  			}








                  APIs
                  • CloseHandle.KERNEL32(00000000,00000000,?,?,003DE570,?), ref: 003DE6A8
                  • GetLastError.KERNEL32(?,003DE570,?), ref: 003DE6B2
                  • __dosmaperr.LIBCMT ref: 003DE6DD
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CloseErrorHandleLast__dosmaperr
                  • String ID: @Mxt
                  • API String ID: 2583163307-1922883433
                  • Opcode ID: a51dd0eaa307cef064022de7d4ac234981537dabfdb7de33794c52e95641e8f9
                  • Instruction ID: dd93094cd951212b3683473c357ea93486b61db493e742e742dcc1e8a487caf9
                  • Opcode Fuzzy Hash: a51dd0eaa307cef064022de7d4ac234981537dabfdb7de33794c52e95641e8f9
                  • Instruction Fuzzy Hash: EA010433A012505AD6273378BD45B6EAF4A9BA1B30F2A025BF9148F3D1DF60EC808195
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E003A155F(short** _a4, intOrPtr _a8, int _a12, int _a16) {
                  				short** _t15;
                  				int _t16;
                  				void* _t17;
                  
                  				_t15 = _a4;
                  				_t16 = _a12;
                  				_t17 = E003A21A5(_t15, _a8, _t16);
                  				if(_t17 < 0) {
                  					L6:
                  					return _t17;
                  				}
                  				if(_t16 != 0) {
                  					L4:
                  					if(LCMapStringW(0x7f, _a16,  *_t15, _t16,  *_t15, _t16) == 0) {
                  						_t20 =  <=  ? GetLastError() : _t10 & 0x0000ffff | 0x80070000;
                  						_t17 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t10 & 0x0000ffff | 0x80070000;
                  						E003A37D3(0x80004005, "strutil.cpp", 0xa51, _t17);
                  					}
                  					goto L6;
                  				}
                  				_t17 = E003A1C57( *_t15, 0x7fffffff,  &_a12);
                  				if(_t17 < 0) {
                  					goto L6;
                  				}
                  				_t16 = _a12;
                  				goto L4;
                  			}







                  APIs
                  • LCMapStringW.KERNEL32(0000007F,00000000,00000000,003B6EF3,00000000,003B6EF3,00000000,00000000,003B6EF3,00000000,00000000,00000000,?,003A2326,00000000,00000000), ref: 003A15A3
                  • GetLastError.KERNEL32(?,003A2326,00000000,00000000,003B6EF3,00000200,?,003E516B,00000000,003B6EF3,00000000,003B6EF3,00000000,00000000,00000000), ref: 003A15AD
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorLastString
                  • String ID: @Mxt$strutil.cpp
                  • API String ID: 3728238275-4037222359
                  • Opcode ID: 3d860fd0055dcaffb46c837717df4dd49dec8b5d4de9b1e9303de918bab8bc8e
                  • Instruction ID: 6e52ecfca005c2c1a2d11b4395fa51dfdc97e1979c27451f3e0a1b4e370f0760
                  • Opcode Fuzzy Hash: 3d860fd0055dcaffb46c837717df4dd49dec8b5d4de9b1e9303de918bab8bc8e
                  • Instruction Fuzzy Hash: 6A01B533A4067567EB239E968C44E577AADEF87770F020215FE159F150DB21DC1087E1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E003DD244(void* __ecx, void* __eflags, signed int _a4, union _LARGE_INTEGER _a8, union _LARGE_INTEGER* _a12, intOrPtr _a16) {
                  				signed int _v8;
                  				void* _v12;
                  				void* _t15;
                  				signed int _t19;
                  				signed int _t32;
                  				signed int _t33;
                  				signed int _t36;
                  
                  				_t36 = _a4;
                  				_push(_t32);
                  				_t15 = E003D8D4E(_t36);
                  				_t33 = _t32 | 0xffffffff;
                  				if(_t15 != _t33) {
                  					_push(_a16);
                  					if(SetFilePointerEx(_t15, _a8, _a12,  &_v12) != 0) {
                  						if((_v12 & _v8) == _t33) {
                  							goto L2;
                  						} else {
                  							_t19 = _v12;
                  							_t39 = (_t36 & 0x0000003f) * 0x30;
                  							 *( *((intOrPtr*)(0x40b158 + (_t36 >> 6) * 4)) + _t39 + 0x28) =  *( *((intOrPtr*)(0x40b158 + (_t36 >> 6) * 4)) + 0x28 + (_t36 & 0x0000003f) * 0x30) & 0x000000fd;
                  						}
                  					} else {
                  						E003D3E00(GetLastError());
                  						goto L2;
                  					}
                  				} else {
                  					 *((intOrPtr*)(E003D3E36())) = 9;
                  					L2:
                  					_t19 = _t33;
                  				}
                  				return _t19;
                  			}











                  APIs
                  • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,?,00000000,?,00000000,?,?,?,003DD2D8,?,00000000,00000002,00000000), ref: 003DD27D
                  • GetLastError.KERNEL32(?,003DD2D8,?,00000000,00000002,00000000,?,003DD0F0,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 003DD287
                  • __dosmaperr.LIBCMT ref: 003DD28E
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorFileLastPointer__dosmaperr
                  • String ID: @Mxt
                  • API String ID: 2336955059-1922883433
                  • Opcode ID: fff883d9c4f102e53083fe07dd23f6503dee89b008728845fc99c3c0368259a5
                  • Instruction ID: 2d29b02b40aad50af83a14a678fbcb937ee0ef2da7ade39fe139ccb93cfc7ee0
                  • Opcode Fuzzy Hash: fff883d9c4f102e53083fe07dd23f6503dee89b008728845fc99c3c0368259a5
                  • Instruction Fuzzy Hash: CD012833614255AFCB179FA9EC458AF7B2DEB85330B25020AF8119F3D0EA70DD018790
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E003A33D7(WCHAR** _a4, struct HINSTANCE__* _a8) {
                  				long _t6;
                  				WCHAR** _t10;
                  				long _t11;
                  				void* _t12;
                  
                  				_t10 = _a4;
                  				_t11 = 0x104;
                  				while(1) {
                  					_t12 = E003A1EDE(_t10, _t11);
                  					if(_t12 < 0) {
                  						break;
                  					}
                  					_t6 = GetModuleFileNameW(_a8,  *_t10, _t11);
                  					if(_t6 == 0) {
                  						_t15 =  <=  ? GetLastError() : _t7 & 0x0000ffff | 0x80070000;
                  						_t12 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t7 & 0x0000ffff | 0x80070000;
                  						E003A37D3(0x80004005, "pathutil.cpp", 0x1d4, _t12);
                  					} else {
                  						if(_t6 != _t11) {
                  							_t12 = 0;
                  						} else {
                  							_t3 = _t6 + 1; // 0x1
                  							_t11 = _t3;
                  							continue;
                  						}
                  					}
                  					break;
                  				}
                  				return _t12;
                  			}








                  APIs
                  • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,003A10DD,?,00000000), ref: 003A33F8
                  • GetLastError.KERNEL32(?,?,?,003A10DD,?,00000000), ref: 003A340F
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorFileLastModuleName
                  • String ID: @Mxt$pathutil.cpp
                  • API String ID: 2776309574-2913857282
                  • Opcode ID: c9f31fb0796bbb8334158efc362f2295c2440e442fadeb3b988d67a0f0bbb9ca
                  • Instruction ID: 0e262b088af696cfdd4ecbbd6c26bb6059e914f2626e149e5b4d52cd867fe276
                  • Opcode Fuzzy Hash: c9f31fb0796bbb8334158efc362f2295c2440e442fadeb3b988d67a0f0bbb9ca
                  • Instruction Fuzzy Hash: 12F0C233B006706BD723966B5C88E97FA9DDB4B7A0F124222FD05EB150C721CD0082E0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 62%
                  			E003E602B(signed int __ecx, intOrPtr _a4, signed int _a8, signed int _a12, signed int _a16, signed int* _a20) {
                  				signed int _v8;
                  				signed int _t25;
                  				signed int* _t29;
                  				signed int* _t37;
                  				signed int _t48;
                  				intOrPtr _t50;
                  				signed int _t53;
                  				void* _t58;
                  				void* _t62;
                  				void* _t63;
                  				void* _t64;
                  
                  				_t39 = __ecx;
                  				_push(__ecx);
                  				_v8 = _v8 & 0x00000000;
                  				_t37 = _a16;
                  				_t50 = _a4;
                  				while(1) {
                  					_a16 = _a16 & 0x00000000;
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(0);
                  					_push(_t50);
                  					if( *0x40a984() != 0) {
                  						_t53 = E003E8924(_t39, _t50, 0x13,  &_v8);
                  						__eflags = _t53;
                  					} else {
                  						_t53 =  <=  ? GetLastError() : _t31 & 0x0000ffff | 0x80070000;
                  						E003E012F(_t53, "Failed to send request to URL: %ls, trying to process HTTP status code anyway.",  *_a8);
                  						_t58 = _t58 + 0xc;
                  						_t62 = E003E8924(_t39, _t50, 0x13,  &_v8);
                  					}
                  					if(_t62 < 0) {
                  						break;
                  					}
                  					_t25 = _v8;
                  					_t39 = 0x194;
                  					_t63 = _t25 - 0x194;
                  					if(_t63 > 0) {
                  						_t39 = 0x19e;
                  						__eflags = _t25 - 0x19e;
                  						if(__eflags > 0) {
                  							_t39 = _t25 - 0x1f6;
                  							__eflags = _t39;
                  							if(_t39 == 0) {
                  								L40:
                  								_t53 = 0x80070003;
                  								L41:
                  								if(_a16 != 0) {
                  									continue;
                  								}
                  								break;
                  							}
                  							_t39 = _t39 - 1;
                  							__eflags = _t39;
                  							if(_t39 == 0) {
                  								goto L40;
                  							}
                  							_t39 = _t39 - 1;
                  							__eflags = _t39;
                  							if(_t39 == 0) {
                  								L39:
                  								_t53 = 0x80070102;
                  								goto L41;
                  							}
                  							L38:
                  							__eflags = _t53;
                  							_t53 =  >=  ? 0x8000ffff : _t53;
                  							_t39 = _a8;
                  							_push( *_a8);
                  							E003E012F(_t53, "Unknown HTTP status code %d, returned from URL: %ls", _t25);
                  							_t58 = _t58 + 0x10;
                  							goto L41;
                  						}
                  						if(__eflags == 0) {
                  							_t53 = 0x80010135;
                  							goto L41;
                  						}
                  						_t39 = _t25 - 0x195;
                  						__eflags = _t39;
                  						if(_t39 == 0) {
                  							_t53 = 0x80070032;
                  							goto L41;
                  						}
                  						_t39 = _t39;
                  						__eflags = _t39;
                  						if(_t39 == 0) {
                  							L30:
                  							_a16 = _a16 & 0x00000000;
                  							_t53 = 0x80070005;
                  							 *_t37 =  *_t37 & 0x00000000;
                  							_t48 = _a12;
                  							__eflags = _t48;
                  							if(_t48 != 0) {
                  								_t39 =  *_t48;
                  								__eflags = _t39;
                  								if(_t39 != 0) {
                  									_t53 =  *_t39( *((intOrPtr*)(_t48 + 4)), _t50, _t25,  &_a16, _t37);
                  								}
                  							}
                  							goto L41;
                  						}
                  						_t39 = _t39 - 1;
                  						__eflags = _t39;
                  						if(_t39 == 0) {
                  							goto L39;
                  						}
                  						_t39 = _t39;
                  						__eflags = _t39;
                  						if(_t39 != 0) {
                  							goto L38;
                  						}
                  						L29:
                  						_t53 = 0x80070002;
                  						goto L41;
                  					}
                  					if(_t63 == 0) {
                  						goto L29;
                  					}
                  					_t39 = 0x12f;
                  					_t64 = _t25 - 0x194;
                  					if(_t64 > 0) {
                  						_t39 = _t25 - 0x190;
                  						__eflags = _t39;
                  						if(_t39 == 0) {
                  							_t53 = 0x800700a1;
                  							goto L41;
                  						}
                  						_t39 = _t39 - 1;
                  						__eflags = _t39;
                  						if(_t39 == 0) {
                  							goto L30;
                  						}
                  						_t39 = _t39;
                  						__eflags = _t39;
                  						if(_t39 != 0) {
                  							goto L38;
                  						}
                  						_t53 = 0x80070005;
                  						goto L41;
                  					}
                  					if(_t64 == 0) {
                  						L13:
                  						_t53 = E003E898E(_t39, _t50, 0x33, _a8);
                  						if(_t53 < 0) {
                  							break;
                  						} else {
                  							 *_t37 = 1;
                  							goto L41;
                  						}
                  					}
                  					_t39 = _t25 - 0xc8;
                  					if(_t39 == 0) {
                  						_t29 = _a20;
                  						 *_t29 =  *_t29 & 0x00000000;
                  						__eflags =  *_t29;
                  						L17:
                  						_t53 = 0;
                  						goto L41;
                  					}
                  					_t39 = _t39 - 6;
                  					if(_t39 == 0) {
                  						 *_a20 = 1;
                  						goto L17;
                  					}
                  					_t39 = _t39 - 0x5f;
                  					if(_t39 == 0 || _t39 == 0) {
                  						goto L13;
                  					} else {
                  						goto L38;
                  					}
                  				}
                  				return _t53;
                  			}















                  APIs
                  • GetLastError.KERNEL32 ref: 003E6053
                    • Part of subcall function 003E8924: GetLastError.KERNEL32(?,?,?,003E6096,?,00000013,00000000), ref: 003E8957
                  Strings
                  • Failed to send request to URL: %ls, trying to process HTTP status code anyway., xrefs: 003E606C
                  • @Mxt, xrefs: 003E6053
                  • Unknown HTTP status code %d, returned from URL: %ls, xrefs: 003E61C9
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorLast
                  • String ID: @Mxt$Failed to send request to URL: %ls, trying to process HTTP status code anyway.$Unknown HTTP status code %d, returned from URL: %ls
                  • API String ID: 1452528299-3226345684
                  • Opcode ID: 31bd2ebd238400a80e9b8351f9df7d785b8b68b1b70cc2e45c668ac3b025216d
                  • Instruction ID: 5b88899a88b84b80ac5df16bf3cb8c5899fbcba3f7dec73ef782af245d28dda7
                  • Opcode Fuzzy Hash: 31bd2ebd238400a80e9b8351f9df7d785b8b68b1b70cc2e45c668ac3b025216d
                  • Instruction Fuzzy Hash: 9541F832A401B5E7DB2B5E6A8D1777E3658EB21390F17032DFD02AF2D3D626CE009291
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 86%
                  			E003D90AA(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                  				signed int _v8;
                  				int _v12;
                  				char _v16;
                  				intOrPtr _v24;
                  				char _v28;
                  				void* _v40;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t34;
                  				signed int _t40;
                  				int _t46;
                  				int _t53;
                  				void* _t54;
                  				int _t56;
                  				signed int _t62;
                  				int _t65;
                  				short* _t66;
                  				signed int _t67;
                  				short* _t68;
                  
                  				_t64 = __edx;
                  				_t34 =  *0x40a008; // 0xd34ccc9a
                  				_v8 = _t34 ^ _t67;
                  				E003D19B7(_t54,  &_v28, __edx, _a4);
                  				_t56 = _a24;
                  				if(_t56 == 0) {
                  					_t6 = _v24 + 8; // 0xe3e85006
                  					_t53 =  *_t6;
                  					_t56 = _t53;
                  					_a24 = _t53;
                  				}
                  				_t65 = 0;
                  				_t40 = MultiByteToWideChar(_t56, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                  				_v12 = _t40;
                  				if(_t40 == 0) {
                  					L15:
                  					if(_v16 != 0) {
                  						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                  					}
                  					return E003CDE36(_t54, _v8 ^ _t67, _t64, _t65, _t66);
                  				}
                  				_t54 = _t40 + _t40;
                  				asm("sbb eax, eax");
                  				if((_t54 + 0x00000008 & _t40) == 0) {
                  					_t66 = 0;
                  					L11:
                  					if(_t66 != 0) {
                  						E003CF670(_t65, _t66, _t65, _t54);
                  						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t66, _v12);
                  						if(_t46 != 0) {
                  							_t65 = GetStringTypeW(_a8, _t66, _t46, _a20);
                  						}
                  					}
                  					L14:
                  					E003D91C7(_t66);
                  					goto L15;
                  				}
                  				asm("sbb eax, eax");
                  				_t48 = _t40 & _t54 + 0x00000008;
                  				_t62 = _t54 + 8;
                  				if((_t40 & _t54 + 0x00000008) > 0x400) {
                  					asm("sbb eax, eax");
                  					_t66 = E003D5154(_t62, _t48 & _t62);
                  					if(_t66 == 0) {
                  						goto L14;
                  					}
                  					 *_t66 = 0xdddd;
                  					L9:
                  					_t66 =  &(_t66[4]);
                  					goto L11;
                  				}
                  				asm("sbb eax, eax");
                  				E003E9DF0();
                  				_t66 = _t68;
                  				if(_t66 == 0) {
                  					goto L14;
                  				}
                  				 *_t66 = 0xcccc;
                  				goto L9;
                  			}

























                  APIs
                  • MultiByteToWideChar.KERNEL32(?,00000000,?,003D234D,00000000,00000000,003D3382,?,003D3382,?,00000001,003D234D,?,00000001,003D3382,003D3382), ref: 003D90F7
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 003D9180
                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 003D9192
                  • __freea.LIBCMT ref: 003D919B
                    • Part of subcall function 003D5154: RtlAllocateHeap.NTDLL(00000000,?,?,?,003D1E90,?,0000015D,?,?,?,?,003D32E9,000000FF,00000000,?,?), ref: 003D5186
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                  • String ID:
                  • API String ID: 2652629310-0
                  • Opcode ID: 53811c35947bd30820f86e549dc58d1333281d276838f875846c80f5aac450a3
                  • Instruction ID: f049d606e77af09c04c459443a86a14de28527c693ab79d376c931770d29a4b0
                  • Opcode Fuzzy Hash: 53811c35947bd30820f86e549dc58d1333281d276838f875846c80f5aac450a3
                  • Instruction Fuzzy Hash: 9331E572A0021AABDF268F65EC85EAF7BA9EB01310F05422AFC15DB390E735DD54C790
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 50%
                  			E003E5587(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16) {
                  				char _v8;
                  				intOrPtr* _t29;
                  				void* _t31;
                  				void* _t34;
                  
                  				_t34 = 0;
                  				_push( &_v8);
                  				_push(0);
                  				_push(_a8);
                  				_v8 = 0;
                  				_push(_a4);
                  				if( *0x40a938() != 0) {
                  					_t31 = E003A38D4(_v8, 1);
                  					if(_t31 != 0) {
                  						_push( &_v8);
                  						_push(_t31);
                  						_push(_a8);
                  						_push(_a4);
                  						if( *0x40a938() != 0) {
                  							_t29 = _a16;
                  							 *_a12 = _t31;
                  							_t31 = 0;
                  							if(_t29 == 0) {
                  								L10:
                  								L11:
                  								return _t34;
                  							}
                  							 *_t29 = _v8;
                  							L8:
                  							if(_t31 != 0) {
                  								E003A3999(_t31);
                  							}
                  							goto L10;
                  						}
                  						_t38 =  <=  ? GetLastError() : _t21 & 0x0000ffff | 0x80070000;
                  						_t34 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t21 & 0x0000ffff | 0x80070000;
                  						E003A37D3(0x80004005, "certutil.cpp", 0x1f, _t34);
                  						goto L8;
                  					}
                  					_t34 = 0x8007000e;
                  					E003A37D3(_t14, "certutil.cpp", 0x1b, 0x8007000e);
                  					goto L10;
                  				}
                  				_t41 =  <=  ? GetLastError() : _t25 & 0x0000ffff | 0x80070000;
                  				_t34 =  >=  ? 0x80004005 :  <=  ? GetLastError() : _t25 & 0x0000ffff | 0x80070000;
                  				E003A37D3(0x80004005, "certutil.cpp", 0x17, _t34);
                  				goto L11;
                  			}








                  APIs
                  • GetLastError.KERNEL32(?,?,003B9133,?,00000003,00000000,?), ref: 003E55A6
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorLast
                  • String ID: @Mxt$certutil.cpp
                  • API String ID: 1452528299-555246254
                  • Opcode ID: 0a955db4e58ad89d0d059b5ad30b527ff33277ae22db0c0952a8f45c69ff42b4
                  • Instruction ID: 04bb0a5f9703c6eeb96f6c4234564d66558290a4e84268474828733c040dd7b7
                  • Opcode Fuzzy Hash: 0a955db4e58ad89d0d059b5ad30b527ff33277ae22db0c0952a8f45c69ff42b4
                  • Instruction Fuzzy Hash: 5121F272641665FBEB229F668D04BAB7BE8DF45790F124226BD06EB190DB318D0096A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 44%
                  			E003E3119(void* __eax, intOrPtr* _a4, intOrPtr _a8, signed int* _a12) {
                  				signed int _v8;
                  				signed int _v12;
                  				signed int _v20;
                  				char _v28;
                  				intOrPtr* _t36;
                  				intOrPtr* _t39;
                  				signed int _t40;
                  				signed int _t41;
                  				signed int* _t43;
                  				void* _t46;
                  				void* _t47;
                  				void* _t51;
                  
                  				_v8 = _v8 & 0x00000000;
                  				_v12 = _v12 & 0x00000000;
                  				__imp__#2(_a8);
                  				_t46 = __eax;
                  				__imp__#8( &_v28);
                  				_t39 = _a4;
                  				_t47 =  *((intOrPtr*)( *_t39 + 0x44))(_t39,  &_v8);
                  				if(_t47 >= 0) {
                  					_t47 = E003E336E( &_v12, _v8, __eax,  &_v12);
                  					if(_t47 != 1 && _t47 >= 0) {
                  						_t36 = _v12;
                  						_t47 =  *((intOrPtr*)( *_t36 + 0x20))(_t36,  &_v28);
                  						_t51 = _t47;
                  						if(_t51 >= 0 && _t51 == 0) {
                  							_t43 = _a12;
                  							if(_t43 != 0) {
                  								_v20 = _v20 & 0x00000000;
                  								 *_t43 = _v20;
                  							}
                  						}
                  					}
                  				}
                  				_t40 = _v8;
                  				if(_t40 != 0) {
                  					 *((intOrPtr*)( *_t40 + 8))(_t40);
                  				}
                  				_t41 = _v12;
                  				if(_t41 != 0) {
                  					 *((intOrPtr*)( *_t41 + 8))(_t41);
                  				}
                  				__imp__#9( &_v28);
                  				if(_t46 != 0) {
                  					__imp__#6(_t46);
                  				}
                  				return _t47;
                  			}
















                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 003E312C
                  • VariantInit.OLEAUT32(?), ref: 003E3138
                  • VariantClear.OLEAUT32(?), ref: 003E31AC
                  • SysFreeString.OLEAUT32(00000000), ref: 003E31B7
                    • Part of subcall function 003E336E: SysAllocString.OLEAUT32(?), ref: 003E3383
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: String$AllocVariant$ClearFreeInit
                  • String ID:
                  • API String ID: 347726874-0
                  • Opcode ID: c75cbbf78fec70ce1eb2e9fda315a567ce23a968a33727003acfc58eb2483cfe
                  • Instruction ID: e1fac30c8596e53e5bbd3684358b33a00df9474abf993627978fca545da26170
                  • Opcode Fuzzy Hash: c75cbbf78fec70ce1eb2e9fda315a567ce23a968a33727003acfc58eb2483cfe
                  • Instruction Fuzzy Hash: A7214135901269EFCB26EFA6C84CEAEBBB8EF84711F15025CE9019B250D731DE05CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E003D60E2(void* __ecx) {
                  				void* __ebx;
                  				void* __edi;
                  				intOrPtr _t2;
                  				void* _t4;
                  				void* _t10;
                  				void* _t11;
                  				void* _t13;
                  				void* _t15;
                  				void* _t16;
                  				long _t17;
                  
                  				_t11 = __ecx;
                  				_t17 = GetLastError();
                  				_t10 = 0;
                  				_t2 =  *0x40a05c; // 0x6
                  				_t20 = _t2 - 0xffffffff;
                  				if(_t2 == 0xffffffff) {
                  					L2:
                  					_t16 = E003D523F(_t11, 1, 0x364);
                  					_pop(_t13);
                  					if(_t16 != 0) {
                  						_t4 = E003D88AE(_t10, _t13, _t16, __eflags,  *0x40a05c, _t16);
                  						__eflags = _t4;
                  						if(_t4 != 0) {
                  							E003D5ED0(_t13, _t16, 0x40b13c);
                  							E003D511A(_t10);
                  							__eflags = _t16;
                  							if(_t16 != 0) {
                  								goto L9;
                  							} else {
                  								goto L8;
                  							}
                  						} else {
                  							_push(_t16);
                  							goto L4;
                  						}
                  					} else {
                  						_push(_t10);
                  						L4:
                  						E003D511A();
                  						L8:
                  						SetLastError(_t17);
                  					}
                  				} else {
                  					_t16 = E003D8858(0, _t11, _t15, _t20, _t2);
                  					if(_t16 != 0) {
                  						L9:
                  						SetLastError(_t17);
                  						_t10 = _t16;
                  					} else {
                  						goto L2;
                  					}
                  				}
                  				return _t10;
                  			}














                  APIs
                  • GetLastError.KERNEL32(?,00000100,00000000,003D3E3B,003C16CE,80004005,00000000,?,cabextract.cpp,000001C7), ref: 003D60E7
                  • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 003D6150
                  • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 003D6159
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: ErrorLast
                  • String ID: @Mxt
                  • API String ID: 1452528299-1922883433
                  • Opcode ID: 17eff7317cfc36be63a5d1f5222f9fa2e84d4cb26f696fbc4654ed75636c2cee
                  • Instruction ID: 05d652a39cf45899667b8261bf627a5ab56285ba79fba69bfe833afe5f41172f
                  • Opcode Fuzzy Hash: 17eff7317cfc36be63a5d1f5222f9fa2e84d4cb26f696fbc4654ed75636c2cee
                  • Instruction Fuzzy Hash: 1D01D177200B0066D71377747C87A2B2A6DDBD2771F62012BF425AA393EF348C095165
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 34%
                  			E003A730C(void* __ecx, struct _CRITICAL_SECTION* _a4, intOrPtr _a8, intOrPtr _a12) {
                  				signed int _v8;
                  				signed int _t15;
                  				void* _t22;
                  
                  				_t20 = __ecx;
                  				_push(__ecx);
                  				_v8 = _v8 & 0x00000000;
                  				EnterCriticalSection(_a4);
                  				_t22 = E003A5C87(_t20, _a4, _a8,  &_v8);
                  				_t15 = _v8;
                  				if(_t22 < 0 ||  *((intOrPtr*)(_t15 + 0x18)) != 0) {
                  					if(_t22 != 0x80070490) {
                  						if(_t22 >= 0) {
                  							_t22 = E003C006A(_t20, _t15 + 8, _a12);
                  							if(_t22 < 0) {
                  								_push(_a8);
                  								_push("Failed to get value as numeric for variable: %ls");
                  								goto L8;
                  							}
                  						} else {
                  							_push(_a8);
                  							_push("Failed to get value of variable: %ls");
                  							L8:
                  							_push(_t22);
                  							E003E012F();
                  						}
                  					}
                  				} else {
                  					_t22 = 0x80070490;
                  				}
                  				LeaveCriticalSection(_a4);
                  				return _t22;
                  			}







                  APIs
                  • EnterCriticalSection.KERNEL32(?), ref: 003A7318
                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 003A737F
                  Strings
                  • Failed to get value as numeric for variable: %ls, xrefs: 003A736E
                  • Failed to get value of variable: %ls, xrefs: 003A7352
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterLeave
                  • String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
                  • API String ID: 3168844106-4270472870
                  • Opcode ID: 219ea00847b97eeb7d912faaa03562e2b8ac0578e1db88fc8b76ca9358ea11c9
                  • Instruction ID: 05bcd339e39cbc75c710c3344945de49882bf75aabbda29c40face5e4a61fc1d
                  • Opcode Fuzzy Hash: 219ea00847b97eeb7d912faaa03562e2b8ac0578e1db88fc8b76ca9358ea11c9
                  • Instruction Fuzzy Hash: 6001713A954168FBCF139F54CC45ADE7B6DEB16721F028265FD04AA2A1C3369E10ABD0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 38%
                  			E003A7481(void* __ecx, void* __edx, struct _CRITICAL_SECTION* _a4, intOrPtr _a8, intOrPtr _a12) {
                  				signed int _v8;
                  				signed int _t15;
                  				void* _t21;
                  				void* _t23;
                  
                  				_t21 = __edx;
                  				_t20 = __ecx;
                  				_push(__ecx);
                  				_v8 = _v8 & 0x00000000;
                  				EnterCriticalSection(_a4);
                  				_t23 = E003A5C87(_t20, _a4, _a8,  &_v8);
                  				_t15 = _v8;
                  				if(_t23 < 0 ||  *((intOrPtr*)(_t15 + 0x18)) != 0) {
                  					if(_t23 != 0x80070490) {
                  						if(_t23 >= 0) {
                  							_t23 = E003C01D0(_t20, _t21, _t15 + 8, _a12);
                  							if(_t23 < 0) {
                  								_push(_a8);
                  								_push("Failed to get value as version for variable: %ls");
                  								goto L8;
                  							}
                  						} else {
                  							_push(_a8);
                  							_push("Failed to get value of variable: %ls");
                  							L8:
                  							_push(_t23);
                  							E003E012F();
                  						}
                  					}
                  				} else {
                  					_t23 = 0x80070490;
                  				}
                  				LeaveCriticalSection(_a4);
                  				return _t23;
                  			}








                  APIs
                  • EnterCriticalSection.KERNEL32(?), ref: 003A748D
                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 003A74F4
                  Strings
                  • Failed to get value as version for variable: %ls, xrefs: 003A74E3
                  • Failed to get value of variable: %ls, xrefs: 003A74C7
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterLeave
                  • String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
                  • API String ID: 3168844106-1851729331
                  • Opcode ID: c896761a64280d33c04e2c8bdbd17423bb8e3cc5d0aeb023a0c2cc40420c8ea0
                  • Instruction ID: 4f632f204d24ff3f1ebdddedcab1ac568ee6c85b7a0cd3e07e32aa3fe6a98d2b
                  • Opcode Fuzzy Hash: c896761a64280d33c04e2c8bdbd17423bb8e3cc5d0aeb023a0c2cc40420c8ea0
                  • Instruction Fuzzy Hash: 09018F32A54278FBCF235F45CC85AAE7F68EF19721F118225FC04AA260C3369E1197E0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 31%
                  			E003A7410(void* __ecx, void* __edx, struct _CRITICAL_SECTION* _a4, intOrPtr _a8, intOrPtr _a12) {
                  				signed int _v8;
                  				void* _t20;
                  				void* _t22;
                  
                  				_t20 = __edx;
                  				_t19 = __ecx;
                  				_push(__ecx);
                  				_v8 = _v8 & 0x00000000;
                  				EnterCriticalSection(_a4);
                  				_t22 = E003A5C87(_t19, _a4, _a8,  &_v8);
                  				if(_t22 != 0x80070490) {
                  					if(_t22 >= 0) {
                  						_t22 = E003BFF73(_t20, _v8 + 8, _a12);
                  						if(_t22 < 0) {
                  							_push(_a8);
                  							_push("Failed to copy value of variable: %ls");
                  							goto L5;
                  						}
                  					} else {
                  						_push(_a8);
                  						_push("Failed to get value of variable: %ls");
                  						L5:
                  						_push(_t22);
                  						E003E012F();
                  					}
                  				}
                  				LeaveCriticalSection(_a4);
                  				return _t22;
                  			}







                  APIs
                  • EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,003A9752,00000000,?,00000000,00000000,00000000,?,003A9590,00000000,?,00000000,00000000), ref: 003A741C
                  • LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,00000000,?,003A9752,00000000,?,00000000,00000000,00000000,?,003A9590,00000000,?,00000000), ref: 003A7472
                  Strings
                  • Failed to get value of variable: %ls, xrefs: 003A7442
                  • Failed to copy value of variable: %ls, xrefs: 003A7461
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterLeave
                  • String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
                  • API String ID: 3168844106-2936390398
                  • Opcode ID: e62236a511c52886c971ca6e05d46d042284b510b45acfa7acf3f44faee9d39c
                  • Instruction ID: 864ed74ede4df6dc5ae9024b86b6d2b643ed7b7d674a69169dff86c96ea1b638
                  • Opcode Fuzzy Hash: e62236a511c52886c971ca6e05d46d042284b510b45acfa7acf3f44faee9d39c
                  • Instruction Fuzzy Hash: A7F04F36944168FBCF236F55CC45DDE7F68EF19365F008224FD04AA261D7369A20ABD0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E003D1246() {
                  				void* _t4;
                  				void* _t8;
                  
                  				E003D1854();
                  				E003D17E8();
                  				if(E003D1548() != 0) {
                  					_t4 = E003D14FA(_t8, __eflags);
                  					__eflags = _t4;
                  					if(_t4 != 0) {
                  						return 1;
                  					} else {
                  						E003D1584();
                  						goto L1;
                  					}
                  				} else {
                  					L1:
                  					return 0;
                  				}
                  			}






                  APIs
                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 003D1246
                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 003D124B
                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 003D1250
                    • Part of subcall function 003D1548: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 003D1559
                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 003D1265
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                  • String ID:
                  • API String ID: 1761009282-0
                  • Opcode ID: 294756368ebb91e0d837f8d85631f380e5f2af2aa371e18ba28d844398db2aca
                  • Instruction ID: 95c9e5a94c00a85b982c04d7f168fd15b0bcc87567509d1a5111e7e72a138bcf
                  • Opcode Fuzzy Hash: 294756368ebb91e0d837f8d85631f380e5f2af2aa371e18ba28d844398db2aca
                  • Instruction Fuzzy Hash: 00C04C0B104201772E2336F232422ED03590CE738579118C7F8669F707590B041B3032
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E003E4661(intOrPtr _a4) {
                  				char _v8;
                  				void* _v12;
                  				void* _v16;
                  				void* _v20;
                  				char _v24;
                  				signed short* _t64;
                  				intOrPtr _t65;
                  				intOrPtr _t67;
                  				signed int _t78;
                  				signed int _t79;
                  				signed int _t80;
                  				void* _t82;
                  				intOrPtr _t83;
                  				signed int _t84;
                  				void* _t85;
                  				signed int _t86;
                  
                  				_t86 = 0;
                  				_v16 = 0;
                  				_v8 = 0;
                  				_v12 = 0;
                  				_v24 = 0;
                  				_v20 = 0;
                  				_t84 = E003E0E3F(0x80000002, L"SYSTEM\\CurrentControlSet\\Control\\Session Manager", 3,  &_v16);
                  				if(_t84 != 0x80070002) {
                  					if(_t84 >= 0) {
                  						_t84 = E003E10C5(_v16, L"PendingFileRenameOperations",  &_v8,  &_v12);
                  						if(_t84 == 0x80070002) {
                  							goto L1;
                  						} else {
                  							if(_t84 >= 0) {
                  								_t78 = 0;
                  								if(_v12 > 0) {
                  									_t82 = 0x3f;
                  									do {
                  										_t64 =  *(_v8 + _t78 * 4);
                  										if(_t64 == 0) {
                  											L21:
                  											_t65 = _v20;
                  											goto L24;
                  										} else {
                  											_t79 =  *_t64 & 0x0000ffff;
                  											if(_t79 == 0) {
                  												goto L21;
                  											} else {
                  												_t85 = 0x5c;
                  												if(_t85 == _t79 && _t82 == _t64[1] && _t82 == _t64[2] && _t85 == _t64[3]) {
                  													_t64 =  &(_t64[4]);
                  												}
                  												_t84 = E003A2D05( &_v24, _a4, _t64,  &_v24);
                  												if(_t84 >= 0) {
                  													if(_v24 != 2) {
                  														_t65 = _v20;
                  													} else {
                  														_t69 = _v8;
                  														if( *(_v8 + _t78 * 4) != _t86) {
                  															E003E54EF( *((intOrPtr*)(_t69 + _t78 * 4)));
                  															 *(_v8 + _t78 * 4) = _t86;
                  														}
                  														_t71 =  *(_v8 + 4 + _t78 * 4);
                  														if( *(_v8 + 4 + _t78 * 4) != 0) {
                  															E003E54EF(_t71);
                  															 *(_v8 + 4 + _t78 * 4) = _t86;
                  														}
                  														_t65 = 1;
                  														_v20 = 1;
                  													}
                  													_t82 = 0x3f;
                  													goto L24;
                  												}
                  											}
                  										}
                  										goto L31;
                  										L24:
                  										_t78 = _t78 + 2;
                  									} while (_t78 < _v12);
                  									if(_t65 != 0) {
                  										_t80 = _t86;
                  										if(_v12 > _t80) {
                  											do {
                  												_t67 = _v8;
                  												_t83 =  *((intOrPtr*)(_t67 + _t80 * 4));
                  												if(_t83 != 0) {
                  													 *((intOrPtr*)(_t67 + _t86 * 4)) = _t83;
                  													_t86 = _t86 + 1;
                  												}
                  												_t80 = _t80 + 1;
                  											} while (_t80 < _v12);
                  										}
                  										_v12 = _t86;
                  										_t84 = E003E143C(_v16, L"PendingFileRenameOperations", _v8, _t86);
                  									}
                  								}
                  							}
                  						}
                  					}
                  				} else {
                  					L1:
                  					_t84 = _t86;
                  				}
                  				L31:
                  				_t56 = _v8;
                  				if(_v8 != 0) {
                  					E003A2647(_t56, _v12);
                  				}
                  				if(_v16 != 0) {
                  					RegCloseKey(_v16);
                  				}
                  				return _t84;
                  			}




















                  APIs
                    • Part of subcall function 003E0E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,003E5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 003E0E52
                  • RegCloseKey.ADVAPI32(00000000,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,00000003,?,00000000,00000000,00000101), ref: 003E47C2
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CloseOpen
                  • String ID: PendingFileRenameOperations$SYSTEM\CurrentControlSet\Control\Session Manager
                  • API String ID: 47109696-3023217399
                  • Opcode ID: e4279f7908486275f1e5b97c1dc3817d1b2384db5d30c4ce009c0b21a4ee6365
                  • Instruction ID: a59ae5f2d148d60e426835292d0fe54ffb10e9616cc77f9244b4719b383de952
                  • Opcode Fuzzy Hash: e4279f7908486275f1e5b97c1dc3817d1b2384db5d30c4ce009c0b21a4ee6365
                  • Instruction Fuzzy Hash: 1A411A75E00165EFCF22DF96C980EAEB7B9EF49700F124269E510AB2D1D7319E40DB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 96%
                  			E003E9220(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                  				void* _v8;
                  				void* _v12;
                  				char _v16;
                  				char _v20;
                  				char _v24;
                  				void* _t55;
                  				void* _t58;
                  
                  				_t55 = __edx;
                  				_t54 = __ecx;
                  				_v20 = 0;
                  				_v12 = 0;
                  				_v16 = 0;
                  				_v8 = 0;
                  				_v24 = 0;
                  				_t58 = E003E8CFB(__ecx, _a8,  &_v20);
                  				if(_t58 >= 0) {
                  					_t58 = E003E0AD5(__ecx, _a4, _v20, 0x20006, 0, 0,  &_v12,  &_v24);
                  					if(_t58 >= 0) {
                  						_push(_a12);
                  						_t58 = E003A1F20( &_v16, L"%ls\\%ls",  *0x40a7e4);
                  						if(_t58 >= 0) {
                  							_t58 = E003E0AD5(_t54, _v12, _v16, 0x20006, 0, 0,  &_v8,  &_v24);
                  							if(_t58 >= 0) {
                  								_t58 = E003E1392(_t54, _t55, _v8,  *0x40a7d4, _a16);
                  								if(_t58 >= 0) {
                  									_t58 = E003E1392(_t54, _t55, _v8,  *0x40a7d8, _a20);
                  									if(_t58 >= 0 && _a24 != 0) {
                  										_t58 = E003E1344(_v8,  *0x40a7dc, _a24);
                  									}
                  								}
                  							}
                  						}
                  					}
                  				}
                  				if(_v8 != 0) {
                  					RegCloseKey(_v8);
                  					_v8 = 0;
                  				}
                  				if(_v16 != 0) {
                  					E003E54EF(_v16);
                  				}
                  				if(_v12 != 0) {
                  					RegCloseKey(_v12);
                  					_v12 = 0;
                  				}
                  				if(_v20 != 0) {
                  					E003E54EF(_v20);
                  				}
                  				return _t58;
                  			}











                  APIs
                    • Part of subcall function 003E8CFB: lstrlenW.KERNEL32(00000100,?,?,003E9098,000002C0,00000100,00000100,00000100,?,?,?,003C7B40,?,?,000001BC,00000000), ref: 003E8D1B
                  • RegCloseKey.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000), ref: 003E9305
                  • RegCloseKey.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 003E931F
                    • Part of subcall function 003E0AD5: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,003B0491,?,00000000,00020006), ref: 003E0AFA
                    • Part of subcall function 003E1392: RegSetValueExW.ADVAPI32(00020006,00020006,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,003AF1C2,00000000,?,00020006), ref: 003E13C5
                    • Part of subcall function 003E1392: RegDeleteValueW.ADVAPI32(00020006,00020006,00000000,?,?,003AF1C2,00000000,?,00020006,?,00020006,00020006,00000000,?,?,?), ref: 003E13F5
                    • Part of subcall function 003E1344: RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,?,003AF11A,00000005,Resume,?,?,?,00000002,00000000), ref: 003E1359
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Value$Close$CreateDeletelstrlen
                  • String ID: %ls\%ls
                  • API String ID: 3924016894-2125769799
                  • Opcode ID: 5938857b69dbf58d4dd3732e6e1aa627adc13b700905d13d7819658e657a809a
                  • Instruction ID: 81c8201607cc3b8fd2a4eda52b7a5c45ee1de6e814b596439e66fd625b2fc575
                  • Opcode Fuzzy Hash: 5938857b69dbf58d4dd3732e6e1aa627adc13b700905d13d7819658e657a809a
                  • Instruction Fuzzy Hash: E0310D72C0127EFBCF139F96CD819AEBBB9EF04350B114666FA1076161D7318E609B90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E003E1392(void* __ecx, void* __edx, void* _a4, short* _a8, char* _a12) {
                  				signed int _v8;
                  				signed short _t12;
                  				void* _t14;
                  				signed short _t18;
                  				signed short _t22;
                  
                  				_t22 = 0;
                  				_v8 = _v8 & 0;
                  				if(_a12 == 0) {
                  					_t12 = RegDeleteValueW(_a4, _a8);
                  					if(_t12 == 2 || _t12 == 3) {
                  						_t12 = 0;
                  					}
                  					if(_t12 != 0) {
                  						_t26 =  <=  ? _t12 : _t12 & 0x0000ffff | 0x80070000;
                  						_t14 = 0x80004005;
                  						_t22 =  >=  ? 0x80004005 :  <=  ? _t12 : _t12 & 0x0000ffff | 0x80070000;
                  						_push(_t22);
                  						_push(0x2fe);
                  						goto L9;
                  					}
                  				} else {
                  					_t22 = E003E0A2B(_a12, 0xffffffff,  &_v8);
                  					if(_t22 >= 0) {
                  						_t18 = RegSetValueExW(_a4, _a8, 0, 1, _a12, _v8);
                  						if(_t18 != 0) {
                  							_t29 =  <=  ? _t18 : _t18 & 0x0000ffff | 0x80070000;
                  							_t14 = 0x80004005;
                  							_t22 =  >=  ? 0x80004005 :  <=  ? _t18 : _t18 & 0x0000ffff | 0x80070000;
                  							_push(_t22);
                  							_push(0x2f5);
                  							L9:
                  							_push("regutil.cpp");
                  							E003A37D3(_t14);
                  						}
                  					}
                  				}
                  				return _t22;
                  			}









                  APIs
                  • RegSetValueExW.ADVAPI32(00020006,00020006,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,003AF1C2,00000000,?,00020006), ref: 003E13C5
                  • RegDeleteValueW.ADVAPI32(00020006,00020006,00000000,?,?,003AF1C2,00000000,?,00020006,?,00020006,00020006,00000000,?,?,?), ref: 003E13F5
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp Download File
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp Download File
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp Download File
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Value$Delete
                  • String ID: regutil.cpp
                  • API String ID: 1738766685-955085611
                  • Opcode ID: fb93578494861eacc5d813fdbb414e62c347327472e546a6f218492d344ecfaa
                  • Instruction ID: c0fc1d8919a6f1cc72c8140751adf6ec3acd3dbd4ef8be1e784eacfd7ebd135c
                  • Opcode Fuzzy Hash: fb93578494861eacc5d813fdbb414e62c347327472e546a6f218492d344ecfaa
                  • Instruction Fuzzy Hash: 4911C636E10279BBEF225E678D04BAA76A9EF04790F424331FD00EA1E0D771CD109AD4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 75%
                  			E003E54F8(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, long _a36) {
                  				char _v8;
                  				signed short _t16;
                  				char _t22;
                  				signed short _t25;
                  
                  				_t22 = 0;
                  				_v8 = 0;
                  				_t16 = E003A21A5( &_v8, _a4, 0);
                  				_t25 = _t16;
                  				if(_t25 < 0) {
                  					L8:
                  					if(_v8 != 0) {
                  						E003E54EF(_v8);
                  					}
                  					return _t25;
                  				}
                  				_t25 = 0x80004005;
                  				while(_t22 <= _a32) {
                  					if(_t22 != 0) {
                  						Sleep(_a36);
                  					}
                  					__imp__SetNamedSecurityInfoW(_v8, _a8, _a12, _a16, _a20, _a24, _a28);
                  					_t25 =  <=  ? _t16 : _t16 & 0x0000ffff | 0x80070000;
                  					_t22 = _t22 + 1;
                  					if(_t25 < 0) {
                  						continue;
                  					} else {
                  						break;
                  					}
                  				}
                  				if(_t25 < 0) {
                  					E003A37D3(_t16, "aclutil.cpp", 0x399, _t25);
                  				}
                  				goto L8;
                  			}








                  APIs
                  • Sleep.KERNEL32(20000004,00000000,00000000,00000000,00000000,00000000,?,?,003B8C90,?,00000001,20000004,00000000,00000000,?,00000000), ref: 003E5527
                  • SetNamedSecurityInfoW.ADVAPI32(00000000,?,000007D0,00000003,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,003B8C90,?), ref: 003E5542
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: InfoNamedSecuritySleep
                  • String ID: aclutil.cpp
                  • API String ID: 2352087905-2159165307
                  • Opcode ID: 9c07b278db08e1a43abb6e6150f6126eb33091d3e3b7f8891dfeb3e06119f955
                  • Instruction ID: 7817180c9b0e8b6d653717c20d904fb7edd75b60cc082bfb3e07ec62dc8d1480
                  • Opcode Fuzzy Hash: 9c07b278db08e1a43abb6e6150f6126eb33091d3e3b7f8891dfeb3e06119f955
                  • Instruction Fuzzy Hash: 2A0182738015A8BBCF239E96CD04ECF7E7AEF45764F020215BD056B190D6318E609B90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CoInitializeEx.OLE32(00000000,00000000), ref: 003B55D9
                  • CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?), ref: 003B5633
                  Strings
                  • Failed to initialize COM on cache thread., xrefs: 003B55E5
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: InitializeUninitialize
                  • String ID: Failed to initialize COM on cache thread.
                  • API String ID: 3442037557-3629645316
                  • Opcode ID: 98827a0f7ac0ae882069f5ca49e6a0f946716bf49407a85aa65f2f30f1456e7e
                  • Instruction ID: c348985bffb15d72d04a3e7575de2645e124fedff02cf7f7cc853a0567da88a2
                  • Opcode Fuzzy Hash: 98827a0f7ac0ae882069f5ca49e6a0f946716bf49407a85aa65f2f30f1456e7e
                  • Instruction Fuzzy Hash: E9018072600619BFC7069FA9DC80ED6F7ACFF09354F408226FA09DB121DB31AE548B90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 39%
                  			E003A6418(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
                  				signed int _v8;
                  				signed int _v12;
                  				void* _t26;
                  
                  				_t22 = __ecx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t26 = 0;
                  				_v8 = _v8 & 0;
                  				_v12 = _v12 & 0;
                  				E003E09BB(_t22, GetCurrentProcess(),  &_v12);
                  				if(_v12 != 0) {
                  					if(E003A5BF0(_t22, _a4,  &_v8) >= 0) {
                  						_t26 = E003C02F4(_a8, _v8, 0);
                  						if(_t26 < 0) {
                  							_push("Failed to set variant value.");
                  							goto L5;
                  						}
                  					} else {
                  						_push("Failed to get 64-bit folder.");
                  						L5:
                  						_push(_t26);
                  						E003E012F();
                  					}
                  				}
                  				if(_v8 != 0) {
                  					E003E54EF(_v8);
                  				}
                  				return _t26;
                  			}







                  APIs
                  • GetCurrentProcess.KERNEL32(?), ref: 003A642A
                    • Part of subcall function 003E09BB: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,003A5D8F,00000000), ref: 003E09CF
                    • Part of subcall function 003E09BB: GetProcAddress.KERNEL32(00000000), ref: 003E09D6
                    • Part of subcall function 003E09BB: GetLastError.KERNEL32(?,?,?,003A5D8F,00000000), ref: 003E09ED
                    • Part of subcall function 003A5BF0: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 003A5C77
                  Strings
                  • Failed to set variant value., xrefs: 003A6467
                  • Failed to get 64-bit folder., xrefs: 003A644D
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
                  • String ID: Failed to get 64-bit folder.$Failed to set variant value.
                  • API String ID: 3109562764-2681622189
                  • Opcode ID: 6bc4ddc1355297609d434545431c1690f0bc805c7f4286834ae24e7b1203216b
                  • Instruction ID: a7af5e9b7a04ea2d92fbf3753fbb88a8f7e7b00703db3aefc09bf64f15e87ec9
                  • Opcode Fuzzy Hash: 6bc4ddc1355297609d434545431c1690f0bc805c7f4286834ae24e7b1203216b
                  • Instruction Fuzzy Hash: AD0162329402B8BBCF13AB96CC06AEEBB68DF05721F154255F800BA192DB759E40D7D0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 82%
                  			E003DD3D3(void* __ebx, void* __edi, void* __eflags) {
                  				signed int _t37;
                  				void* _t38;
                  
                  				E003CE830(__ebx, __edi, 0x407fc8, 0xc);
                  				_t37 = 0;
                  				 *(_t38 - 0x1c) = 0;
                  				E003D8C77( *((intOrPtr*)( *((intOrPtr*)(_t38 + 8)))));
                  				 *((intOrPtr*)(_t38 - 4)) = 0;
                  				if(( *( *((intOrPtr*)(0x40b158 + ( *( *( *(_t38 + 0xc))) >> 6) * 4)) + 0x28 + ( *( *( *(_t38 + 0xc))) & 0x0000003f) * 0x30) & 0x00000001) == 0) {
                  					L3:
                  					 *((intOrPtr*)(E003D3E36())) = 9;
                  					_t37 = _t37 | 0xffffffff;
                  				} else {
                  					if(FlushFileBuffers(E003D8D4E(_t36)) == 0) {
                  						_t37 = E003D3E23();
                  						 *_t37 = GetLastError();
                  						goto L3;
                  					}
                  				}
                  				 *(_t38 - 0x1c) = _t37;
                  				 *((intOrPtr*)(_t38 - 4)) = 0xfffffffe;
                  				E003DD45F();
                  				return E003CE876();
                  			}






                  APIs
                    • Part of subcall function 003D8C77: EnterCriticalSection.KERNEL32(?), ref: 003D8C92
                  • FlushFileBuffers.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003DD41C
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 003DD42D
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: BuffersCriticalEnterErrorFileFlushLastSection
                  • String ID: @Mxt
                  • API String ID: 4109680722-1922883433
                  • Opcode ID: 754bb4221e5f01497e496eb40d0e50c25082552211b91f1b11bdcad25e0110a9
                  • Instruction ID: 9e4a30fc822b0ff9d0a7f18cfa21cb25b646daa00e8614d20e6a8aad0cf390a8
                  • Opcode Fuzzy Hash: 754bb4221e5f01497e496eb40d0e50c25082552211b91f1b11bdcad25e0110a9
                  • Instruction Fuzzy Hash: F1018472A103149FC712BF78E949A4E7BB5AF45720B14420BF4109F3E2DB74AD419B81
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 49%
                  			E003B0598(void* __ecx, void* __edx, intOrPtr _a4) {
                  				signed int _v8;
                  				void* _t19;
                  				void* _t24;
                  
                  				_t19 = __edx;
                  				_v8 = _v8 & 0x00000000;
                  				_t24 = E003E0E3F( *((intOrPtr*)(_a4 + 0x4c)),  *((intOrPtr*)(_a4 + 0x50)), 0x20006,  &_v8);
                  				if(_t24 >= 0) {
                  					_t24 = E003AF09D(_t19, __eflags, _t21, _v8, 1, 0);
                  					__eflags = _t24;
                  					if(_t24 < 0) {
                  						_push("Failed to update resume mode.");
                  						goto L4;
                  					}
                  				} else {
                  					_push("Failed to open registration key.");
                  					L4:
                  					_push(_t24);
                  					E003E012F();
                  				}
                  				if(_v8 != 0) {
                  					RegCloseKey(_v8);
                  				}
                  				return _t24;
                  			}







                  APIs
                    • Part of subcall function 003E0E3F: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,?,003E5699,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000,00000000), ref: 003E0E52
                  • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,00000001,00000000,?,?,003CBB7C,00000101,?), ref: 003B05EF
                  Strings
                  • Failed to update resume mode., xrefs: 003B05D9
                  • Failed to open registration key., xrefs: 003B05BF
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp Download File
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp Download File
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp Download File
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: CloseOpen
                  • String ID: Failed to open registration key.$Failed to update resume mode.
                  • API String ID: 47109696-3366686031
                  • Opcode ID: 09d6312288dd6d656ed59a3038195f8d61bf61643fbd3d7b1484e8c38a5cf80a
                  • Instruction ID: e26ddeb1cdc45112f77b709f5c8e810c1b68f73794c7e835fee56b6721f30bf7
                  • Opcode Fuzzy Hash: 09d6312288dd6d656ed59a3038195f8d61bf61643fbd3d7b1484e8c38a5cf80a
                  • Instruction Fuzzy Hash: 7DF0CD32945138FBC7375A94DC01FDFB769DB01754F100156F600B6590D7B56F5096D0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 37%
                  			E003E30BF(void* __eax, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                  				void* _t12;
                  				intOrPtr* _t15;
                  				void* _t16;
                  
                  				if(_a12 == 0) {
                  					L6:
                  					return 0x80070057;
                  				}
                  				_t15 = _a4;
                  				if(_t15 == 0) {
                  					goto L6;
                  				}
                  				__imp__#2(_a8, _t12);
                  				if(__eax != 0) {
                  					_t16 =  *((intOrPtr*)( *_t15 + 0xbc))(_t15, __eax, _a12);
                  					__imp__#6(__eax);
                  				} else {
                  					_t16 = 0x8007000e;
                  					E003A37D3(__eax, "xmlutil.cpp", 0x66, 0x8007000e);
                  				}
                  				return _t16;
                  			}







                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 003E30D4
                  • SysFreeString.OLEAUT32(00000000), ref: 003E3104
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: String$AllocFree
                  • String ID: xmlutil.cpp
                  • API String ID: 344208780-1270936966
                  • Opcode ID: 9e2a34bc6483be5ec3803ce2eaa02cfcbae37773e0511203b52f2163e9e52f2c
                  • Instruction ID: 4513d1164d75949bde18fea1add6554e0b4da450a9dfa9570c1f9fd13c1d094c
                  • Opcode Fuzzy Hash: 9e2a34bc6483be5ec3803ce2eaa02cfcbae37773e0511203b52f2163e9e52f2c
                  • Instruction Fuzzy Hash: 63F0BB351011E4E7C7335E059C0DFAB7BA9EF41760F150229FC056B290C7758D109AA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 37%
                  			E003E336E(void* __eax, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                  				void* _t12;
                  				intOrPtr* _t15;
                  				void* _t16;
                  
                  				_t15 = _a4;
                  				if(_t15 == 0 || _a12 == 0) {
                  					return 0x80070057;
                  				} else {
                  					__imp__#2(_a8, _t12);
                  					if(__eax != 0) {
                  						_t16 =  *((intOrPtr*)( *_t15 + 0x1c))(_t15, __eax, _a12);
                  						__imp__#6(__eax);
                  					} else {
                  						_t16 = 0x8007000e;
                  						E003A37D3(__eax, "xmlutil.cpp", 0x340, 0x8007000e);
                  					}
                  					return _t16;
                  				}
                  			}







                  APIs
                  • SysAllocString.OLEAUT32(?), ref: 003E3383
                  • SysFreeString.OLEAUT32(00000000), ref: 003E33B3
                  Strings
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: String$AllocFree
                  • String ID: xmlutil.cpp
                  • API String ID: 344208780-1270936966
                  • Opcode ID: f1f0e3aee6785d2577d2d2090882bd72df34d202915b353f900aaea1b31046d5
                  • Instruction ID: 5bebda643ebc7f46302e6286c448e6e61c531aea094f44d5255fdd4117501fe2
                  • Opcode Fuzzy Hash: f1f0e3aee6785d2577d2d2090882bd72df34d202915b353f900aaea1b31046d5
                  • Instruction Fuzzy Hash: 2EF0B4392001A8E7C7234E0A9C0CF6B77A8EB85760F22021AFC059B290CB74CE109AE0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E003E1344(void* _a4, short* _a8, char _a12) {
                  				signed short _t5;
                  				int _t9;
                  
                  				_t9 = 0;
                  				_t5 = RegSetValueExW(_a4, _a8, 0, 4,  &_a12, 4);
                  				if(_t5 != 0) {
                  					_t12 =  <=  ? _t5 : _t5 & 0x0000ffff | 0x80070000;
                  					_t9 =  >=  ? 0x80004005 :  <=  ? _t5 : _t5 & 0x0000ffff | 0x80070000;
                  					E003A37D3(0x80004005, "regutil.cpp", 0x372, _t9);
                  				}
                  				return _t9;
                  			}






                  APIs
                  • RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,?,003AF11A,00000005,Resume,?,?,?,00000002,00000000), ref: 003E1359
                  Strings
                  • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 003E1347
                  • regutil.cpp, xrefs: 003E1381
                  Memory Dump Source
                  • Source File: 00000018.00000002.463822452.00000000003A1000.00000020.00020000.sdmp, Offset: 003A0000, based on PE: true
                  • Associated: 00000018.00000002.463817609.00000000003A0000.00000002.00020000.sdmp Download File
                  • Associated: 00000018.00000002.463853516.00000000003EB000.00000002.00020000.sdmp Download File
                  • Associated: 00000018.00000002.463870278.000000000040A000.00000004.00020000.sdmp Download File
                  • Associated: 00000018.00000002.463875136.000000000040E000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_24_2_3a0000_VC_redist.jbxd
                  Similarity
                  • API ID: Value
                  • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$regutil.cpp
                  • API String ID: 3702945584-2416625845
                  • Opcode ID: 2f68edf84b31080fe67b46b4b351d3c4e5b5814476e9340c396cba9c9a99dee4
                  • Instruction ID: cff089eded4e0c133b24d5a3eed551981ce95c5a4759b752049acf7dc12248c7
                  • Opcode Fuzzy Hash: 2f68edf84b31080fe67b46b4b351d3c4e5b5814476e9340c396cba9c9a99dee4
                  • Instruction Fuzzy Hash: 84E06D72B402357AE7215AAA4C05F977ACCDB04BE0F024121BE08EA190D6718D1086E8
                  Uniqueness

                  Uniqueness Score: -1.00%